
Configure Sophos SG 135 (UTM 9) to allow Microsoft Routing and Remote Access Service (Microsoft RRAS)

Hi Everyone,

I have a question on the Sophos firewall, and I am new to Sophos appliances.

 

Question/I need to --->

Configure Sophos SG 135 (UTM 9) to allow Microsoft Routing and Remote Access Service (Microsoft RRAS).

 

Customer requirement --->

Microsoft RRAS and Direct Access have to be used and allowed to all remote users. Firewall or 3rd party VPN isn't an option.

 

Issue --->

1. When I add all standard rules: Firewall, Network, NAT - it doesn't work. (BTW, identical-type devices from Cisco, Checkpoint, PaloAlto and even SonicWALL work without issues.)

2. There is no guide or best practice document on how to configure RRAS with Sophos, or at least I can't find one.

 

Errors in the log --->

1. I can't see anything in the Sophos Firewall Logs. The logs, literally, have nothing logged against any of the IPs: internal RRAS and external clients. No Drops or Success, literally nothing.

2. Windows Server 2016 RRAS reports that the client connection was accepted but the tunnel cannot be established as there is a GRE 47 issue. (A connection between the VPN server and the VPN client xxx.xxx.xxx.xxx-external-IP has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).)

 

 

Firewall Configuration --->

[Screenshots of the firewall, NAT and network rules not included]

 

P.S. An identical approach with a DNAT rule & firewall rule for Terminal Services works fine without any issue. Not sure why RRAS is different.

P.P.S. WAN is configured as PPPoE. The router in front of the appliance is set in Bridge Mode.

P.P.P.S. Firmware version - 9.411-3

 

Regards,

Kon
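An added diagnostic example, not from Kon's post or from Sophos: it parses a few constructed IPv4 packets and shows why a ruleset written only in terms of TCP/UDP ports (the kind that works for Terminal Services, or for SSTP on TCP 443) can never match the PPTP data channel, which is IP protocol 47 (GRE) and has no port at all. The packet bytes and the rule set are constructed here; the protocol/port mapping is the standard one for PPTP, L2TP/IPsec and SSTP.

```python
import socket
import struct

# IP protocol numbers and the GRE protocol type carried by PPTP data packets
GRE, TCP, UDP, ESP = 47, 6, 17, 50
PPP_OVER_GRE = 0x880B

def build_ipv4(proto, payload, src="203.0.113.10", dst="198.51.100.5"):
    """Constructed IPv4 packet (no options, checksum left 0) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Name the VPN component one IPv4 packet belongs to."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IPv4 protocol field
    l4 = pkt[ihl:]
    if proto == GRE:
        flags_ver, ptype = struct.unpack("!HH", l4[:4])
        if (flags_ver & 0x7) == 1 and ptype == PPP_OVER_GRE:
            return "PPTP data (GRE v1, PPP payload)"
        return "GRE (protocol 47)"
    if proto == ESP:
        return "IPsec ESP (protocol 50)"
    if proto in (TCP, UDP):
        dport = struct.unpack("!H", l4[2:4])[0]
        known = {TCP: {1723: "PPTP control", 443: "SSTP"},
                 UDP: {1701: "L2TP", 500: "IKE", 4500: "IKE NAT-T"}}[proto]
        return known.get(dport, f"{'TCP' if proto == TCP else 'UDP'}/{dport}")
    return f"IP protocol {proto}"

def rule_key(pkt):
    """What a firewall/DNAT rule has to match: a port for TCP/UDP, else the IP protocol."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in (TCP, UDP):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        return f"{'tcp' if proto == TCP else 'udp'}/{dport}"
    return f"proto/{proto}"

def blocked_by(rules, pkts):
    """Labels of the packets that no rule in `rules` would match."""
    return [classify(p) for p in pkts if rule_key(p) not in rules]

# Constructed sample flows: PPTP control + one GRE data packet, and an SSTP packet
PPTP_CONTROL = build_ipv4(TCP, struct.pack("!HH", 50000, 1723) + bytes(16))
PPTP_DATA = build_ipv4(GRE, struct.pack("!HH", 0x3001, PPP_OVER_GRE) + bytes(8))
SSTP = build_ipv4(TCP, struct.pack("!HH", 50001, 443) + bytes(16))
PORT_ONLY_RULES = {"tcp/1723", "tcp/443"}   # constructed port-based ruleset

if __name__ == "__main__":
    print("unmatched:", blocked_by(PORT_ONLY_RULES, [PPTP_CONTROL, PPTP_DATA, SSTP]))
```

The GRE packet is the only one left unmatched; a rule for it has to name IP protocol 47 rather than a port, and a control channel accepted on TCP 1723 says nothing about whether protocol 47 gets through.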



  • Hello Kon,

    please activate logging for the firewall and NAT rules. Then look in the firewall live log (NAT is also logged there) to see what is blocked.
    Then post the log here ;-)

    Viele Grüße / Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

  • Hi, Kon, and welcome to the UTM Community!

    What do you learn when you also try the other items listed in #1 in Rulz?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Thank you very much for your reply!

    I would appreciate it if you could explain "enable logging for firewall and NAT". I understand it is already enabled, and when I go into "Logs - Firewall" there is nothing captured in there.

    BTW: I got it working with SSTP, but PPTP and L2TP are still dead

    Regards,

    Kon 

    Rulz?! Never waste time on forum rules which are impossible to find and are longer than 5 sentences :)

    I am new to this place and I have no idea about mystery rules.

    Anyway, I have clearly outlined everything that I could gather in the topic.

  • Hi Kon,

    when you make new firewall or NAT rules you can choose whether they should be logged or not. Normally logging is deactivated. Open your rules with the edit button, open the Advanced tab at the bottom of the rule and activate the logging option.

    Whether the rule is logged or not you can see from a "note" symbol in the overview:

    BTW: the Rulz that were linked by Bob are NOT forum rules; behind his link you find the best practice configuration rules ;-).

    Viele Grüße / Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

  • Thanks, I can't make any changes right now, but I will look into it first thing in the morning and will post logs. I am delighted to hear that there are logs available, as I was getting worried...

    I misunderstood the Rulz thing :) It wasn't clear from his reply. Anyway, it sounds great, I will take a look at it - best practice all the way! ;)