
WinSCP to External Server

Hi,

I have an internal server (A) and I want to use WinSCP to SFTP to an external server (B).

In between A and B is a Sophos UTM 9 appliance.

The Sophos UTM 9 appliance has a web proxy set up.

There is a firewall rule on UTM 9 that forwards port 80 traffic from the internal to external network.

To test the proxy, I used IE to browse to the BBC website. Before the proxy was set, it could not load the page. When I set the proxy as the UTM device and the web proxy port, I could then browse to the BBC website. No web proxy login was required.

In WinSCP I chose to use a proxy using HTTP and set the proxy server to be the UTM 9 appliance and the port as the web proxy port. No web proxy login was required.

When I try to connect to the external server (B) using WinSCP, the logs say it connects to the web proxy but then times out waiting for a response from the external server.

My questions are as follows:

1. Has anyone managed to do something similar and had success?

2. Will the UTM 9 web proxy forward SFTP traffic? I have read that some web proxies will not do this.

3. Are there any logs on the UTM 9 appliance that I could check to see what is happening on the web proxy, and to get any more information about what is happening?

4. Can anyone offer any tips for trying to diagnose what the issue might be?

5. Could the following explanation be valid: if the connection being attempted by the web proxy is to external server port 22, could it be that another firewall exists between the web proxy and the external network that is blocking traffic on port 22? How could we test this?

6. Or: as there is a firewall rule for port 80 to route from internal to external via the UTM, do we need to set one up for port 22 so that the connection from the web proxy can exit the UTM 9 appliance? E.g. could it be that this is the situation:

A begins SFTP connection via web proxy -> web proxy on port (XX) on UTM 9 -> proxy attempts connection to B (port 22) -> UTM 9 firewall blocks as will not allow traffic out on port 22

add firewall rule for port 22, same as existing one for port 80:

A begins SFTP connection via web proxy -> web proxy on port (XX) on UTM 9 -> proxy attempts connection to B (port 22) -> UTM 9 firewall allows traffic out on port 22

Thanks for your time,

Tom

  • There are many logs where you can find something about your connections. Your best friends are 'Web Filtering' for the web security, 'Firewall' for the... guess what ;-) and Intrusion Prevention System for anything concerning IPS and/or flood protection.

    If I am honest I don't understand your setup really.

    You have a UTM and you are using the web protection. If you use that, you don't need firewall rules that allow port 80. This rule will only apply if the proxy is bypassed, by simply not using it or because of an exception. But - and I think that was your initial problem - you do not seem to have Masquerading activated. Without Masquerading your UTM does not NAT the outgoing traffic to its external IP (assuming your UTM is directly connected to the internet and has an external IP on its WAN interface).

    When you use the proxy all traffic going over it uses the external IP of the UTM automatically.

    If you want to use SFTP over the HTTP proxy then you need to allow the usage of SSH traffic in the proxy configuration. I would activate Masquerading and define a firewall rule for SSH outgoing to the known destination only. Actually, I could bet you are getting 'target service not allowed' errors in the Web Filtering log.

    I would start with a very small config at the start... no proxy, no IPS, no flood protection active. A Masquerading rule for your internal network to your external interface, and then allow 'Internal network (network)' using service 'Web Surfing' going to 'Internet IPv4'. If that works you can refine the firewall rules and activate network protection (if licensed). In a completely separate second step I would activate a transparent proxy and disable the 'Web Surfing' rule from above.

    If you are new to the subject of UTM (sorry if not, but it seems so) then you should read some basics about the concepts of firewalls and proxies first, before you start to configure an all-in-one solution.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
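As an added diagnostic example (not code from WinSCP, Sophos or anyone in this thread): an HTTP-proxy client such as WinSCP asks the web proxy for a raw TCP tunnel with an HTTP CONNECT request, and the proxy's status line tells you whether it will forward to port 22 at all. This probe sends that request, classifies the reply in the terms used above, and confirms the tunnel really reaches an SSH server by waiting for the SSH banner. The proxy and server addresses are placeholders, and the sample replies are constructed, not captured from a UTM.

```python
from __future__ import annotations
import socket
# Constructed sample replies (not captured from a real UTM) used by the checks below.
SAMPLE_ALLOWED = b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_9.6\r\n"
SAMPLE_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT request an HTTP-proxy client sends to ask for a raw TCP tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_proxy_reply(raw: bytes) -> tuple[int, str, bytes]:
    """Split the proxy's reply into (status code, reason phrase, bytes after the headers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), rest

def diagnose(code: int, reason: str, after_headers: bytes) -> str:
    """Map the reply to the most likely cause, in the terms used in this thread."""
    if code == 200 and after_headers.startswith(b"SSH-"):
        return "ok: proxy tunnelled to the target and the SSH banner came back"
    if code == 200:
        return "tunnel accepted but no SSH banner: check the firewall path from the proxy to the target"
    if code in (403, 407, 501, 502, 503):
        return f"proxy refused CONNECT ({code} {reason}): check the web filter's allowed target services"
    return f"unexpected proxy reply: {code} {reason}"

def probe(proxy_host: str, proxy_port: int, target_host: str, target_port: int = 22,
          timeout: float = 10.0) -> str:
    """Live check: open the tunnel through the proxy and wait for the SSH banner."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:  # read until the proxy's header block is complete
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        code, reason, rest = parse_proxy_reply(buf)
        if code == 200 and not rest.startswith(b"SSH-"):
            try:
                rest += s.recv(256)  # the SSH server speaks first, so the banner should arrive now
            except socket.timeout:
                pass
        return diagnose(code, reason, rest)

if __name__ == "__main__":  # placeholder hosts: replace with the UTM web proxy and server B
    print(probe("utm.example.internal", 8080, "serverB.example.com"))
```

A 403-style refusal points at the proxy's own policy (the 'target service not allowed' case), while a 200 with no banner points at a firewall between the UTM and server B.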

  • Hi, and welcome to the UTM Community!

    I'm with Kevin about not "seeing" your whole setup, but it shouldn't make any difference.  I bet his suggestion to look in the Firewall log file will have given you the answer you were seeking.  Whenever something seems strange, do #1 in Rulz.

    I use WinSCP with SFTP often on client UTMs and have done so as far away as Germany, India and Australia.  Port 22 traffic does not pass via the Web Proxy, nor via any Proxy - it passes via a firewall rule.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In the end the answer was that I had not specified that the web proxy could allow SSH traffic. Masquerading was set up, so all I was missing was allowing SSH traffic and it worked!

    Thanks all for your help - it all set me on the right track, so much appreciated.