
WinSCP to External Server

Hi,


I have an internal server (A) and I want to use WinSCP to SFTP to an external server (B).

In between A and B is a Sophos UTM 9 appliance.

The Sophos UTM 9 appliance has a web proxy set up.

There is a firewall rule on UTM 9 that forwards port 80 traffic from the internal to external network.

To test the proxy, I used IE to browse to the BBC website. Before the proxy was set it could not load the page. When I set the proxy as the UTM device and the web proxy port, I could then browse to the BBC website. No web proxy login was required.

In WinSCP I chose to use a proxy using HTTP and set the proxy server to be the UTM 9 appliance and the port as the web proxy port. No web proxy login was required.

When I try to connect to the external server (B) using WinSCP, the logs say it connects to the web proxy but then times out waiting for a response from the external server.


My questions are as follows:

1. Has anyone managed to do something similar and had success?

2. Will the UTM 9 web proxy forward SFTP traffic? I have read that some web proxies will not do this.

3. Are there any logs on the UTM 9 appliance that I could check to see what is happening on the web proxy and get more information about what is going on?

4. Can anyone offer any tips for trying to diagnose what the issue might be?

5. Could the following explanation be valid: the connection being attempted by the web proxy is to external server port 22, and another firewall exists between the web proxy and the external network that is blocking traffic on port 22? How could we test this?

6. Or: as there is a firewall rule for port 80 to route from internal to external via UTM, do we need to set one up for port 22, so that the connection from the web proxy can exit the UTM 9 appliance? E.g. could it be that this is the situation:

A begins SFTP connection via web proxy -> web proxy on port (XX) on UTM 9 -> proxy attempts connection to B (port 22) -> UTM 9 firewall blocks as will not allow traffic out on port 22

add firewall rule for port 22, same as existing one for port 80:

A begins SFTP connection via web proxy -> web proxy on port (XX) on UTM 9 -> proxy attempts connection to B (port 22) -> UTM 9 firewall allows traffic out on port 22


Thanks for your time,


Tom
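The time-out in question 4 can be narrowed down by reproducing the one step WinSCP performs when its proxy type is set to HTTP: it sends an HTTP CONNECT request for host:22 to the proxy and, if the proxy answers 200, expects the SSH server's identification string ("SSH-2.0-...") to arrive next over the tunnel. The script below is an added example, not code from the original post, from WinSCP or from Sophos. It talks to two constructed in-process stand-in proxies (one that grants the tunnel and replays a constructed SSH banner, one that answers 403) so it runs offline; the target name sftp.example.net is a placeholder. Pointed at the real UTM address and web proxy port, it shows which of the possible answers the appliance actually gives: a 403/405 means the proxy refuses CONNECT to that port, a 407 means it wants credentials, and a 200 with no SSH banner, or no reply at all, points at a firewall hop between the proxy and server B rather than at the proxy itself.

```python
"""Probe whether an HTTP proxy will tunnel (CONNECT) to an SFTP server on port 22.

WinSCP's "HTTP" proxy type starts with an HTTP CONNECT request to the proxy and then
speaks SSH over the resulting tunnel.  This isolates that step so the proxy's answer
can be read directly instead of being reported as a generic time-out.
"""
from __future__ import annotations

import socket
import threading


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request an HTTP-proxied SSH session begins with."""
    target = f"{host}:{port}"
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_proxy_reply(data: bytes) -> tuple[int, str, bytes]:
    """Split the proxy's reply into (status code, reason, bytes after the headers)."""
    head, _sep, rest = data.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, rest


def probe_connect(proxy_host: str, proxy_port: int, target_host: str,
                  target_port: int = 22, timeout: float = 10.0) -> dict:
    """Send CONNECT through the proxy and record status, reason, SSH banner or error."""
    result = {"status": None, "reason": "", "banner": None, "error": None}
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(target_host, target_port))
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("proxy closed the connection before replying")
                buf += chunk
            status, reason, rest = parse_proxy_reply(buf)
            result["status"], result["reason"] = status, reason
            if status == 200:
                # Tunnel established: the SSH server speaks first, so its
                # identification string should arrive without us sending anything.
                while b"\n" not in rest:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    rest += chunk
                result["banner"] = rest.split(b"\n", 1)[0].strip().decode("latin-1")
    except (OSError, ValueError) as e:  # socket.timeout is a subclass of OSError
        result["error"] = f"{type(e).__name__}: {e}"
    return result


def classify(result: dict) -> str:
    """Turn a probe result into the diagnosis a practitioner wants."""
    if result["error"]:
        return "no-reply-or-blocked"          # time-out or reset: check the firewall log
    if result["status"] == 200 and result["banner"] and result["banner"].startswith("SSH-"):
        return "ssh-reachable-via-proxy"
    if result["status"] == 200:
        return "tunnel-open-but-no-ssh-banner"  # proxy connected, but not to an sshd
    if result["status"] in (403, 405):
        return "proxy-refuses-connect-to-port"
    if result["status"] == 407:
        return "proxy-requires-auth"
    return f"proxy-error-{result['status']}"


def _fake_proxy(reply: bytes, banner: bytes | None = None) -> tuple[str, int]:
    """Constructed stand-in proxy on loopback: reads one request, sends a canned reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            req = b""
            while b"\r\n\r\n" not in req:
                req += conn.recv(4096)
            conn.sendall(reply)
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> dict:
    """Probe a permissive and a restrictive constructed proxy; no network access needed."""
    ok = _fake_proxy(b"HTTP/1.1 200 Connection established\r\n\r\n",
                     b"SSH-2.0-OpenSSH_8.9\r\n")           # constructed banner
    deny = _fake_proxy(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    return {
        "permissive": classify(probe_connect(*ok, "sftp.example.net", 22, timeout=3)),
        "restrictive": classify(probe_connect(*deny, "sftp.example.net", 22, timeout=3)),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real appliance, replace the two stand-in proxies with `probe_connect("<utm address>", <web proxy port>, "<server B>")`; whichever label `classify` returns is the thing to look up in the UTM logs, and a `no-reply-or-blocked` result while port 80 browsing works is the signature of the port-22 firewall-rule gap the poster suspects in question 6.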



  • Hi, and welcome to the UTM Community!

    I'm with Kevin about not "seeing" your whole setup, but it shouldn't make any difference. I bet his suggestion to look in the Firewall log file will have given you the answer you were seeking. Whenever something seems strange, do #1 in Rulz.

    I use WinSCP with SFTP often on client UTMs and have done so as far away as Germany, India and Australia. Port 22 traffic does not pass via the Web Proxy, nor via any Proxy; it passes via a firewall rule.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In the end the answer was that I had not specified that the web proxy could allow SSH traffic. Masquerading was set up, so all I was missing was allowing SSH traffic, and it worked!

    Thanks all for your help; it all set me on the right track, so much appreciated.