No WebAdmin access over VPN using public hostname

I can't access the WebAdmin despite being connected via VPN (SSL).

Here's the basic configuration:

The UTM has a publicly accessible hostname (with matching certificate) - COMPANY.COM -> our public IP
On our internal DNS it also has a local DNS entry - UTM.LOCAL.NET -> UTM local IP
The WebAdmin has been configured to allow all connections from our internal network, as well as the IP pools for SSL.

After I connect via VPN (SSL), I can't connect via the COMPANY.COM address, but I CAN connect using the UTM.LOCAL.NET address. That said, any machines which are physically in our LAN can indeed connect to the WebAdmin using the public DNS name.

When checking the logs, it logs a blocked WebAdmin access attempt coming not from the assigned VPN IP, but from my home IP. On one hand, this is understandable, but on the other... how do I make this work?

My only idea thus far is to add a local DNS entry overriding the COMPANY.COM public DNS, so it points to the internal LAN IP of our UTM, rather than the public IP... but there's a minor issue with that (unrelated to this question) and feels like a workaround rather than an actual solution to the problem.

So... what could I do?

  • Hi

    By default, the Remote Access SSL VPN pool does not use the firewall as the default gateway and goes out directly through the ISP when going out to the Internet (i.e. accessing the public IP of your WebAdmin). That is why you see your home's public IP in the logs vs. the assigned VPN pool IP.

    Therefore your 2 other options are:

    1. Make the UTM the default gateway of the Remote Access SSL VPN by adding "0.0.0.0" to 'Allowed Networks' on your VPN configuration.

    2. Change the 'Allowed Networks' on your WebAdmin settings to “Any” so it is accessible to outside users, but of course, this compromises security.  

    Hope that helps.

    Cheers,

    Karlos

    Community Support Engineer | Sophos Technical Support
  • Addition:

    OR instead of typing in "0.0.0.0" try just the public IP of your UTM on the "Allowed Networks" of your VPN configuration

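As an added illustration of the split-tunnel behaviour described in the reply above and the /32 host-route variant in the addition (this is example code written for this page, not code from the thread, from the UTM, or from Sophos), the Python below models the client-side routing decision with a longest-prefix match over the networks the VPN pushes, then checks the source address the WebAdmin would see against its "Allowed networks" list. All addresses, the DNS answers and the route lists are constructed sample values in documentation ranges; the model also assumes that a connection tunnelled to the UTM's own public address arrives with the VPN pool address as its source, which is an assumption, not something the thread confirms.

```python
"""Model of the split-tunnel routing decision behind a blocked WebAdmin login (constructed example)."""
import ipaddress

# --- constructed sample addresses (RFC 5737 documentation ranges, not real hosts) ---
TUNNEL_IP = ipaddress.ip_address("10.242.2.6")         # assumed address from the SSL VPN pool
HOME_WAN_IP = ipaddress.ip_address("203.0.113.77")     # assumed home ISP address
UTM_PUBLIC_IP = ipaddress.ip_address("198.51.100.10")  # assumed public IP of the UTM
UTM_LOCAL_IP = ipaddress.ip_address("192.168.1.1")     # assumed LAN address of the UTM

# Constructed DNS answers as the VPN client sees them: public name -> public IP, internal name -> LAN IP
DNS = {
    "company.com": UTM_PUBLIC_IP,
    "utm.local.net": UTM_LOCAL_IP,
}

# Networks the UTM pushes to the client (the SSL VPN profile's local/allowed networks)
SPLIT_ROUTES = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.242.2.0/24")]
# Variant from the addition: also push the UTM's public IP as a /32 so only that host is tunnelled
HOST_ROUTE_FIX = SPLIT_ROUTES + [ipaddress.ip_network("198.51.100.10/32")]
# Full tunnel: a default route through the UTM
FULL_TUNNEL = [ipaddress.ip_network("0.0.0.0/0")]

# WebAdmin "Allowed networks": internal LAN plus the VPN pool (as the question describes)
WEBADMIN_ALLOWED = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.242.2.0/24")]


def egress(dst, pushed_routes):
    """Longest-prefix match over the pushed routes.
    Returns ('tunnel', TUNNEL_IP) if some pushed route covers dst, else ('isp', HOME_WAN_IP)."""
    best = None
    for net in pushed_routes:
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is None:
        return "isp", HOME_WAN_IP
    return "tunnel", TUNNEL_IP


def webadmin_accepts(src, allowed=WEBADMIN_ALLOWED):
    """True if the source address falls inside one of the WebAdmin's allowed networks."""
    return any(src in net for net in allowed)


def diagnose(hostname, pushed_routes):
    """Simulate one WebAdmin connection attempt to hostname under the given pushed routes.
    Returns (path, source_ip_as_seen_by_utm, accepted)."""
    dst = DNS[hostname]
    path, src = egress(dst, pushed_routes)
    return path, str(src), webadmin_accepts(src)


if __name__ == "__main__":
    scenarios = [("split tunnel", SPLIT_ROUTES),
                 ("split + /32 host route", HOST_ROUTE_FIX),
                 ("full tunnel", FULL_TUNNEL)]
    for label, routes in scenarios:
        for name in DNS:
            path, src, ok = diagnose(name, routes)
            verdict = "ALLOWED" if ok else "BLOCKED"
            print(f"{label:24} {name:14} via {path:6} src={src:14} webadmin={verdict}")
```

Under the plain split-tunnel routes, `company.com` resolves to an address no pushed route covers, so the request leaves via the home ISP and the UTM logs the home WAN address and blocks it, while `utm.local.net` resolves into the LAN prefix and arrives from the pool address. Pushing the public IP as a /32 keeps the tunnel split for everything else while steering that one destination through the UTM; a default route does the same at the cost of tunnelling all traffic. Whether a given UTM build then actually accepts a hairpinned connection to its own external address is outside what this model can tell you, which is the point at which the original poster's follow-up picks up.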
  • Incorrect about internet default gateway

  • The first suggestion doesn't work and everything behaves as it did before. The second option is, of course, unacceptable.

    That said, it appears that the UTM still isn't the default gateway for my VPN connection after making these changes.

    EDIT: After opening the SSL VPN I did a quick "tracert" from my machine, and it appears I AM using the UTM as the gateway. Unfortunately, accessing the public DNS name still doesn't work, as mentioned above. Also, when you mentioned adding 0.0.0.0 to the "Allowed Networks" you mean the "Local networks" section of an SSL VPN configuration? There's nothing else that would fit the bill...