
UTM VPN server behind ISP router working partially?

Hi,

I have an SG105 behind an ISP cable modem (router). In this router I forwarded port 443 to the SG box.
Now I can connect from outside via SSL VPN to this SG105 successfully, that is, my outside VPN client says the connection is established. But I cannot access any PCs in the network.

What have I missed?

Thanks for any hints,
Alex



  • Hi Alex,

    Usually I'm leaving the OpenVPN server on UDP/1194. But TCP/443 should be fine.
    For your issue, under Remote Access --> SSL --> edit Profile, please verify that the Local Networks setting is set to ANY. This will avoid split tunneling though, so be aware of this. 

    Also, please have a check on this document (SSL VPN best practices and setup instructions from Sophos):
    https://www.sophos.com/en-us/medialibrary/PDFs/documentation/utm90_Remote_Access_Via_SSL_geng.pdf

    Regards,

    M.

  • Hi,

    thank you for your answer, it brought me one step further - but still not working completely.

    I made the settings you mentioned above:

    ... please verify that the Local Networks setting is set to ANY...

    Now I can still connect from remote, I can ping the SG105 UTM box from remote, I can ping the desired PC from remote, but I cannot establish a Remote Desktop connection, nor can I access the WebAdmin interface on the UTM box from remote.

    I think there must be a rule blocking that traffic. Do you have a further suggestion?

    BTW: this UTM box is also a client that connects via site-to-site VPN (also SSL) to another UTM box. This connection is working properly, but it uses the "VPN Pool (SSL)" network (created by default by Sophos). And I use this default "VPN Pool (SSL)" network for the desired road warrior connection as well. Could this be a problem?

  • Do you use "automatic firewall rules" in your definition of the SSL VPN, or do you set the packet filter rules manually?

    I don't prefer using "any" in the local network definition for SSL VPN, because ALL traffic is then sent from the client through the VPN...

    Split tunneling is the better option, so only the needed traffic is travelling through the tunnel...

    But that's a point on how you work with your connection.

     

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Does doing #1 in Rulz provide any insight?

    If you are judging "access" by pinging, be aware that pinging is regulated on the 'ICMP' tab of 'Firewall'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    the problem is solved now: there was an interference with the site-to-site VPN connection to the other (site-to-site VPN server) UTM box. Both connections used the same SSL VPN IP pool addresses, and therefore the traffic never came back to the road warrior (and was not logged, because nothing was blocked). After defining another SSL VPN IP pool for the road warrior it is working now. Hurray!

    Thanks for your help!
    best regards,
    Alex
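
As an added illustration of the root cause Alex found (this is example code, not from the thread or from Sophos), the script below checks a set of named address ranges for overlaps and then shows why a shared pool breaks the return path: with the same pool assigned to both the site-to-site tunnel and the road-warrior tunnel, a longest-prefix-match lookup for the road warrior's tunnel address finds two equally good routes, so the reply can be sent into the wrong tunnel and simply never comes back, with nothing for the firewall log to show. The CIDRs, tunnel names and the assumption that the UTM default "VPN Pool (SSL)" is 10.242.2.0/24 are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed example reproducing the thread: the default "VPN Pool (SSL)"
# (assumed 10.242.2.0/24 here) is used for BOTH SSL tunnels.
BROKEN_NETWORKS = {
    "LAN (internal)": "192.168.1.0/24",
    "VPN Pool (SSL) - site-to-site": "10.242.2.0/24",
    "VPN Pool (SSL) - road warrior": "10.242.2.0/24",
}

# After the fix: the road-warrior profile gets its own pool.
FIXED_NETWORKS = {
    "LAN (internal)": "192.168.1.0/24",
    "VPN Pool (SSL) - site-to-site": "10.242.2.0/24",
    "VPN Pool (SSL) - road warrior": "10.242.3.0/24",
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose address ranges overlap.

    Run this over every local network and every VPN pool the box knows about;
    any pair returned is a candidate for 'traffic goes out but never comes back'.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b) for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2)
            if net_a.overlaps(net_b)]


def as_routes(networks, tunnels):
    """Build a (cidr, egress) route list; tunnels maps network name -> interface."""
    return [(cidr, tunnels[name]) for name, cidr in networks.items()]


def return_paths(dest_ip, routes):
    """Longest-prefix match for dest_ip over routes [(cidr, egress), ...].

    Returns every egress that ties for the longest prefix. A single entry is a
    well-defined return path; more than one means the reply is ambiguous.
    """
    ip = ipaddress.ip_address(dest_ip)
    best_len, winners = -1, []
    for cidr, egress in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip not in net:
            continue
        if net.prefixlen > best_len:
            best_len, winners = net.prefixlen, [egress]
        elif net.prefixlen == best_len:
            winners.append(egress)
    return winners


TUNNELS = {
    "LAN (internal)": "eth0",
    "VPN Pool (SSL) - site-to-site": "tun-site-to-site",
    "VPN Pool (SSL) - road warrior": "tun-road-warrior",
}

if __name__ == "__main__":
    print("overlaps (broken):", find_overlaps(BROKEN_NETWORKS))
    print("overlaps (fixed): ", find_overlaps(FIXED_NETWORKS))
    # A road-warrior client that was handed 10.242.2.6 from the shared pool:
    print("reply to 10.242.2.6 (broken):",
          return_paths("10.242.2.6", as_routes(BROKEN_NETWORKS, TUNNELS)))
    # Same client after the road-warrior profile moved to 10.242.3.0/24:
    print("reply to 10.242.3.6 (fixed): ",
          return_paths("10.242.3.6", as_routes(FIXED_NETWORKS, TUNNELS)))
```

The practical takeaway matches the thread: an overlap between two VPN pools (or between a pool and a remote site's LAN) does not show up as a dropped packet, so check address ranges first before hunting for a blocking firewall rule.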