
Migrating TMG2010 server/app publishing rules to Sophos UTM

Hi

We're migrating from a backend TMG2010 to a backend Sophos UTM and part of the work requires that we migrate server and application publishing rules e.g. we have a server publishing rule that publishes FTPS:990 protocol allowing external clients to access our internal FTPS server. 

Our TMGs and UTMs are backend proxies and not edge devices so they work alongside edge firewall NAT rules.  External clients connect to the public facing IP resolved from a public FQDN which NATs through the edge firewall to a DMZ listener IP on the backend TMG.  Firewall rule also allows specific protocols/ports.  Listener on TMG application publishing rule sends the traffic to the internal application server.

I need to replicate this on UTM, but on first glance WAF doesn't do this because WAF only allows the HTTP(S) protocol, and HTTPS:990 isn't the same as FTPS:990. I'm assuming that we need to look at UTM firewall rules; however, UTM is behind the edge firewall, which would be handling the NAT.

Any ideas and/or gotchas?

thanks, Mark

  • My first reaction would be that the UTM will most likely be perfectly able to replace your current edge firewall as well. However, assuming this is not what you want, you could of course also create DNAT rules on the UTM where you simply NAT the desired traffic to your internal FTPS server. You will have double NAT, however....

    Personally I would go for 1 device that does it all, it's less overhead and a lower TCO.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
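A gotcha worth checking before relying on the DNAT approach above for FTPS:990: implicit FTPS encrypts the control channel from the first byte, so neither the edge firewall nor the UTM can inspect the PASV/EPSV replies and dynamically open or rewrite the data connection the way an FTP helper does for plain FTP. The FTPS server therefore has to advertise the public address clients connect to and use a fixed passive port range, and both NAT hops need DNAT for port 990 plus that whole range. The script below is an added example (not code from this thread and not Sophos code) that parses PASV and EPSV replies offline and flags the two failures this produces: an internal address advertised to the client, and a data port outside the forwarded range. The sample replies, the public IP 203.0.113.10 and the passive range 50000-50100 are constructed assumptions.

```python
# Added example (not from the thread or from Sophos): offline check of FTPS
# passive-mode replies for the NAT gotchas that bite a DNAT-published FTPS server.
# Sample replies, the public IP 203.0.113.10 and the passive port range
# 50000-50100 are constructed assumptions for illustration.
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address and port are both advertised.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# "229 Entering Extended Passive Mode (|||port|)": only the port is advertised;
# the client reuses the control-channel peer address, which survives NAT.
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply):
    """Return (advertised_ip or None, data_port) from a PASV or EPSV reply."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def check_passive_reply(reply, public_ip, dnat_range):
    """Flag a passive reply the client will fail on once the control channel is TLS.

    public_ip  - the address the client actually connected to (edge NAT listener)
    dnat_range - (low, high) passive port range forwarded on both NAT hops
    """
    ip, port = parse_passive_reply(reply)
    problems = []
    if ip is not None:
        # Compare against the expected public address first: the documentation
        # range used for the example is itself reserved, so a bare is_private
        # test would misclassify it.
        if ip != ipaddress.ip_address(public_ip):
            if ip.is_private:
                problems.append(
                    f"server advertises internal address {ip}; no FTP helper "
                    f"can rewrite it inside the TLS control channel"
                )
            else:
                problems.append(
                    f"server advertises {ip} but the client connected to {public_ip}"
                )
    lo, hi = dnat_range
    if not lo <= port <= hi:
        problems.append(
            f"data port {port} is outside the DNAT'd passive range {lo}-{hi}"
        )
    return {"ip": None if ip is None else str(ip), "port": port, "problems": problems}


if __name__ == "__main__":
    # Constructed sample replies as an FTPS client would see them after "PASV"/"EPSV".
    samples = [
        "227 Entering Passive Mode (10,20,30,40,195,80)",    # internal IP leaked
        "227 Entering Passive Mode (203,0,113,10,196,10)",   # port not forwarded
        "227 Entering Passive Mode (203,0,113,10,195,88)",   # correct
        "229 Entering Extended Passive Mode (|||50042|)",    # EPSV, port only
    ]
    for s in samples:
        result = check_passive_reply(s, "203.0.113.10", (50000, 50100))
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"{s!r:52} -> {result['ip']}:{result['port']} {status}")
```

Run it once against replies captured from a real session (for example the PASV line `openssl s_client -connect <public-fqdn>:990` shows you after you send `PASV`) and you will know whether the server, the edge NAT and the UTM DNAT rules agree before users start reporting transfers that hang after login.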

  • thanks for the reply.  I'll have a play with DNATs.

    Unfortunately one appliance isn't an option.  We're a large Local Government organisation and we do prefer the backend proxies for added security.