
Accessing Internal Intranet From External Location

Hi all,

We are running two Sophos SG450 UTM Hardware Appliances (9.505-4) running in active-passive configuration.

I have been tasked with permitting access to our internal Intranet from locations external to our organisation. I have mostly got it working, but I've hit a hurdle that I'm hoping someone will give me a hand to get over.

The Intranet site, let's call it assist.domain.com, can be accessed fine, as long as the URL begins with assist.domain.com. However, there are other resources, let's call them cdn.domain.com and profiles.domain.com, which are referenced from the Intranet site. These are also on our internal network but I cannot access these links. These resources are located on separate servers from the one hosting our Intranet site.

Could someone please point me in the right direction as to how I may resolve this issue? Is it a case of creating separate Real Webservers (and corresponding Virtual Webservers) for each of these resources, or can Request Redirection aid in this?

I have Reverse Authentication working on the primary Intranet site but do not want to keep inputting usernames and passwords when accessing the additional resources.

Any help/suggestions would be much appreciated.

Best regards,

John P



  • You need to switch to a technology that can access your whole network.  

    Options are SSL VPN client, HTML5 VPN to RDP (which requires a personal desktop or terminal server), HTML5 VPN to web page (which runs a very old version of Firefox on the user's behalf), or a non-UTM solution like VMware Horizon View.

    Bob Alfson, who knows nearly all about UTM, warns that HTML5 to RDP is high overhead and not intended for more than a very few users.

  • Hi Douglas,

    Thank you for taking the time to respond to my query.

    Can't say that I'm not a tad disappointed in the inability of the UTM Appliance to handle what appears to be a pretty standard requirement. After all, it isn't beyond the realms of reason that an internal Intranet site draws some content from other internal resources.

    Our current method of accessing the Intranet from external locations is via a Microsoft UAG Portal. The web application within the portal has no problem accessing internal resources outside the main Intranet site.

    Looks like we'll have to stick with that discontinued solution for the foreseeable future.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • I cannot justify why they have not updated the HTML5 VPN web resource to use a current browser. I cannot help wondering if the code was inherited in the Astaro acquisition but nobody understands it well enough anymore to make it current. It would be the solution you want.

    WAF is for protecting a website from hostile web queries.   For that function, you need a WAF virtual webserver for each real website.  If you are letting people into your internal network, you are probably not very worried about hostile queries.

  • John, what does Support say about this?  I suspect that it's not possible though, as Doug says.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your post.

    Support basically reiterated what Doug said: the Sophos UTM Appliance couldn't handle these types of redirection requests. They told me to configure HTTP Redirect within IIS on the server hosting our main Intranet site.

    However, I have been assured by our Developer Team (who look after our internal web servers) that this would not work as the desired redirected destinations have completely different FQDNs from the main Intranet site and are hosted on completely separate servers.

    I have to admit that I'm a bit disappointed that Sophos UTM lacks this functionality. Looks like we will have to keep sweating our MS UAG Appliances (having said that, they've run for years without any major mishaps) until a solution is forthcoming from Sophos. Otherwise we may start looking at alternatives to the Sophos UTMs.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • If your domain DNS server points every request for those subdomains to the UTM (you can verify by pinging all the subdomains), this can be done with Web Server Protection instead of DNAT rules.
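The two practical steps the thread settles on are (1) publishing a separate Real/Virtual Webserver for every hostname the Intranet page pulls content from, and (2) checking that public DNS for each of those hostnames actually points at the UTM. The script below is an added example, not code from the thread or from Sophos: it crawls a constructed copy of the Intranet landing page for every cross-host reference (href, src, srcset and similar attributes), strips out the page's own host and non-HTTP links, and then reports, per referenced hostname, whether a virtual webserver has been published for it and whether its DNS record resolves to the UTM's public address. The hostnames are the placeholders used in the thread, and the DNS mapping and UTM IP are constructed; in a live check replace the dictionary lookup with `socket.gethostbyname`.

```python
"""Enumerate the hostnames an intranet page references, so each can be
published as its own WAF real/virtual webserver and its DNS checked.
Added example: not configuration or code from the thread or from Sophos."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the intranet landing page. The hostnames are the
# placeholders from the thread (assumption: they are not real records).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.domain.com/css/site.css">
<script src="//cdn.domain.com/js/app.js"></script>
</head><body>
<img src="https://profiles.domain.com/photo/jp.png"
     srcset="https://profiles.domain.com/photo/jp@2x.png 2x">
<a href="/news">Local link (same host, ignored)</a>
<a href="https://assist.domain.com/helpdesk">Helpdesk (own host, ignored)</a>
<a href="mailto:help@domain.com">Mail (not HTTP, ignored)</a>
</body></html>
"""

# Attributes whose value is a single URL.
URL_ATTRS = {"href", "src", "action", "data", "poster"}


class HostCollector(HTMLParser):
    """Collect every HTTP(S) hostname referenced by a page's tags."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                self._add(value)
            elif name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                for candidate in value.split(","):
                    parts = candidate.strip().split()
                    if parts:
                        self._add(parts[0])

    def _add(self, url):
        # Scheme-relative "//host/path" links get the page's scheme.
        parsed = urlparse(url, scheme="https")
        if parsed.scheme in ("http", "https") and parsed.hostname:
            self.hosts.add(parsed.hostname.lower())


def referenced_hosts(html, page_host):
    """Distinct hostnames the page depends on, excluding the page's own."""
    collector = HostCollector()
    collector.feed(html)
    return sorted(collector.hosts - {page_host.lower()})


def publication_report(hosts, published, dns, utm_ip):
    """For each referenced host: is a virtual webserver published for it, and
    does DNS point it at the UTM?  `dns` is a hostname -> IP mapping standing
    in for a real resolver (swap in socket.gethostbyname for a live check)."""
    return {
        host: {
            "published": host in published,
            "points_to_utm": dns.get(host) == utm_ip,
        }
        for host in hosts
    }


# Constructed lookup data: which hostnames already have a virtual webserver,
# what public DNS returns for each, and the UTM's public address (RFC 5737).
PUBLISHED = {"assist.domain.com"}
DNS = {
    "assist.domain.com": "203.0.113.10",
    "cdn.domain.com": "203.0.113.10",
    "profiles.domain.com": "10.0.0.5",  # still an internal-only record
}
UTM_PUBLIC_IP = "203.0.113.10"


if __name__ == "__main__":
    needed = referenced_hosts(SAMPLE_HTML, "assist.domain.com")
    for host, status in publication_report(needed, PUBLISHED, DNS, UTM_PUBLIC_IP).items():
        missing = [k for k, ok in status.items() if not ok]
        print(f"{host}: {'OK' if not missing else 'needs ' + ', '.join(missing)}")
```

Run it against a saved copy of the real landing page (and of any pages it links to, since sub-pages may reference further hosts) to get the full list of virtual webservers to create; a host flagged as `points_to_utm` false will keep failing from outside no matter how the WAF is configured, which is the check the last reply in the thread is pointing at.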