Unable to access WAF Sites through Web Proxy on XG 210. Does anybody know why?

Hello,

This is my first publication on this community.
First of all, sorry for my English.

We have a Sophos XG 210 with SFOS 17.1.4 MR-4 Firmware.

I've published some web sites through a WAF firewall rule and it looks like everything is OK. I'm able to access the web sites from the WAN side and from the LAN side, but on computers with the Sophos XG web proxy we are unable to access the web sites created on the WAF.

The desktops that have the web proxy are in branch offices, and all are able to access any site on the Internet.

LAN DESKTOPS: 192.168.0.x GATEWAY: 192.168.0.1

WEB PROXY: 192.168.0.1:3128

The web sites are on the DMZ: 172.26.1.X

The sites are published through #PortE1:0...#PortE1:4

Does anybody know why and how to solve it?

I'm a little bit frustrated, because I can't find the solution on the community.

Thanks

Jordi

  • Hi,

    If you do an nslookup or DNS check from the remote sites, what address do you see for the WAF devices?

    Ian

  • In reply to rfcat_vk:

    It resolves to the public IP (#PortE1:X)

  • In reply to JordiPa:

    Hi,

    If you do a tracert to the site where does it go?

    Ian

  • In reply to rfcat_vk:

    At the branch office, tracert points to nowhere, like any other Internet web site, but at the branch office I have a WEB PROXY for HTTP traffic.

    We can browse any website, except those published by WAF in the Sophos XG.

    I get a sophos page with the message: "Website not available. Reason for this message: We found the website's address but were unable to connect to the web server"

    SOPHOS XG LAN: 192.168.0.X Gateway: 192.168.0.1

    SOPHOS XG DMZ: 172.26.1.X Gateway: 172.26.1.1

    BRANCH OFFICE LAN: 192.168.22.X Gateway: 192.168.22.1

    SOPHOS XG WEB PROXY: 192.168.0.1:3128

    WEBSERVER1 on DMZ: 172.26.1.15

    WEBSERVER1 is on #PortE1:4 - 62.36.3.40 (not the real ip)

    WEBSERVER1 FQDN: webserver1.domain.com (not the real fqdn)

    Sophos XG is resolving DNS on 8.8.8.8

    LAN and BRANCH LAN are resolving DNS on the internal DNS server. The internal DNS server points to the public IP of the web server FQDN.

  • In reply to JordiPa:

    Hey, you DO have a Business Application Rule added, correct?

  • Hello Jordi,

    If you have assigned the interface Port E.4 or E.3, your main traffic is going through the default WAN interface address, i.e. Port E. So the traffic might be flowing between your WAN interfaces. Could you please configure a WAN to WAN rule with no NAT applied and check if that would resolve this issue?

  • In reply to @wajdiaa:

    Yes, I do.

  • In reply to Aditya Patel:

    Thanks for the answer.

    It didn't do the trick. I understand what you're explaining, but unfortunately the WAN to WAN rule didn't solve it. I tried to capture the packets when I attempted to browse to my DMZ sites, but it's like they don't exist; I get no traffic, or maybe I don't know what to look for.

  • In reply to JordiPa:

    Hi JordiPa,

    In the WAN to WAN firewall rule, could you please apply NAT MASQ and check if that would work? Also, could you add an exception on one of your machines to bypass the proxy for that public address and check if that makes a difference?

    I would advise opening a service request with secure2.sophos.com/.../support.aspx Sophos Support to open an investigation to check your scenario.

  • In reply to Aditya Patel:

    Hi Aditya,

    Thanks for the response.

    I've tried the WAN to WAN rule with and without MASQ, and nothing.

    The machines with the web proxy enabled are in branch offices and the gateway doesn't point to the Sophos firewall, so if I bypass the proxy I get a 404, which is the correct behaviour.

    I've opened a support case.

    Jordi
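The checks suggested in this thread (Ian's DNS check, Aditya's proxy-bypass comparison) gathered into one script a branch-office admin can run from a client. This is an added example, not Sophos code or anything posted in the thread; the FQDN, public IP and proxy address are the thread's placeholders, and `getent` plus `curl` are assumed to be available on the client.

```shell
#!/bin/sh
# Added diagnostic for the WAF-behind-proxy scenario in this thread (not Sophos code).
# Verifies that the WAF-published name resolves to the expected public address and
# whether the XG web proxy returns the real site or its "Website not available" page.
FQDN="webserver1.domain.com"        # placeholder FQDN from the thread
EXPECTED_IP="62.36.3.40"            # placeholder #PortE1:4 address from the thread
PROXY="http://192.168.0.1:3128"     # XG web proxy address from the thread

# Classify a fetched body: "xg-block-page" when the proxy served its error page
# (matched on the message text quoted in the thread), "empty" when nothing came
# back, "content" otherwise.
classify_body() {
    body="$1"
    if [ -z "$body" ]; then
        echo "empty"
    elif printf '%s' "$body" | grep -qi "unable to connect to the web server"; then
        echo "xg-block-page"
    else
        echo "content"
    fi
}

# Compare the first IPv4 record for a name against the address the WAF rule is
# published on. getent follows the client's normal resolver (the internal DNS
# server in the thread), so this shows what the proxy request is aimed at.
dns_matches() {
    name="$1"; expected="$2"
    resolved=$(getent ahostsv4 "$name" 2>/dev/null | awk 'NR==1 {print $1}') || resolved=""
    echo "$name resolves to: ${resolved:-<none>} (expected $expected)"
    [ "$resolved" = "$expected" ]
}

# Fetch through the proxy or directly and classify the body. A direct fetch is
# only meaningful where the client's default gateway routes to the XG; at the
# thread's branch offices it does not, so expect "empty" there.
probe() {
    mode="$1"; url="$2"
    case "$mode" in
        proxy)  body=$(curl -s -m 10 -x "$PROXY" "$url" 2>/dev/null) || body="" ;;
        direct) body=$(curl -s -m 10 --noproxy '*' "$url" 2>/dev/null) || body="" ;;
    esac
    echo "$mode fetch of $url: $(classify_body "$body")"
}

run_checks() {
    dns_matches "$FQDN" "$EXPECTED_IP" || echo "WARNING: DNS does not point at the published WAF address"
    probe proxy "http://$FQDN/"
    probe direct "http://$FQDN/"
}

# Live checks run only when explicitly requested: WAF_CHECK_RUN=1 sh waf_proxy_check.sh
if [ "${WAF_CHECK_RUN:-0}" = 1 ]; then run_checks; fi
```

A "content" result for the direct fetch alongside "xg-block-page" for the proxy fetch confirms the name and the site are fine and the problem is the proxy path on the XG, which is the evidence worth attaching to the support case.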