Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is this XG a joke?

C'mon!! i've set up multiple UTM 9's ...... why is this piece of crap so hard to get set up??

Asymmetric routing was not a problem before....actually, hang on....it's never a problem till now!!!

I enable it, it works.....but now I can't connect to the XG.  FFS.

 

Wish I never upgraded......way to fk up my weekend Sophos.



This thread was automatically locked due to age.
  • Do you need help with something? 

    __________________________________________________________________________________________________________________

  • just my sanity.....lol

    Thanks for your offer.  i appreciate it.

     

    Trying to handle phone calls about email outages and traverse procedural documentation is a nightmare. 

    I did a tonne of reading before upgrading and I thought I had it covered. Apparently not......

     

    i just rang support.....reckon they've got me sorted.  

    Thanks again.

  • In the process of switching any IT service, recommend to use a Lab (Demo) Box to get familiar with the processes included in this new service. 

    For example, if you are familiar with Microsoft AD, you have literally no idea, what is going on in Azure AD. Just because it follows the same purpose and is the same vendor, there are different approaches. Therefore it is always recommend to work with a lab / demo box to play around your scenario and move afterwards. 

    And most important part, take your time and do not migrate everything in one move. In Case of a UTM / NGFW product, those products services many functions. If everything work except IPsec for example, the whole project could go down. Therefore testing and other mechanism are highly recommended. 

    __________________________________________________________________________________________________________________

  • Normally I would do such a thing.......unfortunately due to limited staff....as in just me, and limited time 4 days till licence runs out.....i was pushed for time after a 3 day, no sleep implementation of Server 2019 RDS upgrade from 2008 due to incompatible licencing.  :- ( 

    Trying to keep 150+ Devices over 20 sites on a WAN back to 6 Servers from 2008 to 2019 inc Exchange Server.

    Workstations with XP to Win10. 60 of which are POS with integrated EFTPOS linked to our Cloud environment with 2 more Win Server.

    That's all me.....replacing receipt printers and keyboards onsite to Domain integrated Intranet with SQL integrated reports for MYOB, Stock Management and Time Management software.

    It's a dam busy schedule....unfortunately management also just canned Logmein due to a price hike from $1800 per year to $5400, so i'm trying to roll out ManageEngines DeskTop central as well as install a 16 CCTV upgrade in 40 degree heat.   Really just bad timing and all :-( 

    Thanks to the lovely chap I spoke to from support I managed to get the email flow happening.....but, I can't get any Activesync devices to work.

    No matter what firewall entry I add.....does nothing. 

    I can ping out to internet so masq is working....but coming back in doesn't do squat.  If you could point me in the right direction i'd be very appreciative.  

  • So - DNAT does not work? 

    I assume, you are using V17.5 as a Version?

    You could do two thing: Update to V18 and work with the NAT there (Which works differently) or use the V17.5 NAT (Business Application Rules). 

    Thats the V17.5 approach: https://community.sophos.com/kb/en-us/122976 

    Business Application called - You need one Rule to allow DNAT etc. 

    __________________________________________________________________________________________________________________

  • Sorry...yeh, DNAT is working. I'm really struggling getting my head around the Business Application side of it I think.

    As we don't have a licence for the Web aspect....it is simply a gateway for our exchange server.  Minimal firewall rules and port forwarding was require on the UTM 9, but I had no issues.

    I've set up a few others as well with Web content filtering and IPS with no issues.....just lost with this interface.  Seem so to be all over the shop from what i'm used to.

    Good ole fashioned CLI might be better :-)  Spend days on a trying to set up a Motorola Meshconnex network via the Gui awhile back....went nuts!  Gave up and went to cli and it was up in no time.

    Lol

     

    This is ver  17.5..... if I could just get Activesync working tonight i'll be happy.  It's 2am at the moment.  I got Activesync to establish via DNAT......mobile device connects but it won't sync.

    I must be missing some thing straight forward surely.

     

  • Actually, you should simply DNAT Port 443 to your Exchange - Thats it. 

    Like in the KBA: 

     

    Replace

    Destination: #Port  --> Put your WAN Interface here. Or the Alias. 

    Service: Put HTTPs here

    Protected Servers: Put your Exchange here.

    Protected Zone: Put the Zone, in which your Exchange Server is sitting. (Basically the Zone of your Interface to the Exchange. 

     

    Should be enough. 

    Use a telnet from external to Port 443 of your WAN Port. Should open and you should land on your Exchange. 

    __________________________________________________________________________________________________________________

  • That's pretty much what I got......except source is ANY.

    Yup....can telnet.  Still no syncing.

  • Well it's now 3.44am....and i'm no closer to getting Active sync working.  I'm not looking forward to the phone call tomorrow....I mean today when managers can't access their daily reports from the external devices.

    I guess 1 thing, I'm glad I did this prior to licence running out.....cuz I won't be upgrading to the XG!!

    I just hope I can roll back to the UTM 9 when it was working perfectly.

    I really don't have time for this kind of balls up.  I'm now ever further behind.

    Thanks for you help Lucar Toni.... I really appreciate it. Cheers 

  • I am quite sure, this issue is not caused by XG. Instead by the Exchange server.

    There are couple of ways to debug this (Conntrack + tcpdump). 

    Exchange OWA / ActiveSync is complex enough, but actually with a DNAT, nothing can actually went wrong from a network perspective. 

    But nevertheless, you should talk about your Job description, there seems some messy stuff going on. 

    __________________________________________________________________________________________________________________