
SilverShield SFTP behind XG

Hi Guys

I have a program called SilverShield, which is an SFTP program, behind UTM and realized that it has DNAT set up on UTM. I am trying to set up DNAT on XG, which has more options, and tried a few, but it does not work. By looking at the screenshot below, is there a way of saying or showing me how I could mock this DNAT rule on XG?

Change the destination to: it's the server where I have the SilverShield SFTP program installed. When I try, I get WinSCP saying "Access Denied". I've checked Azure; all the Security Groups are allowing port 22. I can SSH to the XG no problem, but to this program I cannot. I think I need to set up DNAT in order to get access to the server and the program?

Thanks in advance.

Regards

  • Are you really going to NAT SSH to a server? From ANY? I would highly recommend not doing that.


  • What's the best practice? What do you suggest? I want to make it right :) Thanks

  • It highly depends on your scenario, but it's never recommended to open up SSH to the Internet. In almost all scenarios you're better off setting up a VPN such as SSL VPN at the firewall so you have a secure way to SSH to the server.

    But of course, if the SilverShield SFTP server supports public key authentication and has a login rate limit set up, or you have a lot of users who wouldn't be able to use a VPN, then it's "fine" to open it up to the Internet.

    If you still want to set up a DNAT to the server, you can check out this Recommended Read for XG v18. After setting up the NAT rule you will need to create a firewall rule to allow the traffic.

    One tip to reduce the amount of brute force attacks (if doing a DNAT) is, if possible, to use a GeoIP policy.

    Example: if you're from the UK, and all users that will access the SFTP server are from the UK, then within the firewall policy you should only allow UK IPs.

    Thanks!

  • Thanks. The key is: reduce the attack surface.
