I have a problem that probably started with an IOS upgrade to 17.5 and 18.4. Our Sophos XG could allow our users to download the VPN client by contacting our public interface; however, that is only possible after activating appliance_access on the console, but this disrupts all other internet traffic and renders this useless, as we have more critical services running through internet traffic. I have tried Sophos tech but it's useless.
From my understanding of your post, you want to allow your users to connect to the User Portal via the WAN interface?
Can you send a picture of the "Device Access" tab? It's located inside the "Administration" option on the left menu.
Also, within that menu: in order to allow WAN access to the User Portal, you would need to select the "User Portal" option for the WAN interface. As a reminder, be sure there is no other service/NAT rule using the same User Portal TCP port.
If a post solves your question, use the 'Verify Answer' link.
What port are you currently using for the User Portal? You can see this information inside "Admin and user Settings".
Is there any NAT rule using the same port?
Also, is there any other router or firewall in front of the Sophos XG?
I will try and create a DNAT rule for this, which I have tried before but without any luck ... if you say I should, I will now.
There's no need for a DNAT rule for this; I only asked since NAT rules can pass through and override the XG services.
Again, is there any other router or firewall in front of the Sophos XG, or does the firewall have a public IPv4 address on the WAN interface? If you do a packet capture on the XG, do you receive any packets on the WAN interface for port TCP/443?
Maybe I confused a DNAT and a NAT rule; what's the difference, because I only have the option for a new firewall rule or a DNAT rule. Anyway, I have a router with no rules in front of the XG. I have not tried the packet capture thing because, as far as I know, I need to enable appliance_access to get access, but this disrupts our internet traffic. Yes, the firewall has a public IP facing the router and breaks out to the Internet.
Strange: the users who already have the VPN client configured have no problems; only User Portal access to the public IP is denied. How can I create a rule for this access to be permitted without having appliance_access enabled?
What happens when you browse to the public IP from outside your office? Do you get the XG user portal or some other webpage?
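To answer the two diagnostic questions in this thread from the outside (does a SYN on the portal port get a SYN/ACK, an RST, or nothing, and if something answers, what is it?), here is an added probe script. It is example code written for this page, not from the thread, Sophos, or the XG itself, and it assumes only Python's standard library. The public IP and port are command-line placeholders; the built-in demo target (`_DemoPortal`) is a constructed local listener standing in for a portal so the script can be exercised offline.

```python
import http.server
import socket
import ssl
import threading


def probe_port(host, port, timeout=3.0):
    """Classify a TCP port the way a packet capture on the WAN side would.

    'open'     -> SYN/ACK came back (something is listening and reachable)
    'closed'   -> RST came back (host reachable, nothing bound to the port)
    'filtered' -> no answer within the timeout (dropped upstream, or no route)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return "filtered"


def fetch_banner(host, port, use_tls=True, timeout=3.0):
    """Send one GET and return (status_line, server_header), or None on failure.

    Certificate verification is disabled on purpose: the goal is to learn
    *what* answers on the port (portal, upstream router page, something else),
    not to trust it.
    """
    request = (
        "GET / HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n".format(host)
    ).encode("ascii")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # must precede CERT_NONE
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:          # read until end of headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except OSError:                              # ssl.SSLError is an OSError
        return None
    finally:
        sock.close()
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0] if lines else ""
    server = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return status, server


class _DemoPortal(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a portal: answers 200 and names itself."""

    def version_string(self):                    # becomes the Server: header
        return "demo-portal"

    def do_GET(self):
        body = b"<html>demo portal</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                # keep the demo quiet
        pass


def run_local_demo():
    """Probe a local plain-HTTP listener while it is up, then the same port
    once it is closed, and return what each check observed."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoPortal)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        while_open = probe_port("127.0.0.1", port)
        banner = fetch_banner("127.0.0.1", port, use_tls=False)
    finally:
        srv.shutdown()
        srv.server_close()
    after_close = probe_port("127.0.0.1", port)
    return {"while_open": while_open, "banner": banner, "after_close": after_close}


if __name__ == "__main__":
    import sys
    # Usage from a host outside the office: python probe.py <public-ip> <portal-port>
    host, port = sys.argv[1], int(sys.argv[2])
    print("tcp/%d is %s" % (port, probe_port(host, port)))
    print("responder:", fetch_banner(host, port))
```

Run it from a machine outside the office against the XG's public IP and the User Portal port. A "filtered" result means the SYN never reaches a listener (an upstream device or the XG's own device-access policy is dropping it), which is consistent with a WAN capture showing nothing; "closed" means the firewall answered with an RST, so the packet arrived but no service is bound there; "open" with a Server header that is not the portal's means another device or service is answering on that port first.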
Nope, same reaction: denied. I created a rule and it did allow me when testing, then it went back to the problem again.