
Allow Sophos Connect connection through local XGS firewall

Hello,

Company A, Site A (public IP aaa.aaa.aaa.aaa): XGS 116 with remote access VPN configured

Company B, Site B (public IP bbb.bbb.bbb.bbb): XGS 2100 with remote access VPN configured

How can I allow a PC with the Sophos client installed at Site B to connect to Site A (using the VPN client)? I have the profile imported and the VPN works, but not when I'm behind the local XGS firewall. I don't need site-to-site, only one client from Site B to be able to connect to Site A from time to time.

I get the error:

no response from gateway : aaa.aaa.aaa.aaa



This thread was automatically locked due to age.
  • Look at your App Control, which is probably blocking VPNs, which people often use to bypass your App Controls. You should find Application Logs indicating this.

    Is the PC at Site B well-known or a particular user? You could have a higher-up firewall rule to allow that user (or clientless user) through with less (or no) App control.

  • Do you allow outbound SSL-VPN-Port or IPSec (UDP500+UDP4500)?

    If yes, try to exclude destination from SSL-decryption.

    ... and check App Control as suggested by Wayne Folta.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • So I can solve this in two ways?

    1. I can allow ISAKMP VPN through Application filter 

    2. I can create firewall rule

    Did I understand correctly?

  • You need the firewall rule, because the application-filter must be bound to a firewall rule.

    But if you allow (IKE)UDP500+IPSEC-NAT(4500) you don't need an additional application filter.


    Dirk
