Forwarding non-standard ssh port to standard ssh port internal (remote SFTP Server)

Hi all,

# XG330

I have a project to set up an SFTP server to transfer data securely from a remote station to the SFTP server located in the DMZ (Head Office).
The server is installed, configured and integrated into the DMZ.
The remote client uses an SFTP tool to automatically transfer data with a configured task, using: ipaddr: non-standard port

So I created a DNAT rule as follows:

And I created the firewall rule as follows:

For more security, the client will have to connect with a non-standard SFTP port, then the FW will have to do the port translation of the non-standard port to the default SSH port, which is 22.
The first connection tests were not successful! Impossible to connect.
Is there anything I forgot?
Are there other particularities to take into account and adjust the configuration?

Thanks

  • Hi,

    The firewall rule should have the internal address as the destination.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • And also the internal SSH port instead of external.

    PS: Changing the port used for SSH access does not increase security. It just keeps a small number of scripts from finding the SSH server, but your SSH access will still be found really quickly. Make sure to limit access as much as possible and use public/private key pairs to log on to the SSH server to really increase security.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
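
One way to check the hardening points from the reply above (key-based logins only, access limited) on the SFTP server itself. This is an added example, not part of the original thread; it assumes the server runs OpenSSH, and the config samples and the account name `sftp-station` are constructed for illustration.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated name

def effective_settings(config_text):
    """Global settings as sshd reads them: case-insensitive, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        if keyword == "match":
            break  # Match blocks (per-user overrides) are out of scope here
        settings.setdefault(keyword, parts[1].strip('"') if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Return findings for the points in the reply: keys only, limited access."""
    s = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("password logins enabled")
    if s["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive logins enabled")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("public-key logins disabled")
    if s["permitrootlogin"].lower() != "no":
        findings.append("root login not fully disabled")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups allowlist")
    return findings

# Constructed samples. The second PasswordAuthentication line in WEAK is ignored.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\nPermitRootLogin yes\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PubkeyAuthentication yes\nPermitRootLogin no\n"
            "AllowUsers sftp-station\nForceCommand internal-sftp\n")  # hypothetical account

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

The WEAK sample shows why a later `PasswordAuthentication no` line does not help when an earlier line already set it to `yes`.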

  • As per the requirement, instead of exposing ports over WAN I would suggest using IPSec remote access or SSL VPN.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
