
External Partners Accessing DMZ

Hello,

Need your recommendations: we want to implement an SFTP server to exchange data from and to one of our external partners. I am planning to add the server to the DMZ group and restrict just the FTP protocol to it, and create a NAT rule. I also want to force the external and internal users to VPN before accessing this server. For the internal users I believe it should be easy, since they already have the client installed; I can create a new profile or firewall rule for them specifically to connect to this server, and all other internal users are not allowed to connect to it. However, for the external partners, would using clientless VPN and creating a guest user for them help in this situation? Any other ideas or better suggestions to make it secure? Or is site-to-site better, although they only need this SFTP server?



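The design described in the question (SFTP host in the DMZ, only the file-transfer protocol allowed to it, access forced through VPN) is usually paired with hardening on the SFTP host itself so that the firewall rule is not the only control. The following sshd_config fragment is an added example, not something posted in this thread or part of any Sophos documentation. It assumes two constructed VPN client pools, 10.242.0.0/24 for internal users and 10.243.0.0/24 for external partners, and a Unix group named sftp-partners for the partner accounts; adjust all three to your environment.

```text
# Added example (not from the original thread): sshd_config fragment for the
# partner-facing SFTP server in the DMZ. Assumed values (constructed): VPN pools
# 10.242.0.0/24 (internal) and 10.243.0.0/24 (external partners), and a Unix
# group "sftp-partners" for the partner accounts.

# Use the in-process SFTP subsystem so no shell or binaries are needed inside the chroot
Subsystem sftp internal-sftp

# Server-wide: no root login, key-based authentication only
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Partner accounts: confined to a root-owned directory, SFTP only, no tunnelling of any kind
Match Group sftp-partners
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# Defence in depth behind the firewall rule: connections that do not originate
# from one of the VPN pools are refused authentication regardless of user
Match Address *,!10.242.0.0/24,!10.243.0.0/24
    DenyUsers *
```

Two points to keep in mind when applying this. sshd requires the ChrootDirectory (here /srv/sftp/<user>) and every component of its path to be owned by root and not group- or world-writable, so give each partner a writable subdirectory such as /srv/sftp/<user>/upload rather than making the chroot itself writable. Run `sshd -t` after editing to validate the file, and keep the firewall rule that limits the DMZ host to SSH from the VPN zone in place; the Match Address block only catches traffic that reaches the host by a path the rule set did not anticipate, such as an over-broad NAT rule.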
    Hello Reem,

    Good day, and thanks for reaching out. 

    Your proposed setup of clientless VPN should work since FTPS is supported on Clientless SSL VPN Bookmark: https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/Clientless/index.html

    I think the catches here are:

    -you do not have control over the end machine of the external partner (please take note that putting the server into a DMZ matters should the end machine be potentially compromised)

    -clientless relies on HTTP/S to access resources and could potentially cause overhead

    -lacks further verification and access control, usually doesn't put zero-trust model architecture into consideration etc. 

    Some Pros I can think are:

    -they are usually easy to implement and configure

    -suitable for your external partners since they do not need to install anything and will just access the resource on demand

    That being said, the feature should work, but consider and weigh the items above (the list could go on; I only suggested the essential ones I could quickly think of)

    Further, I would also recommend getting in touch with your local Sophos Sales Engineer or Sophos Partner to discuss your setup further.

    I hope this helps you on your implementation. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support