We have an XGS 4005. We are currently having problems accessing a website on a non-standard SSL port (7007). If we access the website from outside of our network it works fine, but when we try to access the website from within our network the website is unreachable.
Any ideas?

Hello,
Could you confirm if I'm understanding the diagram and your setup correctly?
So the ones having problems are your internal users accessing https//website(dot)com:7007 -> passes through Sophos Firewall -> then the server is hosted in the cloud -> then they encounter an error?
Then when external users (who are outside your network) access https//website(dot)com:7007 directly w/o Sophos Firewall, they encounter no issues.
If the above is not the case, I think the next potential scenario would be similar to this: DNAT Problem - You could try to follow the steps outlined in the discussion from the past thread.
Regards,
Raphael Alganes
 Global Community Engineer, Support & Services
 Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
 If a post solves your question, please use the 'Verify Answer' button.
The award-winning home for Sophos Support videos! - Visit Sophos Techvids
Yes, that is correct: inside the LAN there is no access to the website:7007, but outside of the network it works OK.
Thanks for confirming. Are you using Web Filter/IPS/App policy? Do you see any deny messages in Log Viewer? Have you tried accessing the site w/o the features? Do you use SSL/TLS decryption?
Raphael Alganes
Hi, yes we are using web filter/IPS/App policy, but with IPS disabled and app set to 'allow all' we still have the same problem.
SSL/TLS inspection is turned on; however, I have added exceptions for https//website(dot)com:7007 and in the logs I can see an action of 'do not encrypt'.
Thanks
Hi,
add 7007 to the web proxy allowed list of ports.
Ian
XGS118 - v22.0 EAP
XG115 converted to software licence v21.5.0
If a post solves your question please use the 'Verify Answer' button.
Hi, added the port to the allowed web proxy ports but still having the same issue.

Hi,
you were a little quicker. Please post your firewall rule in expanded detail.
Ian
Hi, the x2 rules in question are our web-services WAN to LAN port 7007 rule below:

And I have an open rule for testing purposes with a laptop using WIFI, which uses our WIFI interface port to WAN with any services and no web filtering enabled:


All other traffic is working fine; it's just accessing our webservices 7007 that's the issue. We have also tried another website with a non-standard SSL port and that doesn't work either.
Just to add.. during testing if accessing the above 7007 port using an iPhone over WIFI with iCloud private relay enabled the site works fine.
thanks
In your SSL/TLS rules, if you have a Decrypt rule, make sure the Services is set to HTTPS and not Any.
If traffic is not working, can you go to Log Viewer, Detailed View, all logs. Do the action. Is there anything in Web Filter, SSL/TLS Inspection or Firewall?
Issue has now been resolved. We needed to create a loopback rule as the URL was inside our local network and trying to access from our public facing IP. Creating a DNAT rule resolved it.
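The condition described in the resolution above (a LAN client reaching a locally hosted service through the firewall's own public IP) can be checked from an internal machine before touching web filter or TLS settings. This is an added example, not part of the thread or any Sophos tooling; the function names and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
import socket

def needs_loopback_rule(client_ip, resolved_ips, wan_ips, lan_nets):
    """True when an internal client is sent to one of the firewall's own WAN IPs."""
    client = ipaddress.ip_address(client_ip)
    inside = any(client in ipaddress.ip_network(n) for n in lan_nets)
    wan = {ipaddress.ip_address(a) for a in wan_ips}
    return inside and any(ipaddress.ip_address(a) in wan for a in resolved_ips)

def resolve(host, port):
    """Addresses the client's own DNS returns for the service name."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_reachable(ip, port, timeout=3.0):
    """Plain TCP connect; no TLS, so decryption rules are not the variable here."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(host, port, client_ip, wan_ips, lan_nets,
             resolver=resolve, probe=tcp_reachable):
    ips = resolver(host, port)
    hairpin = needs_loopback_rule(client_ip, ips, wan_ips, lan_nets)
    reachable = any(probe(ip, port) for ip in ips)
    if reachable:
        verdict = "reachable"
    elif hairpin:
        verdict = "hairpin: LAN-sourced traffic to the public IP needs a loopback/DNAT rule"
    else:
        verdict = "unreachable, not hairpin: check firewall, web filter and TLS logs"
    return {"resolved": ips, "hairpin": hairpin,
            "reachable": reachable, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample: stubbed DNS and probe so the demo runs offline.
    result = diagnose(
        "website.example", 7007,
        client_ip="192.168.10.25",          # laptop on the internal WIFI
        wan_ips=["203.0.113.10"],           # firewall's public address
        lan_nets=["192.168.10.0/24"],
        resolver=lambda h, p: ["203.0.113.10"],
        probe=lambda ip, p: False,
    )
    print(result["verdict"])
```

To run it against a live network, drop the `resolver` and `probe` arguments and pass your own WAN addresses and internal subnets.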