Remote SSL VPN - Can't open login page

Sreenshot from the Userportalsettings plz!

Below error I get when try to browse... no proxy has been setup on client browser.. tried with Mozilla and Chrome both..

Regards,

Khushnood

Ok, I meant the Userportalsettings!

Hi,

Can you elaborate more on user portal settings means? If this is about browser then we do not use any proxy in the network.

Regards,

Khushnood

Hi, by loginpage you mean the UTM user portal, right? The user portal where you can download the SSL VPN client! If you can't access it, either a firewall rule blocks it or the VPN network is not allowed to access the user portal.

If it is another website, you should check whether the SSL VPN network is masked.

Hi,

I tried with opening all the ports, however, no luck.

Can you elaborate more on "VPN network is not allowed to access the user portal" means? Is it something I need to add static route?

And what does "SSL VPn network is masked" stands for?

Thanks & Regards,

Khushnood

I guess I misunderstood what you meant by Loginpage. Here is an example of masking the internal network. Add the VPN-Pool and check.

1.

2. Remove your FW rule, because "Auto Firewall is on" you setup on your Remote access profle

See if that work....

Hi,

No luck even after "Auto Firewall is off"

Regards,

Khushnood

Hi,

I have turned off Auto Firewall and even update the records in public DNS, but no luck. I am attaching herewith NAT rule for your reference and need your advise if this is okay;

Regards,

Khushnood

Namaste Khushnood and welcome to the UTM Community!

I see that you're new to UTM.  In fact, you've run into many learning opportunities! ;-)

You do want to keep 'Auto Firewall Rule' in the SSL VPN Profile.

On the 'Settings' tab in 'Server Settings', you cannot use TCP 4443.  I recommend UDP 1443.

On the 'Advanced' tab, I recommend against selecting to compress the traffic.

Firewall rule 7 has no effect.  Note that "External (WAN) Address" is the single IP that you've assigned to that interface.  I suspect you wanted the "Internet IPv4" object instead.

It's confusing that the Hostname would be an internal IP.  See The Zeroeth Rule in Rulz.

The DNAT has no effect.  See #4 and #5 in Rulz before you make another NAT rule.

 You may also want to add the "VPN Pool (SSL)" object to 'Allowed Networks' in DNS and Web Filtering.

58.185.35.212 is an IP in Singapore.  If you still need help, tell us what you are trying to login to there.

Cheers - Bob

Hi Bob,

Namaste and thanks for detailed finding. I will do all the changes as per suggestion made above and open for you to login and check.

Just to elaborate more: the UTM is behind the NAT .

Kindly advise your availability tomorrow so that I can open the port for your to login if necessary.

Thanks & Regards,

Khushnood

Hi Bob,

Namaste and thanks for detailed finding. I will do all the changes as per suggestion made above and open for you to login and check.

Just to elaborate more: the UTM is behind the NAT .

Kindly advise your availability tomorrow so that I can open the port for your to login if necessary.

Thanks & Regards,

Khushnood

HI again Khushnood,

Thanks for your compliment to my integrity by inviting me into your UTM.

My time here in the UTM Community is justified as "marketing" for MediaSoft as a Sophos sales and services partner.  When I have direct contact over the phone or I work on a client's device, MediaSoft bills that time.

Please show us pictures of your new configuration.  That will let me quickly confirm and it will help future Community members to see what works.

Cheers - Bob

Hi Bob,

This is a test environment and we are evaluating product specially for SSL VPN with 2FA. Paying a bill back is quite difficult for me in this case. I am proposing Sophos but won't able to prove  unless I can make it working.

To give you a detailed view about setup, this is installed on a hardware with 2 network ports in our LAN subnet 192.168.248.x / 24. The WAN IP of the device is 192.168.248.16 for which I already have made DNS entry sophos.lantone.com.sg which is point out to the WAN IP. The LAN subnet configured is 10.10.10.x / 24 which is not been connected anywhere.

Now I am trying to connect to local interface 192.168.246.16 from my LAN, however, no luck and getting below error;

I took screenshots of entire configuration and are as below;

Dashboard

Hostname

WebAdmin Settings

Network Definitions

Service Definitions

Interfaces

DNS

Firewall

NAT – Masquerading

NAT

Web Filtering

Remote Access – SSL

Regards,

Khushnood

You're getting closer, Khushnood.  Change the port for the SSL VPN to 1443.  In the DNAT, delete "HTTPS" in ''and change the service to'.  Try again and let us know what you learn from doing #1 in Rulz.

Cheers - Bob