Unless I'm mistaken, a typical DNAT rule meant to expose an internal service to the outside world should forward a packet coming from the internet to a target server (changing only the destination, hence D in the DNAT).
Now, as is, we have the following kind of setup.
Internet -> Sophos UTM -(DNAT,443)> Windows SSTP server -(RADIUS)> Windows NPS server
In other words, our UTM forwards TCP 443 connections from a specific IP to our SSTP server (I'd love to use the Webserver Protection, but AFAIK it's not supported for SSTP). Our SSTP then connects to our NPS to authenticate the connection request. However, the NPS logs seem to indicate that the requests are not coming from some online IP; they all have the UTM's IP.
The DNAT rule in question is as follows:
Matching Condition
- For traffic from: Internet IPv4
- Using service: HTTPS
- Going to: public facing IP
Action
- Change the destination to: Availability group with our 2 VPN hosts
I know it's probably a long shot but... any idea why the logs might be showing Sophos as the source?
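To illustrate the distinction the question rests on, here is an added example (not from the original post or from Sophos) that models a packet crossing the UTM: a pure DNAT rewrites only the destination, so the VPN host still sees the remote client's address, whereas a rule that also source-NATs (masquerades) replaces the source with the UTM's own address. All addresses are constructed, and the masquerade case is only an assumption about one way the observed symptom could arise, not a claim about the poster's configuration.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the walkthrough; none come from the original post.
INTERNET_CLIENT = "198.51.100.23"  # remote SSTP user on the internet
UTM_PUBLIC = "203.0.113.10"        # the UTM's public-facing IP
UTM_INTERNAL = "10.0.0.1"          # the UTM's inside address
SSTP_SERVER = "10.0.0.20"          # the Windows SSTP host behind the UTM


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dnat(pkt: Packet, match_dst: str, match_dport: int, new_dst: str) -> Packet:
    """Pure DNAT: rewrite only the destination; the source stays untouched."""
    if pkt.dst == match_dst and pkt.dport == match_dport:
        return replace(pkt, dst=new_dst)
    return pkt


def snat(pkt: Packet, new_src: str) -> Packet:
    """Source NAT / masquerading: the forwarder substitutes its own address."""
    return replace(pkt, src=new_src)


def forward_through_utm(pkt: Packet, masquerade: bool = False) -> Packet:
    """Apply the HTTPS DNAT rule, optionally followed by masquerading (assumed)."""
    out = dnat(pkt, UTM_PUBLIC, 443, SSTP_SERVER)
    if masquerade:
        out = snat(out, UTM_INTERNAL)
    return out


def source_seen_by_sstp(masquerade: bool) -> str:
    """Return the source address the SSTP server (and so the RADIUS request) records."""
    inbound = Packet(src=INTERNET_CLIENT, dst=UTM_PUBLIC, dport=443)
    return forward_through_utm(inbound, masquerade).src


if __name__ == "__main__":
    print("DNAT only      ->", source_seen_by_sstp(False))
    print("DNAT + SNAT    ->", source_seen_by_sstp(True))
```

If the address recorded downstream matches the UTM rather than a public client address, the forwarding path is behaving like the second case, which is the condition worth checking in the rule set.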