Hi Everyone.
We have a Sophos UTM 9 (9.711-5).
We have a SaaS application hosted at a remote site (of a third party). Our internal network routes any requests for this service via a RED 15 that is hosted at the remote site. The app is accessed via a web page that resolves to the internal network of the remote site. This all works fine and has been in place for many years now.
We have recently started deploying laptops to staff that are AAD-joined devices. They connect to our corporate network via VPN, which uses the Sophos Connect SSL VPN client. They are able to access all resources on-site (printers, drives, etc.).
The issue I am having is getting users access to the remote SaaS via the RED 15. To start with, the VPN clients could not ping the IP of the remote site. DNS resolution was working fine, as it was picking that up via our internal DCs.
I added the SaaS network to the allowed Local Networks on the SSL VPN pool network (default 10.242.2.0/24) and the devices could then ping the IP, but traceroute would go to 10.242.2.1 and then time out.
I have added a rule to allow traffic from the SSL VPN network to the SaaS network. I have tried creating a masquerading rule for SSL VPN > Internal. I have tried adding a DNAT so that any requests for the SaaS IPs from the SSL VPN network are sent to the SaaS network (RED).
Although I can ping any of the IPs and the DNS resolves properly, I am unable to load the required page to log into the app. I have contacted the remote site and they advise me there are no issues with any IP filtering or blocked requests.
There is an existing masquerade rule as part of the deployment years ago that states traffic from the RED going to the SaaS IPs changes the source to our Internal network, so I am wondering if the issue is that the VPN IPs should be on the same subnet? I would have thought this should have been resolved by creating a masquerading rule for the "SSL VPN > Internal" though?
Does anyone have any experience of a similar issue or can see where I am going wrong? Happy to provide more info if required.
Cheers,
Jon
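The post checks DNS and ping by hand but not the layers the web page actually depends on. The script below is an added example (not Jon's, and not a Sophos tool): run from a VPN-connected laptop, it walks DNS, ICMP, TCP connect and TLS handshake for one host and maps the result to a fault class. The hostname `saas.example.invalid` and port 443 are placeholders. The pattern the post describes (DNS and ping succeed, page never loads) lands in the `tcp-blocked-or-asymmetric` class, which on a setup with per-network masquerading usually means the TCP reply path differs from the request path and is worth checking against the existing RED masquerade rule.

```python
"""Client-side reachability ladder for a host reached over a VPN/RED path.

Added example, not from the original post. ICMP and DNS can succeed while
TCP fails when the return traffic is routed or NATed differently from the
outbound request, so each layer is tested separately.
"""
import socket
import ssl
import subprocess
import sys


def resolve(hostname):
    """Return the first IPv4 address for hostname, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def icmp_reachable(ip, timeout=2):
    """Send one ping; uses the Windows or POSIX flag set as appropriate."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout * 1000), ip]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout), ip]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout + 3).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_connect(ip, port, timeout=3):
    """True if a TCP three-way handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(ip, hostname, port=443, timeout=5):
    """True if a TLS handshake with SNI=hostname completes (certificate verified)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except (OSError, ssl.SSLError):
        return False


def diagnose(dns_ok, icmp_ok, tcp_ok, tls_ok):
    """Map the four layer results to the most likely fault class."""
    if not dns_ok:
        return "dns"
    if not icmp_ok and not tcp_ok:
        return "no-route"
    if icmp_ok and not tcp_ok:
        # ping works but TCP does not: suspect the reply path / NAT, not DNS
        return "tcp-blocked-or-asymmetric"
    if tcp_ok and not tls_ok:
        return "tls"
    return "ok"


def run_ladder(hostname, port=443):
    """Run every layer check for hostname and return the results plus a diagnosis."""
    ip = resolve(hostname)
    dns_ok = ip is not None
    icmp_ok = icmp_reachable(ip) if dns_ok else False
    tcp_ok = tcp_connect(ip, port) if dns_ok else False
    tls_ok = tls_handshake(ip, hostname, port) if tcp_ok else False
    return {
        "ip": ip, "dns": dns_ok, "icmp": icmp_ok, "tcp": tcp_ok, "tls": tls_ok,
        "diagnosis": diagnose(dns_ok, icmp_ok, tcp_ok, tls_ok),
    }


if __name__ == "__main__":
    # placeholder hostname; pass the real SaaS hostname as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "saas.example.invalid"
    print(run_ladder(target))
```

Run it once with the VPN connected and once from the office LAN; if the office run reports `ok` and the VPN run reports `tcp-blocked-or-asymmetric`, the difference is in how the SSL VPN pool is routed and NATed towards the RED, not in DNS or the remote site's filtering.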