
Redirect traffic to UTM VIP

Hi,

I am using UTM 9 with a single network adapter in order to redirect my traffic based on the host header. Everything works fine, but now I want to configure the SSL VPN and the User Portal. Since 443 is already used on the Sophos adapter, I have created a virtual one with a different IP address to bind to, in order to use the VPN and portal on 443.

From the internal network the portal and VPN work fine, since they are hitting the VIP directly, but from outside I can't get the portal to work; I don't know about the VPN yet. I have created a Virtual Web Server that redirects traffic to the "Real Web Server", the VIP of the network interface, again based on the host header it gets from the browser. It looks like it is having trouble redirecting to one of its own IPs.

For the real server option I have created a new host and added the VIP of the UTM network adapter.

Can I redirect Web traffic to Sophos own IPs using a Virtual Server?

Thanks



  • Here are my usual recommendations, Adrian:

    • SSL VPN: UDP 1443
    • User Portal: TCP 2443
    • WAF: TCP 443

    Up until Google came up with QUIC (UDP 443) as a way to accelerate HTTPS, I was comfortable with UDP 443 for the SSL VPN.

    All that to say that I wouldn't try to resolve the situation in the way you are trying to do it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Yes, I know I can change the port, and I did it and it works great, but doing so will block my connection on networks that filter their traffic. If I want to connect from work it won't work, since only 80 and 443 are allowed outbound.

    I guess I will need another IP from my ISP for this.

  • Not sure what you mean by a Virtual IP. If you only have one IP address from your ISP, you cannot invent a second IP that is reachable from the internet.

  • It is hard to understand what you configured before User Portal. Here is my guess:

    You have a bunch of things that you want to reach at home from work. You set them up as WAF sites. But now you want to do something more, and you are limited by the work firewall and the fact that the web ports are already used.

    I will only suggest in passing that you may be best served to avoid doing personal stuff from your work network...

    If this setup is only for you, consider removing all of the WAF configuration and using just User Portal. Configure HTML5 VPN to RDP to access your systems at home. Once connected to one of those systems, you can access web sites as a local user.

    If this is a side business and your clients need access to the WAF sites, then you need a second IP address. I would move the WAF sites to the secondary address and put User Portal on the address that UTM thinks is primary.

    Either way, I strongly suggest OTP for any remote access. The bad guys are doing password guessing attacks all the time.

  • By VIP I mean the additional internal address. So eth0 is my network adapter, and I added a second IP to this adapter, which becomes eth0.1 (IP multinetting).

    I already have RDS in my network; I just wanted to test the VPN from outside to see how it is working. I guess I will need another public IP.


    Thanks for the help, much apprech...