WinSCP to External Server

Question

Hi, 
 
 I have an internal server (A) and I want to use WinSCP to SFTP to an external server (B). 
 In between A and B is a Sophos UTM 9 appliance. 
 The Sophos UTM 9 appliance has a web proxy set up. 
 There is a firewall rule on UTM 9 that forwards port 80 traffic from the internal to external network. 
 To test the proxy, I used IE to browse to bbc website. Before the proxy was set it could not load the page. When I set the proxy as the UTM device and the web proxy port, I could then browse to the bbc website. No web proxy login was required. 
 In WinSCP I chose to use a proxy using HTTP and set the proxy server to be the UTM 9 appliance and the port as the web proxy port. No web proxy was required. 
 When I try to connect to the external server (B) using WinSCP, the logs say it connects to the web proxy but then times out waiting for response from the external server. 
 
 My questions are as follows: 
 1. Has anyone managed to do something similar and had success? 
 2. Will the UTM 9 web proxy forward SFTP traffic? I have read some web proxy's will not do this. 
 3. Are there any logs on the UTM 9 appliance that I could check to see what is happening on the web proxy and see any more information of what is happening? 
 4. Can anyone offer any tips for trying to diagnose what the issue might be? 
 5. Could the follow explanation be valid: If the connection being attempted by the web proxy was to external server port 22, if so could it be that another firewall exists between the web proxy and the external network that is blocking traffic on port 22 - how could we test this? 
 6. Or: as there is a firewall rule for port 80 to route from internal to external via UTM, do we need to set one up for port 22, so that the connection from the web proxy can exit the UTM 9 appliance? e.g. could it be that this is the situation: 
 A begins SFTP connection via web proxy -> web proxy on port (XX) on UTM 9 -> proxy attempts connection to B (port 22) -> UTM 9 firewall blocks as will not allow traffic out on port 22 
 add firewall rule for port 22, same as existing one for port 80: 
 A begins SFTP connection via web proxy -> web proxy on port (XX) on UTM 9 -> proxy attempts connection to B (port 22) -> UTM 9 firewall allows traffic out on port 22

Thanks for your time, 
 
 Tom

kerobra_retired · Accepted Answer

There are many logs where you can find something to your connections. Your best friends are 'Web Filtering' for the web security, 'Firewall' for the... guess what ;-) and Intrusion Prevention System for anything concerning IPS and/or flood protection. 
 If I am honest I don't understand your setup really. 
 You have a UTM and you are using the web protection. If you use that, you don't need to allow firewall rules that allow port 80. This rule will only apply, if the proxy is bypassed by simply not using it or because of an exception. But - and I think there was your initional problem - you do not seem to have Masquerading activated. Without Masquerading your UTM does not NAT the outgoing traffic to its external IP (assuming your UTM is directly connected to the internet and has an external IP on its WAN interface). 
 When you use the proxy all traffic going over it uses the external IP of the UTM automatically. 
 If you want to use sftp over http proxy then you need to allow the usage of SSH traffic in the proxy configuration. I would activate Masquerading and define a firewall rule for SSH outgoing to the known destination only. Actually you are getting 'target service not allowed' errors in the Web Filtering Log I could bet. 
 I would start with a very small config at the start... no proxy, no ips, no flood protections active. A Masquerading rule for your internal network to your external interface and then allow 'Internal network (network)' using service 'Web Surfing' going to 'Internet IPv4'. If that works you can refine the firewall rules and activate network protection (if licensed). In a complete second step I would activate a transparent proxy and disable the 'Web Surfing-rule' from above. 
 If you are new to the materia UTM (sorry if not, but it seems so) then you should read some basics about the concepts of firewalls and proxies first before you start to configure an all-in-one solution.

BAlfson · Answer

Hi, and welcome to the UTM Community! 
 I'm with Kevin about not "seeing" your whole setup, but it shouldn't make any difference. I bet his suggestion to look in the Firewall log file will have given you the answer you were seeking. Whenever something seems strange, do #1 in Rulz . 
 I use WinSCP with SFTP often on client UTMs and have done so as far away as Germany, India and Australia. Port 22 traffic does not pass via the Web Proxy, nor via any Proxy - it passes via a firewall rule. 
 Cheers - Bob