
WebProtection can't resolve hostnames without domain suffix

It seems that it's not possible to use WebProtection at all if I need http access to hosts on local or tunneled networks.

For example, on Windows workstations there is an advanced DNS tab where I can put in a list of additional domain suffixes, so every DNS request is suffixed with those domains until a matching host is found.

Now when I use WebProtection in "Transparent mode" and try to access host-xyz without a domain suffix, I get an error message from the Sophos firewall.

Now my questions:

1. Is there a way to add multiple domain suffixes for the WebProtection proxy?

2. Since those hosts are trustworthy web servers, it would also be OK to create an exception in Filtering Options to skip protection when accessing hostnames without domain suffixes. How could I create such an exception?



This thread was automatically locked due to age.
  • I have a VPN tunnel to a network with another DNS suffix. I added this suffix to "Network Services" -> "DNS" -> "Request Routing" and pointed it to the DNS server of the other network, so that the UTM knows which DNS server it has to ask when someone calls a URL with this suffix. But this is not working for HTTP requests over the WebProtection proxy. I get an error "No route to host". I think the WebProtection proxy asks only the external DNS servers, not the internal or forwarded DNS servers.

    You need to add the networks to the exception list of the WebProtection to solve this.

  • https://community.sophos.com/kb/en-us/115191 also

     

    Probably wouldn't hurt to read some documentation before setting the UTM up.

  • The article has nothing to do with the problem. There is no NAT and/or asynchronous routing, because he tried to access an "internal" URL over a VPN tunnel, which has a different DNS suffix than his own LAN. The problem seems to be that the WebProtection proxy doesn't resolve the DNS suffix of the VPN network, and it tried to resolve it via the external DNS servers.

    Maybe it works if he creates a static DNS entry in the UTM with the DNS suffix of the VPN LAN.
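
Added example (not part of the original thread, and not Sophos code): a small Python model of the mismatch discussed above, where the workstation resolves a short name with its own suffix list but a transparent proxy resolves the `Host` header on its own. The record, suffixes, network and the `skip_networks` parameter are constructed placeholders, and the proxy's resolving behaviour is an assumption of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS data; the name and address are placeholders, not from the thread.
RECORDS = {"host-xyz.branch.example": "10.20.0.15"}

def resolve(name, search_list=()):
    """Return (fqdn, ip) or None. Single-label names are tried with each suffix in order."""
    candidates = [name] if "." in name else [f"{name}.{s}" for s in search_list]
    for fqdn in candidates:
        if fqdn in RECORDS:
            return fqdn, RECORDS[fqdn]
    return None

def client_request(typed_host, client_search_list):
    """Workstation side: resolve with the local suffix list, keep the typed name in Host."""
    hit = resolve(typed_host, client_search_list)
    if hit is None:
        return None
    return {"dst_ip": hit[1], "host_header": typed_host}

def transparent_proxy(request, proxy_search_list=(), skip_networks=()):
    """Proxy side (assumed behaviour): intercept the request and resolve Host itself."""
    dst = ip_address(request["dst_ip"])
    # Hypothetical exception list: destinations here bypass the proxy entirely.
    if any(dst in ip_network(net) for net in skip_networks):
        return f"skipped: forwarded unfiltered to {dst}"
    hit = resolve(request["host_header"], proxy_search_list)
    if hit is None:
        return f"error: proxy cannot resolve '{request['host_header']}'"
    return f"filtered: proxied to {hit[0]} ({hit[1]})"

def demo():
    short = client_request("host-xyz", ["hq.example", "branch.example"])
    full = client_request("host-xyz.branch.example", [])
    return {
        "short_name": transparent_proxy(short),
        "fqdn_typed": transparent_proxy(full),
        "destination_skipped": transparent_proxy(short, skip_networks=["10.20.0.0/24"]),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In the skipped case the traffic to that network is no longer scanned or filtered, so such an exception is best limited to the specific internal or tunneled networks involved.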
