
SSL VPN internet issues

Hi * following situation

UTM 9 on an SG 330

SSL VPN is configured with the AD SSO backend and the default VPN pool DHCP addresses

VPN pool is set to allowed in DNS

DNS servers in SSL VPN are internal DNS servers with no outside connection (e.g. they can't resolve www.google.com)

Web protection filtering is on in Standard mode (and internal network + SSL VPN pools are allowed)

Now when connected with SSL VPN to the Sophos, I can look up internal addresses fine, I can access all servers fine

but I cannot access the proxy (http://sophos:8080) (the Squid proxy is not enabled, just the web filtering in Standard mode) and therefore I cannot access the internet through the proxy.

I do not see any of my assigned ops in the web filtering log

The SSL VPN connection is set to allowed networks ==> internal

Internal computers can surf the web via the sophos:8080 proxy, which can be auto-configured via wpad.dat

I can ping outside addresses if I know the IP address, but obviously this will not help me with the web proxy

e.g. in whatever browser I type www.google.con, and nothing happens

In the company I cannot resolve the IP address of www.google.com either, but when typing it into the web browser, the proxy resolves it accordingly and I can surf the web

I hope that makes sense

 



  • Hi, Olaf, and welcome to the UTM Community!

    Like the SSL VPN, several different sections of the UTM will use AD, but only Web Filtering uses AD-SSO.

    "vpn pool is set  to allowed in dns" - Have you configured 'Remote Access >> Advanced'?

    "web protection filtering is on in standard mode (and internal network + vpn ssl pools are allowed ) [...] but I cannot access the proxy"  Is the browser of the client connected via SSL VPN configured to use the Standard mode?

    "I cannot access the internet through the proxy.  I do not see any of my assigned ops in the web filtering log" - doesn't this mean that the browser of your client isn't configured to use the Proxy?

    I normally configure the Default Profile in Transparent mode without Authentication and then create a Web Filtering Profile in Standard mode with AD-SSO authentication.  That way, if a computer doesn't qualify for the Profile in Standard mode or is not configured for Standard Mode, requests from it are handled by the Default Profile in Transparent.  I put more restrictions on Transparent mode usage.

    Cheers - Bob
    PS Moving this thread to the Web Protection forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • "vpn pool is set  to allowed in dns" - Have you configured 'Remote Access >> Advanced'?

    ==> Yes, what info do you need here?

    "web protection filtering is on in standard mode (and internal network + vpn ssl pools are allowed ) [...] but I cannot access the proxy"  Is the browser of the client connected via SSL VPN configured to use the Standard mode?

    ==> I only test with MacBooks, and I have the proxy in the network settings, if that answers your question

    "I cannot access the internet through the proxy.  I do not see any of my assigned ops in the web filtering log" - doesn't this mean that the browser of your client isn't configured to use the Proxy?

    ==> As above, the proxy is configured

    I normally configure the Default Profile in Transparent mode without Authentication and then create a Web Filtering Profile in Standard mode with AD-SSO authentication.  That way, if a computer doesn't qualify for the Profile in Standard mode or is not configured for Standard Mode, requests from it are handled by the Default Profile in Transparent.  I put more restrictions on Transparent mode usage.

    ==> I tried yesterday and took the block away if AD SSO fails, and at least on the command line I could reach the web via wget, but no browser was able to reach the web

  • A screencap of 'Remote Access >> Advanced' would work!  Also, one of 'Allowed Networks' in your Web Filtering Profile and one of 'Local Networks' in the SSL VPN Profile.

    Cheers - Bob

  • How do I get those screenshots to you?
  • You can drag-n-drop them into the editor here or cut-and-paste or Insert an image file.

    Cheers - Bob

  • That all looks good.  DNS best practice recommends that your DNS servers try to access the UTM before going directly to public name servers.

    Another thought - mobile users probably don't have their browsers set to use a Proxy.  You might want to make a Web Filtering Profile that duplicates your existing Default Profile and then change the Default to Transparent mode.

    Cheers - Bob

  • The second part I have done, but I can't do the first part

    My internal DCs shall not have access to any public DNS server

    My internal computers shall not use the Sophos as DNS server but the DCs

    If someone wants to browse the web, they can do so with the web filtering proxy on the Sophos, which then does the name resolution for them

    If I access through SSL VPN, this is somehow not honored

    I can browse the internet when using the DNS server from the Sophos, but nothing works if I take the proxy.

    When choosing the proxy I do not even see any traffic in the logs. Therefore something must be wrong with the config for the Sophos

  • If Web Filtering is used in Transparent mode, the client requests DNS resolution.  If it is used in Standard mode, the Proxy requests name resolution.  If the client browser is configured to use the Proxy on port 8080, a Transparent-mode profile will respond as if it were in Standard mode.

    For your Transparent-mode Profile, you should add "VPN Pool (SSL)" to 'Allowed Networks' in 'Network Services >> DNS', change 'DNS Server #1' in 'Remote Access >> Advanced' to 10.242.2.1 and be sure that you have Request Routes in DNS for your internal domain(s).

    Cheers - Bob

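As an added illustration of the point above (a browser pointed at the proxy on port 8080 lets the UTM do the public name resolution), here is a minimal wpad.dat / PAC script of the kind the opening post mentions; it is example code, not from the thread or from Sophos. It assumes a placeholder internal AD domain "corp.example" and that the UTM is reachable by the short name "sophos"; the two PAC helper functions are reimplemented only so the file also runs under Node.js (browsers supply their own).

```javascript
// Added example wpad.dat (PAC) for the setup in this thread: internal hosts
// are reached directly over the VPN, everything else goes via the UTM Web
// Filtering proxy at sophos:8080, which resolves public names itself.
// Assumptions (placeholders, not from the thread): internal AD domain is
// "corp.example"; the UTM is known as "sophos". Written in ES3-style
// JavaScript because browser PAC engines do not support newer syntax.

var INTERNAL_DOMAIN = ".corp.example";   // placeholder internal AD domain
var UTM_PROXY = "PROXY sophos:8080";      // Web Filtering in Standard mode

// PAC helper: true for short names like "fileserver" (no dot in the host).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC helper: true when host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() ===
      domain.toLowerCase();
}

function FindProxyForURL(url, host) {
  // Short names and hosts in the internal AD domain are resolved by the
  // internal DCs (reachable over the VPN) and contacted directly.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else is handed to the proxy, which performs the public DNS
  // lookup on the client's behalf. No "; DIRECT" fallback is listed on
  // purpose: a VPN client cannot resolve public names anyway, and a fallback
  // would let a client with a different DNS setup bypass Web Filtering.
  return UTM_PROXY;
}
```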