
Https Web Access on Additional Interface

Hi Guys,

I wonder if you can help me.

We have an Additional WAN Interface set up on our Sophos UTM 9 device which points to a web address IP, and what I need is HTTPS access to it, but when I browse to the IP via HTTPS I get the Sophos UTM login page. (HTTP access to the web address IP works fine, but I don't require that.) I have tried creating a DNAT rule to allow HTTPS going to this Additional WAN address and then on to the web address IP, but as mentioned all I get is the Sophos UTM box. My question is: how do I change this so the connection goes to the desired address? What am I missing here? As it stands I don't want HTTPS to go to the UTM box on that WAN address anyway.

 

Any help will be appreciated

 

Darren



  • Hi Darren,

     

    could you please provide some Screenshots of the following configuration:

    QoS (if activated)

    NAT Rules

    Interface Configuration

     

    I would guess a problem with the NAT rule, but to analyse the problem these screenshots would really help :)

     

    Greetings

     

    Ole

  • Hi Ole,

Thanks for getting back to me. Like you, I think it's the NAT rule, as HTTP works fine on the Additional Interface because there is a DNAT rule set up for that.

I have attached the images as requested. For security reasons I have removed the IP address, but I can confirm it is correct as the HTTP rule works. QoS is not enabled.

     

    Regards,

    Darren

  • Hi,

     

So far the configuration seems right. One thing I would recommend changing is the point "For traffic from:" in your NAT rule. Here it would be better to put the definition "Internet IPv4" to exclude your local addresses from matching the NAT rule.

Furthermore, you could try changing the WebAdmin port. It seems like it is currently set to port 443 (standard HTTPS). Please try changing it to something else, like 4444 or 10141 for example.

     

    You can do this by going into "Management" -> "WebAdmin settings" -> "Advanced" -> "WebAdmin TCP Port"

     

    Please let me know if this was helpful!

     

    Regards,

     

    Ole

     


  • OK, strange one: I can now get past the Sophos UTM device by changing the port number on the remote site for HTTPS access, but I still cannot get through to the site. I get "page cannot be displayed". I have opened the port in the firewall, but to no avail.

    Any help would be appreciated.

    Darren

  • Can you please check the configuration of your webserver?

    Check its gateway, and if you can, maybe log some traffic (for example with Wireshark).

     

    I did not really understand this statement:

    "I can now get past the Sophos UTM device by changing the port number on the remote site for HTTPS access"

    what do you mean by that?

     

    Hmm, this really seems like a strange problem...

     

  • Normally, WebAdmin is on TCP 4444, and that should not conflict with an HTTP access on TCP 443, so I would not suggest changing from 4444.

    If you were hitting anything, it would have been the User Portal, as the default for that is TCP 443. That would indicate to me that your DNAT wasn't working, because #2 in Rulz clearly states that DNATs are considered before everything else. In addition to Ole's suggestion to replace "Any" with the "Internet IPv4" object, change the Additional Address from /28 to /32.

    If that doesn't resolve your problem, check #3 in Rulz.

    Any luck yet?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
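The two suggestions in this thread (Ole's "Internet IPv4" source object and Bob's /28-to-/32 destination, plus Bob's point that DNAT is evaluated before the UTM's own listeners) can be made concrete with a small model of the evaluation order. The code below is an added example written for this page; it is not Sophos code and not anything posted in the thread. It assumes that a matching DNAT rule always wins over WebAdmin (TCP 4444) and the User Portal (TCP 443), and it models "Internet IPv4" as "any source outside RFC 1918, loopback and link-local ranges", which approximates the real UTM definition (bound to the default-gateway interface) but is not identical to it. All addresses are constructed RFC 5737 documentation values.

```python
"""Model of inbound HTTPS handling on a Sophos UTM Additional Address.

Added example, not from the thread or from Sophos. Assumptions:
- DNAT rules are checked before the UTM's own listeners (Bob's "Rulz #2").
- "Internet IPv4" is approximated as "not RFC 1918 / loopback / link-local".
- All IPs are constructed RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Set

# Ranges that our approximation of "Internet IPv4" excludes (assumption).
NON_INTERNET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
                ip_network("169.254.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class DNATRule:
    name: str
    src: str              # "For traffic from": "Any", "Internet IPv4", or a CIDR
    dst: IPv4Network      # "Going to": the Additional Address definition
    dport: int            # "Using service": destination port
    target: IPv4Address   # "Change the destination to"
    target_port: int

    def matches(self, pkt: Packet) -> bool:
        if self.src == "Any":
            src_ok = True
        elif self.src == "Internet IPv4":
            src_ok = not any(pkt.src in net for net in NON_INTERNET)
        else:
            src_ok = pkt.src in ip_network(self.src)
        return src_ok and pkt.dst in self.dst and pkt.dport == self.dport


def resolve(pkt: Packet, rules: List[DNATRule], utm_addresses: Set[IPv4Address],
            webadmin_port: int = 4444, portal_port: int = 443) -> str:
    """Return where an inbound SYN ends up: a DNAT target, a UTM service, or DROP."""
    for rule in rules:                      # DNAT is evaluated first, in rule order
        if rule.matches(pkt):
            return f"DNAT:{rule.name}->{rule.target}:{rule.target_port}"
    if pkt.dst in utm_addresses:            # no DNAT matched: UTM services may answer
        if pkt.dport == webadmin_port:
            return "UTM:WebAdmin"
        if pkt.dport == portal_port:
            return "UTM:User Portal"
    return "DROP"


# Constructed sample topology.
PRIMARY_WAN = ip_address("198.51.100.17")
ADDITIONAL_WAN = ip_address("198.51.100.20")        # the Additional Address
OTHER_IN_BLOCK = ip_address("198.51.100.21")        # another IP in the same /28
ADDITIONAL_BLOCK = ip_network("198.51.100.16/28")
UTM_ADDRESSES = {PRIMARY_WAN, ADDITIONAL_WAN}
WEB_SERVER = ip_address("192.168.10.5")
EXTERNAL_CLIENT = ip_address("203.0.113.10")
INTERNAL_CLIENT = ip_address("192.168.1.50")

# Rule roughly as posted: source "Any", destination the whole /28.
LOOSE_RULE = DNATRule("https-loose", "Any", ADDITIONAL_BLOCK, 443, WEB_SERVER, 443)
# Rule with both suggestions applied: "Internet IPv4" source, /32 destination.
TIGHT_RULE = DNATRule("https-tight", "Internet IPv4",
                      ip_network(f"{ADDITIONAL_WAN}/32"), 443, WEB_SERVER, 443)


def main() -> None:
    cases = [
        ("external -> additional:443", Packet(EXTERNAL_CLIENT, ADDITIONAL_WAN, 443)),
        ("internal -> additional:443", Packet(INTERNAL_CLIENT, ADDITIONAL_WAN, 443)),
        ("external -> other addr in /28:443", Packet(EXTERNAL_CLIENT, OTHER_IN_BLOCK, 443)),
        ("external -> additional:4444", Packet(EXTERNAL_CLIENT, ADDITIONAL_WAN, 4444)),
    ]
    for label, rules in (("no DNAT", []), ("loose rule", [LOOSE_RULE]),
                         ("tight rule", [TIGHT_RULE])):
        print(f"--- {label} ---")
        for desc, pkt in cases:
            print(f"{desc:36} {resolve(pkt, rules, UTM_ADDRESSES)}")


if __name__ == "__main__":
    main()
```

With no matching DNAT, an external client hitting the Additional Address on 443 lands on the User Portal, which is the login page Darren saw. The loose rule forwards everything in the /28 (including the other 15 addresses) and also catches LAN clients; the tight rule forwards only Internet sources to the single Additional Address, while a LAN client on 443 still reaches the User Portal and traffic to the other addresses in the block is dropped unless another rule covers it.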