

SSTP VPN pool not recognized by Access Control

I've set up a site for internal use. Since I wanted to leverage the UTM's ability to handle Let's Encrypt certificates, I've used Webserver Protection to route the traffic from our public IP to that internal site, and then used Site Path Routing -> Access Control to select allowed networks.

Among those networks is our SSTP pool, which is set up on a Windows Server; clients correctly get IPs from the predefined IP range, but this is obviously NOT handled by Sophos.

However, despite having an IP belonging to the pool specified and allowed via Access Control, users using SSTP still report a generic Forbidden message, and logs show these users are, in fact, external.

Any idea what could be the issue? This could possibly be an issue with SSTP itself, but I'm not sure where to look.

  • Hello Mateusz,

    I'm just guessing that this is a DNS/routing issue.  Have you tried using split DNS to have the SSTP pool get an internal IP where you have a separate Virtual Server for the site?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, I feel sheepish. I just figured it out.

    Normally, a new VPN in Windows (SSTP or other) will use the connection as a gateway. We had this explicitly disabled via policies to, simply, not waste bandwidth (if someone wants to stream music or watch YT at home we don't really want this to affect our traffic).

    In this configuration, SSTP, despite already using the UTM's DNS, appears as external to the UTM when accessing public DNSes. When I re-enabled using the connection as a gateway, I was able to access those internal sites.

    In other words - there's no issue, everything works as intended, and our IT admin (i.e. me) is an idiot. Face palm
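As an added example (not code from the thread or from Sophos), a PowerShell check on the Windows client for the situation described above: it reports whether the VPN connection is split-tunnelled and which interface and source address Windows would use to reach the site's public IP, so you can see whether the UTM will observe the SSTP pool address or the client's ISP address. The connection name and the site IP are placeholders; the optional -Fix switch applies the fix from the thread (VPN as default gateway) and notes, as a commented alternative, a per-host VPN route that keeps split tunneling.

```powershell
# Added example (not from the original thread): check whether a Windows VPN
# connection carries traffic for a given destination through the tunnel.
# Assumptions: connection name and site IP are placeholders; run on the
# connected VPN client, in an elevated session if you use -Fix.
param(
    [string]$ConnectionName = 'Corp SSTP',     # placeholder connection name
    [string]$SitePublicIp   = '203.0.113.10',  # placeholder (TEST-NET-3) address
    [switch]$Fix                               # re-enable "use remote gateway"
)

# SplitTunneling = $true means the VPN is NOT the default gateway, so only
# destinations covered by a VPN route go through the tunnel.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
"Connection '{0}': SplitTunneling = {1}" -f $vpn.Name, $vpn.SplitTunneling

# Ask the routing table which interface and source address would be used for
# the site's public IP. Find-NetRoute returns the chosen source NetIPAddress
# object and the matching NetRoute object.
$lookup = Find-NetRoute -RemoteIPAddress $SitePublicIp
$src    = $lookup | Where-Object { $_.PSObject.Properties.Name -contains 'IPAddress' }
$route  = $lookup | Where-Object { $_.PSObject.Properties.Name -contains 'DestinationPrefix' }

"Destination {0} leaves via '{1}' (route {2}) from source {3}" -f $SitePublicIp,
    $route.InterfaceAlias, $route.DestinationPrefix, $src.IPAddress

# The VPN adapter's InterfaceAlias normally matches the connection name. If
# the chosen interface is anything else, the UTM sees the client's ISP address
# rather than an SSTP pool address, and an Access Control rule keyed on the
# pool denies the request, which is exactly the symptom in the thread.
if ($route.InterfaceAlias -ne $ConnectionName) {
    Write-Warning "Traffic to $SitePublicIp bypasses the VPN; the web server sees $($src.IPAddress)."
    if ($Fix) {
        # Option A (what the thread did): make the VPN the default gateway.
        Set-VpnConnection -Name $ConnectionName -SplitTunneling $false
        # Option B (keeps split tunneling): route only the site via the VPN.
        # Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix "$SitePublicIp/32"
        'Reconnect the VPN for the change to take effect.'
    }
} else {
    "Traffic to $SitePublicIp goes through the VPN; the UTM will see $($src.IPAddress)."
}
```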