SSTP VPN pool not recognized by Access Control

Question

I've set up a site for internal use. Since I wanted to leverage UTMs ability to handle Let's Encrypt certificates I've used Webserver Protection to route the traffic from our public IP to that internal site, and then used Site Path Routing -> Access Control to select allowed networks. 
 Among those networks is our SSTP pool, which is set up on a Windows Server; clients correctly get IPs from the predefined IP range, but this is obviously NOT handled by Sophos. 
 However, despite having an IP belonging to the pool specified and allowed via Access Control users using SSTP still report a generic Forbidden message, and logs show these users are, in fact, external. 
 Any idea what could be the issue? This could possibly be an issue with SSTP itself, but I'm not sure where to look.

Mateusz Bender · Accepted Answer

OK, I feel sheepish. I just figured it out. 
 Normally, a new VPN in Windows (SSTP or other) will use the connection as a gateway. We had this explicitly disabled via policies to, simply, not waste bandwidth (if someone wants to stream music or watch YT at home we don't really want this to affect our traffic). 
 In this configuration SSTP, despite already using the UTMs DNS, appears as external to the UTM when accessing public DNSes. When I re-enabled using the connection as a gateway then I was able to access those internal sites. 
 In other words - there's no issue, everything works as intended, and our IT admin (i.e. me) is an idiot.

SSTP VPN pool not recognized by Access Control

Top Replies