Webserver Protection for SSTP on one ip

Question

Hi all, 
 I am preparing my companies migration from MS TMG to Sophos utm appliance or vm... one very important feature for our users was and still is Microsoft's sstp vpn because of its firewall pass-through capabilities! 
 Has anyone of you successfully configured Sophos utm to publish sstp from/to an internal RRAS? 
 I have read several ideas how to accomplish that, can anyone tell me whether one actually works? 
 1) destination NAT: internet -443-> RRAS (I suppose that must work) 
 2) webserver protection wit entry URL: /_sra&#123;...&#125;/ HTTPS -> HTTPS 
 3) same as 2, with bridge: HTTPS -> HTTP (that seems closest to that TMG does) 
 And in order to make things even more complicated: 
 Is it possible to configure all this with one public IP using default ports, without some double nginx reverse proxy? 
 Thanks!

BAlfson · Accepted Answer

Hi, Janko, and welcome to the UTM Community! 
 Like apijnappels, I don't have experience with SSTP. If you must use TCP 443, I would try Webserver Protection, but I doubt that it would work. If you're stuck with a DNAT using TCP 443 with SSTP, you will want to change the port for the UTM User Portal to something like 2443. 
 Also, like apijnappels, I think your folks would be happier with the UTM's SSL VPN. There is little additional effort to do that and it means that you don't have traffic from anywhere going to your server. I would still change the User Portal to 2443, but I would use the UDP Protocol with the SSL VPN. You will find it noticeably faster than SSTP on TCP 443. 
 Cheers - Bob