
Webserver Protection for SSTP on one ip

Hi all,

I am preparing my company's migration from MS TMG to a Sophos UTM appliance or VM... one very important feature for our users was and still is Microsoft's SSTP VPN because of its firewall pass-through capabilities!

Has any of you successfully configured Sophos UTM to publish SSTP from/to an internal RRAS?

I have read several ideas on how to accomplish that; can anyone tell me whether one of them actually works?

1) destination NAT: internet -443-> RRAS (I suppose that must work)

2) webserver protection with entry URL: /_sra{...}/ HTTPS -> HTTPS

3) same as 2, with bridge: HTTPS -> HTTP (that seems closest to what TMG does)

And in order to make things even more complicated:

Is it possible to configure all this with one public IP using default ports, without some double nginx reverse proxy?

Thanks!



  • Hi, Janko, and welcome to the UTM Community!

    Like apijnappels, I don't have experience with SSTP.  If you must use TCP 443, I would try Webserver Protection, but I doubt that it would work.  If you're stuck with a DNAT using TCP 443 with SSTP, you will want to change the port for the UTM User Portal to something like 2443.

    Also, like apijnappels, I think your folks would be happier with the UTM's SSL VPN.  There is little additional effort to do that and it means that you don't have traffic from anywhere going to your server.  I would still change the User Portal to 2443, but I would use the UDP Protocol with the SSL VPN.  You will find it noticeably faster than SSTP on TCP 443.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Usually UDP on 443 will work, but there are some situations where firewalls are really tight and do not allow UDP 443 out. So, to be extra sure, or if you simply know that you may have problems with other ports, then you can just leave the default TCP 443.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
