Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 6023 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN setup - Sophos XG in Azure

Eirik Jolle

Hi all

 

 

I need some guidance on getting SSL VPN working on the XG. I'm going to migrate some workloads for a client to Microsoft Azure. I have started building the Azure network, and placed a Sophos XG in a perimeter Azure vNet, following this guide. community.sophos.com/.../128102.

The idea is to have a site-to-site VPN between On-prem office Sophos XG and Sophos XG in Azure.

Remote workers are going to use SSL VPN to connect to Sophos XG in Azure. I have followed this guide to configure SSL VPN for clients. community.sophos.com/.../122769

 

Users can’t connect. I see this in the Sophos client log:

 

Sat Mar 17 09:07:43 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340

Sat Mar 17 09:07:43 2018 Need hold release from management interface, waiting...

Sat Mar 17 09:07:43 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'state on'

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'log all on'

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'hold off'

Sat Mar 17 09:07:43 2018 MANAGEMENT: CMD 'hold release'

Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'username "Auth" "User1"'

Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'password [...]'

Sat Mar 17 09:07:47 2018 MANAGEMENT: CMD 'proxy HTTP 40.91.198.181 8443'

Sat Mar 17 09:07:48 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]

Sat Mar 17 09:07:48 2018 Attempting to establish TCP connection with [AF_INET]40.91.198.181:8443 [nonblock]

Sat Mar 17 09:07:48 2018 MANAGEMENT: >STATE:1521274068,TCP_CONNECT,,,,,,

Sat Mar 17 09:07:49 2018 TCP connection established with [AF_INET]40.91.198.181:8443

Sat Mar 17 09:07:49 2018 Send to HTTP proxy: 'CONNECT 10.47.0.4:8443 HTTP/1.0'

Sat Mar 17 09:07:49 2018 recv_line: TCP port read failed on recv()

Sat Mar 17 09:07:49 2018 SIGUSR1[soft,init_instance] received, process restarting

Sat Mar 17 09:07:49 2018 MANAGEMENT: >STATE:1521274069,RECONNECTING,init_instance,,,,,

Sat Mar 17 09:07:49 2018 Restart pause, 5 second(s)

Sat Mar 17 09:07:54 2018 MANAGEMENT: CMD 'proxy HTTP 40.91.198.181 8443'

Sat Mar 17 09:07:55 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]

Sat Mar 17 09:07:55 2018 Attempting to establish TCP connection with [AF_INET]40.91.198.181:8443 [nonblock]

Sat Mar 17 09:07:55 2018 MANAGEMENT: >STATE:1521274075,TCP_CONNECT,,,,,,

Sat Mar 17 09:07:56 2018 TCP connection established with [AF_INET]40.91.198.181:8443

Sat Mar 17 09:07:56 2018 Send to HTTP proxy: 'CONNECT 10.47.1.4:8443 HTTP/1.0'

Sat Mar 17 09:07:56 2018 recv_line: TCP port read failed on recv()

Sat Mar 17 09:07:56 2018 SIGUSR1[soft,init_instance] received, process restarting

Sat Mar 17 09:07:56 2018 MANAGEMENT: >STATE:1521274076,RECONNECTING,init_instance,,,,,

Sat Mar 17 09:07:56 2018 Restart pause, 5 second(s)

Sat Mar 17 09:07:58 2018 SIGTERM[hard,init_instance] received, process exiting

Sat Mar 17 09:07:58 2018 MANAGEMENT: >STATE:1521274078,EXITING,init_instance,,,,,

 

 

I have opened ports in the Azure Network security group (any). The vNet in Azure have the 10.47.0.0/16 address space, with SophosXG-Public-DMZ-Frontend-WAN as 10.47.0.0/24 and SophosXG-Public-DMZ-Backend-LAN in the 10.47.1.0/24 subnet.

Any help would be highly appreciated!



This thread was automatically locked due to age.
Parents
  • 0

    Hi Eirik,

    I have the same problem now and found your post. Have you found a solution?

    Our situation is pretty similar. XG on prem and another one in Azure. IPSec site2site is working fine, user in the on prem network can easiliy access ressources in Azure (e.g. Terminal Servers, web applications etc.). Also DNS and AD sync is OK. But I am struggeling to achieve access via SSL VPN.

    I am 100 % sure, that SSL-VPN is OK, because the if the connection is establsihed, I can access the admin portal of the XG via the local IP address. Additionally, I know how SSL VPN with XH works, because the SSL VPN to the on prem XG works as required, RDP to Windows VMs in the on prem network is no problem.

    Would be great if you found the solution...

    Cheers Dirk

  • 0 in reply to Dirk Sterzenbach

    Hi Dirk

     

    This is a long time ago.. I got this to work at the end, but i dont remember what fixed it. My client decided at the end that Azure was too expensive, and the environment is removed. Unfortunately i cant go back to have a look at the config.
    Hope you find out about it in the end.

  • 0 in reply to Eirik Jolle

    First of all.

    Check the dump, are the packets arriving in Azure? 

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    You are Using Port 8443 (TCP). So you need a NSG Rule for this traffic. 

  • +1 in reply to LuCar Toni

    Thanks to everybody who tried to help.

    It is pretty emberassing but I made a real simple mistake. In the SSL VPN policy I added a (wrong) group which was similar to the one I should have added - but of course not matching the users I treid to get access with.

    But again thanks to all contributors, in the end all helped to solve the problem. BTW investigating my issue I found the policy tester very helpful.

    Cheers Dirk

Reply
  • +1 in reply to LuCar Toni

    Thanks to everybody who tried to help.

    It is pretty emberassing but I made a real simple mistake. In the SSL VPN policy I added a (wrong) group which was similar to the one I should have added - but of course not matching the users I treid to get access with.

    But again thanks to all contributors, in the end all helped to solve the problem. BTW investigating my issue I found the policy tester very helpful.

    Cheers Dirk

Children
No Data