XG in Azure SSL VPN no access to Azure VMs

Dear all,

we have an issue with a XG in Azure: Remote users can connect via SSL VPN Client but they cannot reach any Azure VM in the virtual network behind the XG. We can reach the IP addresses on Port B (WAN) and also Port A (LAN), e.g. ping, user or admin portal but that's it.

I think it can't be an Azure routing problem, which is addressed here: https://community.sophos.com/products/xg-firewall/f/vpn/84307/site-to-site-ssl-azure-rm. Because the Azure XG is connected through an IPSec site2Site VPN to an on premise Sophos XG. All working fine, on prem VMs and Azure VMs are connected, DNS is working, a second DC in Azure is synchronizing the AD without problems, users can use RDP from on prem to Azure and vice versa etc. All fine!

Also we deployed the Sophos XG in Azure according to the Reference architecture deployment guide, which also deals with the necessary UDR in Azure routing tables.
https://community.sophos.com/kb/en-us/128102

And we know how to configure/use SSL VPN because we use SSL VPN also for the on prem Sophos XG. No problem to use RDP through the SSL VPN tunnel to work remotely on Windows VMs in the local network.

Anyone who is using Sophos XG in Azure and who works remotely on Azure VMs through an SSL VPN tunnel?

Any help or idea is appreciated.

Cheers
Dirk



  • Hi

    What are you able to observe when you perform a packet capture for this attempted connection?

    Have you configured the required firewall rules and ACLs for this traffic? Any local firewall enabled on the Azure VM client?


    Florentino
    Director, Global Community & Digital Support

  • Our company hosts our customer workloads in Azure, each customer sitting behind their own XG so I have a lot of experience with XG in Azure.  Do you have a UDR (User Defined Route) table in Azure defined that is directing all Azure traffic to the Azure Sophos XG?  I wonder if an existing UDR is only covering your on prem networks and not the SSL-VPN IP pool?  In that case, return traffic is leaving the VMs and going out into the Azure ether instead of back to the Sophos.  The other thought would be NSGs that are blocking the SSL-VPN IP pool.  Those are two quick things that come to mind.

  • Hi FloSupport,

    thanks for your reply. I will check your hints soon and revert with the results.

    Dirk

  • Hi NateP,

    thanks for your reply. Especially the tip related to the UDR that must also cover the SSL-VPN pool sounds relevant. I will check your hints soon and revert with the results.

    Dirk

  • Hi FloSupport,

    I am sorry, but I wasn't able to perform the packet capture yet because I re-checked all NSGs and route tables on Azure today. But related to your hints I have a question:

    I am 100% sure that SSL-VPN is OK, because if the connection is established, I can access the admin portal of the XG via the private Azure IP address. Additionally, I know how SSL VPN with XG works, because the SSL VPN to the on prem XG works as required; RDP to Windows VMs in the on prem network is no problem.

    With the above observations, would the packet capture help? I am not familiar with it, but if you say I should use it, I will do. Thanks for your efforts!

    Cheers Dirk

  • Hi NateP,

    I followed your thoughts. Here are the results:

    1. Do you have a UDR (User Defined Route) table in Azure defined that is directing all Azure traffic to the Azure Sophos XG?

    Yes! for all internal subnets in Azure I have

    internet-route   0.0.0.0/0      10.10.8.4          (10.10.8.4 is the IP of the LAN NIC of the XG)
    subnet-route     10.10.7.0/24   Virtual network    (10.10.7.0/24 is one of the subnets, there are more)
    vnet-route       10.10.0.0/16   Virtual network    (10.10.0.0/16 is the vnet in Azure)

    The reference architecture says that the vnet route should route to the virtual appliance, but we don't need this: we want all subnet traffic routed internally. No need to limit/control the traffic through the XG. That works fine with the on prem LAN through the IPSec site2site VPN. But of course I tried the "original" settings, no change.
    One remark: The reference architecture has no route table for the subnet of the LAN port of the XG and also no NSG. Do you also use such a configuration?

    I tried to add a route in a subnet: SSLVPN-route   172.16.0.0/24   10.10.8.4   (172.16.0.0/24 is the remote SSL VPN pool, the SSL Client has e.g. 172.16.0.11) but also this does not change the situation.

    2. NSGs are blocking the SSL-VPN IP pool

    I also checked all NSGs again. The NSG for Port B (for me it is the WAN subnet) has only one rule: Any-Any-Any-Any, no restrictions. Of course only the user portal and SSL-VPN are allowed for Device Access on the WAN zone, and these services are protected by OTP. The NSGs for all other subnets are standard; they will be adjusted later on.

    Still no success, do you have an idea?
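
The point raised above, that return traffic from an Azure VM to an SSL VPN client follows the VM subnet's route table and not the XG's own routing, can be checked offline by modelling Azure's route selection (longest prefix first; on equal prefix length a user-defined route beats BGP, which beats the system default). The example below is an added illustration, not code from the thread, from Sophos or from Azure. It replays the route table posted in the thread (where the 0.0.0.0/0 user route already sends everything to the XG LAN NIC 10.10.8.4) against a hypothetical table that only covers an assumed on-prem prefix 192.168.0.0/16, to show which addresses in the 172.16.0.0/24 pool would fall through to Azure's system Internet route instead of returning to the appliance:

```python
# Added example: an offline model of Azure route selection for a VM NIC, used
# to check whether return traffic to an SSL VPN pool address goes back to the
# XG (virtual appliance) or leaks to Azure's system default route.
# Not code from the thread, Sophos or Azure. The on-prem prefix 192.168.0.0/16
# and the "on-prem only" route table are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass

# Precedence Azure applies on a NIC: longest prefix wins; on equal prefix
# length a user-defined route beats a BGP route, which beats a system route.
SOURCE_RANK = {"user": 0, "bgp": 1, "system": 2}


@dataclass(frozen=True)
class Route:
    name: str
    prefix: str      # CIDR
    next_hop: str    # "VirtualNetwork", "Internet", "None", or an appliance IP
    source: str = "user"


def system_routes(vnet_cidr):
    """Default routes Azure installs on every subnet before any UDR applies."""
    return [
        Route("vnet-default", vnet_cidr, "VirtualNetwork", "system"),
        Route("internet-default", "0.0.0.0/0", "Internet", "system"),
    ]


def select_route(routes, dst):
    """Return the route a NIC uses for dst: longest prefix, then source rank."""
    dst_ip = ipaddress.ip_address(dst)
    matching = [r for r in routes if dst_ip in ipaddress.ip_network(r.prefix)]
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       SOURCE_RANK[r.source]),
    )


def pool_leaks(routes, pool_cidr, appliance_ip):
    """Pool addresses whose return traffic would NOT be sent to the appliance."""
    net = ipaddress.ip_network(pool_cidr)
    return [str(a) for a in net.hosts()
            if select_route(routes, str(a)).next_hop != appliance_ip]


VNET = "10.10.0.0/16"
XG_LAN_IP = "10.10.8.4"
SSLVPN_POOL = "172.16.0.0/24"

# Table posted in the thread for the internal subnets: default route via the XG.
posted_table = system_routes(VNET) + [
    Route("internet-route", "0.0.0.0/0", XG_LAN_IP),
    Route("subnet-route", "10.10.7.0/24", "VirtualNetwork"),
    Route("vnet-route", VNET, "VirtualNetwork"),
]

# Hypothetical table (assumption) that only covers an on-prem prefix, i.e. the
# "UDR only covers your on-prem networks" case raised in the thread.
onprem_only_table = system_routes(VNET) + [
    Route("onprem-route", "192.168.0.0/16", XG_LAN_IP),
    Route("vnet-route", VNET, "VirtualNetwork"),
]

# The same hypothetical table with an explicit route for the SSL VPN pool.
onprem_plus_pool_table = onprem_only_table + [
    Route("sslvpn-route", SSLVPN_POOL, XG_LAN_IP),
]

if __name__ == "__main__":
    tables = [("posted", posted_table),
              ("on-prem only", onprem_only_table),
              ("on-prem + pool", onprem_plus_pool_table)]
    for label, table in tables:
        r = select_route(table, "172.16.0.11")
        leaking = len(pool_leaks(table, SSLVPN_POOL, XG_LAN_IP))
        print(f"{label:15} 172.16.0.11 -> {r.name} ({r.prefix}) "
              f"next hop {r.next_hop}; leaking pool addresses: {leaking}")
```

With the posted table every pool address already resolves to 10.10.8.4 through the 0.0.0.0/0 user route, so the route-table check alone does not explain the symptom there; the model only confirms which table entries matter. To compare the model against what Azure actually programmed on a NIC, look at the NIC's effective routes in the portal (or `az network nic show-effective-route-table`), since that view already has system, BGP and user routes merged with the same precedence.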
