
Publish internal XG Firewall VPN using External XG Firewall and DNAT - Port 443

Hello,

I am a new XG Firewall Home User and I have been reading how to set up XG Firewall OpenVPN to publish the VPN through port 443 without impacting the ability to publish web applications on 443 through WAF. As I understand, this is not possible at the moment (even with v18). As I read, it is somehow possible with UTM9 though. I was surprised to see this was not available on XG (I come from using TMG 2010, where you can do port sharing (WAF + SSTP through TCP 443)).

 

By reading threads like the one below, I see there are people trying to overcome this issue by having the VPN server on a different box and having the XG Firewall DNAT to it on port 443 (either TCP or UDP).

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/116782/ssl-vpn-on-port-443-tcp

I understand this sounds like overkill, but using a port other than 443 for VPN seems too restrictive due to the way firewalls block most of the other ports. I'd like to give this a try and see how it works. My setup is:

VPN Server (XG Firewall just for the VPN):

- WAN: 10.20.20.1 (DMZ Network)

- Port 443 TCP or UDP (based on performance and compatibility).

- Certificate used: Public domain cert.

- Hostname: public FQDN

 

XG Firewall (Internet Facing):

- DMZ: 10.20.20.254

- DNAT (TCP or UDP 443) to 10.20.20.1. (DMZ Network).

 

When I test this, on the VPN client log I see: CONNECTION TIMEOUT.

 

On the XG Firewall Log (Internet Facing), I see: Invalid Packet.

 

Has anyone done this successfully? Thoughts?

 

Thanks!

 



  • Hello cm00001,

    Thank you for contacting the Sophos Community.

    Unfortunately, if you set a DNAT rule on port 443, then the SSL VPN will not be able to connect, as the DNAT rules take precedence. That is the reason why you are getting the Connection Timeout: the traffic is being passed down to whatever server you have configured in the DNAT rule for port 443.

    Regards,


  • Thanks Emmanuel. However, is that still true if the DNAT rule is set on the internet facing XG Firewall only?

    Here's what I was thinking:

    1.- VPN request comes through the XG Firewall WAN interface.

    2.- Using DNAT on 443 UDP, the XG Firewall forwards the request to the DMZ Network, where the 2nd XG Firewall is (the one that has SSL VPN configured).

    3.- In the DMZ (which is the address of the WAN interface of the 2nd XG Firewall), the request is now received by the SSL VPN.

    If this is still not clear, I'll create a diagram so this makes more sense.

  • Hello cm0001,

    Thank you for the follow-up.

    Oh, I see. In that case, since the request will pass to the second XG, it should work.

    Regards,
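The precedence Emmanuel describes (DNAT evaluated before the firewall's own SSL VPN listener) and the two-box layout from the follow-up, as an added example that is not part of the thread or Sophos code: the `Firewall` class, the 203.0.113.x WAN addresses and the web server are constructed; only the 10.20.20.x addressing comes from the posts.

```python
"""Packet-path model of the thread's setup: a DNAT rule on port 443 is
evaluated before the firewall's own SSL VPN listener, so on one XG the VPN is
shadowed; DNAT to a second XG that hosts the VPN avoids the clash.
Added example, not Sophos code. 10.20.20.x is from the thread; the Firewall
class, 203.0.113.x WAN addresses and the web server are constructed."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    wan_ip: str
    # (proto, dport) -> inside host a DNAT (port-forward) rule sends traffic to
    dnat: dict = field(default_factory=dict)
    # (proto, dport) the box itself listens on, e.g. its SSL VPN server
    local_services: set = field(default_factory=set)

    def handle(self, proto: str, dport: int) -> str:
        """Who receives a packet addressed to this box's WAN IP."""
        key = (proto, dport)
        if key in self.dnat:            # DNAT takes precedence ...
            return f"dnat:{self.dnat[key]}"
        if key in self.local_services:  # ... over the firewall's own listener
            return f"local:{self.name}"
        return "drop"


def trace(hosts: dict, first_hop: str, proto: str, dport: int) -> list:
    """Follow a packet across DNAT hops until a service accepts it or it dies."""
    path, ip = [], first_hop
    while True:
        host = hosts.get(ip)
        if host is None:
            return path + [f"unreachable:{ip}"]
        outcome = host.handle(proto, dport)
        path.append(f"{host.name} -> {outcome}")
        if not outcome.startswith("dnat:"):
            return path
        ip = outcome.split(":", 1)[1]


# Case 1: one XG with a DNAT rule on UDP 443 *and* SSL VPN on UDP 443.
single = Firewall("xg-single", "203.0.113.1",
                  dnat={("udp", 443): "10.0.0.10"}, local_services={("udp", 443)})
web = Firewall("web-srv", "10.0.0.10", local_services={("udp", 443)})
# Case 2: thread layout. Edge XG only DNATs; DMZ XG at 10.20.20.1 runs the VPN.
edge = Firewall("xg-edge", "203.0.113.2", dnat={("udp", 443): "10.20.20.1"})
vpn = Firewall("xg-vpn", "10.20.20.1", local_services={("udp", 443)})
HOSTS = {h.wan_ip: h for h in (single, web, edge, vpn)}
```

`trace(HOSTS, "203.0.113.1", "udp", 443)` ends at the web server, never at the single XG's VPN listener, while `trace(HOSTS, "203.0.113.2", "udp", 443)` ends at the DMZ XG's listener.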