
Unable to make HTTP/S traffic forwarding to internal webserver work with XG SFOS 18.0.3 MR-3 (Azure Deployment)

Hi Everyone,

Currently we have a working solution when using SophosXG 17, but currently it seems that port forwarding isn't working like we expected on XG 18. While it was massively simple before, we are unable to make it work on our Azure environment.

From our side, we followed the simple steps when clicking on Add firewall rule > Server access Assistant (DNAT) where:

Internal server IP address: our proxy server private IP

Public IP address: SophosXG public IP (using a port alias defined with the external IP)

Services: HTTPS

External source networks and devices: Any


It's important to note that I have followed the documentation provided by support, YouTube videos and Vimeo videos, but still no success at all.


So, the question would be: has anyone had success with port forwarding with XG18 deployed on Azure? We have been delaying the migration of our 17 to 18 just because of this blocker.



  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Could you please provide the screenshot of the DNAT and matching firewall rule? Can you also check if you have HTTPS service in use for any local service on your firewalls such as UserPortal or SSL VPN? Navigate to SYSTEM > Administration > Admin settings > Admin console and end-user interaction to see user portal port and CONFIGURE > VPN > Show VPN settings > SSL VPN settings > Port. 

    If the DNAT rule and matching firewall rules are configured correctly, I suggest you run a packet capture on the source public IP address while you try to connect to the server and share the output via PM. 

    Thanks,
