Reaching Domain Controllers via SSL VPN is impossible

Hi to all of you.

I have two Sophos XGS 136 in HA (active / passive); the firmware version is SFOS 18.5.3 MR-3-Build408.

IT infrastructure consists of:

  • 1 Windows Server 2019 host with the Hyper-V role
  • 2 Windows Server 2019 VMs: both are DCs and one of them has the file server role
  • Many Windows 10 Pro clients

All servers (host and VMs) and clients are on the same subnet.


I have configured user authentication via Active Directory on the Sophos XG; users connect via SSL VPN using their AD credentials and are able to reach all the devices on the network (PC clients, NAS, network printers, access points, and the Hyper-V host server), but not the domain controller VMs!

On the firewall, Active Directory server authentication was originally set with "Plaintext" connection security, but at the moment it is set with SSL/TLS connection security (and the Test connection works).

There's no way to reach the DCs: ping, RDP sessions, share browsing on the file server, etc. always fail, but if I run the same tests against the host server, they work perfectly.

The DCs are also not reachable if I try to connect using an SSL VPN local user of the Sophos XG.

If the host server and VMs are on the same subnet (10.0.0.0/24), can the problem be a bad traffic-rule configuration?

PS: To rule out a Hyper-V problem, I installed a Windows 10 VM on the Hyper-V host server and it is reached perfectly by the SSL VPN user.
PPS: Having a QNAP NAS at my disposal, I enabled the OpenVPN server on it; in this case the SSL VPN (QNAP) users can reach the DC servers perfectly.

Can you help me solve this big problem? Thanks for your support!



This thread was automatically locked due to age.
  • A quick peek at your "dumpvpncli" pcap shows what I assume would be your DCs at 10.0.0.201 and 10.0.0.202 repeatedly doing an ARP request for 10.81.234.6. This leads me to believe that the traffic from the host at 10.81.234.6 on the SSL VPN is indeed reaching the DC, but it appears the DCs do not know how to route back to the 10.81.234.0 network. I wouldn't expect to see an ARP from 10.0.0.201 for 10.81.234.6. Since they aren't in the same subnet, the proper response would be for the DC to look into its routing table first for the 10.81.234.0 network, then find the next hop and ARP for that IP if it wasn't already in the ARP table. I wonder if your subnet settings on the DCs are correct? Is the NIC set up as IP 10.0.0.201, subnet 255.255.255.0 and GW 10.0.0.254? Right now the DCs think 10.81.234.6 resides inside their subnet, so they don't send the traffic to their default gateway (the Sophos).

  • Thanks, thanks, thanks!!! It's incredible, I don't know why, but both DC servers were using the subnet mask 255.0.0.0 instead of 255.255.255.0! I'm sure that in the past they were using the subnet mask 255.255.255.0, so the only thing I can imagine is that a NIC driver update has brought the subnet mask configuration back to the default value for the 10.0.0.0 subnet.
    Remember that if you come to Rome, you will be my guest for a nice pizza!
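As an added example, not code from the thread or from Sophos, the snippet below models the on-link decision behind the diagnosis above (a /8 mask makes the DC ARP for the VPN client instead of sending to its gateway) and flags ARP requests in a capture whose target lies outside the expected LAN subnet. The tcpdump-style ARP lines are constructed; the gateway 10.0.0.254 and the addresses are taken from the replies.

```python
import ipaddress
import re

# Constructed sample lines in tcpdump ARP output format; addresses match the
# thread (DCs 10.0.0.201/.202, SSL VPN client 10.81.234.6). Not a real capture.
SAMPLE_ARP_LINES = """\
ARP, Request who-has 10.81.234.6 tell 10.0.0.201, length 46
ARP, Request who-has 10.81.234.6 tell 10.0.0.202, length 46
ARP, Request who-has 10.0.0.254 tell 10.0.0.201, length 46
ARP, Reply 10.0.0.254 is-at 00:11:22:33:44:55, length 28
""".splitlines()

ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def next_hop(host_ip, mask, gateway, dest):
    """Return the address a host with host_ip/mask resolves via ARP for dest.

    If dest falls inside the host's own subnet (as the host believes it), the
    host ARPs for dest directly; otherwise it ARPs for its default gateway.
    """
    net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return dest if ipaddress.ip_address(dest) in net else gateway


def flag_offlink_arp(lines, expected_net):
    """Return (requester, target) pairs for ARP requests whose target is outside
    expected_net. A host ARPing for an off-subnet address is a sign its netmask
    is wider than it should be, the symptom seen in the thread's pcap."""
    net = ipaddress.ip_network(expected_net)
    findings = []
    for line in lines:
        m = ARP_REQ.search(line)
        if not m:
            continue
        target, sender = m.group(1), m.group(2)
        if ipaddress.ip_address(target) not in net:
            findings.append((sender, target))
    return findings


if __name__ == "__main__":
    # Wrong /8 mask: the DC treats the VPN client as on-link and ARPs for it.
    print(next_hop("10.0.0.201", "255.0.0.0", "10.0.0.254", "10.81.234.6"))
    # Correct /24 mask: the DC hands the packet to the Sophos gateway.
    print(next_hop("10.0.0.201", "255.255.255.0", "10.0.0.254", "10.81.234.6"))
    for sender, target in flag_offlink_arp(SAMPLE_ARP_LINES, "10.0.0.0/24"):
        print(f"{sender} ARPed for off-subnet {target}: check its netmask")
```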
