
Manage Device from WAN

How does one connect to the XG box from the WAN side? Is there something similar to the "Management / Webadmin Settings" on the UTM?

I have looked at the help files (honest), but I can't find anything, or am not understanding what I am reading.

It would also be nice to figure out the process that replaced the UTM process of "Network Protection/NAT/NAT".

For instance:

On the XG system, where would I go to route an incoming RDP connection to a specific computer? This is very simple on the UTM, but I have no idea where to go on the XG.

Policies?

So.

Station on the WAN side trying to connect to a computer on the LAN side.

XG WAN IP: 172.16.81.4

XG LAN IP: 192.168.1.254

Computer on the WAN: 172.16.95.48

Computer on the LAN I want to RDP into: 192.168.1.1

RDP Port: 3389

So what I want to do is open my RDP client and connect to: 172.16.81.4

I then want the XG to route any port 3389 traffic from 172.16.95.48 (WAN) to 192.168.1.1 (LAN).

On the UTM, simple. It probably is for the XG as well. I just don't understand the terminology/steps to do so.

BTW - I know both the ranges I listed are private.  This is not a production system.  It is not even a home system.  It is just something I am playing with at work and would rather play with from my desk than have to sit at a remote station.

Thanks for any help.

  • You need to make sure that device access from the WAN side is allowed for the webadmin in System > Administration > Device Access.

    If you're not creating a Site-to-site VPN, you can create a policy to allow the RDP connections from WAN to LAN and specify the target host in the policy to make a DNAT. I'll pull a screenshot, it's a little vague at the moment.

  • Got the first part, am happily messing with the test system from my desk. Thanks.

    Second part, no, not a Site-to-Site. Sitting here, I want to forward RDP traffic from my computer (172.16.95.48) to a computer (192.168.1.1) on the LAN of my test network.

    A picture would be helpful.

    I am assuming I am supposed to make a User / Network rule to accomplish this?
  • You will need to use a 'Business Application Rule' within the Policies area, and choose the type 'Non-HTTP'; this enables you to build DNAT rules as you would expect of any platform.
  • You'll need to make 2 rules of Business Application type, as Azron says, and their configuration needs to be as follows:

    • Host: Any (Or you could add the external (in your case externally internal) IP as the sole allowed IP)
    • Exceptions: None
    • Source Zone: WAN
    • Hosted Address: External Port with IP assignment of the IP of the XG's WAN link (External IP)
    • Protected Zone: LAN
    • Protected Application Servers: Create a Definition with the internal IP of your computer
    • Forward all ports: Off
    • Protocol: TCP
    • External Port Type: Port Range
    • Port range: 1 - 65535
    • Mapped Port Type: Port
    • Mapped Port: 3389
    • Rewrite Source Address (Masquerading): On
    • Use Outbound Address: Create a new NAT Policy for the internal IP of your XG
    • Intrusion Prevention & Traffic Shaping: I didn't create any but feel free to play
    • Reflexive Rule: Off

    You will need to duplicate the above but with the protocol set to UDP with the same Mapped Port of 3389 as RDP uses TCP/UDP 3389.

    Here are some screenshots of my working RDP on my test platform on a spare external and I see no reason why it shouldn't work in your setup:
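To make the effect of the rule set above concrete (DNAT of the external port range onto 3389, plus "Rewrite Source Address (Masquerading)" on the way in, with the reply translated back on the way out), here is a small stateful NAT model written in Python. This is an added example, not code from the thread or from Sophos XG; the addresses are the ones the thread gives, and the `DnatRule`, `NatEngine` and `rdp_session` names are this example's own. It also exposes two variants the reply mentions, restricting "Host" to the single external IP and turning masquerading off.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Addresses taken from the thread.
XG_WAN_IP = "172.16.81.4"
XG_LAN_IP = "192.168.1.254"
WAN_CLIENT = "172.16.95.48"
RDP_SERVER = "192.168.1.1"
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    """One Non-HTTP Business Application Rule, reduced to the fields that affect translation (hypothetical model)."""
    proto: str                                   # Protocol
    source_zone: str                             # Source Zone
    hosted_ip: str                               # Hosted Address (the XG WAN IP)
    ext_ports: Tuple[int, int]                   # External Port Type: Port Range
    server_ip: str                               # Protected Application Server
    mapped_port: int                             # Mapped Port
    allowed_hosts: Optional[FrozenSet[str]] = None   # "Host: Any" when None
    masquerade_ip: Optional[str] = None              # "Rewrite Source Address" off when None

    def matches(self, pkt: Packet, in_zone: str) -> bool:
        lo, hi = self.ext_ports
        return (pkt.proto == self.proto
                and in_zone == self.source_zone
                and pkt.dst_ip == self.hosted_ip
                and lo <= pkt.dst_port <= hi
                and (self.allowed_hosts is None or pkt.src_ip in self.allowed_hosts))


FlowKey = Tuple[str, str, int, str, int]  # proto, src_ip, src_port, dst_ip, dst_port


class NatEngine:
    """Toy stateful NAT: DNAT plus optional SNAT inbound, reverse translation for the replies."""

    def __init__(self, rules: List[DnatRule]):
        self.rules = rules
        self.conntrack: Dict[FlowKey, Packet] = {}  # expected reply tuple -> original inbound packet

    def forward(self, pkt: Packet, in_zone: str) -> Optional[Packet]:
        """Return the packet as the far side sees it, or None if it is dropped."""
        if in_zone == "WAN":
            for rule in self.rules:
                if rule.matches(pkt, in_zone):
                    # DNAT: destination becomes the protected server. SNAT (masquerade): source
                    # becomes the XG LAN IP, so the server answers via the XG even without a route
                    # back to the client. A real NAT may also pick a fresh source port; this keeps it.
                    new_src = rule.masquerade_ip or pkt.src_ip
                    xlated = Packet(pkt.proto, new_src, pkt.src_port, rule.server_ip, rule.mapped_port)
                    reply_key = (pkt.proto, xlated.dst_ip, xlated.dst_port, xlated.src_ip, xlated.src_port)
                    self.conntrack[reply_key] = pkt
                    return xlated
            return None  # WAN -> LAN traffic with no matching rule is dropped
        # LAN -> WAN: this model only carries replies to flows it translated itself.
        orig = self.conntrack.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        # Undo both translations: the client sees the reply come from the XG WAN IP and its original port.
        return Packet(pkt.proto, orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


def build_rules(restrict_to: Optional[str] = None, masquerade: bool = True) -> List[DnatRule]:
    """The two rules from the reply: identical TCP and UDP rules, external ports 1-65535 -> 3389.
    restrict_to implements the 'add the external IP as the sole allowed IP' option."""
    hosts = frozenset({restrict_to}) if restrict_to else None
    masq = XG_LAN_IP if masquerade else None
    return [DnatRule(p, "WAN", XG_WAN_IP, (1, 65535), RDP_SERVER, RDP_PORT, hosts, masq)
            for p in ("TCP", "UDP")]


def rdp_session(engine: NatEngine, client_ip: str, client_port: int, ext_port: int):
    """Client packet in, server reply out. Returns (what the server sees, what the client gets back)."""
    seen_by_server = engine.forward(Packet("TCP", client_ip, client_port, XG_WAN_IP, ext_port), "WAN")
    if seen_by_server is None:
        return None, None
    reply = Packet("TCP", seen_by_server.dst_ip, seen_by_server.dst_port,
                   seen_by_server.src_ip, seen_by_server.src_port)
    return seen_by_server, engine.forward(reply, "LAN")


if __name__ == "__main__":
    eng = NatEngine(build_rules())
    print(rdp_session(eng, WAN_CLIENT, 51000, 3389))
    print(rdp_session(eng, WAN_CLIENT, 51001, 8080))  # with range 1-65535, every external port lands on 3389
```

Running it shows the RDP server receiving a connection from 192.168.1.254 (the XG LAN IP) rather than from 172.16.95.48, which is what masquerading does and why the server's RDP logs will not show the real client address; `build_rules(masquerade=False)` shows the alternative. It also makes visible that an External Port Range of 1 - 65535 maps every TCP and UDP port on the WAN IP onto 3389, so narrowing the range to the port actually needed is the tighter configuration.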

  • Hi EmileBelcourt,

    I'm trying to enable SSL VPN on my home lab Sophos XG. I don't have a static IP from my ISP. I have configured the Sophos WAN with 192.168.1.150.

    I have Port 1 and Port 3 as LAN with 172.16.16.0/24 and 10.0.0.0/24 respectively.

    What I'm trying to achieve is: is it possible I can access the Sophos XG and the networks when I'm working from my office?

    Will the above steps you mentioned work in my scenario?

    Appreciate your help. Also, I'm pretty new to Sophos and also to firewall configuration, so SNAT and DNAT are pretty new to me.

    Have a good day, looking forward to hearing from you.

    Thanks

    Raj

  • Hi TXGARobert,

    Please advise if you had any luck in configuring this. I'm trying to do something similar whereby I can access my home Sophos XG lab from my workplace.

    I don't have a static IP assigned from my ISP.

    Appreciate any help

    Thanks


    Raju

  • Hi,

    It depends on what you mean by access your XG?

    Do you want to remotely manage the XG or do you want to access your local LAN?

    If it is the XG you wish to manage, why not try the free version on the Central Management server? You could also investigate the Sophos DDNS.

    Ian

  • Hi Ian,

    Thanks for your reply. Sorry, I should have been more precise, I'm wanting to access the local LAN.


    Appreciate any assistance

    Thanks

    Raju