Trying to enable multiple port forwarding to DVR/webserver

OK, I'm trying to configure an XG135 to allow traffic from the public IP to a DVR/Webserver located on a separate VLAN on my internal network. The vendor indicates that I need multiple ports opened up (3 TCP ports, including 443 and 1 UDP port). I discovered that Sophos treats this as a webserver so I went ahead and purchased the Webserver protection license and added that to my firewall. Unfortunately I still can't get this to work. I've tried researching this on the forums and knowledge base, but haven't found a good answer. It looks like I should be using the DNAT/Full NAT/Load Balancing Business Application template in order to configure the port list, but when I do this those ports still aren't showing up as Open when I run an external port scan (and the DVR app doesn't connect). I also tried use the Web Server Protection (WAF) rules, but it looks like that's really only designed for use with port 80 or 443. I did try configuring multiple rules using the Web Server Protection template; 1 for each port, and that worked as far as showing the ports open, but I still couldn't get the DVR app to work. Does anyone have any ideas as to why when I use the DNAT template the ports don't show as open? I'm running SFOS 16.01.2. Thanks!



  • Dan,

    for DVR you should DNAT and not Web Server (WAF). WAF is a module used to protect web servers (80/443) that use real web server components (IIS, Apache, Tomcat), because there are filters built to protect those components (I do not want to go deep into explaining how the WAF module works).

    Anyway you need to open the ports required by the DVR using DNAT template.

    Can you share how you opened the DNAT? Please post screenshots.

    Regards,

  • Here are the screenshots of the DNAT. I have two WAN Gateways (originally configured in Active/Backup), and I tried changing them to Active/Active (weighted 100 to 1 so the majority of traffic goes out the primary gateway) and using the DNAT to the second gateway, when I couldn't get it to work on the primary gateway and it still doesn't work. I've tried just about everything I can think of, so any help would be greatly appreciated!

  • Thanks Dan. Which Gateway is using the security zone where the DVR is attached?

    Also, does PORT 4 not have any Public IP address?

  • The Security zone isn't attached to either Gateway; it's a VLAN behind the firewall.

    Port 4 does have a public IP, I just removed it from the pictures.

    Thanks!

    Dan

  • Ok. Is the XG able to ping the DVR? And vice versa? Make sure that the XG knows how to reach that VLAN.

  • Yes, I've confirmed connectivity to/from the DVR to the XG. I don't understand why after implementing these rules a port scan still shows the ports as being closed. Any thoughts?

    Thanks - any input is appreciated.

    Regards,
    Dan

  • Port scans can be blocked by the XG. Try a telnet on those ports.

    Who is managing the VLAN? Also try to access the required ports externally while you are using the drop-packet-capture command from the XG console.

    Thanks
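
As an added example (not code posted in this thread), here is a small Python script that does what the telnet advice above suggests, but for a whole port list at once: from a host outside the firewall it attempts a TCP connect to each forwarded port and reports which ones complete a handshake. The public IP and the port numbers in the script are placeholders to replace with your own values; the UDP port the DVR vendor requires cannot be verified this way, because UDP has no handshake to observe. A completed handshake only proves the XG forwarded the SYN and something answered, which is exactly the distinction the thread is circling: ports can be reachable while the DVR application still fails for other reasons.

```python
import socket
from typing import Dict, Iterable


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Refused, timed out and unreachable all look "closed" from outside, so
    this only distinguishes "something answered" from "nothing answered".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Probe each port once and map port -> reachable."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def start_local_listener() -> socket.socket:
    """Open a listening TCP socket on 127.0.0.1 with an OS-chosen port.

    Used for an offline self-test: a local listener behaves like a forwarded
    port that answers, and closing it behaves like a port the firewall drops.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Placeholders: replace with your public IP and the vendor's TCP port list.
    PUBLIC_IP = "203.0.113.10"          # documentation address, not a real host
    DVR_TCP_PORTS = [443, 8000, 9000]   # assumed example ports, not from the thread
    for port, ok in check_ports(PUBLIC_IP, DVR_TCP_PORTS).items():
        print(f"{PUBLIC_IP}:{port} {'open' if ok else 'closed/filtered'}")
```

Run it from a network that is not behind the XG (a phone hotspot or a remote VPS), since testing from inside the LAN exercises hairpin NAT rather than the WAN-side DNAT rule. Pair the run with the drop-packet-capture on the XG console so you can see whether the inbound SYN arrives and, if it does, which rule drops it.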

  • I manage the network. I was assuming that the port scanners showing the ports closed were correct, since the DVR app won't connect either. I'll connect to another network and verify with telnet.


    Thanks

  • I verified remotely last night, using telnet, that the ports I designated using the DNAT rules are not open. So apparently the issue isn't with my rules; the XG just isn't opening the ports. I'm going to try a reboot after hours tonight and re-test. If the DNAT rules still aren't working then I'll open up a case with support and hope someone gets back to me who can actually help resolve the issue. I'll update if I get a resolution. Thanks for your input.

  • Dan,

    send me a PM and I will try to help you.

    Regards

  • I have connected to Dan's environment and all the BARs were correctly configured. No mistakes. Dan did not try for a couple of days (it was not working 2 days ago) and magically the XG started forwarding the traffic from WAN to the DVR device.

    It is strange. I remember another guy on the community having the same issue, and only after a couple of days did the XG start to allow traffic from WAN.

    I told Dan to turn the BAR off and on again and test if the traffic is allowed. The other advice was to open a ticket with Sophos Support.