
Sophos XG in vSphere/ESXi - can't access vmware host client through SSL VPN

I've set up Sophos XG in a VM on vSphere 6.5. Because I set up vSphere first, I assigned the admin interface a static IP address of 10.0.0.1. I then proceeded to set up XG and all seems to be working, more or less. When I'm on the LAN, I can connect to the Host Client for vSphere by entering https://10.0.0.1 in a browser. But for some reason, I cannot seem to connect when accessing through SSL VPN. When I SSH into the server on the LAN, I can ping it just fine, but can't seem to access the web interface.

When I set tunnel access for the VPN and created the firewall rule, I included the entire 10.0.0.0/255.255.255.0 subnet, so I'm a bit puzzled why I can't access 10.0.0.1. I'm sure I'm missing something rather basic, but if someone could point me in the right direction it would be most appreciated.



  • Try to create a LAN to VPN firewall rule too. Make sure on both rules (LAN to VPN and VPN to LAN) to remove any filter.

    Thanks

  • Thanks again. Yes, this is something that someone else had also suggested in response to a general question on getting VPN up and running. I have created the rule as you've suggested but alas, still no luck. The firewall log shows the packets from the remote connection to vSphere being allowed, but no ping, no access to the web host client. Hmm.

    I will perhaps apologize in advance for (yet another) dumb question, but might it have anything to do with the fact that the IP address for vSphere is a static IP address that was set in vSphere (and not as a static DHCP lease in Sophos)?

  • Stupid question? Does the vSphere host have XG configured as its default gateway?
    If not, enabling masquerade on the SSLVPN->LAN rule might be a workaround.

  • DMA0,

    Can you share the output of drop-packet-capture "port 443" while you are accessing the VMware ESXi?

    Does a telnet to ESXi on port 443 work?

    Make sure that ESXi is able to reach XG and vice-versa internally.

    Thanks.

  • Ah, yes. Someone else had mentioned (in response to a separate question) that NAT should be turned on. At the time I didn't think it was necessary but now I see why.

    And not a stupid question at all regarding the gateway. Sometimes in trying to figure all this stuff out, I don't see the forest for the trees. It should have been obvious that this was something I should have looked at. In any event, no, vSphere did not have the XG configured as its default gateway. To be honest I wasn't able to figure out or find how to set it as such. The management network port (vmk0) is linked to the physical NIC on a vswitch, which is also the same physical NIC that XG is linked to for the LAN.

    I was thinking of perhaps changing it to DHCP but was a bit worried that I'd have trouble accessing the vSphere management interface before booting up the XG VM. In any event, I turned on NAT for SSLVPN -> LAN and all is working just fine now.

    Thanks! 

  • Thanks Luk, sixteen again's note was able to resolve the problem for me, so it looks like there's no need. I do appreciate it, though.
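Why the masquerade fixed it, as an added example that is not part of the original thread and is not Sophos or VMware code: a small routing model of the topology above. Only 10.0.0.1 (the ESXi host) and 10.0.0.0/24 (the LAN) come from the thread; the XG LAN address 10.0.0.254, a second router 10.0.0.253 standing in for "whatever ESXi's default gateway actually was", the SSL VPN pool 10.81.234.0/24 and the client and LAN-host addresses are assumptions. It reproduces the exact symptom reported (request allowed in the firewall log, no reply) and shows both remedies discussed: masquerading the SSLVPN->LAN rule, or pointing ESXi's default gateway at the XG.

```python
"""Routing model of the thread's problem: ESXi's reply to a VPN client goes to
ESXi's default gateway unless the request looked like it came from the LAN.

Added example, not from the original thread, Sophos or VMware. Only 10.0.0.1
and 10.0.0.0/24 are from the thread; every other address is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("10.0.0.0/24")
ESXI = IPv4Address("10.0.0.1")
XG_LAN_IP = IPv4Address("10.0.0.254")      # assumed: XG's LAN-side address
OTHER_GW = IPv4Address("10.0.0.253")       # assumed: the non-XG router ESXi was pointed at
VPN_POOL = IPv4Network("10.81.234.0/24")   # assumed: SSL VPN client lease range
VPN_CLIENT = IPv4Address("10.81.234.6")    # assumed: one remote SSL VPN client
LAN_HOST = IPv4Address("10.0.0.50")        # assumed: the box the poster SSHed into


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Result:
    request_seen_by_xg: bool  # the "allowed" line in the XG firewall log
    reply_seen_by_xg: bool    # whether drop-packet-capture "port 443" shows a SYN/ACK coming back
    delivered: bool           # whether the client ever gets its reply


def esxi_next_hop(pkt: Packet, default_gw: IPv4Address) -> IPv4Address:
    """vmk0 has one connected route (10.0.0.0/24) and one default route."""
    return pkt.dst if pkt.dst in LAN else default_gw


def xg_vpn_to_lan(pkt: Packet, masquerade: bool) -> Packet:
    """The SSLVPN->LAN rule. With masquerade (SNAT) the LAN sees XG's own address as source."""
    return Packet(XG_LAN_IP if masquerade else pkt.src, pkt.dst)


def simulate(src: IPv4Address, esxi_default_gw: IPv4Address, masquerade: bool) -> Result:
    """Follow one request from `src` to ESXi and ESXi's reply, hop by hop."""
    if src in LAN:
        # Same segment, so XG is not on the path in either direction: this is
        # why ping and https from the LAN host always worked.
        return Result(request_seen_by_xg=False, reply_seen_by_xg=False, delivered=True)

    request = xg_vpn_to_lan(Packet(src, ESXI), masquerade)
    reply = Packet(ESXI, request.src)          # ESXi answers whatever source it saw
    hop = esxi_next_hop(reply, esxi_default_gw)

    # XG gets the reply either because it is the SNAT address (on-link) or because
    # it is ESXi's default gateway for the off-link VPN pool. Any other next hop
    # has no route back into the tunnel, so the reply is lost: "allowed, but no ping".
    reply_seen_by_xg = hop == XG_LAN_IP
    return Result(True, reply_seen_by_xg, reply_seen_by_xg)


def scenarios() -> dict:
    """The four cases discussed in the thread, keyed by a short label."""
    return {
        "lan host, any gateway":           simulate(LAN_HOST, OTHER_GW, masquerade=False),
        "vpn, other gw, no masquerade":    simulate(VPN_CLIENT, OTHER_GW, masquerade=False),  # the original failure
        "vpn, other gw, masquerade":       simulate(VPN_CLIENT, OTHER_GW, masquerade=True),   # the fix that was applied
        "vpn, xg as gw, no masquerade":    simulate(VPN_CLIENT, XG_LAN_IP, masquerade=False), # the alternative fix
    }


if __name__ == "__main__":
    for label, r in scenarios().items():
        print(f"{label:32} request@XG={r.request_seen_by_xg!s:5} "
              f"reply@XG={r.reply_seen_by_xg!s:5} delivered={r.delivered}")
```

The two remedies are not equivalent from an audit standpoint: with masquerade every SSL VPN user shows up in ESXi's own logs as 10.0.0.254 (the assumed XG LAN address), so if you need to attribute management-plane logins to individual remote users, the gateway fix is the better one. On ESXi the management default gateway is set from the DCUI (Configure Management Network, IPv4 Configuration) or from the shell with `esxcli network ip route ipv4 add -g <xg-lan-ip> -n default`; if you go that way, keep in mind that the XG VM must be up before anything off the LAN can reach vmk0, which is the dependency the poster was worried about.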