
Exchange not working through VPN

I can't explain this at all and am really baffled.

I finally got an IPsec VPN tunnel set up to the Fortigate at the office. For some reason (I think I know why) the clients can connect to the remote network but not the Sophos. Not a big deal, I set up my DHCP server to give the office DNS server to my laptop (my wife doesn't need it, so keep it simple).

Everything works great, EXCEPT Exchange. Outlook can't connect, and I can't connect to OWA or anything else. In IE I get a 502 Bad Gateway error. Nothing else.

If I go to the public IP of the Exchange server everything works. But using the internal IP nothing works.


IE gives me a 502 Bad Gateway; Chrome and Firefox just can't load the page.

I can ping the mail server, and I can telnet to the mail server on port 443 and it "appears" to work. I can tcping the server on port 443, and I can even use openssl and get the (correct) certificate from the mail server. But that is it. I can't get to OWA, Outlook can't connect, nothing.


Does anybody have any idea/suggestions?

  • Nsumner,

    can you explain better your network? Where is the Sophos XG located?

    Behind the Fortigate?

    Thanks

  • Sorry,


    At my house is the Sophos XG, and at the office is the Fortigate. Home network 192.168.17.0/24, office network 172.16.0.0/16. Exchange 2013 (cluster).

  • Thanks.

    Did you create LAN to VPN and VPN to LAN firewall rules? Make sure to untick HTTPS scanning.

    The other idea is to disable micro-app discovery from the console:

    system application_classification microapp-discovery off

    If that does not work, do you see something inside the log?

    Thanks

    I have the firewall rules in place, obviously (otherwise nothing would work). I don't have HTTPS scanning or any other scanning taking place on those rules (including application scanning), hence the whole discussion about micro-app discovery seems irrelevant.


    I can ping the server, and I can even RDP to the server. It is just HTTPS traffic to the internal IP of the server.

  • Thanks Nsumner.

    If you are accessing your email server by FQDN, verify whether pharming protection is enabled under Web > Advanced.

    If it is enabled, disable it and check again.

    Regards

  • So the pharming protection was preventing you from reaching the remote site because you tried to access it using the hostname.

    Is there any plan to improve pharming protection?

    For example, create a DNS host entry on XG for situations like Sumner's, so we do not need to disable pharming protection at all?

    Also, XG should log somewhere that pharming protection blocked the user's DNS request.

    Hope to get more info regarding it from you.

    I have seen several threads where people had to disable the pharming protection feature (which is unsafe).

    Regards

  • Firstly, Luk, thanks for your help.


    Just to clarify for any other users looking here, the pharming protection setting is under:


    Web --> Protection, under Malware scanning, select Advanced.
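To make the explanation in the thread concrete, below is an added Python model of a DNS-consistency check of the kind pharming protection performs, together with the DNS host-entry workaround proposed above. This is hypothetical code written for this thread, not Sophos XG's implementation; it assumes the proxy re-resolves the hostname from the request with its own resolver and blocks when that answer differs from the address the client connected to. All hostnames and addresses are constructed samples.

```python
"""Model of a DNS-consistency ("pharming protection") check on a web proxy.

Hypothetical code written for this thread, not Sophos XG's implementation.
Assumption: the proxy re-resolves the request's Host header with its own
resolver and blocks when that answer differs from the address the client
connected to. All names and addresses below are constructed samples.
"""
import ipaddress

# Constructed sample data. The home client receives the office DNS server via
# DHCP, so it resolves the mail host to the Exchange server's private address;
# the firewall's own resolver still returns the public record.
OFFICE_DNS = {"mail.example.test": "172.16.10.25"}
PUBLIC_DNS = {"mail.example.test": "203.0.113.25"}


def pharming_check(host_header, dest_ip, resolver, host_entries=None):
    """Return ('allow' | 'block', reason) for one proxied HTTPS request.

    host_header:  name (or IP literal) the browser put in the request
    dest_ip:      address the client actually connected to
    resolver:     the proxy's own DNS view (dict name -> address)
    host_entries: optional local DNS host entries consulted before resolver
    """
    dest = ipaddress.ip_address(dest_ip)
    name = host_header.lower()

    # A request made by raw IP carries nothing to re-resolve; it only has to
    # match the destination. This models why the public-IP URL kept working.
    try:
        literal = ipaddress.ip_address(name)
    except ValueError:
        literal = None
    if literal is not None:
        if literal == dest:
            return ("allow", "IP literal matches destination")
        return ("block", "IP literal does not match destination")

    overrides = host_entries or {}
    answer = overrides.get(name) or resolver.get(name)
    if answer is None:
        return ("block", f"{name} does not resolve on the proxy")
    if ipaddress.ip_address(answer) == dest:
        return ("allow", f"{name} -> {answer} matches destination")
    return ("block", f"{name} -> {answer} on proxy, client connected to {dest}")


def client_request(host, client_dns):
    """The browser resolves the name with its own DNS and connects there."""
    return host, client_dns[host.lower()]


def simulate(host_entries=None):
    """Run the thread's scenario: home client using office DNS, proxy using public DNS."""
    host, dest = client_request("mail.example.test", OFFICE_DNS)
    return pharming_check(host, dest, PUBLIC_DNS, host_entries)


if __name__ == "__main__":
    # Mismatch between the two DNS views: the request is blocked (the 502).
    print("no override:     ", simulate())
    # A local host entry on the proxy for the internal address removes the
    # mismatch without turning the protection off.
    print("with host entry: ", simulate({"mail.example.test": "172.16.10.25"}))
    # Browsing to the public IP directly is not subject to re-resolution.
    print("by public IP:    ", pharming_check("203.0.113.25", "203.0.113.25", PUBLIC_DNS))
```

The host-entry branch is the part worth noting: a local override that resolves the mail host to its internal address on the firewall side keeps the consistency check enabled while letting split-view DNS work for VPN clients, which is the alternative to disabling the feature that the thread asks for.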
