All,
(XG v16.05.2 XG125)
I have an internal terminal server (Win 2008 R2) with a business rule from the external WAN interface, port 9001, mapped to port 3389.
My outcome was to enable users to have a single RDP connection shortcut, say remote.xyz.com.au:9001, which allows access to the term server from within the LAN or when external to the network. In past experience I enabled blanket half-NAT (half-pipe) as a global feature and was done with it.
The Sophos model appears to enable it per rule.
-----
rule
-----
rule:
source: WAN
allowed client networks: ANY
destination & service: destination host/network: #PORT2 (one of the WAN interfaces we use on this site)
forward type: port
server port: 9001/tcp
forward to: <network object for termserver IP>
mapped port type: port
mapped port: 3389
protected zone: zone
intrusion prevention: <does not matter if I have this enabled with a selective policy or set to none>
routing (create reflexive rule): <!!! THIS IS THE PROBLEM !!!>
I found the following:
(1) When you have the reflexive rule disabled, all works (business rule, external web browsing, normal ping latency of about 85ms).
(2) When you have the reflexive rule ENABLED:
- the business rule allows the remote connection to the term server, but the response is very slow
- external web browsing does not work
- normal ping latency of about 85ms rockets up to 600ms (shows in 8.8.8.8 ping times)
(3) I also tried "rewrite source address (masquerading)", but it did not assist with any reflexive rule being enabled.
Checked for reference links on the site / Google and nothing noted. What am I missing??
On a side note, I spent many hours in the Sophos training videos and class-based training for XG.
Thanks.
Wayne
Australia
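A repeatable way to quantify the symptoms described in the post (slow RDP connection, no external browsing, latency jump) is to time bare TCP handshakes to the forwarded port from inside the LAN and from outside, once with the reflexive rule off and once with it on. The script below is an added example, not part of the post or of Sophos XG; it sends no application data, so it is safe against a production terminal server. To keep it runnable offline it spins up a local listener as a constructed stand-in for the forwarded port; the host name remote.xyz.com.au and port 9001 from the post are the values you would substitute for a real run.

```python
import socket
import threading
import time
from typing import Dict, Optional


def tcp_connect_latency(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """Time a single TCP handshake to host:port.

    Returns {'reachable': bool, 'latency_ms': float|None, 'error': str|None}.
    Only the handshake is measured; nothing is sent after connect, so the
    check never talks RDP to the server behind the NAT rule.
    """
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            elapsed_ms = (time.perf_counter() - start) * 1000.0
        return {"reachable": True, "latency_ms": round(elapsed_ms, 2), "error": None}
    except OSError as exc:
        return {"reachable": False, "latency_ms": None, "error": str(exc)}


def sample_connect_latency(host: str, port: int, samples: int = 5,
                           timeout: float = 5.0) -> Dict[str, object]:
    """Repeat the handshake measurement and summarise min/avg/max in ms.

    Run this from a LAN client and from an external client, with the
    reflexive rule disabled and then enabled, and compare the summaries.
    """
    results = [tcp_connect_latency(host, port, timeout) for _ in range(samples)]
    latencies = [r["latency_ms"] for r in results if r["reachable"]]
    return {
        "host": host,
        "port": port,
        "samples": samples,
        "successes": len(latencies),
        "min_ms": min(latencies) if latencies else None,
        "avg_ms": round(sum(latencies) / len(latencies), 2) if latencies else None,
        "max_ms": max(latencies) if latencies else None,
    }


def start_local_listener(port: int = 0):
    """Constructed stand-in for the forwarded port so the example runs offline.

    Binds 127.0.0.1 on the given port (0 = pick a free one), accepts and
    immediately closes connections. Returns (bound_port, stop_callable).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]
    stop = threading.Event()

    def serve() -> None:
        srv.settimeout(0.2)  # poll so the thread notices the stop flag
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return bound_port, stop.set


if __name__ == "__main__":
    # For a real run replace the listener with the external name and port from
    # the post, e.g. sample_connect_latency("remote.xyz.com.au", 9001).
    local_port, stop_listener = start_local_listener()
    print(sample_connect_latency("127.0.0.1", local_port))
    stop_listener()
```

A handshake that succeeds slowly from outside but quickly from inside points at the return path (the rule's SNAT/reflexive side) rather than at the server; a handshake that fails outright alongside broken external browsing suggests the reflexive rule is catching traffic it should not, which is the symptom set the post reports.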