
Sophos SG135 Admin Access on the WAN interface

Hi...

So I have a Sophos SG UTM (9.4) whose management interface I cannot access from the WAN side of the network. I've enabled the public IP for my remote network to have access in the Allowed Networks list. When I try to connect it times out. I even tried ANY and it still times out. The config is the same that I have done on our other SG boxes and they all work. The difference is that this box has an ISP router/firewall that is in a quasi “bridged” mode. I'm thinking the ISP box is blocking port 4444 but I have no way of knowing. Can I safely change the management port of the SG to port 443? The concern for all of this is that I have two new XG boxes going into my DC and if the VPN tunnel doesn't come up for some reason I have no way to remotely access the remote firewall to troubleshoot.

Thanks

Joe



  • Hi Joe,

    Before making the change execute tcpdump and check if the request reaches UTM from the remote network. Remember to change the ports for SSL VPN and User portal before changing the management port to 443.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
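To make the tcpdump check above concrete, here is an added example (not from the thread or from Sophos) that classifies a capture taken on the UTM's WAN interface into the three outcomes a troubleshooter cares about: no SYN ever arrived (the filtering is upstream, e.g. the ISP device), SYNs arrived but the UTM never answered (Allowed Networks or local rules), or the UTM did answer (the return path is suspect). The interface name eth1, the addresses 198.51.100.7 and 203.0.113.10, and the sample capture lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: triage a tcpdump capture taken on the UTM's WAN
# interface to see whether the remote admin's connection attempts arrive at all.
# Assumed names: eth1 is the UTM WAN interface, 198.51.100.7 the remote admin's public IP,
# 203.0.113.10 the UTM's WAN IP, 4444 the WebAdmin port. Capture on the UTM with, e.g.:
#   tcpdump -ni eth1 'tcp port 4444 and host 198.51.100.7' > /tmp/webadmin.cap
set -eu

# Reads tcpdump text lines on stdin; counts inbound SYNs to WebAdmin and the UTM's SYN-ACK replies.
# Prints one verdict keyword, a colon, and an explanation.
triage_capture() {
    remote="$1"; wan="$2"; port="$3"
    syn=0; synack=0
    while IFS= read -r line; do
        case "$line" in
            *" $remote."*" > $wan.$port: Flags [S],"*)  syn=$((syn + 1)) ;;       # client SYN reached the UTM
            *" $wan.$port > $remote."*": Flags [S.],"*) synack=$((synack + 1)) ;; # UTM answered with SYN-ACK
        esac
    done
    if [ "$syn" -eq 0 ]; then
        echo "no-syn-seen: nothing from $remote arrived on the WAN interface; look upstream (ISP device, remote side)"
    elif [ "$synack" -eq 0 ]; then
        echo "syn-dropped-locally: $syn SYN(s) arrived but the UTM never answered; check Allowed Networks and local firewall rules"
    else
        echo "handshake-answered: UTM replied to $synack of $syn SYN(s); if the client still times out, the return path is being filtered"
    fi
}

# Constructed sample captures (not real traffic) for the three situations.
CAP_EMPTY=''
CAP_SYN_ONLY='12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.4444: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 198.51.100.7.51234 > 203.0.113.10.4444: Flags [S], seq 1, win 64240, length 0'
CAP_ANSWERED="$CAP_SYN_ONLY
12:00:02.000200 IP 203.0.113.10.4444 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0"

# Demo run; on the real UTM replace the sample with: triage_capture ... < /tmp/webadmin.cap
printf '%s\n' "$CAP_EMPTY"    | triage_capture 198.51.100.7 203.0.113.10 4444
printf '%s\n' "$CAP_SYN_ONLY" | triage_capture 198.51.100.7 203.0.113.10 4444
printf '%s\n' "$CAP_ANSWERED" | triage_capture 198.51.100.7 203.0.113.10 4444
```

Run the capture while a colleague at the remote site retries the WebAdmin connection; the verdict tells you which side to chase before touching the management port at all.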

  • Thanks...

    Okay, so the management port affects the SSL VPN tunnels. We're not using SSL VPN but I assume I still need to change it?

  • You could also do a tunnel through SSH, and that is how I access the WebGUIs for my servers at my house. I utilize PuTTY and simply configure the ports and IP for the Tunnel under SSH. For example L5000 192.168.1.1:443, which would allow you to access the webGUI via https://127.0.0.1:5000

    SilverStone DS380 | AsRock C2750D4I | Alienware 18 In Win Chopin | SuperMicro A1SRi-2758F
    2.4gHz 8C C2750 ; 32GB ECC | 2.5gHz 4C i7 4710MQ ; 32GB 2.4gHz 8C C2758 ; 32GB ECC
    Vantec 4C USB3 PCIe UGT-PCE430-4C | 8GB AMD SLI R9 M290x |
    SSD  | 850 EVO: 120GB | 1TB ; mSATA: 1TB (2) | 850 Pro: 128GB ; 850 EVO: 1TB
    HDD | Seagate: { ST4000VN000 (8) } Z2 ; { HGST HTS721010A (3) } Z2 |
    FreeNAS 11.2 | { PNY Turbo USB3 32GB (2) } Mirror | Win 10 Pro | ESXi 6.7: Sophos UTM 9.6

    Various Wikis, Scripts, & Configs | Prebuilt OpenSSL Config

  • Sorry...I'm not following that but it did give me another idea. I could set up a client VPN connection and see if I can manage the firewall when connected to the VPN. Oddly...I haven't done a client VPN on the UTM 9...only the XG. Hope it is as easy.

  • Sorry, probably should have articulated that a bit better =]

    The management interface can be accessed through an SSH connection or via a VPN. Many don't realize they can also configure tunnel options for an SSH connection which allows one to access local WebGUIs of the device(s) they're SSHing into.

    For example, if one is using Windows and utilizing PuTTY as the SSH client:

    PuTTY

    Connection -> SSH -> Tunnels

    Source Port: 5000

    Arbitrary local port on the client PC, should be >1024

    Destination: 127.0.0.1:443

    This is the loopback IP of the UTM, as this is what the UTM uses internally when calling the WebAdmin webserver

    Once you successfully authenticate and are at the CLI of the UTM, open up a web browser and navigate to: https://127.0.0.1:5000

    https:// because the WebAdmin should only ever be accessible via ssl

    127.0.0.1: as this is the loopback IP of the client [Windows], which is what's utilized when connected to an SSH connection to access an additional tunnel

    5000 as this is the local port on Windows that will forward our request to the UTM to access the UTM's internal loopback IP and WebAdmin port

    While Sophos prefers to default its webadmin to 4444 for some reason, my advice is always to change that immediately [applicable to all web servers] as firewalls, whether they be personal or corporate, should block inbound and outbound requests across all protocols on port 4444. Port 4444 has more exploits that utilize it than actual legitimate uses of the port.

    Additionally, one can also utilize an SSH client, such as PuTTY, to perform a multi-hop SSH connection. A multi-hop would be: Remote device -> WAN SSH -> Router -> [multi-hop begins] -> LAN SSH -> Device on LAN (a bastion server performs a similar function).

    I believe there's a bug in the most recent version of PuTTY which prevents it from multi-hopping through Sophos; however, I know any Linux/BSD ssh client has no issue doing so (for example, I currently utilize JuiceSSH on my Nexus 6 running CM13 to multi-hop).

    Normally, to perform a multi-hop via PuTTY, one needs to configure both a local ssh profile for the end device [FreeNAS server] and a remote SSH profile for the WAN router [Sophos UTM]

    PuTTY Profiles

    -- each profile name must contain no spaces --

    Sophos UTM profile: SSH.Sophos.Remote

    FreeNAS Profile: SSH.FreeNAS

    SSH.FreeNAS

    Connection -> Proxy -> Telnet command, or local proxy command

    plink -v -load SSH.Sophos.Remote -nc %host:%port

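The PuTTY tunnel and plink multi-hop steps in the post above have direct OpenSSH equivalents, which matter because the poster notes that Linux/BSD clients multi-hop without trouble. The following is an added example, not the poster's or Sophos's code: one function builds the local-forward command for WebAdmin (binding the listener to the client's loopback only, and refusing privileged local ports as the post recommends), and one builds the multi-hop command using OpenSSH's ProxyJump, which plays the role of the plink -nc proxy command in PuTTY. The login name loginuser, the UTM WAN address 203.0.113.10, the LAN host 192.168.1.20 and the account admin on it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH equivalents of the PuTTY tunnel and multi-hop steps.
# Assumed values: loginuser is the UTM shell account, 203.0.113.10 the UTM WAN IP,
# admin@192.168.1.20 a FreeNAS box on the LAN behind the UTM. 4444 is the UTM's WebAdmin port.
set -eu

WEBADMIN_PORT=4444   # the forward targets 127.0.0.1 on the UTM itself, exactly as in the PuTTY Destination field

# Print the ssh command for a local forward to the UTM's WebAdmin.
# The listener is bound to 127.0.0.1 on the client so other hosts on the client's LAN cannot reach the tunnel,
# and privileged local ports (<1024) are refused because an unprivileged client cannot bind them anyway.
webadmin_tunnel_cmd() {
    local_port="$1"; login="$2"; utm="$3"
    if [ "$local_port" -le 1024 ]; then
        echo "local port must be above 1024" >&2
        return 1
    fi
    # -N: no remote shell, only the forward; -L bind:port:host:hostport as documented for OpenSSH
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' "$local_port" "$WEBADMIN_PORT" "$login" "$utm"
}

# Print the multi-hop command: -J (ProxyJump) hops through the UTM to a LAN host,
# the OpenSSH counterpart of PuTTY's "plink -load <profile> -nc %host:%port" proxy command.
multihop_cmd() {
    login="$1"; utm="$2"; lan_login="$3"; lan_host="$4"
    printf 'ssh -J %s@%s %s@%s\n' "$login" "$utm" "$lan_login" "$lan_host"
}

# Demo: print the two commands; run them by hand, then browse to https://127.0.0.1:5000 for the first.
webadmin_tunnel_cmd 5000 loginuser 203.0.113.10
multihop_cmd loginuser 203.0.113.10 admin 192.168.1.20
```

With the first command running, the browser URL is https://127.0.0.1:5000 just as in the PuTTY walkthrough; the certificate warning is expected because WebAdmin's certificate is not issued for 127.0.0.1.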

  • Thank you for the detailed instructions.


    Unfortunately everything we tried failed. We wound up adding the Google DNS servers as secondary and tertiary. That allowed the desktops behind the SG to have internet access, which then let us connect to them using LogMeIn.


    Lots and lots of issues with the XG appliance this weekend during the cutover.  Sigh....