
Sophos SG135 Admin Access on the WAN interface

Hi...

So I have a Sophos SG UTM (9.4) whose management interface I cannot access from the WAN side of the network. I've added the public IP of my remote network to the Allowed Networks list. When I try to connect, it times out. I even tried ANY and it still times out. The config is the same as what I have done on our other SG boxes, and they all work. The difference is that this box has an ISP router/firewall that is in a quasi "bridged" mode. I'm thinking the ISP box is blocking port 4444, but I have no way of knowing. Can I safely change the management port of the SG to port 443? The concern behind all of this is that I have two new XG boxes going into my DC, and if the VPN tunnel doesn't come up for some reason I have no way to remotely access the remote firewall to troubleshoot.

Thanks

Joe

  • You could also do a tunnel through SSH, which is how I access the web GUIs for my servers at my house. I use PuTTY and simply configure the ports and IP for the tunnel under SSH. For example, L5000 192.168.1.1:443, which would allow you to access the web GUI via https://127.0.0.1:5000.

  • Sorry, I'm not following that, but it did give me another idea. I could set up a client VPN connection and see if I can manage the firewall when connected to the VPN. Oddly, I haven't done a client VPN on the UTM 9, only the XG. Hope it is as easy.

  • Sorry, probably should have articulated that a bit better =]

    The management interface can be accessed through an SSH connection or via a VPN. Many don't realize they can also configure tunnel options for an SSH connection, which allow one to access the local web GUIs of the device(s) they're SSHing into.

    For example, if one is using Windows and utilizing PuTTY as the SSH client:

    PuTTY

    Connection -> SSH -> Tunnels

    Source Port: 5000

    An arbitrary local port on the client PC; it should be >1024.

    Destination: 127.0.0.1:443

    This is the loopback IP of the UTM, as this is what the UTM uses internally when calling the WebAdmin web server.

    Once you successfully authenticate and are at the CLI of the UTM, open up a web browser and navigate to: https://127.0.0.1:5000

    https:// because the WebAdmin should only ever be accessible via SSL.

    127.0.0.1 because this is the loopback IP of the client [Windows], which is what is used, while connected over SSH, to access the additional tunnel.

    5000 because this is the local port on Windows that will forward our request to the UTM, reaching the UTM's internal loopback IP and WebAdmin port.

    While Sophos prefers to default its WebAdmin to 4444 for some reason, my advice is always to change that immediately [applicable to all web servers], as firewalls, whether personal or corporate, should block inbound and outbound requests across all protocols on port 4444. Port 4444 has more exploits that utilize it than actual legitimate uses of the port.

    Additionally, one can also use an SSH client such as PuTTY to perform a multi-hop SSH connection. A multi-hop would be: Remote device -> WAN SSH -> Router -> [multi-hop begins] -> LAN SSH -> Device on LAN (a bastion server performs a similar function).

    I believe there's a bug in the most recent version of PuTTY which prevents it from multi-hopping through Sophos; however, I know any Linux/BSD SSH client has no issue doing so (for example, I currently use JuiceSSH on my Nexus 6 running CM13 to multi-hop).

    Normally, to perform a multi-hop via PuTTY, one needs to configure both a local SSH profile for the end device [FreeNAS server] and a remote SSH profile for the WAN router [Sophos UTM].

    PuTTY Profiles

    -- each profile name must contain no spaces --

    Sophos UTM profile: SSH.Sophos.Remote

    FreeNAS Profile: SSH.FreeNAS

    SSH.FreeNAS

    Connection -> Proxy -> Telnet command, or local proxy command

    plink -v -load SSH.Sophos.Remote -nc %host:%port
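The same two things the PuTTY walkthrough above configures by hand, the local port forward to the UTM's loopback WebAdmin port and the multi-hop through the UTM to a LAN host, expressed with OpenSSH. This is an added example, not code from the thread or from Sophos. It assumes a hypothetical UTM WAN address 203.0.113.10, the UTM shell account "loginuser", WebAdmin on 127.0.0.1:4444 (the UTM default the post mentions; set WEBADMIN_PORT if you moved it, or use 443 to match the PuTTY destination shown above), and a hypothetical LAN host 192.168.1.20 reachable only from the UTM. With DRY_RUN=1 each function prints the command it would run instead of running it, so the wiring can be checked without a live UTM.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the PuTTY tunnel and multi-hop settings
# described in the thread. All hosts, users and ports below are assumptions.
UTM_HOST="${UTM_HOST:-203.0.113.10}"      # hypothetical UTM WAN address
UTM_USER="${UTM_USER:-loginuser}"         # UTM shell account (assumed)
WEBADMIN_PORT="${WEBADMIN_PORT:-4444}"    # WebAdmin port on the UTM loopback
LOCAL_PORT="${LOCAL_PORT:-5000}"          # local port on the client, >1024

# Run the command, or with DRY_RUN=1 print it (used for offline checking).
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Single hop, equivalent to PuTTY "Source Port 5000 -> Destination 127.0.0.1:<port>".
# The UTM's sshd is what connects to 127.0.0.1:WEBADMIN_PORT, so WebAdmin never
# has to listen on the WAN. -N: no remote shell, just the forward.
# Binding the local side to 127.0.0.1 keeps other hosts on the client's LAN
# from using the tunnel; ExitOnForwardFailure makes ssh exit instead of
# silently connecting without the forward when LOCAL_PORT is already taken.
webadmin_tunnel() {
    run_or_print ssh -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${LOCAL_PORT}:127.0.0.1:${WEBADMIN_PORT}" \
        "${UTM_USER}@${UTM_HOST}"
}

# Check from a second terminal once the tunnel is up: WebAdmin answers on the
# client loopback. -k because the UTM's WebAdmin certificate will not match
# 127.0.0.1; any HTTP status (200 or a redirect) proves the forward works,
# whereas a connection refused means the tunnel is not listening.
check_tunnel() {
    run_or_print curl -k -s -o /dev/null -w '%{http_code}' \
        "https://127.0.0.1:${LOCAL_PORT}/"
}

# Multi-hop, equivalent to the PuTTY proxy command
# "plink -load SSH.Sophos.Remote -nc %host:%port": the UTM is the jump host.
# The equivalent ~/.ssh/config entry would be
#   Host freenas
#       HostName 192.168.1.20
#       ProxyJump loginuser@203.0.113.10
lan_host_via_utm() {
    target_user="$1"
    target_host="$2"
    run_or_print ssh -J "${UTM_USER}@${UTM_HOST}" "${target_user}@${target_host}"
}

# Usage (live):
#   webadmin_tunnel &            then browse to https://127.0.0.1:5000
#   check_tunnel                 expect an HTTP status code, not "000"
#   lan_host_via_utm root 192.168.1.20
```

Keep the Allowed Networks restriction on the UTM's SSH service as tight as the one intended for WebAdmin: the tunnel only removes the need to expose WebAdmin itself, it does not make the SSH listener any less reachable from the WAN.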

  • Thank you for the detailed instructions. 

    Unfortunately everything we tried failed. We wound up adding the Google DNS servers as secondary and tertiary. That allowed the desktops behind the SG to have internet access, which then let us connect to them using LogMeIn.

    Lots and lots of issues with the XG appliance this weekend during the cutover. Sigh...