Open Port 80 and 442 to two specific IP addresses

Good morning. 

Admittedly, I am very green at the Sophos UTM-9 interface. We have recently taken over maintenance of this device, and have found that a significant portion of our traffic for our operations software (which is cloud hosted) needs to pass through ports 80 and 442. There are two static IP addresses that need to be able to pass through to our internal network (all PCs on the network), as well as having outbound traffic be allowed to those two external IPs as well.

I've been looking through the forum here, as well as doing other research, and am doing nothing more than getting more confused.

I know that I need to create two DNATs for this, but also don't want to put the internal network at a high risk.

Can anyone help?  



This thread was automatically locked due to age.
  • I assume you meant port 443 (the normal port for https), not port 442.

    Outbound to the cloud:

    You need a Masquerading definition to convert internal private-IP addresses to an Internet address.  I assume that this is already configured.

    Outbound web traffic is normally allowed. If it is blocked, it would be best to understand why, by reviewing the logs to understand what caused the connection to be blocked. However, it is easy enough to bypass everything. I recommend the following process:

    • Create a Website object, create a new tag, and assign the tag to the Website object. Make up a meaningful Tag name, such as "Corporate Cloud Sites." To whitelist all of the servers in mydomain.com, make the website name "mydomain.com" and check the box for "include subdomains". Alternatively, leave the box unchecked and list each host name individually.
    • Create an Exception object, disabling everything or only the items that are problematic, then configure the Exception for "Going to websites Tagged as" your new Tag name.

    Tags are much safer and easier than regular expressions.  It is very difficult to know that a regular expression allows exactly what you intend, nothing more and nothing less.   We stopped using regular expressions after we discovered some unwanted traffic that was accidentally being allowed.

    In my experience, a bypass-all exception works the same as skiplists, and is much easier for system administration, because it applies equally well to Standard and Transparent proxy modes.  (I use both modes together, and recommend you do the same.)

    UTM has a connection tracker, so replies from the Cloud will be allowed without any special configuration.


    Inbound from the Internet:

    If I understand the problem, you need to allow inbound traffic from your two servers in the cloud.

    You create a SNAT rule that maps the cloud server IP address to an internal IP address (or a DNAT rule in the other direction).   The internal IP address has to be chosen so that internal traffic for that address will naturally route to the UTM. 

    Then you also need a firewall rule to allow the traffic.

    Does that help?

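The inbound part of the answer above (a DNAT for the two cloud servers on 80/443 to one internal host, a matching allow rule, and the connection tracker letting replies back out) modelled as an added example; this is not Sophos UTM code, and every address below is a constructed placeholder.

```python
# Constructed model of the policy described in the answer: DNAT for two
# cloud servers on 80/443 to one internal host, an allow rule with the same
# narrow match, and a connection tracker so replies need no extra rule.
# Example code only, not Sophos UTM's implementation; addresses are assumed.
from ipaddress import ip_address

CLOUD_SERVERS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}  # assumed
WAN_ADDRESS = ip_address("198.51.100.5")   # UTM external interface (assumed)
INTERNAL_HOST = ip_address("10.0.0.20")    # DNAT target on the LAN (assumed)
ALLOWED_PORTS = {80, 443}                  # 443, not 442, as the answer notes


class PolicyModel:
    def __init__(self):
        # (src, sport, dst, dport) of accepted inbound flows, post-NAT
        self.conntrack = set()

    def inbound(self, src, dst, dport, sport):
        """Packet arriving from the Internet. Returns (verdict, post-NAT dst)."""
        src, dst = ip_address(src), ip_address(dst)
        # DNAT: only the two cloud servers hitting the WAN address on 80/443
        # are rewritten to the internal host; anything else keeps its dst.
        if src in CLOUD_SERVERS and dst == WAN_ADDRESS and dport in ALLOWED_PORTS:
            dst = INTERNAL_HOST
        # Firewall rule: the DNAT alone does not permit traffic. Allow only
        # the same source/destination/port combination, nothing wider.
        if src in CLOUD_SERVERS and dst == INTERNAL_HOST and dport in ALLOWED_PORTS:
            self.conntrack.add((src, sport, dst, dport))
            return "ACCEPT", str(dst)
        return "DROP", str(dst)

    def outbound(self, src, dst, dport, sport):
        """Packet from the LAN toward the Internet. Returns the verdict."""
        src, dst = ip_address(src), ip_address(dst)
        # Reply to a tracked inbound flow: allowed with no dedicated rule.
        if (dst, dport, src, sport) in self.conntrack:
            return "ACCEPT (established)"
        # New outbound web traffic to the cloud servers (masqueraded on egress).
        if dst in CLOUD_SERVERS and dport in ALLOWED_PORTS:
            return "ACCEPT"
        return "DROP"


def demo():
    fw = PolicyModel()
    return [
        fw.inbound("203.0.113.10", "198.51.100.5", 443, 51000)[0],  # cloud server
        fw.inbound("192.0.2.99", "198.51.100.5", 443, 51001)[0],    # other host
        fw.inbound("203.0.113.11", "198.51.100.5", 22, 51002)[0],   # wrong port
        fw.outbound("10.0.0.20", "203.0.113.10", 51000, 443),       # reply
    ]
```

Running `demo()` shows the third-party host and the off-port probe dropped while the cloud server's request and its reply pass, which is the risk limit the original poster was asking for.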