Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 13 replies
  • Subscribers 3 subscribers
  • Views 11651 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSTP / PPTP on our server

Mateusz Bender

I've just started using Sophos, and basic functionality works.

Unfortunately I'm having issues enabling outside access to our PPTP / SSTP server. UTM doesn't have SSTP at all, and the PPTP requires the use of local users (we already have everything set up via AD on our VPN server).

My first instinct was to try and use DNAT, but it seems this isn't working. The initial packet seems to go through fine, but the connection cannot be established, in the end.

The VPN server has an internal DNS "srv-vpn-p01" with IP 10.150.1.11. I've tried creating the following DNAT rules:
Any->PPTP->public IP
Destination translation: srv-vpn-p01

The above is for the PPTP. I've also tried the same for SSTP (setting it up as a simple service using port 443).

Turning on logging for those DNAT rules, I get the following in the Firewall logs:

15:22:34     NAT rule #1     TCP           62.21.53.132     :     52483    →     91.227.197.59     :     1723    [SYN]     len=52     ttl=122     tos=0x00     srcmac=4c:5e:0c:c8:e0:07     dstmac=00:1a:8c:44:af:5d

Where NAT rule #1 is the auto-generated firewall rule based off the DNAT rule.

What am I missing?



This thread was automatically locked due to age.
  • 0

    Hi,

    Show us the picture of configuration and correct me if I am wrong. Are you trying to allow access to an internal server situated behind the UTM from the WAN?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Yes, the VPN server (SSTP) is in our LAN and clients are trying to access it from the WAN. We USED to use Forefront TMG as our firewall, and said Forefront was responsible for routing requests to the VPN server.


    The SSTP service is a TCP/UDP service running on 443.

    If there's anything else I can screenshot, let me know.

    I'd be awesome if Sophos had support for SSTP itself, but... well, it doesn't. :(

    PS. In the screenshot above there's also a (pointless) service translation from SSTP -> SSTP in that rule. Out of desperation I was trying to use other things as well...

  • +1 in reply to Mateusz Bender

    Hi Mateusz,

    Instead of using the vpn.rcrm.pl as the destination address, configure the External WAN (address). Any help?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thanks for the suggestion, but it's still not working. :(

  • 0 in reply to Mateusz Bender

    Hi Mateusz,

    Show me the the packet filter logs. Refer community.sophos.com/.../115029

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    I'd love to, but the link you posted seems to cause a runtime error.

    I'm assuming you want something OTHER than what is available when looking at the Firewall log (either live or historic). The latter just shows a successful connection from my home machine (which I'm using to test the whole SSTP issue ATM) to out WAN IP.

    Something like this:

    17:17:57     NAT rule #1     TCP      62.21.53.132     :     56340    →     91.227.197.59     :     443     [SYN]     len=52     ttl=122     tos=0x00     srcmac=4c:5e:0c:c8:e0:07     dstmac=00:1a:8c:44:af:5d

    Alas, after that, there's nothing else related to my home IP (53.132)...

    If the above is not what you need (as I assume), then I'll post it as soon as I know which logs are you talking about exactly and how to get them.

  • +1 in reply to Mateusz Bender

    Aeh, that was full-stop at the end of the link which caused the runtime error. Firewall logs are abbreviated log lines which are good for a quick look up but, for troubleshooting, we would require the full logs. 

    To get the packetfilter.log, SSH to the UTM and execute:

    cd /var/log

    tail -f packetfilter.log | grep x.x.x.x (destination IP/ source IP)

    Finally, what is the SSTP port defined in the UTM. Can you show us the service host definition and if the request actually hits the UTM on the configured port.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thanks for clearing it up. I was a bit nervous, didn't spot the . at the end myself (that, and the runtime error in that case is... kind of misleading).

    Anyway, I've checked the packet log, and here's the relevant entry:

    2017:04:10-18:51:06 srv-gw-p08 ulogd[4478]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="eth1" srcmac="4c:5e:0c:c8:e0:07" dstmac="00:1a:8c:44:af:5d" srcip="62.21.53.132" dstip="91.227.197.59" proto="6" length="52" tos="0x00" prec="0x00" ttl="122" srcport="50607" dstport="443" tcpflags="SYN"

    From what I've learned about Sophos, the rule 62001 is the default drop rule. So, it seems that the packet is being dropped. Which is strange, because I've tried adding that exact allow rule manually to the firewall. I.e. allow any incoming IPv4 onto External Address on port 443.

    The SSTP is defined simply as a port 443 service using TCP / UDP. In theory I could use the default HTTPS service (which is that, but limited to TCP). I created the TCP / UDP out of desperation...

  • 0 in reply to Mateusz Bender

    By default, port 443 is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCPport of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Uhm... I'm PRETTY sure I both disabled the user portal AND changed its port when trying to use that DNAT...

    Albeit, on reflection, I changed it to 4433, which threw an error when attempting to turn the portal back on - no clue WHY that port wouldn't work, however - the error was rather cryptic: The TCP port '4433' is already in use by the port.

    EDIT: Yeah, I just checked. I changed the User portal port to something else (44333) and even changed the default SSL VPN port. The problem persists.

    EDIT 2: I've noticed that the log states "Packet logged", not "Packet dropped". So... it seems the rule is OK? I'm so confused right now. :\

Unfiltered HTML