
SSTP / PPTP on our server

I've just started using Sophos, and basic functionality works.

Unfortunately I'm having issues enabling outside access to our PPTP / SSTP server. UTM doesn't have SSTP at all, and the PPTP requires the use of local users (we already have everything set up via AD on our VPN server).

My first instinct was to try and use DNAT, but it seems this isn't working. The initial packet seems to go through fine, but the connection cannot be established, in the end.

The VPN server has an internal DNS "srv-vpn-p01" with IP 10.150.1.11. I've tried creating the following DNAT rules:
Any->PPTP->public IP
Destination translation: srv-vpn-p01

The above is for the PPTP. I've also tried the same for SSTP (setting it up as a simple service using port 443).

Turning on logging for those DNAT rules, I get the following in the Firewall logs:

15:22:34     NAT rule #1     TCP           62.21.53.132     :     52483    →     91.227.197.59     :     1723    [SYN]     len=52     ttl=122     tos=0x00     srcmac=4c:5e:0c:c8:e0:07     dstmac=00:1a:8c:44:af:5d

Where NAT rule #1 is the auto-generated firewall rule based off the DNAT rule.

What am I missing?



This thread was automatically locked due to age.
  • Hi,

    Show us the picture of configuration and correct me if I am wrong. Are you trying to allow access to an internal server situated behind the UTM from the WAN?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Yes, the VPN server (SSTP) is in our LAN and clients are trying to access it from the WAN. We USED to use Forefront TMG as our firewall, and said Forefront was responsible for routing requests to the VPN server.


    The SSTP service is a TCP/UDP service running on 443.

    If there's anything else I can screenshot, let me know.

    It'd be awesome if Sophos had support for SSTP itself, but... well, it doesn't. :(

    PS. In the screenshot above there's also a (pointless) service translation from SSTP -> SSTP in that rule. Out of desperation I was trying to use other things as well...

  • Hi Mateusz,

    Instead of using the vpn.rcrm.pl as the destination address, configure the External WAN (address). Any help?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks for the suggestion, but it's still not working. :(

  • Hi Mateusz,

    Show me the packet filter logs. Refer community.sophos.com/.../115029

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I'd love to, but the link you posted seems to cause a runtime error.

    I'm assuming you want something OTHER than what is available when looking at the Firewall log (either live or historic). The latter just shows a successful connection from my home machine (which I'm using to test the whole SSTP issue ATM) to our WAN IP.

    Something like this:

    17:17:57     NAT rule #1     TCP      62.21.53.132     :     56340    →     91.227.197.59     :     443     [SYN]     len=52     ttl=122     tos=0x00     srcmac=4c:5e:0c:c8:e0:07     dstmac=00:1a:8c:44:af:5d

    Alas, after that, there's nothing else related to my home IP (53.132)...

    If the above is not what you need (as I assume), then I'll post it as soon as I know which logs are you talking about exactly and how to get them.

  • Aeh, that was the full stop at the end of the link which caused the runtime error. Firewall logs are abbreviated log lines which are good for a quick look-up but, for troubleshooting, we would require the full logs.

    To get the packetfilter.log, SSH to the UTM and execute:

    cd /var/log

    tail -f packetfilter.log | grep x.x.x.x

    (where x.x.x.x is the destination IP or the source IP)

    Finally, what is the SSTP port defined in the UTM. Can you show us the service host definition and if the request actually hits the UTM on the configured port.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks for clearing it up. I was a bit nervous, didn't spot the . at the end myself (that, and the runtime error in that case is... kind of misleading).

    Anyway, I've checked the packet log, and here's the relevant entry:

    2017:04:10-18:51:06 srv-gw-p08 ulogd[4478]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="eth1" srcmac="4c:5e:0c:c8:e0:07" dstmac="00:1a:8c:44:af:5d" srcip="62.21.53.132" dstip="91.227.197.59" proto="6" length="52" tos="0x00" prec="0x00" ttl="122" srcport="50607" dstport="443" tcpflags="SYN"

    From what I've learned about Sophos, the rule 62001 is the default drop rule. So, it seems that the packet is being dropped. Which is strange, because I've tried adding that exact allow rule manually to the firewall. I.e. allow any incoming IPv4 onto External Address on port 443.

    The SSTP is defined simply as a port 443 service using TCP / UDP. In theory I could use the default HTTPS service (which is that, but limited to TCP). I created the TCP / UDP out of desperation...
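The packetfilter.log line quoted above is in ulogd's key="value" format, so the `tail -f | grep` step can be replaced by a small structured filter that pulls out srcip, dstip, dstport, action and fwrule directly. The following is an added example written for this thread, not code from Sophos or from the poster; it uses the exact line from the post plus one constructed line (RFC 5737 address, placeholder id and fwrule values) so that a drop shows up beside the logged packet:

```python
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 is the ulogd entry quoted in the thread; line 2 is
# a made-up "Packet dropped" entry in the same format (203.0.113.7 is an RFC 5737
# documentation address; id/fwrule values on it are placeholders, not real UTM ids).
SAMPLE_LOG = """\
2017:04:10-18:51:06 srv-gw-p08 ulogd[4478]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62001" initf="eth1" srcmac="4c:5e:0c:c8:e0:07" dstmac="00:1a:8c:44:af:5d" srcip="62.21.53.132" dstip="91.227.197.59" proto="6" length="52" tos="0x00" prec="0x00" ttl="122" srcport="50607" dstport="443" tcpflags="SYN"
2017:04:10-18:51:07 srv-gw-p08 ulogd[4478]: id="9999" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="99999" initf="eth1" srcmac="4c:5e:0c:c8:e0:07" dstmac="00:1a:8c:44:af:5d" srcip="203.0.113.7" dstip="91.227.197.59" proto="6" length="60" tos="0x00" prec="0x00" ttl="55" srcport="40001" dstport="1723" tcpflags="SYN"
"""

# "<timestamp> <host> ulogd[<pid>]: <key="value" ...>"
HEADER_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+ulogd\[(?P<pid>\d+)\]:\s*(?P<body>.*)$')
# One key="value" pair; values may contain spaces (e.g. name="Packet logged").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one ulogd packetfilter line into a dict, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid")}
    rec.update(dict(KV_RE.findall(m.group("body"))))
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every recognisable line of a packetfilter.log excerpt."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def filter_records(records: List[Dict[str, str]],
                   ip: Optional[str] = None,
                   port: Optional[int] = None) -> List[Dict[str, str]]:
    """Structured equivalent of `grep x.x.x.x`: match the IP as either source or
    destination, optionally narrowed to a destination port."""
    out = []
    for r in records:
        if ip and ip not in (r.get("srcip"), r.get("dstip")):
            continue
        if port is not None and r.get("dstport") != str(port):
            continue
        out.append(r)
    return out


def is_blocked(rec: Dict[str, str]) -> bool:
    """True when the firewall did not let the packet through ("log" alone means it was only logged)."""
    return rec.get("action") in ("drop", "reject")


def summarize(rec: Dict[str, str]) -> str:
    """One-line summary of the fields that matter when debugging a DNAT rule."""
    return (f"{rec['ts']} action={rec.get('action')} fwrule={rec.get('fwrule')} "
            f"{rec.get('srcip')}:{rec.get('srcport')} -> {rec.get('dstip')}:{rec.get('dstport')} "
            f"[{rec.get('tcpflags')}] in={rec.get('initf')}")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Same question the poster asked of grep: what happened to my home IP on 443?
    for r in filter_records(recs, ip="62.21.53.132", port=443):
        print(summarize(r), "BLOCKED" if is_blocked(r) else "passed/logged")
    for r in filter_records(recs, port=1723):
        print(summarize(r), "BLOCKED" if is_blocked(r) else "passed/logged")
```

Run it against a saved excerpt (`tail -n 1000 /var/log/packetfilter.log > excerpt.log` on the UTM, then feed the file contents to `parse_log`) and the `action` field answers the question raised later in this thread: a line with action="log" is the logging hook of a matching rule, whereas a real block shows action="drop" or "reject".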

  • By default, port 443 is used for the User Portal. If you plan to forward port 443 to an internal server, you need to change the TCP port of the User Portal to another value (e.g., 1443) on the Management > User Portal > Advanced tab.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Uhm... I'm PRETTY sure I both disabled the user portal AND changed its port when trying to use that DNAT...

    Albeit, on reflection, I changed it to 4433, which threw an error when attempting to turn the portal back on - no clue WHY that port wouldn't work, however - the error was rather cryptic: The TCP port '4433' is already in use by the port.

    EDIT: Yeah, I just checked. I changed the User portal port to something else (44333) and even changed the default SSL VPN port. The problem persists.

    EDIT 2: I've noticed that the log states "Packet logged", not "Packet dropped". So... it seems the rule is OK? I'm so confused right now. :\

  • OK, it seems to be working now.

    I must have been doing something wrong yesterday. Perhaps stress and tiredness got to me.

    Anyway, thanks a lot for the help! I'll mark the most likely suggestion as the answer.


    PS. With a DNAT rule I guess it effectively prevents us from using the user portal on the same port, correct? I don't suppose DNAT can use host names to route the requests (i.e. portal.rcrm.pl:443 == portal, vpn.rcrm.pl:443 == our VPN over DNAT)?

  • Hi Mateusz, 

    Thanks for the update. UTM listens to User portal on port 443. Hence, that needs to be changed if a DNAT is defined on the duplicate port to tell the UTM to stop listening for User Portal on 443. 

    I would request you to start a new thread as we follow a simple rule of one question per thread which makes it easier to find a solution.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks again.

    I apologise for the side question. I've already found someone else having a similar problem (i.e. putting SSTP on one IP, hopefully with other HTTPS services available as well) and "bumped" that thread. Perhaps something will come of it.
