
VPN inbound through UTM to 2012 R2 server

I am interested in allowing Windows clients to directly VPN or DirectAccess to my 2012 R2 server, which is on the internal network. Can anyone help me with how I would allow/direct this traffic inbound, rather than having the tunnel terminate at the UTM?
I am familiar with DNAT, firewall rules, etc., but am not sure if letting VPN through is slightly different from the usual HTTP port 80 type stuff, as it can also terminate at the firewall.
Also, any big pros and cons as to which is best (tunnel into the UTM or into the internal server)?
Thanks


  • As soon as I saw that you were trying to use IPsec behind a NAT, I knew what the problem was - that can't work for L2TP/IPsec, and I don't know of an IPsec client that can deal with it either.  It's just the way IPsec works - your client drops the responses because they're not "signed" with the public IP but with the private IP of your server.

    That made me wonder if L2TP/IPsec had been mentioned earlier in the thread.  I found my first post in the thread actually recommended a DNAT.  What was I thinking!  I've now noted at the top of the post that my suggestion of the DNAT was thoughtless. [:O]

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
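The mismatch Bob describes is exactly what IKE's NAT-detection check is built to expose: each peer hashes the SPIs plus the IP address and port it believes it is sending from, and the receiver recomputes the hash from the address it actually saw the packet arrive from. When the server sits behind a DNAT on the UTM, it hashes its private address while the client sees the UTM's public address, so the hashes differ. The Python below is an added example, not code from this thread or from Sophos; it implements the NAT_DETECTION_SOURCE_IP computation from RFC 7296 section 2.23 (SHA-1 over SPIi, SPIr, address, port) and applies it to a constructed scenario with made-up SPIs and RFC 5737 addresses.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 2.23: SHA-1(SPIi | SPIr | IP address | port), in that order.

    The sender fills in the address and port *it* believes the packet leaves
    from. A NAT on the path rewrites the outer header but cannot rewrite the
    hash, so the receiver can tell the two apart.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # 4 bytes v4 / 16 bytes v6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_between(sent_hash: bytes, spi_i: bytes, spi_r: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute with the source address/port actually seen on
    the wire. A mismatch means some NAT rewrote the header in transit."""
    return sent_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


# Constructed scenario (hypothetical values, not from the thread):
SPI_I = bytes.fromhex("0102030405060708")        # client's IKE SPI
SPI_R = bytes.fromhex("a1a2a3a4a5a6a7a8")        # server's IKE SPI
SERVER_PRIVATE_IP = "192.168.1.10"               # 2012 R2 box on the LAN
UTM_PUBLIC_IP = "203.0.113.5"                    # DNAT'd public address on the UTM
IKE_PORT = 500


def responder_behind_dnat() -> bool:
    """Server DNAT'd behind the UTM: its hash carries the private address,
    the client receives the packet from the public one -> NAT detected."""
    sent = nat_detection_hash(SPI_I, SPI_R, SERVER_PRIVATE_IP, IKE_PORT)
    return nat_between(sent, SPI_I, SPI_R, UTM_PUBLIC_IP, IKE_PORT)


def responder_direct() -> bool:
    """Server holding the public address itself: hashes agree -> no NAT."""
    sent = nat_detection_hash(SPI_I, SPI_R, UTM_PUBLIC_IP, IKE_PORT)
    return nat_between(sent, SPI_I, SPI_R, UTM_PUBLIC_IP, IKE_PORT)


if __name__ == "__main__":
    print("server behind DNAT, NAT detected:", responder_behind_dnat())
    print("server on public IP,  NAT detected:", responder_direct())
```

A peer that detects NAT this way is supposed to move IKE and ESP to UDP port 4500 (NAT-T) rather than give up, which is why a DNAT for a VPN server must pass UDP 500, UDP 4500 and, for L2TP, UDP 1701 rather than only ESP. Two practitioner caveats outside the thread: if the UTM terminates IPsec itself on the same public address, the DNAT and the UTM's own IKE listener compete for UDP 500/4500 on that IP; and a Windows client will by default refuse a NAT-T negotiation in which the *server* is the NATed side unless the AssumeUDPEncapsulationContextOnSendRule value under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent is set (2 allows a server behind NAT), which is a common reason "it still doesn't work" even with the right ports forwarded.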