Route Web through Site-to-Site IPSEC VPN

Successfully established an IPSec site-to-site VPN tunnel between remote site A (10.10.9.0/24) and UTM Site B (10.12.254.0/24). Site A endpoint is just a router.
I just want to direct all web traffic through the tunnel without manually setting the proxy in the client browsers. (If I set site A client browser to proxy address of UTM it does work)

SA:10.12.254.0/24=UTM_Public_IP/Site_B  Site_A_Public_IP=10.10.9.0/24

Web Protection -> Web Filtering 
Allowed networks includes Site A network
Operation Mode: Transparent
Default Authentication: None

Masquerading Rule:
Site A -> External WAN interface

I also believe no traffic from Site A is allowed out to the internet through the UTM. I've tried web, SMTP, FTP etc while monitoring the Web Filter log and Firewall logs, but nothing is allowed or blocked so I don't know why it can route to the UTM, but not out.

Any ideas?


  • Hi, and welcome to the User BB!

    Do you get any hints by trying #1 in Rulz?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If you mean firewall Rule 1 (automatically created rule)
    - SSL VPN All Sites Group (User Group Network). This is created because an AD Group is defined to allow AD users access to certain networks, but I don't think it applies in this situation. (maybe I'm wrong)
    Also, I have enabled logging for all firewall rules, including Rule 1, and nothing comes up when I try to connect to an external host from a client in remote site A, which I find very strange.
  • If you use the proxy from the other site, you just need the other site's LAN subnet in your VPN (for web browsing), but if you want real outside access (bypassing the UTM as a proxy) you will need the Internet IPv4 and/or IPv6 addresses in your VPN definition.

    If you don't want to manually set proxy on all clients, you may be able to use a PAC-file which can be delivered automatically through (I believe) DHCP.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Not the firewall rule, but, apparently, I didn't look closely enough and assumed you had a different problem. Apijnappels got the answer with his first shot! 

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
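As an added illustration of the PAC-file approach apijnappels suggests, here is a proxy auto-config file for Site A clients. It is example code written for this page, not code from the thread, from Sophos, or from any poster. It keeps both sites' LANs (10.10.9.0/24 and 10.12.254.0/24, taken from the question) and unqualified intranet names DIRECT and sends everything else to the UTM web proxy over the tunnel. The proxy address 10.12.254.1 and the internal domain suffix .corp.example are assumptions (the thread does not give the UTM's LAN address); 8080 is the UTM web filter's standard proxy port. The subnet test is implemented in plain JavaScript instead of the PAC runtime's isInNet() so the file behaves the same in every browser and can be unit-tested outside one.

```javascript
// PAC file for Site A clients: added example, not from the thread.
// ASSUMED values (replace with your own):
//   UTM_PROXY      -> UTM LAN address at Site B and its web filter port
//   LOCAL_DOMAINS  -> internal DNS suffix that should never go through the proxy
var UTM_PROXY = "PROXY 10.12.254.1:8080";
var LOCAL_DOMAINS = [".corp.example"];

// Subnets that must never be proxied: Site A LAN and Site B LAN (from the
// thread) plus loopback.
var LOCAL_NETS = ["10.10.9.0/24", "10.12.254.0/24", "127.0.0.0/8"];

// Dotted-quad text -> 32-bit unsigned integer; null if the text is not an IPv4 address.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// CIDR membership test in plain JavaScript (no dependency on the PAC
// runtime's isInNet(), whose behaviour differs between browsers).
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var base = ipToInt(parts[0]);
  var addr = ipToInt(ip);
  var bits = parseInt(parts[1], 10);
  if (base === null || addr === null || isNaN(bits) || bits < 0 || bits > 32) return false;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

function isLocalAddress(host) {
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (inCidr(host, LOCAL_NETS[i])) return true;
  }
  return false;
}

function hasLocalSuffix(host) {
  for (var i = 0; i < LOCAL_DOMAINS.length; i++) {
    var d = LOCAL_DOMAINS[i];
    if (host.length > d.length && host.slice(-d.length) === d) return true;
  }
  return false;
}

// Standard PAC entry point; the browser calls it for every request.
function FindProxyForURL(url, host) {
  // Unqualified names, loopback and the internal DNS suffix never leave the site.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  if (hasLocalSuffix(host)) return "DIRECT";
  // Numeric destinations inside either site's LAN stay off the proxy. Hostnames
  // are deliberately not resolved here (dnsResolve would add a lookup per request).
  if (isLocalAddress(host)) return "DIRECT";
  // Everything else goes to the UTM over the tunnel. No "; DIRECT" fallback:
  // if the proxy is unreachable the request fails rather than silently
  // bypassing web filtering.
  return UTM_PROXY;
}
```

Publish the file on an internal web server and hand its URL to clients through WPAD (DHCP option 252 or a wpad DNS entry), which is the automatic delivery apijnappels refers to. The clients only need a route to the proxy address through the tunnel, which the question already confirms works; the PAC does nothing for non-browser traffic such as SMTP or FTP, which still depends on the Internet networks being part of the VPN definition as apijnappels describes.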