Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 25 replies
  • Subscribers 1 subscriber
  • Views 14616 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ssl vpn & firewall?

JohnKenny
Hi,

Ive just set up the SSL VPN in Sophos UTM to replace windows server pptp VPN, but I have the connection working and the clients network settings are OK but certain services on our network are not working.  I can access web pages using IP addresses as DNS is not resolving for some reason, also our Citrix Desktops will not connect with Citrix Receiver.  All the login parts work OK but when Citrix Receiver Launches it cannot connect to the Virtual Desktops.  Do I have to configure Firewall rules for Clients on the VPN too?  I dont see any drops regarding this traffic in the live log.

Can anyone help?

Thanks

JK


This thread was automatically locked due to age.
  • 0
    Hi JK,

    if you activated "Automatic Firewall Roule" in your SSL VPN configuration there is a rule that allow "Any" traffic from your SSL VPN to the configured local network/s.

    Have you configured your DNS server in "remote access" -> "advanced"?

    Dome

    -----------------------------------
    UTM Certified Engineer
    XG Certified Architect
    Central Certified Architect

    Sophos Platinum Partner

  • 0
    I have ticked the auto rule creation in the SSL VPN Config already and yes the DNS servers are configured correctly and i know it works elsewhere as it resolves host names.  Its just the SSL VPN clients that are not resolving correctly even though the DHCP has the right addresses on the clients.  Another thing when connected on the client I cannot ping any hosts on the network, even though i have allowed ping.

    So do i need to set up a rule to allow all traffic from the SSL VPN Pool?

    Thanks

    JK

    JK

    CompKickers

  • 0
    Above your FW ruleset you can choose to display all rules, not only user created rules, please check if there is a rule from:VPN-usernetwork service:any to:internal(network)

    -----------------------------------
    UTM Certified Engineer
    XG Certified Architect
    Central Certified Architect

    Sophos Platinum Partner

  • 0
    OK so the only other rule i can see with anything to do with VPN other than the rule created by the SSL VPN wizard is the rule i set up for PPTP VPN traffic which is the old existing server, but that is on a different Ext IP and so is listening for traffic comming from that IP only so surely that couldnt effect the new VPN?

    The rule the SSL VPN Wizard created is: -

    AD users, User1, user2.     -     Any     -     Internal.

    Does this cover what you asked me?

    JK

    CompKickers

  • 0
     Its just the SSL VPN clients that are not resolving correctly even though the DHCP has the right addresses on the clients.

    That's why DomeP pointed out that DNS is configured for Remote Access in 'Remote Access >> Advanced'.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    That setting is set right.

    JK

    CompKickers

  • 0
    Is it an external DNS server or is it your UTM itself you are pointing to?

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0
    Its our own dns, it works for everything else just not sell vpn.  Can't see any issues in event logs.

    JK

    CompKickers

  • 0
    even with FW rule for : -

    ssl pool    -    Any    -     Internal
    Internal     -     any     -     ssl pool

    it doesnt work.  Any ideas?

    JK

    CompKickers

  • 0
    You've already checked the Firewall log.  Please also check the Intrusion Prevention log for Anti-UDP Flood activity and the Web Filtering log for anything related to your issue.

    If that didn't give you the answer, please state the "VPN Pool (SSL)" subnet and say what mode Web Filtering is in for the "VPN Pool (SSL)" subnet.  Also, click on 'Go Advanced' below and attach pictures of:
      'Allowed Networks' in 'Network Services >> DNS'
    • The Web Filtering Profile for "VPN Pool (SSL)" open in Edit
    • The 'Client Options' in 'Remote Access >> Advanced'.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML