SSL VPN Cannot Connect

I have just set up an SG 125 using UTM 9.3. I have been trying to get the SSL VPN to work and have been unsuccessful. I had help directly from Sophos with the setup, and I have double-checked my setup against the guides. Our main DNS/AD server is a Small Business Server, so we use the .internal extension for most of our naming conventions, and the UTM is no exception: the hostname is utm.domain.internal. Trying to log in using Tunnelblick (because we use Macs), I can connect while on the LAN, but offsite the hostname fails to resolve, and I assume this is because of the .internal extension, which therefore cannot be found publicly. I then put the internal IP address of the UTM in the Override Hostname field, and when I tried to connect offsite I get "AF_INET IP of UTM:4443 failed will try again in 5 seconds". I am not seeing anything in any of the logs that points me in the right direction. I can provide more info as needed, but I am wondering if someone can help point me in the right direction. One thing about Small Business Server is that creating new A records results in the .internal extension. We have mail.domain.com and remote.domain.com for our OWA and RWA as zones. I don't like to make too many changes to the SBS setup because it causes problems with the way the entire system works together.

  • Hi, Lianne, and welcome to the UTM Community!

    Check out The Zeroeth Rule in community.sophos.com/.../22065 (link repaired 22 Feb 2016)

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Assuming that you were just using the VPN connection in the LAN for test purposes only, in Override Hostname you need to put the FQDN that is used by external DNS that points to the WAN of the UTM or the external WAN address of the UTM. Otherwise, how are the clients to know what the WAN address of the UTM is?
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Thanks, Bob. I did read that link and found it very helpful, but at the very beginning it says this: "Start with a hostname that is a unique (not used for anything else) FQDN resolvable in public DNS to your public IP. If you didn't do that, use slickone27's trick to get CAs, certificates, hostname entries, etc. all aligned;" Unfortunately the link is broken, so I do not know what the trick is, and I think that would help me a lot. Do you know of anyplace else that info is?
  • Hi Scott, because of our SBS setup we don't have just one FQDN. We use mail. and remote. suffixes for the .com address, and everything else is on .internal. I haven't tried putting our external IP address in the Override Hostname, so I will try that. Thanks. Otherwise I guess I will need to create a new DNS zone for the UTM, and I'm not feeling like that is something I will tackle without some technical help, since I haven't had to do much with DNS.
  • Hi Lianne,

    1. Create a new A host DNS record in the public DNS zone for VPN access that points to the WAN IP address of the UTM device.
    2. Define that FQDN in the Override Hostname field of the SSL VPN settings.
    3. Download the SSL VPN packages from the UTM WebAdmin console and distribute them to the end users.
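The three steps above hinge on one thing: whatever is put in Override Hostname ends up as the `remote` line of the .ovpn profile the UTM generates, so that line must point at something an off-site client can resolve and reach. The following is an added example (not code from Sophos or from anyone in this thread) of a pre-flight check to run over a generated profile before handing it to users. It flags exactly the two failure modes seen here: a `remote` that is a LAN address (the "AF_INET ... failed" case) and a `remote` under a suffix such as .internal that public DNS cannot resolve. The suffix list, the address ranges and the sample profiles are constructed for the example; "vpn.domain.com" follows the placeholder names already used in the thread.

```python
import ipaddress

# Name suffixes that do not exist in public DNS. ".internal" is the SBS default
# from the thread; the others are assumed additions for the same class of name.
NON_PUBLIC_SUFFIXES = (".internal", ".local", ".lan", ".localdomain", ".home", ".corp")

# Ranges an Internet client cannot route to (RFC 1918, CGNAT, loopback, link-local,
# IPv6 ULA). Listed explicitly rather than using ipaddress's is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
UNREACHABLE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_remotes(ovpn_text):
    """Return (host, port, proto) for each 'remote' directive in an OpenVPN profile."""
    remotes = []
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        parts = line.split()
        if parts[0] != "remote" or len(parts) < 2:
            continue
        port = int(parts[2]) if len(parts) > 2 else 1194          # OpenVPN default
        proto = parts[3].lower() if len(parts) > 3 else "udp"      # OpenVPN default
        remotes.append((parts[1], port, proto))
    return remotes


def classify_host(host):
    """Say whether an Internet client could plausibly resolve and reach this target."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                      # not a literal address, so a hostname
        name = host.lower().rstrip(".")
        if "." not in name or name.endswith(NON_PUBLIC_SUFFIXES):
            return "non-public-name"
        return "public-name"
    if any(addr in net for net in UNREACHABLE_NETWORKS):
        return "private-ip"
    return "public-ip"


def check_profile(ovpn_text):
    """Return the problems with a profile's remote targets; an empty list means it is fine."""
    problems = []
    remotes = parse_remotes(ovpn_text)
    if not remotes:
        problems.append("no 'remote' directive: the client has nothing to connect to")
    for host, port, proto in remotes:
        kind = classify_host(host)
        if kind == "private-ip":
            problems.append(f"remote {host}:{port}/{proto} is a LAN or non-routable address; "
                            "off-site clients cannot reach it (the AF_INET connect fails)")
        elif kind == "non-public-name":
            problems.append(f"remote {host}:{port}/{proto} is not resolvable in public DNS; "
                            "off-site clients get a lookup failure")
    return problems


# Constructed sample profiles (trimmed to the lines that matter; not real UTM exports).
PROFILE_LAN_IP = "client\ndev tun\nproto tcp\nremote 192.168.10.1 4443 tcp\n"
PROFILE_INTERNAL_NAME = "client\ndev tun\nproto tcp\nremote utm.domain.internal 4443 tcp\n"
PROFILE_PUBLIC_NAME = "client\ndev tun\nproto tcp\n# FQDN from the public A record\nremote vpn.domain.com 4443 tcp\n"
PROFILE_PUBLIC_IP = "client\ndev tun\nproto tcp\nremote 203.0.113.10 4443 tcp\n"

if __name__ == "__main__":
    for label, text in (("LAN IP", PROFILE_LAN_IP), ("internal name", PROFILE_INTERNAL_NAME),
                        ("public name", PROFILE_PUBLIC_NAME), ("public IP", PROFILE_PUBLIC_IP)):
        print(label, "->", check_profile(text) or "OK")
```

This is only the offline sanity check; it says nothing about whether the public A record actually exists. The live confirmation is to query a public resolver from outside the LAN (for example `dig @1.1.1.1 vpn.domain.com A`) and confirm the answer is the UTM's WAN address, then confirm the SSL VPN port answers from outside as well.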
  • So using the external IP address for the UTM worked. Kind of a duh moment there. I knew logically it wouldn't work with the internal addresses but it seemed like it was supposed to work so I knew I was doing something wrong just couldn't figure out what. Thanks for responding.
  • Understood, Lianne. Scott's comment is an effective workaround: it does solve your immediate problem, and it gives you a better understanding of what you're dealing with. Since this is a new installation, I would still recommend fixing the underlying problem, which will bite you again later in one of over 20 different ways.

    Cheers - Bob

    PS I just corrected the link that was broken - thanks for letting me know!  It's now https://community.sophos.com/products/unified-threat-management/f/58/p/55244/202495#202495

  • Got it. Thanks. I think I need to gain a better mastery of DNS and how to add a new zone for public DNS entries, or wait until we upgrade out of SBS and make sure that next time we do not use .internal for the LAN. For now I have a little breathing room and can get some of our remote users off my back until I can gain some more knowledge.
  • The DNS server in SBS is the full Microsoft version. When you get time, I think you'll see that it's easy to create a new "Forward Lookup Zone" in addition to domain.local. With domain.com as an additional zone, you can do what one calls "split DNS" where internal clients get the LAN IP of servers and the UTM and external clients get public IPs. You might take a look at "DNS Best Practice" - community.sophos.com/.../109152

    Cheers - Bob
  • Thank you!! I will let you know how it turns out.