SSL being picked up on an external scan

We're seeing an odd result when we scan our SFTP server from outside. The SFTP server is accessed through our UTM, using a natted IP. Before we used SSL VPN connections, external port scans on the natted IP showed only the expected SFTP.

Now we are using UTM based SSL VPNs for a couple of employees to connect to our network. When we run a scan now we are seeing compliance errors due to x.509 certs and misnamed certs. The errors are services and certs on the UTM, not the SFTP server. How do I configure my SSL VPNs to only answer the UTM's IP and not the natted IP?

Steve, first, take a look at #2 in Rulz...

I generally like to change the Protocol for SSL VPNs over to UDP as it's faster.  Apparently, that can be blocked in some European hotels, but I have only heard comments on that here several years ago.  My suggestion:

1. Change your port on the 'Settings' tab to UDP 1443 for example and create a Service "SSL VPN port" = UDP 1443 (caution, this requires everyone to get a new SSL VPN configuration file).
2. Create a NAT rule 'No NAT : Internet -> SSL VPN port -> External (Address)'.
3. Create a NAT rule 'DNAT : Internet -> SSL VPN port -> {natted IP or group of "(Address)" objects of Additional Addresses on the External interface} : to {non-existent IP}'.

Any better luck with that?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA