A.3. Procedure – Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls

Purpose: 

To configure a Sophos UTM firewall to redirect selected traffic to PSM instead of its original destination, complete the following steps. Interface 1 will be referred to as 'Internal' and Interface 2 will be referred to as 'ServerFarm'.

Steps: 

  1. On the Policy Routes tab of the Sophos UTM firewall, click New Policy Route.

  2. Figure A.4. New Policy Route

    In the dialog box, enter the following settings:

    • Position: Set the position number, which defines the priority of the policy route. Lower numbers have higher priority: routes are evaluated in ascending order, and once a route matches, routes with higher numbers are not evaluated.

    • Route Type: Select Gateway route. Matching packets are sent to a particular host (the gateway).

    • Source Interface: Select Internal. This is the interface on which the packets to be routed arrive.

    • Source Network: Select Internal (Network). This is the source network of the packets to be routed.

    • Service: Select Microsoft Remote Desktop Protocol. This is the service definition that matches the packets to be routed (TCP destination port 3389). If this definition does not exist yet, create it as described in steps 5 to 7.

    • Destination Network: Select ServerFarm (Network). This is the destination network of the packets to be routed.

    • Gateway: Select the IP address of PSM. This is the next hop to which the firewall forwards the matching packets instead of routing them to their original destination.

    • Comment: Optionally, enter a description or other information.

  3. Click Save.

  4. Click the status icon to activate the route.

  5. Navigate to Definitions & Users > Service Definitions and click New Service Definition.

  6. Figure A.5. New Service Definition

    In the dialog box, enter the following settings. The resulting definition matches all TCP traffic with destination port 3389, so the policy route applies to every RDP connection:

    • Name: Enter a descriptive name for the definition (for example Microsoft Remote Desktop Protocol).

    • Type of Definition: Select TCP. This is the service type.

      Note

      The definition type cannot be changed after saving the definition. To change the definition type, delete the service definition and create a new one with the desired settings.

    • Destination port: Enter 3389. This is the destination port that can either be entered as a single port number (for example 80), or as a port range, using a colon as delimiter (for example 1024:64000).

    • Source port: Enter 1:65535. This is the source port that can either be entered as a single port number (for example 80), or as a port range, using a colon as delimiter (for example 1024:64000).

    • Comment: Optionally, enter a description or other information.

  7. Click Save. The new definition appears in the service definition list.

    With this step, the client-server routing is configured.

  8. To configure the server-client routing, create another policy route and, in the dialog box, enter the following settings:

    • Position: Set the position number, which defines the priority of the policy route. Lower numbers have higher priority: routes are evaluated in ascending order, and once a route matches, routes with higher numbers are not evaluated.

    • Route Type: Select Gateway route. Matching packets are sent to a particular host (the gateway).

    • Source Interface: Select ServerFarm. This is the interface on which the packets to be routed arrive.

    • Source Network: Select ServerFarm (Network). This is the source network of the packets to be routed.

    • Service: Select the TCP/3389 service definition (named 3389 in this example). This is the service definition that matches the packets to be routed. Note that ports are matched as they appear in the packet: in server-to-client packets of an established RDP session, 3389 is the source port, so verify that the definition you select matches this direction.

    • Destination Network: Select Internal (Network). This is the destination network of the packets to be routed.

    • Gateway: Select the IP address of PSM. This is the next hop to which the firewall forwards the matching packets instead of routing them to their original destination.

    • Comment: Optionally, enter a description or other information.
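The following is an added example, not code from the Sophos UTM or PSM product: a small Python model of how the two policy routes above select a next hop, useful for reasoning about position ordering, the activation state, and which packets of an RDP session the service definition actually matches. The interface names, the networks (10.1.0.0/24 for Internal, 10.2.0.0/24 for ServerFarm), the PSM address 10.3.0.10 and the sample packets are constructed for illustration. Ports are compared as they appear in each packet, so the reply direction is modelled with a second definition whose source port is 3389; that definition is an assumption of this example, not something the page specifies, and is the thing to verify against the service you select in step 8.

```python
# Added example (not Sophos or PSM code): a model of how Sophos UTM policy routes
# select a next hop. Addresses, interface names and the PSM address are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Service:
    """TCP service definition. Ports use the UTM dialog syntax: '3389' or '1024:64000'."""
    name: str
    dst_port: str
    src_port: str = "1:65535"

    @staticmethod
    def _in_range(spec: str, port: int) -> bool:
        lo, _, hi = spec.partition(":")
        low = int(lo)
        high = int(hi) if hi else low
        return low <= port <= high

    def matches(self, sport: int, dport: int) -> bool:
        # Ports are compared as they appear in the packet being routed.
        return self._in_range(self.src_port, sport) and self._in_range(self.dst_port, dport)


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class PolicyRoute:
    position: int
    source_interface: str
    source_network: str
    service: Service
    destination_network: str
    gateway: str
    active: bool = True  # the status icon toggled in step 4

    def matches(self, p: Packet) -> bool:
        return (self.active
                and p.in_iface == self.source_interface
                and ip_address(p.src) in ip_network(self.source_network)
                and ip_address(p.dst) in ip_network(self.destination_network)
                and self.service.matches(p.sport, p.dport))


def next_hop(routes: Sequence[PolicyRoute], p: Packet) -> Optional[str]:
    """Lowest position wins; None means the packet falls through to the normal routing table."""
    for route in sorted(routes, key=lambda r: r.position):
        if route.matches(p):
            return route.gateway
    return None


# Constructed topology: clients on Internal, servers on ServerFarm, PSM reachable at 10.3.0.10.
PSM_IP = "10.3.0.10"
INTERNAL_NET = "10.1.0.0/24"
SERVERFARM_NET = "10.2.0.0/24"

# Service definition from step 6: TCP destination port 3389, any source port.
RDP = Service("Microsoft Remote Desktop Protocol", dst_port="3389", src_port="1:65535")
# Assumption of this example: the reply direction is matched with the ports reversed,
# because server-to-client packets of an RDP session carry 3389 as their source port.
RDP_REPLY = Service("RDP reply (assumed)", dst_port="1:65535", src_port="3389")

ROUTES = [
    PolicyRoute(1, "Internal", INTERNAL_NET, RDP, SERVERFARM_NET, PSM_IP),          # step 2
    PolicyRoute(2, "ServerFarm", SERVERFARM_NET, RDP_REPLY, INTERNAL_NET, PSM_IP),  # step 8
]


def check_redirect(routes: Sequence[PolicyRoute] = ROUTES) -> dict:
    """Evaluate representative constructed packets and report where each one is sent."""
    cases = {
        "client->server RDP": Packet("Internal", "10.1.0.5", "10.2.0.20", 50123, 3389),
        "server->client RDP reply": Packet("ServerFarm", "10.2.0.20", "10.1.0.5", 3389, 50123),
        "client->server SSH": Packet("Internal", "10.1.0.5", "10.2.0.20", 50124, 22),
        "RDP from a wrong interface": Packet("ServerFarm", "10.1.0.5", "10.2.0.20", 50125, 3389),
    }
    return {name: next_hop(routes, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, hop in check_redirect().items():
        print(f"{name:28s} -> {hop or 'normal routing'}")
```

Both RDP directions resolve to the PSM address, while SSH and packets arriving on the wrong interface fall through to normal routing. Two further things worth trying with this model: placing a catch-all TCP route at a lower position in front of the PSM routes (it shadows them, which is why the Position value matters), and leaving a route saved but not activated (it is ignored, which is what step 4 guards against). Also note that `RDP.matches(3389, 50123)` is False: the forward definition alone does not match reply packets in this model.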