Sophos XG Firewall: How to configure SSL VPN remote access

Overview

  • This article describes the steps to configure SSL VPN remote access.

Configuring Sophos Firewall

Defining SSL VPN group and users

  • Go to Authentication > Groups and create a group for remote SSL VPN users.

  • Go to Authentication > Users and create remote SSL VPN users.

Defining local subnet and remote SSL VPN range

  • Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall.

  • Go to Hosts and Services > IP Host and define the remote SSL VPN range.

Defining remote SSL VPN policy

  • Go to VPN > SSL VPN (Remote Access) and select Add to create an SSL VPN policy.

Verifying the authentication services for SSL VPN

  • Go to Authentication > Services and make sure that Local authentication server is selected under SSL VPN Authentication Methods section.

  • Note: Also make sure that Local authentication server is selected under Firewall Authentication Methods section. This is needed for remote users to logon to the portal to download the SSL VPN client software later in this article.

Verifying the allowed zones for SSL VPN

  • Go to Administration > Device Access and allow SSL VPN for WAN and LAN zones under Local Service ACL section. Add other zones as required.

Configuring advanced SSL VPN settings

  • Go to VPN and select Show VPN Settings.
  • Under SSL VPN tab, verify the IPv4 Lease Range configured earlier and set the rest of options as required.

  • Note: If the XG Firewall do not have a public IP assigned on the WAN interface but behind a NAT device, set the public IP in the Override Hostname field. This sets the SSL VPN client configuration file to use this public IP when establishing the connection. The NAT device has to be configured to forward the SSL VPN connection to the XG Firewall.

Creating a firewall rule

  • Go to Firewall, click + Add Firewall Rule and select User/Network Rule.

Configuring SSL VPN client

Downloading the SSL VPN client software

  • From the browser, login to the User Portal using Sophos Firewall’s public IP address and user portal https port.
  • Note: You can find the user portal https port configured in Sophos Firewall by going to Administration > Admin Settings under Port Settings for Admin Console section.

  • Once logged into the portal, download the SSL VPN client for the required endpoint accordingly. In this article, we will download and install the client and configuration for Windows 10.

Installing the SSL VPN client software on Windows

  • Run the downloaded SSL VPN client, click Next->I Agree -> Next -> Wait a minute -> Next -> Finish.
  • Mouse click right in SSL VPN icon and click connect.

  • Log in using the same credentials for the user portal.

  • The traffic light will change from red (disconnected) to red and amber (negotiating/connecting). As soon as the traffic light changes to green, a pop up message appers confirming the SSL VPN connection is established.

 

3 Comments

  1. Thanks for this tutorial, it is very clear and helpful. I can access devices on the LAN, but nothing on the WAN, so web browsing for instance is blocked. What additional steps are needed to allow WAN access on the SSH VPN? Thank you for any advice.

    • You need to create firewall rule allow inbound and outbound traffic from VPN zone to WAN zone. Go to Firewall > Add Firewall Rule > User Network Rule to create

Leave a Reply to Russ Cancel reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.