Sophos XG v18: How to configure SSL VPN Client to Site so that outside users can connect to the File Server

Overview

This article describes how to configure SSL VPN Client to Site so that remote VPN users can access the enterprise File Server system. The configuration is done on a Sophos XG firewall device running firmware version 18.

Diagram

Summary of configuration steps

  1. Configure SSL VPN Client to Site on Sophos XG
    1. Create SSL VPN Group
    2. Create SSL VPN User
    3. Identifier for LAN network and SSL VPN network
    4. Configure authentication service for SSL VPN
    5. Open access port for SSL VPN
    6. Configure profile for SSL VPN Client
    7. Create firewall rule for communication between SSL VPN and LAN
    8. Access User Portal to install SSL VPN software
  2. Configure NAT port on Modem or Router
  3. Configure share file on File Server
  4. Result

Configuration details

  1. Configure SSL VPN Client to Site on Sophos XG

Login to Sophos XG by Admin account

1.1 Create SSL VPN Group

** Creating a group for SSL VPN makes it easier for administrators to manage users and to apply policies to user groups according to the needs of the business.

  • Authentication -> Choose Group -> Click Add
  • Create SSL VPN Group
    • Group Name: Enter a name for the SSL VPN group
    • Surfing Quota: Select the surfing quota (network traffic allowance) you want
    • Access Time: Select the access time you want

-> Click Save

1.2 Create SSL VPN Users

  • Authentication -> Choose Users -> Click Add
  • Create SSL VPN Users
    • Username: Enter the VPN username
    • Password: Enter the SSL VPN user’s password
    • Email: Enter the manager’s email
    • Group: Choose the SSL VPN group created earlier

-> Click Save

1.3 Identifier for LAN network and SSL VPN network

  • Hosts and Services -> Choose IP Host -> Click Add
  • With LAN network
    • Name: Enter a name for your local network (Ex: Local subnet)
    • Type: Choose Network
    • IP Address: Enter the LAN network address (Ex: 172.16.16.0/24)

-> Click Save

  • With SSL VPN network
    • Name: Enter a name for your SSL VPN network (Ex: Remote SSL VPN range)
    • Type: Choose Network
    • IP Address: Enter the SSL VPN network address (Ex: 10.10.10.0/24)

-> Click Save

  • VPN -> SSL VPN (Remote Access) -> Click Add
    • Name: Enter the policy name you want (Ex: Remote SSL VPN policy)
    • Policy members: Choose the Remote SSL VPN group created earlier
    • Permitted network resources (IPv4): Choose the Local subnet created earlier

-> Click Apply

1.4 Configure authentication service for SSL VPN

  • Authentication -> Services -> In SSL VPN Authentication Methods -> In Selected authentication server -> Choose Local
  • Authentication -> Services -> In Firewall Authentication Methods -> In Selected authentication server -> Choose Local

1.5 Open access port for SSL VPN

  • Administration -> Device Access -> Tick SSL VPN for the WAN and LAN zones -> Click Apply

1.6 Configure profile for SSL VPN Client

  • VPN -> Click Show VPN settings
  • In IPv4 lease range: Enter the IP range you want to assign to SSL VPN users (this range must match the SSL VPN network IP host you created earlier, Ex: 10.10.10.0/24)

-> Click Apply

1.7 Create firewall rule for communication between SSL VPN and LAN

  • Rules and policies -> Click Add Firewall Rule
  • Enter a name for the rule
  • In Source zones: Choose VPN
  • In Source networks and devices: Choose Any
  • In Destination zones: Choose LAN
  • In Destination networks: Choose Local subnet
  • Tick Match known users
  • In Users or groups: Choose the SSL VPN group created earlier

-> Click Save

1.8 Access User Portal to install SSL VPN software

  • Log in to the User Portal at https://ipfirewall:443 or https://ipfirewall:4443 (replace ipfirewall with the firewall’s address)
  • Log in with the SSL VPN user account
  • In Download Client -> Choose Download for Windows
  • Install the SSL VPN software
  • Check that the SSL VPN software is installed by looking for its icon in the right corner of the screen (in the taskbar)

2. Configure NAT port on Modem or Router

  • Log in to the Modem or Router device with the Admin account
  • Two ports must be forwarded (NAT) to the Sophos XG so that the SSL VPN client can connect
  • The 2 ports are: 443 and 8443

3. Configure File Server

  • On the File Server, share the files folder so that all users, including VPN users, have read and write access

4. Results

  • Make the SSL VPN Client to Site connection by opening the application installed on your computer
  • Right-click the SSL VPN application icon -> Choose your username -> Click Connect -> Enter your username and password -> Click OK
  • Wait a few seconds for the connection to the intranet system to come up
  • When the connection succeeds, you receive a notification that the connection is established and that an IP address has been assigned to you
  • The application icon shows the connected state
  • You can now access the File Server using its IP address, 172.16.16.19
  • Type \\172.16.16.19 in the address bar

-> Done
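The addressing plan and the firewall rule above are easy to get subtly wrong (a lease range that does not match the SSL VPN IP host, a file server outside the permitted subnet, a missing port forward). The following Python script is an added example, not part of the original article or a Sophos tool: it models the article’s lab values (172.16.16.0/24, 10.10.10.0/24, 172.16.16.19, ports 443 and 8443) as constructed constants, checks them for consistency, and evaluates a request against the step 1.7 rule (VPN zone to LAN, destination in Local subnet, Match known users limited to the SSL VPN group). The group name "SSL VPN Group" is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values taken from the article's example addressing plan.
LAN_SUBNET = ipaddress.ip_network("172.16.16.0/24")    # "Local subnet" IP host (step 1.3)
SSLVPN_RANGE = ipaddress.ip_network("10.10.10.0/24")   # "Remote SSL VPN range" IP host (step 1.3)
LEASE_RANGE = ipaddress.ip_network("10.10.10.0/24")    # IPv4 lease range (step 1.6)
FILE_SERVER = ipaddress.ip_address("172.16.16.19")     # File Server reached as \\172.16.16.19
FORWARDED_PORTS = {443, 8443}                          # ports NATed on the modem/router (step 2)


@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    dst_network: ipaddress.IPv4Network
    allowed_group: str  # "Match known users" restricted to this group


# The step 1.7 rule; the group name is an assumed label.
RULE = FirewallRule("VPN", "LAN", LAN_SUBNET, "SSL VPN Group")


def check_addressing() -> List[str]:
    """Return design problems found in the plan; an empty list means it is consistent."""
    problems = []
    if LAN_SUBNET.overlaps(SSLVPN_RANGE):
        problems.append("SSL VPN range overlaps the LAN subnet")
    if LEASE_RANGE != SSLVPN_RANGE:
        problems.append("lease range does not match the SSL VPN network IP host")
    if FILE_SERVER not in LAN_SUBNET:
        problems.append("file server is outside the Local subnet permitted to VPN users")
    for port in (443, 8443):
        if port not in FORWARDED_PORTS:
            problems.append(f"port {port} is not forwarded to the firewall")
    return problems


def rule_allows(src_ip: str, dst_ip: str, user_group: Optional[str]) -> bool:
    """Evaluate the step 1.7 rule for one flow; user_group is None for an unauthenticated user."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    src_zone = "VPN" if src in SSLVPN_RANGE else "OTHER"   # zone derived from the lease range
    dst_zone = "LAN" if dst in LAN_SUBNET else "OTHER"
    return (src_zone == RULE.src_zone and dst_zone == RULE.dst_zone
            and dst in RULE.dst_network and user_group == RULE.allowed_group)


if __name__ == "__main__":
    print("problems:", check_addressing() or "none")
    print("VPN user -> file server allowed:", rule_allows("10.10.10.5", str(FILE_SERVER), "SSL VPN Group"))
```

An unauthenticated client or a destination outside the Local subnet is rejected by the rule, which is what the Match known users setting and the destination network restriction are there for.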

1 Comment

  1. Very nicely done but you missed one crucial point which applies to V18 only. It is important to create a NAT rule to route traffic:
    Original source*: Remote SSL VPN range
    Original destination*: local subnet
    Original service*: Any
    Interface matching criteria –>
    Inbound interface*: (this should be your LAN port for the internal network)
