Sophos XG v18: How to configure SSL VPN Client to Site with OTP

Overview

This article explains how to configure the SSL VPN Client to Site feature combined with one-time password (OTP) authentication, which provides enhanced security for users' connections to the central network.

For OTP authentication, we will use the Sophos Authenticator app on mobile devices (supported on both iOS and Android).

Table of contents

  1. Create VPN user
  2. Enable OTP feature on Sophos XG
  3. Create SSL VPN remote access connection
  4. Download and install Sophos SSL VPN Client

How to configure

  • Access the Sophos XG device’s web interface with the Admin account
1. Create VPN user
  • Go to CONFIGURE -> Choose Authentication -> Choose the Users tab -> Click Add
  • Enter username
  • Enter password
  • In User type: Choose User
  • Enter email
  • In Group: Select Sophos's default group, or create a VPN group under Group and select that group here
  • In Surfing quota: Select the amount of bandwidth you want the user to use
  • In Access time: Choose the time during which you want to allow the user access
  • Click Save
2. Enable OTP feature on Sophos XG
  • Go to CONFIGURE -> Choose Authentication -> Choose One-time password tab -> Click Settings
3. Create SSL VPN remote access connection
  • Go to CONFIGURE -> Choose VPN -> Choose SSL VPN (remote access) tab -> Click Add
  • Enter a name for the VPN
  • Choose the VPN user or group that you created earlier
  • In Permitted network resource (IPv4): Choose the networks that you want VPN users to access
  • Click Apply
  • Click Show VPN settings -> Choose SSL VPN -> In Override hostname: Enter the WAN IP of the Sophos XG device that you want the VPN to reach
4. Download and install Sophos SSL VPN Client
  • Access the User Portal with the account of the user you created earlier
  • Download the Sophos Authenticator app on a mobile device and scan the QR code
  • After the QR code is scanned, the Sophos XG device automatically identifies the authenticated user
  • Click the OTP time-offset synchronization icon
  • Enter the passcode shown in the Sophos Authenticator app -> Click Check -> Click Apply
  • Go back to the login page and log in again with the username and password + passcode that was authenticated
  • Click Download client and configuration for Windows to download the installation file and install it as normal
  • After installation, we can connect to the VPN using the username and password + passcode (passcode obtained from the Sophos Authenticator app)
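
Why the OTP time-offset synchronization step matters, as an added example that is not part of the original article or Sophos code: it assumes the authenticator produces standard RFC 6238 TOTP passcodes (HMAC-SHA1, 30-second step, 6 digits), which the article does not state. The function names, the secret and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed token time step, in seconds
DIGITS = 6   # assumed passcode length


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def find_offset(secret: bytes, passcode: str, server_time: int, max_steps: int = 10):
    """Return the step offset between token and server clocks, or None."""
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret, server_time + k * STEP), passcode):
            return k
    return None


def verify(secret: bytes, passcode: str, server_time: int,
           offset_steps: int = 0, window: int = 1) -> bool:
    """Accept a passcode within +/- window steps of the corrected server time."""
    ok = False
    for k in range(-window, window + 1):
        t = server_time + (offset_steps + k) * STEP
        ok |= hmac.compare_digest(totp(secret, t), passcode)
    return ok


# Constructed sample: RFC 6238 test secret; the phone clock runs 5 minutes slow.
SECRET = b"12345678901234567890"
PHONE_TIME = 1111111109
SERVER_TIME = PHONE_TIME + 300

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)
    print("passcode on phone:", code)
    print("accepted before sync:", verify(SECRET, code, SERVER_TIME))
    offset = find_offset(SECRET, code, SERVER_TIME)
    print("measured offset (steps):", offset)
    print("accepted after sync:", verify(SECRET, code, SERVER_TIME, offset))
```

A small acceptance window rejects the passcode when the phone and firewall clocks disagree by minutes; storing the measured offset lets the window stay small instead of being widened for every user.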
