Sophos Firewall: Instructions for configuring SSL VPN Remote Access with users synced from AD

1.The purpose of the article

In this article, techbast will show how to configure SSL VPN Remote Access so that users can access the remote system with accounts synced from AD.

2.Diagram

Details:

  • The Sophos firewall device was connected to the internet through port 2 with WAN IP 192.168.1.50.
  • The LAN of the Sophos device is configured on port 1 with IP 10.145.41.1/24 and allocates the subnet 10.145.41.0/24 using DHCP.
  • In the LAN network there is also an AD Server with IP 10.145.41.11/24. On this server an IT OU has been created; the IT OU contains a Support group, and the Support group contains the users user1, user2 and user3.
  • We will have a computer outside the internet to make the SSL VPN Remote Access connection.

3.Scenario

We will configure SSL VPN Remote Access on the Sophos Firewall device. After configuration, we will use a user from AD to connect; on connecting, the client will receive an IP in the range 10.81.234.5-10.81.234.55 and gain access to LAN subnet resources.

4.Steps to take

  • AD Sync
  • Import OU and Group
  • Configure SSL VPN Setting
  • Create profile for LAN and VPN subnets
  • Configure SSL VPN Remote Access Profile
  • Open User Portal and SSL VPN service on WAN port
  • Create policy
  • Result

5.Configuration

5.1.AD Sync

The first step is to sync AD with the Sophos Firewall.

To synchronize, go to CONFIGURE > Authentication > Server > click Add.

Configure with the following parameters:

  • Server type: select Active Directory
  • Server name*: LearningIT
  • Server IP/domain: 10.145.41.11
  • Connection security: select Plaintext
  • Port*: 389
  • NetBIOS domain: LEARNINGIT
  • ADS user name*: administrator
  • Password*: enter administrator’s password
  • Display name attribute: leave blank
  • Email address attribute: mail
  • Domain name*: learningit.xyz
  • Search queries*: Click Add, enter dc=learningit,dc=xyz and click OK.
  • Click Test connection to test the connection to the AD server.
  • Click Save.

5.2.Import OU and Group

After successful AD sync, we need to import OU and Group from AD.

Click the icon as shown in the image to perform the import.

The Import group wizard window appears; click Start.

In Step 1: Provide base DN for the group, select dc=learningit,dc=xyz from the drop-down menu.

Step 2: Select AD groups to import shows the OUs and groups that AD currently has; here techbast selects the Support group located in the IT OU, as shown.

Press the “>” button to continue.

Press the “>” button to continue.

Press the “>” button and OK to continue.

Click Close to close the window.

After importing, we can go to CONFIGURE > Authentication > Group to check if the group has been imported.

As a result, the Support group was imported.

Next, for the firewall device to authenticate users from AD, we need to go to CONFIGURE > Authentication > Service.

In the Firewall authentication methods section, we see that currently only local accounts on the firewall are used for authentication.

Check the LearningIT box (this is the server we just synced); then, on the right side, hold down the mouse on LearningIT and drag it above Local.

Click Apply to save.

5.3.Configure SSL VPN Setting

To configure SSL VPN Setting go to CONFIGURE > VPN > Show VPN Settings > SSL VPN.

Note that the Override hostname field is empty, and take note of the IP lease range section.

In Override hostname, enter the WAN IP of the Sophos XG, 192.168.1.50; this is the IP used to establish SSL VPN connections from the outside.

The IP lease range is the range of IPs that will be granted to users who successfully connect to the SSL VPN. Techbast keeps the default here, but when configuring you can change it to another IP range depending on your needs.

Click Apply to save.

5.4.Create profile for LAN and VPN subnets

To create, go to SYSTEM > Hosts and Servers > click Add.

Create a profile for the LAN subnet with the following parameters:

  • Name*: Local
  • IP version*: IPv4
  • Type*: Network
  • IP address*: 10.145.41.0 – Subnet: /24[255.255.255.0]
  • Click Save.

Similarly, we create a profile for the SSL VPN subnet with the following parameters:

  • Name*: SSL VPN Remote Access
  • IP version*: IPv4
  • Type*: select IP range
  • IP address*: 10.81.234.5 – 10.81.234.55
  • Click Save.

5.5.Configure SSL VPN Remote Access Profile

To configure go to CONFIGURE > VPN > SSL VPN [Remote Access] > Click Add.

Configure with the following parameters:

  • Name*: SSL VPN Remote Access
  • Policy members: select the users or groups that you allow VPN access; here select the Support group.
  • Permitted network resources [IPv4]: the IP, subnet, or IP range that VPN clients are allowed to access once connected to the SSL VPN. Here select the Local profile just created above.
  • Click Apply.

5.6.Open User Portal and SSL VPN service on WAN port

In order for users outside on the internet to access the User Portal to download the VPN software, as well as to connect to the SSL VPN, we need to open these two services on the WAN port of the Sophos device.

To open them, go to SYSTEM > Administration > Device Access.

In the WAN row, select the two services User Portal and SSL VPN.

Then click Apply.

5.7.Create Policy

After a user connects to the SSL VPN, they still cannot reach the LAN.

A policy is needed to allow traffic between the LAN and VPN zones.

To create a policy, go to PROTECT > Rules and Policies > click Add firewall rule > New firewall.

Create according to the following parameters:

  • Rule status: ON
  • Rule name*: SSL_VPN
  • Action: Accept
  • Log firewall traffic: check on box
  • Rule position: Top
  • Rule group: None
  • Source zones*: select LAN and VPN
  • Source networks and devices*: select the two profiles Local and SSL VPN Remote Access.
  • During scheduled time: select All the time.
  • Destination zones*: select LAN and VPN
  • Destination networks*: select the two profiles SSL VPN Remote Access and Local.
  • Service*: select Any
  • Check Match known users
  • In the User or groups* table: select the Support group. (This means that, when connected to the SSL VPN, only users in this group match this policy.)
  • Click Save
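To see what the SSL_VPN rule above actually lets through, here is an added example (not Sophos code, not from techbast) that re-creates the host objects from section 5.4 and the rule from section 5.7 with Python's ipaddress module and evaluates constructed sample flows against them; the zone lookup and the group-membership check are simplifications assumed for this model.

```python
"""Offline model of the address objects (5.4) and the SSL_VPN rule (5.7)."""
from ipaddress import ip_address, ip_network, summarize_address_range

# Host/network objects from section 5.4 (values as configured on the page).
LOCAL = [ip_network("10.145.41.0/24")]
SSL_VPN_REMOTE_ACCESS = list(summarize_address_range(
    ip_address("10.81.234.5"), ip_address("10.81.234.55")))

# Rule SSL_VPN from section 5.7: LAN and VPN zones on both sides, both
# objects on both sides, service Any, match known users in group Support.
RULE = {
    "zones": {"LAN", "VPN"},
    "networks": LOCAL + SSL_VPN_REMOTE_ACCESS,
    "group": "Support",
}


def in_objects(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def zone_for(ip):
    """Assumed zone lookup: LAN subnet -> LAN, VPN lease range -> VPN."""
    if in_objects(ip, LOCAL):
        return "LAN"
    if in_objects(ip, SSL_VPN_REMOTE_ACCESS):
        return "VPN"
    return None


def rule_matches(src_ip, dst_ip, user_groups):
    """Return True when the SSL_VPN rule would accept this flow."""
    if zone_for(src_ip) not in RULE["zones"] or zone_for(dst_ip) not in RULE["zones"]:
        return False
    if not (in_objects(src_ip, RULE["networks"]) and in_objects(dst_ip, RULE["networks"])):
        return False
    # "Match known users": the flow must belong to an authenticated user in the group.
    return RULE["group"] in user_groups


def lease_overlaps_lan():
    """Sanity check: the VPN lease range must not overlap the LAN subnet."""
    return any(a.overlaps(b) for a in SSL_VPN_REMOTE_ACCESS for b in LOCAL)


if __name__ == "__main__":
    # Constructed flows: user1 (Support) received 10.81.234.6 and pings the AD server.
    print(rule_matches("10.81.234.6", "10.145.41.11", {"Support"}))   # True
    print(rule_matches("10.81.234.6", "10.145.41.11", set()))         # False: no known user
    print(rule_matches("10.81.234.60", "10.145.41.11", {"Support"}))  # False: outside lease range
    print(lease_overlaps_lan())                                       # False
```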

5.8.Result

After completing the configuration, use the computer outside on the internet to make the SSL VPN connection.

First, we need to access the user portal to download the software as well as the SSL VPN profile.

To access the user portal, open the link https://192.168.1.50.

After accessing, we enter the account and password to log in.

Techbast will use user1, synced from AD, to log in.

After logging in, click VPN, then Download client and configuration Windows to download the software.

Then install the SSL VPN Remote Access software as shown below.

  • Click I Agree
  • Click Install
  • Click Install
  • Click Next
  • Click Finish

After successfully installing the application, it will appear in the System Tray at the bottom right of the screen.

Right-click the traffic light icon and click Connect.

When the login box appears, enter the user1 account and password and click OK.

When the connection is successful, the message shown below appears.

We can see that the connection was successful and the assigned IP is 10.81.234.6, which falls within the IP lease range we configured earlier.

Finally, ping the AD Server to check that the connection to the LAN is working.
