Instructions for configuring to block devices without Sophos Endpoint from accessing VPN on Sophos Firewall’s internal network

1 Overview

Security Heartbeat is a Sophos-exclusive feature that exchanges health state between the Sophos endpoint and Sophos Central through the Sophos Firewall. This link indicates how trustworthy the device is, and from it you can create policies that allow or block those computers' access.

In this article, techbast will guide you through configuring Sophos Firewall to block VPN access for computers that do not have Sophos Endpoint installed, using Security Heartbeat.

2 Diagram

There are two Windows 10 machines here, one with Sophos Endpoint installed and one without. We configure the firewall to block the computer without the endpoint from reaching the LAN over the VPN, while the machine with the endpoint can access it normally.

The Sophos Firewall holds the network access policies and allows SSL VPN access to the LAN.

3 Configuration

The configuration steps are as follows:

  • Initial configuration:
    • Configure SSL VPN.
    • Enable Security Heartbeat on Sophos Firewall.
  • Install Sophos Endpoint on the device.
  • Configure VPN access blocking for computers without a Security Heartbeat.

3.1 Initial configuration

– Configure SSL VPN remote access to the Sophos Firewall

Please refer to the following article for the configuration steps

– Enable Security Heartbeat on Sophos Firewall

To enable Security Heartbeat, we need to sign in to the Sophos Central account on the Firewall; please refer to the following article for the configuration steps

3.2 Install Sophos Endpoint on the device

To install, go to Sophos Central >> Protect Devices and download the appropriate installer.

On an AD domain, we can use a GPO to deploy the installer; refer to the following article for the configuration steps

3.3 Configure VPN blocking for computers that do not have Sophos Endpoint installed

After completing the preparation steps, we turn on the Heartbeat policy on the Firewall.

3.3.1 SSL VPN full tunnel case

In this case, all of the Windows 10 VPN client's traffic, to the LAN and to the internet, must go through the Sophos Firewall.

Go to the Remote access VPN section; on the SSL VPN tab, edit the previously created configuration and select Use as default gateway in the Tunnel access section.

After changing the configuration, sign in to the user portal and download the new configuration file to import into the VPN client software on the client computer.

Next, we update the firewall rule that allows SSL VPN to access the LAN. Open the configured Firewall rule.

Scroll down to the Configure Synchronized Security Heartbeat section. Set Minimum source HB permitted to Yellow or higher, so that only devices reporting a Yellow or Green heartbeat are allowed, and enable blocking of connections that have no Heartbeat.

Save the configuration and move on to section 4 to check the results.

3.3.2 SSL VPN split tunnel case

In this case, only traffic destined for the LAN goes through the VPN; all other traffic does not.

We configure the client so that traffic to the Security Heartbeat IP address is routed through the VPN to the Sophos Firewall.

My Security Heartbeat IP address is 52.5.76.173. Different data centers will have different IP addresses.

We can check it at the following path:

C:\ProgramData\Sophos\Heartbeat\Config – open the file Heartbeat.xml

However, this folder is protected, so to read it we have to turn off Sophos Endpoint's protection features.

Disabling them requires the tamper protection password.

After getting the Heartbeat IP, we configure split tunnel for SSL VPN.

Go to the Remote access VPN section; on the SSL VPN tab, edit the previously created configuration. Disable Use as default gateway under Tunnel access, and in the Permitted network resources section add the Heartbeat IP address found above.

After changing the configuration, sign in to the user portal and download the new configuration file to import into the VPN client software on the client computer.

Next, we update the firewall rule that allows SSL VPN to access the LAN. Open the configured Firewall rule.

Scroll down to the Configure Synchronized Security Heartbeat section. Set Minimum source HB permitted to Yellow or higher, so that only devices reporting a Yellow or Green heartbeat are allowed, and enable blocking of connections that have no Heartbeat.

Save the configuration and go to section 4 to check the results.
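In the split tunnel case the whole mechanism depends on one detail: the client's route to the Security Heartbeat IP must point into the SSL VPN adapter, otherwise the heartbeat never reaches the Firewall and the endpoint is treated as having no Heartbeat. The following PowerShell script is an added example for checking that on the Windows 10 client; it is not part of the original article and not Sophos code. It assumes that Heartbeat.xml contains the heartbeat server address as a literal IPv4 string (if the file cannot be read, because tamper protection is still on, it falls back to the address list given in -FallbackAddresses, which defaults to the article's 52.5.76.173), and that the VPN adapter's name or description matches the regex in -VpnAdapterPattern ("TAP" or "Sophos" by default). Find-NetRoute and Get-NetAdapter are the built-in NetTCPIP and NetAdapter cmdlets; run the script in an elevated session while the VPN is connected.

```powershell
<#
Added example, not from the original article or from Sophos.
Checks that traffic to the Security Heartbeat server leaves the Windows client
through the SSL VPN adapter (i.e. the Permitted network resources entry took
effect) instead of the local default gateway.
#>
param(
    # Path stated in the article; the file is only readable with protection disabled.
    [string]$HeartbeatConfig = 'C:\ProgramData\Sophos\Heartbeat\Config\Heartbeat.xml',
    # Assumption: the VPN virtual adapter name/description matches this regex.
    [string]$VpnAdapterPattern = 'TAP|Sophos',
    # Value from the article; it differs per Sophos Central data center.
    [string[]]$FallbackAddresses = @('52.5.76.173')
)

function Get-HeartbeatAddresses {
    param([string]$Path, [string[]]$Fallback)
    try {
        $text  = Get-Content -Path $Path -Raw -ErrorAction Stop
        # Assumption: the server address appears as a dotted-quad IPv4 literal.
        $found = [regex]::Matches($text, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
        if ($found) { return [string[]]$found }
        Write-Warning "No IPv4 address found in $Path; using fallback list."
    } catch {
        Write-Warning "Cannot read $Path ($($_.Exception.Message)); using fallback list."
    }
    return $Fallback
}

function Test-HeartbeatRoute {
    param([string]$Address, [string]$AdapterPattern)
    # Find-NetRoute does the same longest-prefix lookup the IP stack uses and
    # returns the chosen source address object and the route object; both carry
    # the InterfaceIndex of the egress adapter.
    $lookup  = Find-NetRoute -RemoteIPAddress $Address -ErrorAction Stop
    $ifIndex = ($lookup | Select-Object -First 1).InterfaceIndex
    $adapter = Get-NetAdapter -InterfaceIndex $ifIndex -ErrorAction Stop
    $route   = $lookup | Where-Object { $_.PSObject.Properties['DestinationPrefix'] } |
        Select-Object -First 1
    [pscustomobject]@{
        Address           = $Address
        DestinationPrefix = $route.DestinationPrefix
        NextHop           = $route.NextHop
        Adapter           = $adapter.Name
        Description       = $adapter.InterfaceDescription
        ViaVpn            = ("$($adapter.Name) $($adapter.InterfaceDescription)" -match $AdapterPattern)
    }
}

$results = foreach ($ip in (Get-HeartbeatAddresses -Path $HeartbeatConfig -Fallback $FallbackAddresses)) {
    try   { Test-HeartbeatRoute -Address $ip -AdapterPattern $VpnAdapterPattern }
    catch { Write-Warning "Route lookup for $ip failed: $($_.Exception.Message)" }
}

$results | Format-Table -AutoSize

if (-not $results -or ($results | Where-Object { -not $_.ViaVpn })) {
    Write-Host 'FAIL: a heartbeat address would bypass the VPN tunnel; check the Permitted network resources entry and re-download the client configuration.' -ForegroundColor Red
    exit 1
}
Write-Host 'OK: heartbeat traffic is routed through the VPN adapter.' -ForegroundColor Green
```

A FAIL result with the VPN connected usually means the new client configuration was not re-imported after the Permitted network resources change, or the heartbeat address in the firewall does not match the one in Heartbeat.xml for your data center.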

4 Check the result

4.1 Devices with Sophos Endpoint installed

On the computer with the Endpoint installed, we connect the VPN to the Firewall.

On the Firewall admin page, we see the connection, and the Security Heartbeat item has appeared for the device.

On the Sophos Central page, we select the device that connected to the VPN to view its information. Go to the Devices section, select the computer name and look at the Summary tab. We will see that Security Heartbeat has connected to our Firewall, with the serial number shown in the section below.

We try to connect to resources inside the system.

The connection is successful.

4.2 Devices without Sophos Endpoint

Next, on the machine that does not have Sophos Endpoint installed, we connect the VPN to the Firewall; this time the Firewall admin page shows no Security Heartbeat for the connection.

Trying to access resources inside the network, we see that the access is blocked.

So we have configured VPN client control through Security Heartbeat.
