Sophos firewall: How to configure SSL VPN Client to Site with OTP using Google Authenticator


The article guides you to configure the SSL VPN Client to Site feature in combination with One-time Password authentication and using the Google Authenticator application, this feature provides enhanced security for users’ connection to the system central network

With OTP authentication using Google Authenticator, it will be supported on mobile devices (Android only)

Table of contents

  1. Create VPN user
  2. Enable OTP feature on Sophos XG
  3. Create SSL VPN remote access connection
  4. Download and install Sophos SSL VPN Client


How to configure

  • Access the Sophos XG device’s web interface with the Admin account
1. Create VPN user
  • Go to CONFIGURE -> Choose Authentication -> Choose tab Users -> Click Add
  • Enter username
  • Enter password
  • In User type: Choose User
  • Enter email
  • In Group: Select Sophos’s default group or create a VPN group under Group and select in that group here
  • In Surfing quota: Select the amount of bandwidth you want for the user to use
  • In Access time: Choose time which you want to allow your users to access
  • Click Save
2. Enable OTP feature on Sophos XG
  • Go to CONFIGURE -> Choose Authentication -> Choose One-time password tab -> Click Settings
3. Create SSL VPN remote access connection
  • Go to CONFIGURE -> Choose VPN -> Choose SSL VPN (remote access) tab -> Click Add
  • Enter name for VPN
  • Choose user or group VPN which you was create before
  • In Permitted network resource (IPv4): Choose networks which you want VPN users to access
  • Click Apply
  • Click Show VPN settings -> Choose SSL VPN -> In Override hostname: Enter IP WAN of Sophos XG device which you want the VPN to reach
4. Download and install Sophos SSL VPN Client
  • Access the User Protal with the account of the user you created earlier
  • Download Google Authenticator software on mobile device and scan QR code
  • After scan QR code, on Sophos firewall device will automatically identify the authenticated user
  • Click icon OTP time-offset synchronization
  • We will enter passcode which was received on Google Authenticator software -> Click Check -> Click Apply
  • Backup to login page to login again with username and password + passcode which was authenticated
  • Click Download client and configuration for Windows to download installation file and install as normal
  • After installation, we can VPN using username and password + passcode (passcode obtained on Sophos Authenticator application)

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.