
Sophos XG Firewall: How to configure SSL VPN remote access


KB-000035542 Apr 6, 2021

Overview
This article describes the steps to configure SSL VPN remote access.

Click on the links below for the steps:


Prerequisites
Configuring Sophos Firewall
Defining SSL VPN group and users
Defining local subnet and remote SSL VPN range
Defining remote SSL VPN policy
Verifying the authentication services for SSL VPN
Verifying the allowed zones for SSL VPN
Configuring advanced SSL VPN settings
Creating a firewall rule
Configuring SSL VPN client
Downloading the SSL VPN client software
Installing the SSL VPN client software on Windows
Results

Applies to the following Sophos products and versions


Sophos Firewall
 
Prerequisites
Please note that for the first-time configuration of SSL VPN, you must edit the attributes of the Sophos Firewall's default certificate before the SSL VPN configuration will work. Follow the steps in Update default CA (https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/CertificatesDefaultCAUpdate.html) to edit the default certificate.
 
Configuring Sophos Firewall

Defining SSL VPN group and users


Go to Authentication > Groups and create a group for remote SSL VPN users.
 

Go to Authentication > Users and create remote SSL VPN users.

 
Defining local subnet and remote SSL VPN range
Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall.

Go to Hosts and Services > IP Host and define the remote SSL VPN range.

Note: Please make sure that the LAN and VPN assigned networks are not the same.

 
Defining remote SSL VPN policy
Go to VPN > SSL VPN (Remote Access) and select Add to create an SSL VPN policy.
 
Verifying the authentication services for SSL VPN
Go to Authentication > Services and make sure that the Local authentication server is selected under the SSL VPN Authentication Methods section.

Note: Also make sure that the Local authentication server is selected under the Firewall Authentication Methods section. This is needed for remote users to log on to the portal to download the SSL VPN client software later in this article.
 
Verifying the allowed zones for SSL VPN
Go to Administration > Device Access and allow SSL VPN and User Portal for the LAN zone under Local Service ACL section. Add other zones as required.

Note: To minimize the attack surface, only run the User Portal on LAN. Users will need to be on the network to download the SSL VPN client. If you require your SSL VPN and User Portal to be available on the WAN zone, Sophos highly recommends enabling MFA/OTP (http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringTwoFactorAuthentication.html).

 
Configuring advanced SSL VPN settings
Go to VPN and select Show VPN Settings.

Under the SSL VPN tab, verify the IPv4 Lease Range configured earlier and set the rest of the options as required.

Note: If the XG Firewall does not have a public IP assigned on the WAN interface but is behind a NAT device, set the public IP in the Override Hostname field. This makes the SSL VPN client configuration file use this public IP when establishing the connection. The NAT device has to be configured to forward the SSL VPN connection to the XG Firewall.
 
Creating a firewall rule
Go to Rules and policies > Firewall rules > Add new firewall rule > New firewall rule.

Notes:

If there are multiple firewall rules from the VPN to the LAN zone, put the above firewall rule at the top of the list as described in Sophos XG Firewall: How to change firewall rule order (KB-000036669).
It is possible for the remote host to access the internet via the XG Firewall. To do this, create a firewall rule with VPN as the source zone and WAN as the destination zone.

Configuring SSL VPN client


Note: Sophos highly recommends enabling MFA/OTP (http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringTwoFactorAuthentication.html) for any WAN-facing portals.
 

Downloading the SSL VPN client software


From a browser, log on to the user portal. In this example, the user portal is accessible at https://172.20.120.15:4443

Note:

You can find the user portal HTTPS port configured in Sophos Firewall by going to Administration > Admin Settings, under the Port Settings for Admin Console section.
We don't recommend enabling either the user portal or the web admin console on external-facing (WAN) interfaces. This could allow hackers to easily identify the firewall vendor and type, and launch a targeted attack.
To restrict the XG Firewall user portal and web admin console to local interfaces, go to Administration > Device Access, then deselect User Portal and both Admin Services from the WAN zone.

Once logged into the portal, download the SSL VPN client for the required endpoint accordingly. In this article, we will download and install the client and configuration for
Windows 10.

 
Installing the SSL VPN client software on Windows
Run the downloaded SSL VPN client.

Note: If you have an application control software, make sure to unblock OpenVPN and SSL VPN Client for Windows in order for the installation to be successful.
 
Click Next and follow the wizard.

Accept the license agreement.


 
Choose the folder location and click Install.

Monitor the installation process.

Click Finish to complete the installation.

Once installed, start the VPN authentication by clicking on the traffic light symbol in the task bar.

Log in using the same credentials as for the user portal.

The traffic light will change from red (disconnected) to red and amber (negotiating/connecting). As soon as the traffic light changes to green, a pop-up message appears confirming that the SSL VPN connection is established.

Results
From your Windows machine, verify that you have been assigned an IP address from the SSL VPN range configured earlier in Sophos Firewall.

Note: You can also verify the route injected by the SSL VPN client by running route print command.

From Sophos Firewall, go to Firewall and verify that the remote SSL VPN access rule allows ingress and egress traffic.
Go to Current Activities > Live users to verify SSL VPN users.

Go to Report > VPN to verify remote SSL VPN users list.
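Two of the checks above lend themselves to a script: that the local subnet and the remote SSL VPN range do not overlap (the note under Defining local subnet and remote SSL VPN range), and that the address and route the Windows client received belong to the configured lease range (Results). The following Python is an added example, not code from the Sophos article; the subnets and the `route print` output are constructed sample values, not taken from the article's screenshots.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the IP Host objects defined on the firewall (assumptions).
LAN_SUBNETS = ["192.168.1.0/24"]     # local subnet behind Sophos Firewall
SSL_VPN_RANGE = "10.81.234.0/24"     # remote SSL VPN IPv4 lease range

# Constructed excerpt of what `route print` shows on the Windows client once connected.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.0.1    172.20.0.50     25
      10.81.234.0    255.255.255.0         On-link     10.81.234.6    281
      192.168.1.0    255.255.255.0      10.81.234.1    10.81.234.6    281
"""


def overlapping_networks(lan_subnets, vpn_range):
    """Return the LAN subnets that overlap the SSL VPN lease range (empty list means OK)."""
    vpn = ip_network(vpn_range, strict=False)
    return [s for s in lan_subnets if ip_network(s, strict=False).overlaps(vpn)]


def assigned_ip_in_range(client_ip, vpn_range):
    """Check that the address handed to the client lies inside the configured lease range."""
    return ip_address(client_ip) in ip_network(vpn_range, strict=False)


def route_to_lan_present(route_print_output, lan_subnet):
    """Parse the IPv4 table of `route print` and report whether a route to the LAN subnet exists.

    Each data row is: destination, netmask, gateway, interface, metric; header and
    separator lines are skipped because they do not match the subnet's address/mask pair.
    """
    net = ip_network(lan_subnet, strict=False)
    for line in route_print_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == str(net.network_address) \
                and parts[1] == str(net.netmask):
            return True
    return False


if __name__ == "__main__":
    print("overlapping LAN subnets:", overlapping_networks(LAN_SUBNETS, SSL_VPN_RANGE))
    print("client IP in lease range:", assigned_ip_in_range("10.81.234.6", SSL_VPN_RANGE))
    print("route to LAN injected:", route_to_lan_present(SAMPLE_ROUTE_PRINT, LAN_SUBNETS[0]))
```

On a real client, feed the script the saved output of `route print` and the address reported by the SSL VPN client instead of the constructed values.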

 
Related information
Sophos XG Firewall: Configuring two-factor authentication (Recommended if User Portal is available on the WAN) (http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringTwoFactorAuthentication.html)
Sophos XG Firewall: How to change firewall rule order (KB-000036669)
Sophos Firewall: How to troubleshoot SSL VPN remote access connectivity and data transfer issues (KB-000036884)
Sophos Firewall: How to configure SSL VPN for Mac OS X (KB-000036421)
Sophos Firewall: How to configure SSL VPN Client in Ubuntu (KB-000036417)
Sophos Firewall: How to configure SSL VPN for iPhone or iPad (KB-000036418)


Previous article ID: 122769
