Overview
This article describes the steps to configure SSL VPN remote access.
Defining local subnet and remote SSL VPN range
Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall.
Go to Hosts and Services > IP Host and define the remote SSL VPN range.
Note: Please make sure that the LAN and VPN assigned networks are not the same.
Defining remote SSL VPN policy
Go to VPN > SSL VPN (Remote Access) and select Add to create an SSL VPN policy.
Verifying the authentication services for SSL VPN
Go to Authentication > Services and make sure that the Local authentication server is selected under the SSL VPN Authentication Methods section.
Note: Also make sure that the Local authentication server is selected under the Firewall Authentication Methods section. This is needed for remote users to log on to the portal to download the SSL VPN client software later in this article.
Verifying the allowed zones for SSL VPN
Go to Administration > Device Access and allow SSL VPN and User Portal for the LAN zone under the Local Service ACL section. Add other zones as required.
Note: To minimize the attack surface, only run the User Portal on LAN. Users will need to be on the network to download the SSL VPN client. If you require your SSL VPN and User Portal to be available on the WAN zone, Sophos highly recommends enabling MFA/OTP (http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringTwoFactorAuthentication.html).
Configuring advanced SSL VPN settings
Go to VPN and select Show VPN Settings.
Under the SSL VPN tab, verify the IPv4 Lease Range configured earlier and set the remaining options as required.
Note: If the XG Firewall does not have a public IP assigned on the WAN interface but is behind a NAT device, set the public IP in the Override Hostname field. This sets the SSL VPN client configuration file to use this public IP when establishing the connection. The NAT device has to be configured to forward the SSL VPN connection to the XG Firewall.
Creating a firewall rule
Go to Rules and policies > Firewall rules > Add new firewall rule > New firewall rule.
Notes:
If there are multiple firewall rules from VPN to LAN zones, put the above firewall rule at the top of the list as described in Sophos XG Firewall: How to change firewall rule order (KB-000036669).
It is possible for the remote host to access the internet via the XG Firewall. To do this, create a firewall rule with VPN as the source zone and WAN as the destination zone.
Once logged into the portal, download the SSL VPN client for the required endpoint. In this article, we will download and install the client and configuration for Windows 10.
Installing the SSL VPN client software on Windows
Run the downloaded SSL VPN client.
Note: If you have application control software, make sure to unblock OpenVPN and SSL VPN Client for Windows so that the installation succeeds.
Click Next and follow the wizard.
Results
From your Windows machine, verify that you have been assigned an IP address from the SSL VPN range configured earlier in Sophos Firewall.
Note: You can also verify the route injected by the SSL VPN client by running the route print command.
From Sophos Firewall, go to Firewall and verify that the remote SSL VPN access rule allows ingress and egress traffic.
Go to Current Activities > Live users to verify SSL VPN users.
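Added example, not part of the original Sophos article: a Python check of the client-side results above, run over saved route print output. It confirms that the LAN subnet and the SSL VPN lease range do not overlap, that the client holds an address from the lease range, and that the most specific route to the LAN leaves through the tunnel interface. All addresses and the route table excerpt are constructed sample values.

```python
import ipaddress

# Constructed `route print` excerpt from a connected client (sample data).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      25
      10.81.234.4  255.255.255.252         On-link      10.81.234.6     281
      172.16.16.0    255.255.255.0      10.81.234.5      10.81.234.6     281
      192.168.1.0    255.255.255.0         On-link     192.168.1.50     281
"""

def parse_routes(text):
    """Return (network, interface_ip, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:  # headers, separators and other non-route lines
            continue
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}", strict=False)
            routes.append((net, ipaddress.ip_address(cols[3]), int(cols[4])))
        except ValueError:
            continue
    return routes

def verify(route_text, lan, lease_start, lease_end):
    """Check the LAN/lease separation, the assigned IP and the LAN route."""
    lan = ipaddress.ip_network(lan)
    start = ipaddress.ip_address(lease_start)
    end = ipaddress.ip_address(lease_end)
    lease_nets = ipaddress.summarize_address_range(start, end)
    overlap = any(net.overlaps(lan) for net in lease_nets)
    routes = parse_routes(route_text)
    tunnel_ips = sorted({str(ip) for _, ip, _ in routes if start <= ip <= end})
    # Windows forwards on the most specific covering route, then lowest metric.
    covering = [r for r in routes if lan.subnet_of(r[0])]
    best = max(covering, key=lambda r: (r[0].prefixlen, -r[2]), default=None)
    via_tunnel = best is not None and start <= best[1] <= end
    return {"overlap": overlap, "tunnel_ips": tunnel_ips, "lan_via_tunnel": via_tunnel}

if __name__ == "__main__":
    print(verify(ROUTE_PRINT, "172.16.16.0/24", "10.81.234.5", "10.81.234.55"))
```

If lan_via_tunnel is false while tunnel_ips is populated, the client connected but the LAN subnet was not pushed as a route, which points back to the permitted network resources in the SSL VPN policy.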
Related information
Sophos XG Firewall: Configuring two-factor authentication (Recommended if User Portal is available on the WAN) (http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringTwoFactorAuthentication.html)
Sophos XG Firewall: How to change firewall rule order (KB-000036669)
Sophos Firewall: How to troubleshoot SSL VPN remote access connectivity and data transfer issues (KB-000036884)
Sophos Firewall: How to configure SSL VPN for Mac OS X (KB-000036421)
Sophos Firewall: How to configure SSL VPN Client in Ubuntu (KB-000036417)
Sophos Firewall: How to configure SSL VPN for iPhone or iPad (KB-000036418)