Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Sophos Remote Ethernet Device (RED) is a small network appliance, designed to be as simple to deploy as possible. Its main purpose is to provide a secure tunnel from its deployment location to a Sophos UTM firewall.
There is no user interface on the RED appliance. It is designed to be fully configured and managed from a Sophos UTM. RED devices can be shipped to a remote site, connected to any DHCP connection to the internet, and be fully configured by a remote administrator with no prior knowledge of the site, and no need to walk local personnel through technical setup steps.
This guide details how to setup Sophos RED in each of its operational modes, and outlines common troubleshooting steps to resolve connection issues.
Applies to the following Sophos products and versions Sophos UTM Sophos RED
When a RED is configured in a Sophos UTM firewall, the configuration options chosen by the administrator are uploaded to the Sophos provisioning servers. The configuration is little more than the following items:
The unlock code is not stored on the RED appliance, but is used to prevent a RED that is in use from being accidentally or maliciously redirected. The correct unlock code must be supplied for the provisioning servers to accept new configuration for a RED. Initially, the unlock code is blank, until a RED has been connected to a UTM once. The first time a RED device is configured in a UTM, the unlock code should be left blank. Every time a RED is connected to a new UTM, the old unlock code must be entered in the new UTM to move the RED. Once the settings are pushed to the provisioning server, a new unlock code is issued, and displayed in the WebAdmin of the UTM.
The provisioning servers store the configuration provided by the administrator, on a centrally reachable set of servers. RED devices are able to be centrally configured due to this mechanism. When a RED device has no configuration, or the configuration it has is unsuccessful, it will look to the provisioning servers for updated instructions. A DNS lookup of red.astaro.com will return the closest provisioning server, which it will then securely connect to, and check for new instructions from the provisioning servers. As long as a RED has a working configuration, it will not check back with the provisioning servers again.
RED can operate in several modes. This section will help to understand how each of these modes operate, and help you to decide which modes are best suited to which circumstances.
The deployment helper tab in the UTM WebAdmin can assist in setting up new appliances very rapidly. It does much of the work necessary to fully enable a RED tunnel to be active, and able to allow traffic. In the following examples, we will not use the deployment helper, but instead walk through all steps manually, that the deployment helper would complete automatically. These scenarios will reference two different Sophos devices. One is the RED appliance, which sits at the remote location. The other is the UTM appliance with which the RED device will establish a tunnel. Both will have a connection to the internet, as shown in figure 1.
Figure1: General RED layout
This is the most commonly used mode. In this mode, we expect that the remote network will be fully managed by the UTM, through the RED. DHCP may be offered for the remote LAN by the UTM, and the RED may be the only device connecting the LAN to the Internet. While another router may sit in front of the RED, there is not a parallel path around the RED to the internet.
Figure 2: RED used in Standard/Unified mode
Figure 2 illustrates the flow of data in this operational mode. All traffic from the remote LAN will pass through the RED tunnel, whether it is heading for the local LAN, or the Internet. This allows the UTM to allow or deny requests in exactly the same manner as it does for traffic coming from the local LAN. Traffic between local and remote LANs can be blocked or allowed just by using firewall rules on the UTM. Web traffic can be filtered using the web security module, and applications such as Skype or BitTorrent can be controlled for remote LAN users, just as they can be for LAN users. This provides the highest level of security and manageability for remote networks. Its biggest drawback is the increased bandwidth requirements it may place on the UTM’s internet link. Since all internet traffic from the remote LAN also uses internet bandwidth at the UTM, the internet bandwidth at the UTM must be large enough to service requests from both its own local users, and all remote RED users. The RED 10 appliance is capable of tunneling data at up to 30 Mbps.
In the event that the RED loses contact with the UTM, and the tunnel fails, the RED will fail closed. Remote LAN users will lose access to the internet as well as to the UTM LANs until the tunnel can reconnect.
Standard/Split mode is physically similar to Standard/Unified mode. We expect that the remote network may be managed by the UTM, and UTM may provide DHCP to the remote LAN. Also, the RED is most likely the only device between the LAN and the internet. However, only traffic for selected networks is sent through the tunnel. All other traffic is sent directly out the local internet connection. The RED will masquerade outbound traffic to come from its public IP address. This minimizes bandwidth usage over the tunnel, and lightens the bandwidth requirements on the UTM, but it also reduces the manageability of the remote network substantially. Traffic to or from the internet cannot be filtered or protected from threats. Security can only be applied between the remote and local LANs.
Figure 3: RED used in Standard/Split mode
In this option, the UTM is not expected to manage the remote network. It will be connected between the remote LAN and the remote LAN’s gateway, and it will expect to receive an address on the remote LAN via DHCP. Similar to the Standard/Split option, only traffic destined for certain networks will be sent down the tunnel. In this case, the RED does not act as the gateway, but since it is in-line with the gateway, it can transparently redirect packets down the tunnel.
This option requires no reconfiguration of the remote network, but it does not allow any management of the remote LAN. It can only provide security between the remote LAN, and any local subnets which are accessible through the tunnel. Also, in the event that the tunnel should go down, the internet will also go down for any devices behind the RED.
This section will outline the basic steps required to manually add a new RED to a UTM. In some cases, more detailed setup options may be desired, but this will be outside of the scope of this document.
Figure 4: Adding a RED appliance
Note: It is strongly recommended that the Uplink Mode remain set to DHCP client if at all possible. Static address should only be chosen if there is no option for DHCP. When setting a static IP, bear in mind that the RED must connect to a DHCP network at least once, to download its settings. If static address is chosen, then additional fields will appear for IP address, Netmask, Gateway IP, and DNS servers.
Note: Mobile broadband failover is covered in a later section.
Follow this section for all setup modes:
Follow this section for Standard/Unified mode. This section can be skipped for other modes if none of the Split networksare accessed over the internet.
If traffic from the remote LAN will pass through the RED tunnel and out to the internet, you will need to create a Masquerading rule. The instructions below will create a rule specifically for traffic from the remote LAN.
Follow this section for all operation modes.
Creating firewall rules can be as simple or as complex as you require, but explaining how to create detailed firewall rules is outside of the scope of this article. In this example we will create one rule allowing the remote LAN access to both the internet, and any local networks. It is assumed that you will create more restrictive rules if tighter security is required.
Follow this section for Standard/Unified and Standard/Split operation modes.
If the UTM is managing the remote network, as would most likely be the case in Standard/Unified or Standard/Split modes, then the UTM should have a DHCP server configured.
Next, the DNS relay will need to allow queries from the remote LAN.
The RED establishes a connection between RED_WAN1 and UTM_WAN1.
If UTM_WAN1 is down: RED_WAN1 will connect to UTM_WAN2
If UTM_WAN1 and RED_WAN1 is down: RED_WAN2 will connect to UTM_WAN2
The RED establishes a connection between RED_WAN1 and UTM_WAN1 / UTM_WAN2
If RED_WAN1 is down: RED_WAN2 will connect to UTM_WAN1 / UTM_WAN2
The RED establishes a connection between RED_WAN1 / RED_WAN2 and UTM_WAN1
If UTM_WAN1 is down: RED_WAN1 / RED_WAN2 will connect to UTM_WAN2
The RED establishes a connection between RED_WAN1 / RED_WAN2 and UTM_WAN1 / UTM_WAN2
Note: If any interfaces go down, the interface will be checked until it is working again. The connection will be restored to the original interface if it becomes available again.
This is not an option that can be chosen when configuring the RED, but is implemented mostly through physical configuration. This mode is not unlike Transparent/Split mode, but it allows the tunnel to go down without also disabling local internet access. In this scenario, the red is configured in Standard/Unified mode, but is not placed in front of the remote LAN. It is connected as an alternate gateway on the remote LAN, and routes must then be added on the existing default gateway to access remote networks behind the RED.
The WAN port is plugged into the same LAN switch that LAN clients are connected to, and once the RED receive its mode configuration, you then connect a LAN port to the same LAN switch.
The setup is marginally more physically complex than other modes, but is logically simpler, and allows for tunnel or RED hardware failure, without disrupting normal internet traffic.
When dealing with a large number of RED devices, it may be simpler to treat all remote RED networks as a single LAN. The UTM supports creating a single bridge interface, bridging any number of NICs. If you have not setup a bridge interface already, you may bridge more than one RED connection together, to effectively treat all remote RED connections as a single LAN. Access from RED to RED can still be controlled by firewall rules, so security need not diminished in this setup.
To setup bridging, follow the Adding RED to the UTM instructions for at least two RED devices. Then, in the UTM WebAdmin, browse to Interfaces & Routing > Bridging. Make sure Bridging is enabled, then select Bridge selected NICs (mixed mode). Under Member NICs, select all added RED interfaces, and under Convert interface, select <<No conversion >>. Click Create Bridge to complete. Then, follow the remaining RED setup steps, but select the br0 hardware interface, instead of a reds# interface. You will only need to follow the basic red setup instructions once, no matter how many REDs are added to the UTM. Additional REDs can be added to the bridge under Interfaces & Routing > Bridging. Select the new RED interface, and click save, to apply the changes. All rules setup for one RED, will immediately also apply to the newly added RED device.
Starting in version 8.300, the ability was added to use a UTM as the client device in a RED tunnel. This greatly increases the possible number of ways a RED tunnel can be used. This guide will go over the setup of the tunnel, and the general operating principles of UTM client tunnels, but will not go into depth on how to configure advanced use of this feature. Once a tunnel is setup, configuring traffic between two UTMs becomes purely a matter of routing and firewall rules. This tunnel type is best suited for environments that:
To setup a UTM-to-UTM RED tunnel, first choose one UTM to be the server. The server role is not related to how traffic will flow through the tunnel, only on which side will await connection, and which end will initiate the connection. The server will wait for connections from the client.
To setup a RED client connection,
This will generate a provisioning file for the remote UTM. Click the Download button, to save the .red provisioning file to disk.
At this point, the tunnel should connect automatically, and each UTM will have a virtual RED interface that may be configured in whatever manner is desired. For split tunnel operation, simply route the selected destination networks to the UTM IP at the other end of the RED tunnel.
Please see How to configure Site-to-Site RED Tunnels for further details & instructions on configuring site-to-site RED tunnels.
The most important information when troubleshooting, a RED device, is the LEDs on the front of the device. When first plugged in, the power light should be lit solidly. The device will then load its current firmware.
If a failure occurs, the LEDs will blink in a particular pattern to indicate the error. See the Rev. 1 blink codes section for further info.
If a failure occurs, the System LED will blink red, and the remaining LEDs will blink in a particular pattern to indicate the error. See the Rev. 2 blink codes section for further info.
RED 10 Revision 2 (RED Rev. 2) appliance status LEDs are different from RED Rev. 1 status LEDs.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.