This article describes the steps to configure SSL VPN remote access. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Go to Authentication > Groups and create a group for remote SSL VPN users.
Go to Authentication > Users and create remote SSL VPN users.
Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall.
Go to Hosts and Services > IP Host and define the remote SSL VPN range.
Note: Please make sure that the LAN and VPN assigned networks are not the same.
Go to VPN > SSL VPN (Remote Access) and select Add to create an SSL VPN policy.
Go to Authentication > Services and make sure that Local authentication server is selected under the SSL VPN Authentication Methods section.
Note: Also make sure that Local authentication server is selected under the Firewall Authentication Methods section. This is needed for remote users to log on to the portal to download the SSL VPN client software later in this article.
Go to Administration > Device Access and allow SSL VPN and User Portal for the WAN and LAN zones under the Local Service ACL section. Add other zones as required.
Go to VPN and select Show VPN Settings.
Under the SSL VPN tab, verify the IPv4 Lease Range configured earlier and set the rest of the options as required.
Note: If the XG Firewall does not have a public IP assigned on the WAN interface but is behind a NAT device, set the public IP in the Override Hostname field. This sets the SSL VPN client configuration file to use this public IP when establishing the connection. The NAT device has to be configured to forward the SSL VPN connection to the XG Firewall.
Go to Firewall, click + Add Firewall Rule and select User/Network Rule.
From a browser, log on to the user portal using the Sophos Firewall's public IP address and the user portal HTTPS port. In this example, the user portal is accessible at https://172.20.120.15:4443
Note: You can find the user portal HTTPS port configured in Sophos Firewall by going to Administration > Admin Settings, under the Port Settings for Admin Console section.
Once logged in to the portal, download the SSL VPN client for the required endpoint. In this article, we will download and install the client and configuration for Windows 10.
Run the downloaded SSL VPN client.
Note: If you have application control software, make sure to unblock OpenVPN and SSL VPN Client for Windows in order for the installation to be successful.
Accept the license agreement.
From your Windows machine, verify that you have been assigned an IP address from the SSL VPN range configured earlier in Sophos Firewall.
Note: You can also verify the route injected by the SSL VPN client by running the route print command.
From Sophos Firewall, go to Firewall and verify that the remote SSL VPN access rule allows ingress and egress traffic.
Go to Current Activities > Live users to verify SSL VPN users.
Go to Report > VPN to verify remote SSL VPN users list.
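The notes above require that the LAN and SSL VPN networks differ and that the connected client holds an address from the configured lease range. The following is an added example, not part of the original article or Sophos tooling, that checks both conditions offline; the function names and all sample addresses are constructed assumptions.

```python
import ipaddress

def lease_networks(first, last):
    """Collapse an IPv4 lease range (first-last) into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def overlapping_subnets(lan_subnets, lease_first, lease_last):
    """Return the LAN subnets that share addresses with the lease range."""
    lease = lease_networks(lease_first, lease_last)
    clashes = []
    for cidr in lan_subnets:
        # strict=False accepts a host address with a mask, e.g. 192.168.10.1/24
        lan = ipaddress.IPv4Network(cidr, strict=False)
        if any(lan.overlaps(block) for block in lease):
            clashes.append(str(lan))
    return clashes

def in_lease_range(address, lease_first, lease_last):
    """True if the address the client received lies inside the lease range."""
    ip = ipaddress.IPv4Address(address)
    return ipaddress.IPv4Address(lease_first) <= ip <= ipaddress.IPv4Address(lease_last)

def check(lan_subnets, lease_first, lease_last, client_ip):
    """Run both checks and return a list of findings (empty means OK)."""
    findings = []
    try:
        for lan in overlapping_subnets(lan_subnets, lease_first, lease_last):
            findings.append(f"LAN subnet {lan} overlaps the SSL VPN lease range")
        if not in_lease_range(client_ip, lease_first, lease_last):
            findings.append(f"client address {client_ip} is outside the lease range")
    except ValueError as exc:  # malformed address, or range end before start
        findings.append(f"invalid input: {exc}")
    return findings

if __name__ == "__main__":
    # Constructed sample values; substitute the ones from your IP Host objects
    # and the address shown on the Windows client after connecting.
    results = check(["192.168.10.0/24"], "10.81.234.5", "10.81.234.55", "10.81.234.6")
    for line in results or ["OK"]:
        print(line)
```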