I am having an issue controlling remote SSL VPN clients with VNC or RDP. Users connect to our XG firewall (Version 17.5.8 MR 8) just fine and can access all services on the local LAN from home. I want to be able to VNC or RDP into their PCs from the local LAN but there seems like there is a block between the local LAN going back to the SSL VPN client network. I have tried every kind of firewall rule to connect these two networks. I used to use the Sophos IPSec VPN clients on V9 and this process worked just fine. Since upgrading to XG and SSL VPN clients it does not work. Does anyone know if this is blocked by design or I am doing something wrong? Any help would be appreciated. Thanks.
Local LAN: 192.168.1.x
SSL VPN: 10.10.10.x
Hi Jae Lupo, please enable "Use as default gateway" in the SSL VPN remote access configuration, create a VPN-to-VPN firewall rule and verify.
In reply to Keyur:
Thank you for the info but this creates a full tunnel with all traffic going through our network. This does not work for us as the traffic is too much and slows our entire network down. We need a split tunnel to be productive. Is there another way to configure this? Thanks.
In reply to Jae Lupo:
Hi Jae Lupo, unfortunately there is no alternative to this. You could create a separate SSL VPN policy for those specific users and enable full tunnel.
I tried your solution (enable "Use as default gateway") and the connected clients could not see any network resources, either by name or by IP address. Does anyone else have a solution for this issue? I know there is a setting missing here, and I don't need a full tunnel for this to work, as it worked on UTM 9 with an IPSec client with no problems. Thanks.
Define the host as an IP subnet (because an IP range does not work), e.g. "sslVPN-IP IP subnet 10.10.10.0/255.255.255.0 IPv4". Add this subnet in the SSL VPN remote access definition as Permitted network resources (IPv4). Define the firewall network rule for VPN:
Source zone: LAN + VPN, any, any
Destination zone: VPN + LAN, any, any
NAT & routing: do not select.
It should work as you wanted.
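To see why the single VPN-to-LAN rule lets clients reach the LAN but blocks a helpdesk PC from opening RDP back to a client, here is a small zone-based rule model written for this thread (not Sophos code, and it covers only the firewall-rule step, not the permitted-network-resources step). Addresses, hosts and the "narrowed" rule set that limits LAN-to-VPN traffic to the RDP/VNC ports are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed lab addressing matching the thread: LAN 192.168.1.0/24, SSL VPN pool 10.10.10.0/24.
ZONES = {"LAN": ip_network("192.168.1.0/24"), "VPN": ip_network("10.10.10.0/24")}

@dataclass
class Rule:
    src_zones: set
    dst_zones: set
    dst_ports: set = field(default_factory=set)  # empty set means any service

def zone_of(ip):
    """Map an address to its zone by subnet membership; None if it is in neither."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def connection_allowed(rules, src_ip, dst_ip, dst_port):
    """First-match evaluation of a NEW connection; replies ride the existing session (stateful)."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz is None or dz is None:
        return False
    for r in rules:
        if sz in r.src_zones and dz in r.dst_zones and (not r.dst_ports or dst_port in r.dst_ports):
            return True
    return False

# Before the fix: only VPN -> LAN is permitted, so nothing on the LAN can initiate a session to a client.
ORIGINAL = [Rule({"VPN"}, {"LAN"})]
# JanSadlik's rule: LAN + VPN -> VPN + LAN, any service, NAT not selected.
FIX = [Rule({"LAN", "VPN"}, {"VPN", "LAN"})]
# Tighter variant (assumption, not from the thread): VPN -> LAN any, LAN -> VPN only RDP (3389) and VNC (5900).
NARROWED = [Rule({"VPN"}, {"LAN"}), Rule({"LAN"}, {"VPN"}, {3389, 5900})]

def demo(rules):
    """Three constructed sessions: client to LAN file share, helpdesk RDP to client, helpdesk SMB to client."""
    return {
        "client_to_lan_smb": connection_allowed(rules, "10.10.10.5", "192.168.1.20", 445),
        "helpdesk_rdp_to_client": connection_allowed(rules, "192.168.1.50", "10.10.10.5", 3389),
        "helpdesk_smb_to_client": connection_allowed(rules, "192.168.1.50", "10.10.10.5", 445),
    }

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("fix", FIX), ("narrowed", NARROWED)]:
        print(name, demo(rules))
```

The narrowed set keeps the helpdesk use case working while not exposing every port on remote clients to the whole LAN.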
In reply to JanSadlik:
You are brilliant!! Thank you so much for this fix. This works perfectly and I still have a split tunnel SSL VPN and I can control and help all my remote users safely and securely. You are the best!
I would read the solution to this thread so you can inform users properly in the future. I knew this was possible without a full tunnel (which didn't work, by the way); I just needed the right settings.
Hi Jae Lupo, thank you for updating the thread with the solution. Thank you JanSadlik for sharing your expertise, much appreciated. I have tested the "Use Default Gateway" option in my local lab and was able to achieve your requirements, and suggested accordingly. Glad to know that the issue got resolved and community members are helping each other.