Hope someone can advise on this,
I have an XG FW and have set up the Sophos Connect client VPN, which seems to work perfectly to allow remote users access to the network. However, I have resources on another site that can be accessed from my main site but not by remote users using Sophos Connect. How can I allow remote SC users to access these as if they are on the network?
Main site: 10.0.0.0/22
Branch site (IPsec site-to-site): 10.1.0.0/22
Cloud-hosted subnet connected via IPsec (where we have an application hosted): 172.20.0.0/24
Users on the main site and the branch site can both access network shares on one another and also on the cloud-hosted site. My users access the main site (10.0.0.0/22) via SC but are ONLY able to access resources on the 10.0.0.0/22 subnet. I have tinkered with rules to no avail (and noticed that in SSL VPN there's a "remote networks" option, which I think I need to locate an equivalent of for SC?).
Any advice here would be massively appreciated.
Hi Benjamin Cox, as per my understanding, your requirement is to access the remote location resources through the Sophos Connect client user, and the remote site is connected with the main site via site-to-site VPN:
Sophos Connect Client >> Main Site >> IPsec Tunnel >> Remote Site resources.
You may try the configuration steps below; they may help.
1. Please add the IP address of the Sophos Connect client in the Local Subnet of the main site IPsec VPN configuration and in the Remote Subnet of the remote site IPsec VPN configuration.
2. Create a VPN to VPN zone firewall rule and verify if you are able to access.
In reply to Keyur:
Thank you for your response. I don't see any "Main site" within Sophos Connect, or any IPsec policies called "Main Site".
Can you advise where I should be looking? (Running XG 17.5)
In reply to Benjamin Cox:
Hi Benjamin Cox, there is no such thing called "Main Site". Just refer to "Main site" as your primary location or Head Office, where the Sophos Connect client users are connecting to the Sophos XG firewall.
Sorry, I'm not really sure what you mean. Where do I refer to it?
The initial instructions made me think I need to look in the menu structure for Sophos Connect. Where in Sophos Connect do I refer to a site? The options for Sophos Connect are very limited, and I've looked in IPsec policies and had a play with FW rules to no avail.
Do you happen to have any screenshots at all?
Many thanks for your help so far :)
Hi Benjamin Cox, as per my understanding the scenario is as below. You have three sites:
Main site 10.0.0.0/22
Branch site 10.1.0.0/22
Cloud site 172.20.0.0/24
Sophos Connect client users connect to the "Main site 10.0.0.0/22" firewall. Now you want your Sophos Connect client users to be able to access Branch site 10.1.0.0/22 as well. Please correct me if anything is missing.
Yes that's exactly how it's set up,
When connected, the users (via Sophos Connect) are able to access resources on the 10.0.0.0/22 network, but we'd also like them to have access to the other networks too. I've set up an L2TP VPN profile, and users that connect to that are able to access all resources, but I prefer the concept of the SC client as it's easier to manage users.
Hi Benjamin Cox, thank you for confirming the details. Now, please follow the steps given below to access Branch site 10.1.0.0/22.
1. A VPN to VPN firewall rule should be configured at the Main site 10.0.0.0/22 Sophos Firewall XG.
2. The IP lease range of the Sophos Connect client configuration (XG firewall) should be added in the "Local Subnet" of the IPsec configuration (XG firewall) at the Main site and in the "Remote Subnet" of the IPsec tunnel configuration (XG firewall) of the Branch site.
3. Re-establish the tunnel and verify if the Sophos Connect user is able to access the Branch site network.
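The reason behind these steps is that an IPsec site-to-site tunnel only carries packets matching one of its configured local/remote subnet pairs, on both ends, and the Sophos Connect client addresses sit in the VPN zone rather than in the LAN. The following model is an added illustration (not Sophos code and not anything posted in this thread) that checks a client-to-branch flow against both tunnel ends and the zone rules, using the subnets from the thread; the Sophos Connect lease range 10.0.4.0/24 is an assumed placeholder, since the thread does not state it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Subnets from the thread. The Sophos Connect lease range is an ASSUMED
# placeholder (not given in the thread); use whatever your XG actually hands out.
MAIN_LAN = ip_network("10.0.0.0/22")
BRANCH_LAN = ip_network("10.1.0.0/22")
CLOUD_LAN = ip_network("172.20.0.0/24")
SC_LEASE_RANGE = ip_network("10.0.4.0/24")  # assumed, outside the main LAN


@dataclass
class IpsecTunnel:
    """One end of a site-to-site IPsec connection: packets are only carried
    if source matches a local subnet AND destination matches a remote subnet."""
    site: str
    local_subnets: list
    remote_subnets: list

    def selects(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in n for n in self.local_subnets) and any(
            dst in n for n in self.remote_subnets
        )


def check_path(main_side, branch_side, zone_rules, src, dst):
    """Return (ok, reason) for a packet from a Sophos Connect client (src) to a
    branch host (dst). The outbound flow must match the main-site selectors, the
    return flow must match the branch-site selectors, and the main-site XG needs
    a rule from the VPN zone (SC clients) to the VPN zone (IPsec networks)."""
    src, dst = ip_address(src), ip_address(dst)
    if not main_side.selects(src, dst):
        return False, f"{main_side.site}: {src} is not in the tunnel's local subnets"
    if not branch_side.selects(dst, src):
        return False, f"{branch_side.site}: {src} is not in the tunnel's remote subnets"
    if ("VPN", "VPN") not in zone_rules:
        return False, "no VPN-to-VPN firewall rule on the main-site XG"
    return True, "ok"


def before_fix():
    """Starting point of the thread: tunnels only know the two LANs and the SC
    users only have a VPN-to-LAN rule."""
    main = IpsecTunnel("main", [MAIN_LAN], [BRANCH_LAN])
    branch = IpsecTunnel("branch", [BRANCH_LAN], [MAIN_LAN])
    rules = {("VPN", "LAN")}
    return check_path(main, branch, rules, "10.0.4.10", "10.1.0.50")


def main_side_only():
    """Common mistake: lease range added on the main site only, so the branch
    firewall has no selector for the return traffic."""
    main = IpsecTunnel("main", [MAIN_LAN, SC_LEASE_RANGE], [BRANCH_LAN])
    branch = IpsecTunnel("branch", [BRANCH_LAN], [MAIN_LAN])
    rules = {("VPN", "LAN"), ("VPN", "VPN")}
    return check_path(main, branch, rules, "10.0.4.10", "10.1.0.50")


def after_fix():
    """Steps from the answer above: lease range in the main-site local subnets
    and the branch-site remote subnets, plus a VPN-to-VPN rule."""
    main = IpsecTunnel("main", [MAIN_LAN, SC_LEASE_RANGE], [BRANCH_LAN])
    branch = IpsecTunnel("branch", [BRANCH_LAN], [MAIN_LAN, SC_LEASE_RANGE])
    rules = {("VPN", "LAN"), ("VPN", "VPN")}
    return check_path(main, branch, rules, "10.0.4.10", "10.1.0.50")


if __name__ == "__main__":
    for name, fn in [("before", before_fix), ("main only", main_side_only), ("after", after_fix)]:
        print(f"{name:10s} -> {fn()}")
```

The same pair of selector changes (lease range added to the local subnets on the main-site tunnel and to the remote subnets on the far end) applies to the cloud tunnel for 172.20.0.0/24; the "main only" case is worth keeping in mind because the tunnel comes up fine and only the return traffic is dropped.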
Did you get it working with the last suggestion? Please let us know.