Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 41 subscribers
  • Views 4476 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN connected, login web page available, login refused

Wayne Folta

I was recently testing remote SSL VPN access and connected successfully from a Mac using OpenVPN. I was able to then go to the admin login web page, and when I entered the login and password -- from a password manager, so no possibility of typo -- it said that the login failed. Trying a couple more times resulted in the login page displaying a Captcha and slowing down.

I wondered if the XGS has been hacked (running SFOS 18.5 MR1) and I'd been locked out. When I returned to inside the firewall, login worked as always.

What could have caused this?

Authentication is local. SFOS is the latest release. Mac was able to reach internet via SSL VPN connection, so the VPN part was working. It's set up so that the VPN can access the Admin login page. (Or I assume I would not even see the page displayed.)



This thread was automatically locked due to age.
  • 0

    First of all: Never ever open Webadmin (HTTPs) to WAN. You only need User Portal. User Portal can have a different auth server in the backend. Maybe its AD and you forgot to select the AD server for user portal --> Check the Auth - Services part on Webadmin.

    If you have User Portal open to WAN, check if you can access this component of XGS. 

    Then check for some sort of plugins in your browser, which could potentially mess up the captcha. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    It's open to VPN and VPN SSL is open to WAN, but it's not open to the WAN. Is that secure? (I don't need to have it open to the VPN, but figured I might want to reconfigure some things when I'm out of town. Using internal; SSH (not open to the WAN) is another alternative, for some things. Or I could say no to both over VPN.

    There's no AD or any other authentication outside of the XGS.

  • +1 in reply to Wayne Folta

    Webadmin should be closed to WAN. If you want Remote Access, use Central Management. It will open a secure connection to your Firewall. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/CentralManageXG2.html

    This will give you full access after OTP etc. to Central. 

    Your Device Access Looks fine to me. You should cannot get the config file from WAN, but you could activate User Portal for WAN temporary, if you need to update a new config. Nevertheless, SSLVPN should work in this terms. 

    BTW: If you have SSLVPN and User Portal on the same Port, it will be still accessible. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    So this is still odd to me. I was connected to the VPN. The VPN can access Admin via HTTPS, I did so -- and saw the web page display properly -- but the login attempts failed. (It literally said that in red letters on the web page.) So I was getting through, but the password was failing. Totally weird. (I'm using 1Password, which has never done anything weird to me.)

    Also note that SSH did work. So I was able to get into Admin Services, just not through the web interface. It was totally weird.

    If there's no mechanism that you're aware of that would cause this, I'll accept your answer for best effort. It'll still be a mystery, but I'll move on and either use Sophos Central or won't do remote administration.

    Above, "LAN" includes a trusted SSID, while "WIFI" includes a guest SSID and a work-from-home SSID. They're both treated much differently from the trusted SSID. (LAN is a bridge between two XGS ports, one connected to the AP, one to a local file server.)

    I've disabled Admin Services and User Portal access from VPN, as recommended in the help, and have enabled Sophos Central management. Just for future reference: managing from Sophos Central provides the same menus as I see locally, which is nice.

Unfiltered HTML