This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Device Access: SSL-VPN from VPN Zone greyed out - like from Site-2-Site

We're having the situation that we cannot allow SSL VPN Device Access to a central XG Firewall from locations connected by Site-2-Site IPSec tunnels.

That's because the remote locations are automatically assigned to VPN zone in XG.

And SFOS does not allow to enable SSL VPN for the VPN zone - it's disabled. I wonder why there is this limitation? What's the reason that there is the need to deny this?

The only way to enable this is by ACL Exceptions from "Any Zone" and I hate that.

Isn't there a better way to do that? Transparent and easy to manage?

You may ask why we're doing such things: that is because we're requesting users to connect once to SSL VPN from their office after they received a new computer or a new Sophos Connect Client installation with .pro file. So they can be sure, they have the configuration loaded in their SSL VPN client and that it's working.

SFOS 18.5. MR3

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 1 year ago in reply to LHerzog +1 suggested

I am currently not sure. But are you sure, SSLVPN does not work over a IPsec connection due the drop of ACL? Because the services run on 0.0.0.0. So the service will accept it. Anyway, it is questionable…

0 Vivek Jagad over 1 year ago

Hello LHerzog,

This is by default architect of the SFOS, the same can be seen under the DOC screenshot:
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to Vivek Jagad

Hi,

Device Access is documented,

but I could not find the answers for my querstions there, so was hoping to get them here.

And SFOS does not allow to enable SSL VPN for the VPN zone - it's disabled. I wonder why there is this limitation? What's the reason that there is the need to deny this?

Isn't there a better way (than ACL Exceptions) to do that? Transparent and easy to manage?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to LHerzog

Yup, you are right there. For the reasons I'll get to the internal team to update the doc for the relevant information as "WHY greyed out?"

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to LHerzog

I am currently not sure. But are you sure, SSLVPN does not work over a IPsec connection due the drop of ACL? Because the services run on 0.0.0.0. So the service will accept it.

Anyway, it is questionable if this will work from a perspective as you would tunnel a tunnel. So from this perspective, this will cause a lot of trouble. Maybe that is the reason it was disabled per default. You will run eventually into a lot of problems of MTU size problems

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to LuCar Toni

LuCar Toni said:
you would tunnel a tunnel. So from this perspective, this will cause a lot of trouble. Maybe that is the reason it was disabled per default. You will run eventually into a lot of problems of MTU size problems

Perhaps that's why you cannot enable it. I guess some admins would configure and let it run that way.

In our case we just need it to load SSL VPN Config with the CC .pro file once. Else we would need userportal open on WAN zone and let user do their first connect from a Guest WiFi or at home.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to LHerzog

The Download feature within the .pro only requires User Portal to be reachable. The SSLVPN will not work afterwards. But the download will work.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel