This is a follow-up to https://community.sophos.com/sophos-xg-firewall/f/discussions/136595/new-code-injection-vulnerability-in-the-user-portal-and-webadmin-of-sophos-firewall
Can Sophos make available the ability to download SSL VPN client configurations without opening the whole User Portal? The best-practice advice from Sophos is to not expose the User Portal on the WAN interface. Indeed, there have been two exploited vulnerabilities in the User Portal in the last twelve months. Unfortunately, we have to make the User Portal available on the WAN interface so that users can complete a new SSL VPN setup using a .pro configuration file.
We don't utilise the User Portal for anything but this. Why can't Sophos make the required SSL setup functionality available separately so that we don't have to enable the full User Portal on the WAN interface? As a small subset of the User Portal functionality it would be a lot more secure.