Sophos Connect and delivery of configuration via User Portal

Question

This is a follow up to https://community.sophos.com/sophos-xg-firewall/f/discussions/136595/new-code-injection-vulnerability-in-the-user-portal-and-webadmin-of-sophos-firewall 
 Can Sophos make available the ability to download SSL VPN client configurations without opening the whole User Portal? The best practice advice from Sophos is to not expose the User Portal on the WAN interface. Indeed there have been two exploited vulnerabilities in the User Portal in the last twelve months. Unfortunately we have to make the User Portal available on the WAN interface so that users can complete a new SSL VPN setup using a .pro configuration file. 
 We don't utilise the User Portal for anything but this. Why can't Sophos make the required SSL setup functionality available separately so that we don't have to enable the full User Portal on the WAN interface? As a small subset of the User Portal functionality it would be a lot more secure.

Karlos · Accepted Answer

Hi JasP , 
 We've brought your concerns up internally and our Development Team is currently in the works for a new method that would eliminate the need for the User Portal to be exposed on the WAN for SSL VPN RA use. We plan to implement this in the future release.

Sophos Connect and delivery of configuration via User Portal

Top Replies