Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect and delivery of configuration via User Portal

This is a follow up to https://community.sophos.com/sophos-xg-firewall/f/discussions/136595/new-code-injection-vulnerability-in-the-user-portal-and-webadmin-of-sophos-firewall

Can Sophos make available the ability to download SSL VPN client configurations without opening the whole User Portal? The best practice advice from Sophos is to not expose the User Portal on the WAN interface. Indeed there have been two exploited vulnerabilities in the User Portal in the last twelve months. Unfortunately we have to make the User Portal available on the WAN interface so that users can complete a new SSL VPN setup using a .pro configuration file.

We don't utilise the User Portal for anything but this. Why can't Sophos make the required SSL setup functionality available separately so that we don't have to enable the full User Portal on the WAN interface? As a small subset of the User Portal functionality it would be a lot more secure.



This thread was automatically locked due to age.
Parents
  • I want to add here that Sophos will tell you that you MUST have User Portal open on WAN when you deploy with the .pro file even if you argue that it is only necessary for the first initial config download (and after all subsequent changes in VPN policy or -profile). If you close user portal, they say it is unsupported.

    But yes, there should be a better way than to do VPN deployment with the use of userportal in the background. But I think it is really a difficult task to get this done.

Reply
  • I want to add here that Sophos will tell you that you MUST have User Portal open on WAN when you deploy with the .pro file even if you argue that it is only necessary for the first initial config download (and after all subsequent changes in VPN policy or -profile). If you close user portal, they say it is unsupported.

    But yes, there should be a better way than to do VPN deployment with the use of userportal in the background. But I think it is really a difficult task to get this done.

Children
No Data