Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Access VPN & changing LAN IPs

XGS136, SFOS 19.5.1

Migrating from old firewall to the XGS. Deploying Sophos Connect with .OVPN files.

Examining the OVPN file and connection logs, it appears Connect tries each of 3 IPs listed at the bottom (Interfaces on WAN, LAN1 and LAN2) until it's able to make a connection.

Users will ONLY be connecting from the WAN.

The LAN1 IP will be changing when the firewall goes into production. LAN2 and WAN will not change.

Am I correct that it won't be necessary for clients to import a new OVPN file after the LAN1 IP changes because no one will need the VPN on LAN1?

I realize .PRO files would update the config automagically, and I'd love to use them...but it appears .PRO files don't work on the WAN unless the user portal is enabled on the WAN; that's a non-starter.

This thread was automatically locked due to age.
  • Hello Jeff,

    Thank you for contacting the Sophos Community.

    If you are using SSL VPN, It gets the list from System > Administration > Device Access > Local Service ACL > SSL VPN, I would suggest you to deselect all the other Zones and only leave the WAN zone enabled.

    But yes you’re correct, if you change the LAN IPs users won’t need to re-download the file. 

    As per your last comment, in a future release (I believe 20) , it won't be necessary to enable the User Portal on WAN.


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thanks; will disable on the other zones before users d/l their OVPNs.

    I'd heard about the user portal not needing to be enabled on the WAN zone in v20. But the way it was described on another thread is that there will be some new config-only service running on the WAN. I'd still be concerned about having VPN configs downloadable on the WAN. Just like the User Portal, it's just begging for a vuln to be found that leads to an exploit.

    Really mystified why the workstation can't grab the config when it's on the LAN and cache it for use on the WAN. It would require periodic polling for updates instead of only updating at connection time, but that's easy. You already have a "Sophos Connect Service" running that you can leverage. If a company wants it exposed on the WAN they can enable it, even if temporarily for a remote client to get a config refresh, and Connect will then update its config on the WAN when necessary. But it shouldn't be a requirement.

    Still looks to me like the design hasn't been fully thought through.