

How to allow guest users to access the internet and connect to their office using Cisco AnyConnect VPN

I have a dedicated VLAN in our network and a dedicated AD username for guest users. I am not using Sophos wireless; I use another brand of wireless network.

I am using SFOS 19.5.3

Every time my guest users browse the internet after logging into the captive portal with the AD username, they get "Your connection is not private", and there is no Continue button under the Advanced button. I understand this is because the SSL certificate the browser received is from the XGS unit, not the one from the website. How do I get rid of this, so the browser receives the certificate from the website? Don't suggest installing the XGS's certificate on the guest machine.

This client also wants to connect to his office network using Cisco AnyConnect VPN. I have already opened TCP 443, UDP 443, TCP 80, UDP 500, and UDP 4500, but the Cisco Secure Client shows "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser." How can I allow a VPN client to connect through SFOS?

  • Of course you can allow this kind of traffic with a firewall rule.

    If you want to further control the source of this traffic, so that only this guy is able to do that, you have to find out his IP in your local guest LAN. Then build a firewall rule for this source IP and put it above your normal web filter (proxy) rules.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
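The AnyConnect error quoted in the question is the client's captive-portal detection firing: before opening the tunnel it fetches a known plain-HTTP URL and, if the reply is a redirect or an unexpected page (here, the XGS captive portal or its interception), it refuses to start. The script below is an added example, not code from the thread, from Sophos or from Cisco. It reproduces that probe from a guest-VLAN machine so you can confirm whether the bypass firewall rule described above actually works before and after placing it over the web filter rules, and it adds a second check for the HTTPS symptom: a TLS handshake against a public site with the system trust store, reporting the OpenSSL verify code when the chain is untrusted (code 19 or 20 is what you see when the firewall's decryption CA signs the leaf). The probe URL, the expected body fragment and the test host are assumptions; substitute whatever your environment uses.

```python
"""Guest-VLAN connectivity probe: captive-portal detection and TLS interception check.

Added example (not from the thread, Sophos or Cisco). The probe URL and the
expected reply are assumptions modelled on the common "known page" technique;
classification is kept separate from network I/O so it can be tested offline.
"""
import http.client
import socket
import ssl
import urllib.parse
from dataclasses import dataclass
from typing import Optional

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"  # assumed probe URL
EXPECTED_FRAGMENT = "Success"                               # assumed expected body fragment
TLS_TEST_HOST = "www.example.com"                           # assumed public HTTPS host

# OpenSSL X509 verify codes that indicate a chain not rooted in the local trust store,
# which is what an inline decrypting firewall produces on an unmanaged guest machine.
_CHAIN_ERRORS = {
    18: "self-signed leaf certificate",
    19: "self-signed CA in the served chain (typical for firewall TLS inspection)",
    20: "issuer not found in the local trust store (typical for firewall TLS inspection)",
}


@dataclass
class ProbeResult:
    status: int                 # 0 means the TCP connection itself failed
    location: Optional[str]     # Location header, if any
    body: str                   # first bytes of the response body


def classify(result: ProbeResult) -> str:
    """Classify a probe reply: 'open', 'portal-redirect', 'portal-page' or 'blocked'."""
    if result.status in (301, 302, 303, 307, 308) and result.location:
        return "portal-redirect"          # captive portal bouncing us to a login page
    if result.status == 200 and EXPECTED_FRAGMENT in result.body:
        return "open"                     # the real page came back unmodified
    if result.status == 200:
        return "portal-page"              # 200 but a substituted page (login form, block page)
    return "blocked"                      # no answer or an error status


def explain_tls_failure(verify_code: int) -> str:
    """Map an SSLCertVerificationError.verify_code to a human-readable cause."""
    return _CHAIN_ERRORS.get(verify_code, "other certificate validation failure")


def probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResult:
    """Live captive-portal probe (needs network); mirrors what VPN clients do before tunnelling."""
    parts = urllib.parse.urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname,
                                                         "User-Agent": "portal-probe/1"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return ProbeResult(resp.status, resp.getheader("Location"), body)
    except OSError:
        return ProbeResult(0, None, "")
    finally:
        conn.close()


def tls_check(host: str = TLS_TEST_HOST, timeout: float = 5.0) -> str:
    """Live TLS check (needs network): 'ok' if the chain validates against the system store,
    otherwise a description of why it failed (interception shows up as code 19/20)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted chain: {explain_tls_failure(exc.verify_code)} ({exc.verify_message})"
    except OSError as exc:
        return f"connection failed: {exc}"


if __name__ == "__main__":
    print("captive-portal probe:", classify(probe()))
    print("tls check:", tls_check())
```

Run it once from the guest VLAN before adding the bypass rule (expect "portal-redirect" or "portal-page" and an untrusted chain), then again after the source-IP rule is placed above the web filter rules; only when it reports "open" and "ok" will AnyConnect's own detection pass.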
