Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 43 replies
  • Answers 3 answers
  • Subscribers 48 subscribers
  • Views 3983 views
  • Users 0 members are here
Options
Suggested

Disabling VPN portal breaks SSLVPN connections

Stuart James

We're seeing a lot of failed authentication attempts on the VPN portal, and we don't need users to access it once the VPN is setup and working. However, when I close down the "VPN Portal" from the WAN zone, no-one can connect to the SSLVPN. As soon as I re-enable this, everything starts working again.

My understanding was that the only thing that needs to be open is "SSL VPN" on the WAN zone.

I've done this before, so perhaps a bug in new firmware? We're on SFOS 20.0.2 MR-2-Build378 and I've tested and confirmed that this problem exists on multiple XGS devices on that firmware version.

Also, the Sophos documentation is out of date. It still says you need to enable the User Portal - which you definitely don't.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html



Added TAGs
[edited by: Erick Jan at 9:53 AM (GMT -7) on 5 Sep 2024]
Parents Reply Children
  • 0 in reply to LuCar Toni

    OK I understand.
    We took 443 for VPN portal since we believed it would be more convenient for end users. 443 TCP was taken for SSLVPN in good faith to evade any problems withj restricted networks.
    That "Note" in Administrator help should be a BIG FAT RED warning at least.

    However, my idea in blocking VPN portal for anything but for country "Germany" didn't work.
    On firewalls, where the bad combination of VPN portal and SSLVPN port-sharing was used and login security was unintentionally evaded logins are tried 5 or 6 times every second.
    On firewalls with ports not shared it is done every 3 minutes evading the 1-120 second timeframe for login security.

    Source IP is allways 92.53.65.166 on all firewalls.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • 0 in reply to kerobra

    You tried a Blackhole DNAT? Because this should forward everything to the blackhole regardless of the service. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    No for me it was easier to completely deactivate VPN portal in the WAN zone with no exceptions and enabling it on purpose only like we did with the UserPortal in the past.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • 0 in reply to kerobra

      I'd love to do this, but ANY VPN connections deployed with a PRO file (all of our clients) cannot connect without the VPN portal open.

    "check_remote_availability" : false

    This DOES fix the problem, but we'd have to deploy to thousands of endpoints.

Unfiltered HTML