
Disabling VPN portal breaks SSLVPN connections

We're seeing a lot of failed authentication attempts on the VPN portal, and we don't need users to access it once the VPN is set up and working. However, when I close down the "VPN Portal" from the WAN zone, no one can connect to the SSLVPN. As soon as I re-enable this, everything starts working again.

My understanding was that the only thing that needs to be open is "SSL VPN" on the WAN zone.

I've done this before, so perhaps it's a bug in the new firmware? We're on SFOS 20.0.2 MR-2-Build378, and I've tested and confirmed that this problem exists on multiple XGS devices on that firmware version.

Also, the Sophos documentation is out of date. It still says you need to enable the User Portal - which you definitely don't.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html

  • OK, I understand.
    We took 443 for the VPN portal since we believed it would be more convenient for end users. 443 TCP was taken for SSLVPN in good faith to evade any problems with restricted networks.
    That "Note" in the Administrator help should be a BIG FAT RED warning at least.

    However, my idea of blocking the VPN portal for anything but the country "Germany" didn't work.
    On firewalls where the bad combination of VPN portal and SSLVPN port sharing was used and login security was unintentionally evaded, logins are tried 5 or 6 times every second.
    On firewalls with ports not shared, it is done every 3 minutes, evading the 1-120 second timeframe for login security.

    Source IP is always 92.53.65.166 on all firewalls.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
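Kevin's observation above (one attempt roughly every 3 minutes, sitting outside the 1-120 second window that login security can evaluate) is the classic low-and-slow pattern: a per-attempt rate limiter never fires, but the total over an hour is unmistakable. As an added example, not code from Sophos or from anyone in this thread, the Python script below counts failed portal logins per source over a long sliding window alongside a short lockout-style window, so a source like that still shows up. The log line format, the IP addresses and the 3-failures-in-120-seconds lockout parameters are all constructed or assumed for the example and are not the Sophos log format or defaults.

```python
"""Flag low-and-slow VPN portal brute forcing that evades a short lockout window.

Added example for this thread; not Sophos code. The log format below is
constructed for the example and is NOT the SFOS authentication log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> src=<ip> user=<name> result=failed|success"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=\S+ result=(?P<res>\w+)$")


def build_sample_log():
    """Constructed sample events (documentation IP ranges, not real sources)."""
    base = datetime(2024, 9, 5, 10, 0, 0)
    lines = []
    # Low-and-slow source: one failure every 180 s for 57 minutes (20 attempts).
    for i in range(20):
        t = base + timedelta(seconds=180 * i)
        lines.append(f"{t.isoformat()} src=192.0.2.10 user=admin result=failed")
    # Noisy source: five failures inside one second; a short lockout catches this one.
    for _ in range(5):
        t = base + timedelta(minutes=30)
        lines.append(f"{t.isoformat()} src=203.0.113.5 user=root result=failed")
    # Legitimate user: two typos, then a successful login.
    for offset, res in ((0, "failed"), (20, "failed"), (40, "success")):
        t = base + timedelta(minutes=5, seconds=offset)
        lines.append(f"{t.isoformat()} src=198.51.100.7 user=kevin result={res}")
    return "\n".join(lines)


def parse_log(text):
    """Return time-ordered (timestamp, source_ip) pairs for failed logins only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("res") == "failed":
            events.append((datetime.fromisoformat(m.group("ts")), m.group("ip")))
    events.sort()
    return events


def max_failures_in_window(events, window_seconds):
    """Per source IP: the most failures that fall inside any window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, ts in enumerate(times):  # two-pointer sliding window
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[ip] = best
    return result


def lockout_would_fire(events, max_attempts=3, window_seconds=120):
    """Sources an appliance-style short lockout would catch (assumed parameters)."""
    counts = max_failures_in_window(events, window_seconds)
    return sorted(ip for ip, n in counts.items() if n >= max_attempts)


def slow_bruteforcers(events, threshold=10, window_seconds=3600):
    """Sources that stay under the lockout rate yet exceed `threshold` failures in the long window."""
    caught = set(lockout_would_fire(events))
    counts = max_failures_in_window(events, window_seconds)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in caught)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("caught by 3-in-120s lockout:", lockout_would_fire(evs))
    print("low-and-slow sources missed by it:", slow_bruteforcers(evs))
```

The short-window count reproduces why login security stays silent for the 3-minute cadence (at most one failure per 120 seconds), while the hour-long count makes the same source the obvious outlier; a source that trips the long-window threshold is a good candidate for a country or IP-based block rule, or for a blackhole DNAT as suggested further down in the thread.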

  • Have you tried a Blackhole DNAT? That should forward everything to the blackhole regardless of the service.


  • No, for me it was easier to completely deactivate the VPN portal in the WAN zone with no exceptions and enable it on purpose only, like we did with the User Portal in the past.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • I'd love to do this, but ANY VPN connections deployed with a PRO file (all of our clients) cannot connect without the VPN portal open.

    "check_remote_availability" : false

    This DOES fix the problem, but we'd have to deploy to thousands of endpoints.