
Disabling VPN portal breaks SSLVPN connections

We're seeing a lot of failed authentication attempts on the VPN portal, and we don't need users to access it once the VPN is set up and working. However, when I close down the "VPN Portal" from the WAN zone, no one can connect to the SSLVPN. As soon as I re-enable this, everything starts working again.

My understanding was that the only thing that needs to be open is "SSL VPN" on the WAN zone.

I've done this before, so perhaps it's a bug in the new firmware? We're on SFOS 20.0.2 MR-2-Build378, and I've tested and confirmed that this problem exists on multiple XGS devices on that firmware version.

Also, the Sophos documentation is out of date. It still says you need to enable the User Portal, which you definitely don't.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html



Added TAGs
[edited by: Erick Jan at 9:53 AM (GMT -7) on 5 Sep 2024]
  • I did a little bit more digging into this topic.
    Pro Files will download the SSLVPN and IPsec files and push them to the Sophos Connect client. Sophos Connect can then use this client to connect to the firewall. At this point, you do not need the VPN Portal anymore. This was tested in V2.3.1 of Sophos Connect. But if you try to update the policies in Sophos Connect, it will try to reach out to the VPN Portal to get a new portal.

    Generally speaking, Sophos recommends following industry hardening advice: Hardening Your Sophos Firewall

    About the VPN Portal: Sophos implemented a new portal (VPN Portal) in v20.0 GA: Sophos Firewall v20 is Now Available. This portal is built to be used in the modern world and is by no means a normal webadmin portal.

    Follow-up on some feedback here: in SFOS v21.0 the firewall supports third-party feeds, which can include those malicious actors as well and automatically block them: New Techvids Release - Sophos Firewall v21 Demo Videos Part 2: Third-Party Threat Feeds

    My last thought here is: if you do not want to expose or use this process at all, SFOS also supports ZTNA as an alternative, using Sophos Central for remote access to your apps. This process does not require exposing any port, making you completely invisible to external scans and/or attacks. We are offering 3 licenses of this for free: Free Sophos ZTNA Licenses for Sophos Firewall customers

