
Disabling VPN portal breaks SSLVPN connections

We're seeing a lot of failed authentication attempts on the VPN portal, and we don't need users to access it once the VPN is set up and working. However, when I close down the "VPN Portal" from the WAN zone, no one can connect to the SSLVPN. As soon as I re-enable this, everything starts working again.

My understanding was that the only thing that needs to be open is "SSL VPN" on the WAN zone.

I've done this before, so perhaps a bug in new firmware? We're on SFOS 20.0.2 MR-2-Build378 and I've tested and confirmed that this problem exists on multiple XGS devices on that firmware version.

Also, the Sophos documentation is out of date. It still says you need to enable the User Portal - which you definitely don't.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNRemoteAccessSSLVPNSophosConnectClient/index.html

Added TAGs
[edited by: Erick Jan at 9:53 AM (GMT -7) on 5 Sep 2024]
  • You can close the VPN Portal. You can still download the Policy by downloading it via VPN Portal (internally) and publish it to the Client.

    Provisioning over the VPN Portal is given over the port you want. It can be shared with the SSLVPN Portal or not.

    As stated above, you can still close the VPN Portal after publishing the profile by using the specific flag.

    Your statement is more about the Sophos Connect component and not the Firewall, as the firewall cannot control this. 


  • That means contacting more than 2000 end users and redeploying the VPN profile with the specific flag. Sure, it can be done, but that is a gigantic task that will take months.

    Yep, it's probably a change that needs to be made to Sophos Connect rather than the firewall, but Sophos is Sophos.

  • I am still trying to think about a way to approach this.

    As stated above: SFOSv21.0 will include more telemetry from other sources, which can help to prevent this in the future.

    This is not a new discussion; instead, it has been there for years.

    The VPN Portal is adopted by many customers, like the User Portal was, and this kind of campaign targeting portals like the VPN Portal is not new.

    The portals are built to be robust.
