
Remote access setup.

Ok, I'm new to XG and well, Sophos in general.  I would like to be able to set up remote access for users on the public internet via a web site(User Portal) and have them authenticate via an AD group and connect via RDP to internal resources and access internal web servers.  I have some pieces of this working but keep having issues as detailed here.

What is this functionality called?  Captive portal, SSLVPN(remote access), clientless access, or User Portal?

I have a site I can log in to and see bookmarks but I had to manually create a user, how do I authenticate to this site via the AD group that I imported with Auth Server/Import?

I was able to create bookmarks and a bookmark group and get them visible in the User Portal but the HTTPS bookmark type gives me a 404 error and the RDP bookmark type gets me to a server login screen but never accepts any input either from keyboard or mouse.

Any advice on any of these issues would be greatly appreciated or a link to a step by step would be ideal.

  • Hi RJ,

    Greetings.

    You have an interesting requirement.

    As per the requirement, User Portal is available by default.

    You can access it on :- https://UTM's public IP(x.x.x.x)

    If you want to authenticate Users through AD Server, you need to Sync AD Server with UTM,  you can find the below link to understand it further.

    https://www.sophos.com/en-us/support/knowledgebase/123155.aspx

    Remember that to import the Users and sync them to their respective groups in the Firewall, these Users should be members of a secondary group in AD, as primary group membership won't be forwarded by AD to XG.

    What is Captive Portal ?

    Captive Portal authenticates users for Internet access. When users attempt to access the internet, a default Captive Portal is presented to authenticate the users. The default Captive Portal display can be customized in terms of organization name, logo, page title, header, footer, background and font colours or links. Additionally, the default Captive Portal Settings can be changed as per the requirement.

    Now, the functionality you are trying to achieve is technically known as HTML5.

    Before we suspect any wrong configurations, can you check if you have configured a LAN_VPN Firewall rule (without MASQ) and a VPN_LAN Firewall Rule (with MASQ)? If these rules are in place, please provide us a screenshot of the present configuration on XG.

    Cheers

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thank you very much for the reply.  Thanks to your link, I now have authentication working; the piece I missed was adding the new Authentication method under System > System Services > Authentication.   I have authentication and the bookmarks working as I think they should, so I think the one piece left is adding the rules you mentioned.  Can you give me any more detail, or is there a document detailing setup?  I'm guessing that the MASQ rule is for egress and should be (Internal Server IPs)->Any allow, and the non-MASQ rule is for ingress and should be Any->(server IPs) allow?

  • Or should those 2 rules be Server IPs to and from the AD VPN Users group I imported?

  • Hi RJ,

    The ingress rule will be VPN_LAN (without MASQ). PFA Screenshot.

    Next Rule will be LAN_VPN (with MASQ).

    Let me know if you have any further questions.

    Thanks

    Sachin Gurung


  • Sorry to be dense, but in the second rule you say with MASQ, but Masquerading is not switched on in the screenshots.  Should that be on?

  • Hi RJ,

    Thank you for correcting me :)

    I made the necessary changes.

    Thanks

    Sachin


  • Thank you, I think I have all the authentication working, but I still have the same problem with the HTML5 RDP access.  I see the initial login screen for the RDP session, but I cannot interact with it.  The mouse does not appear to work, nor can I send Ctrl-Alt-Del with the send Ctrl-Alt-Del option.

    Any ideas?
