
Do you have a defence against VPN applications with Sophos UTM?

Since Sophos support couldn't help me with this case, I decided to ask the community what their solution is. If I am missing something, please let me know so I can correct my UTM accordingly.

 

Here are the details of the test. Please compare with your own system and check whether you are able to prevent a user or users who are using a VPN application from going to restricted websites and other stuff.

  1. SSL Inspection is operational on the UTM. You have installed the certificate on the client machine (actually doesn't matter at all)
  2. Client installs a VPN app such as XVPN (do not turn on XVPN yet!) https://xvpn.io/
  3. Try to access a restricted website and ensure you are blocked!
  4. Turn on XVPN and try to access the restricted website again to see the result

 

Our findings are:

  • We have absolutely no control over traffic if VPN applications are in use by any client (with SSL certificate or without)
  • Clients are even able to bypass the UTM with Chrome extensions (we removed extensions via GPO on domain-joined workstations eventually as a workaround)


  • Hello All,

    So I was able to replicate the issue and resolve the issue. 

    When having the Application Control on, and Web Filter enabled with the certificate, the VPN would connect. 

    To fix this I modified the Firewall rule I had for Wireless Users, which had Service set to ANY, and changed it to HTTP/HTTPS only. The client is pointing to the UTM for DNS resolution. After this, the application was blocked.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • I have a little addition to it. On my side I could reproduce it too, but the application went through. So I went into the firewall and concluded that the application uses a few ports to try to connect.

    Blocking all but required ports will be effective (as stated before)

    To narrow down, I will put the used ports below. If you require an any:any rule (not recommended), please place a block rule with the following ports above your any:any (or on position "top")

    destination ports: 14393, 19535, 20028, 2463, 7594, 7805, 8366

    By the way, the Sophos XG does do a better job in this and blocks the application properly, without extra firewall rules.

    I think the definitions for xvpn need some adjustments.

    Regards,

    Arno
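
Added example, not part of the thread and not Sophos code: a Python check that scans firewall log lines for connections to the destination ports listed in the reply above and reports which internal hosts still had them accepted. The log layout, field names and sample lines are constructed assumptions; adapt the parsing to your own packet filter log.

```python
import re
from collections import defaultdict

# Destination ports listed in the reply above.
VPN_PORTS = {14393, 19535, 20028, 2463, 7594, 7805, 8366}

# Constructed sample lines. The key="value" layout and the field names
# (action, srcip, dstip, dstport) are assumptions, not captured UTM output.
SAMPLE_LOG = """\
09:15:02 fw: action="accept" srcip="10.0.20.15" dstip="203.0.113.7" proto="6" dstport="14393"
09:15:03 fw: action="accept" srcip="10.0.20.15" dstip="198.51.100.9" proto="6" dstport="443"
09:15:04 fw: action="drop" srcip="10.0.20.22" dstip="203.0.113.7" proto="17" dstport="7805"
09:15:05 fw: action="accept" srcip="10.0.20.15" dstip="203.0.113.8" proto="6" dstport="20028"
09:15:06 fw: action="drop" srcip="10.0.20.31" dstip="203.0.113.7" proto="1"
09:15:07 fw: action="drop" srcip="10.0.20.31" dstip="203.0.113.7" proto="6" dstport="n/a"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def vpn_port_hits(log_text, ports=VPN_PORTS):
    """Map each source IP to the listed ports it tried, split by firewall action."""
    hits = defaultdict(lambda: {"accept": [], "drop": []})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            dport = int(fields["dstport"])
        except (KeyError, ValueError):
            continue  # no port (e.g. ICMP) or malformed value
        action = fields.get("action")
        if dport in ports and action in ("accept", "drop") and "srcip" in fields:
            hits[fields["srcip"]][action].append(dport)
    return dict(hits)


def hosts_getting_through(log_text):
    """Source IPs with at least one accepted connection to a listed port."""
    return sorted(ip for ip, h in vpn_port_hits(log_text).items() if h["accept"])


if __name__ == "__main__":
    for ip, h in sorted(vpn_port_hits(SAMPLE_LOG).items()):
        print(ip, "accepted:", h["accept"], "dropped:", h["drop"])
    print("still reaching listed ports:", hosts_getting_through(SAMPLE_LOG))
```

A host that shows up with accepted connections is still matching an allow rule for these ports, which is the case the replies address by restricting the service to HTTP/HTTPS or placing the block rule above any:any.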