Any way to set up WebAdmin to be accessible from the WAN side, without a VPN, yet without having to worry about brute force attacks?

I set up a UTM for my parents in Bridge Interface + Full Transparent Mode. The great thing about this setup is that half of the network is not filtered in any way, for someone like my lawyer brother who still lives with my parents, and the other half of the network has dual AV, Snort, Sophos Content Filtering, and OpenDNS content filtering for my parents, who, despite their best efforts, constantly seem to be hitting hijacked ads when on the web, etc.

 Basic topology is:

 Internet[DSL modem/router][Bridged UTM][Unmanaged LAN switch]Airport Extreme in Access Point mode

I can forward port 4444 to the UTM and set the UTM to be accessible from the web. I have no problem doing that; however, since I cannot set up a VPN on the UTM in bridge + full transparent mode, I am afraid to leave the UTM exposed to be scanned and attacked on the WAN side. The same goes for my experience with the Sophos UTM and the Amazon Cloud. In testing, I was constantly getting e-mails about IP addresses that had been blocked for too many failed login attempts.

Is there any way that I can secure this setup so that I can manage the UTM remotely without having to worry about a brute force attack, and without a VPN? I get that using HTTPS encrypts the traffic; my concern is brute force attacks that eventually lead to the UTM being compromised on the WAN side.

  • If you have a static IP, or use dynamic DNS for your management workstation/device, WebAdmin will only respond to that address or IP and not to every IP on the WAN side. That is how it's done.

    Best

    Alex

    -

  • If I had a static IP available, I would just allow for that IP only, but I do not.

    I also do not have a DynDNS since they discontinued their free accounts. I do not get enough use out of something like DynDNS to make it worth the $40 per year.

    I was looking for some other route on the UTM. I was considering limiting connections to the AT&T cellular IP range, but I feel that is still too broad.

  • Yes, you should worry about brute force attacks.   Configure OTP 2-factor authentication for any remote access method (including VPN).

    SSLVPN has the extra advantage of needing a certificate installed on your laptop, plus your username+password, plus your OTP code (3-factor!) 

    Filtering on network address helps as well whenever possible, but it is not always possible.

  • Ok, dumb question, but then again, maybe not. Is it possible to create a second admin account and just require that account to use 2 factor authentication?

    While at the same time, leaving the default one to work locally only, without 2 factor authentication?

    I am educating myself on how Sophos does the 2 factor authentication. I like the concept, I am just concerned about locking myself out.

    btw, thank you everyone for your help!

  • That is a fine strategy.  Just let go of the idea that the admin page should be remotely accessible without VPN or other protection.

    (1) If practical, configure the user portal so that it is only accessible internally (for risk reduction).  Depends on what you want to do with it, and whether this is for yourself at home or lots of people at work.   At least try to get all of your remote users configured with OTP before exposing the portal to the internet.   See more below.

    (2) Enable OTP for your account.   When you log into the portal, you will immediately be required to scan the QR code to sync your phone with Sophos Authenticator.  Thereafter, any remote login for that user (including future logins to the user portal) will use the OTP, which is entered into the password field using the regular password immediately followed by the 6-digit OTP code.

    (3) Configure your method for connecting to the user portal remotely.   Suggested options are:

    • SSL VPN from your laptop (which as I said before requires a pre-configured device), but then you can connect directly to the admin page, or
    • user portal with HTML5 VPN with an RDP resource configured to an internal desktop device, then a web browser in the RDP session connects to the admin page.  Obviously, this option requires that the user portal remain accessible to the internet.

    Because the admin page is not exposed to the internet, you don't need OTP on the Admin account.  

    OTP is not appropriate for shared accounts, so a business does not want OTP on Admin because it locks out all other potential admin users (current or future).
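To make the "regular password immediately followed by the 6-digit OTP code" login concrete, here is an added example (written for this page; it is not Sophos code and does not claim to match how the UTM implements it internally). The server side splits the submitted field, checks the password, then checks the trailing code as RFC 6238 TOTP (HMAC-SHA1, 30-second step, the scheme Sophos Authenticator and similar apps use). The user record, the fixed salt and the replay guard (refusing a code from a time step that was already accepted) are my own assumptions for the example; the secret used is the RFC 6238 test vector.

```python
# Added example: model of a "password + 6-digit TOTP code in one field" login.
# Not code from the thread or from Sophos; user record layout and replay guard
# are assumptions made for this example.
import base64
import hashlib
import hmac
import struct

DIGITS = 6      # code length mentioned in the thread
STEP = 30       # seconds per TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the Base32 secret an authenticator app receives via the QR code."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def split_password_field(field: str, digits: int = DIGITS):
    """'hunter2287082' -> ('hunter2', '287082'); None if there is no trailing code."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, otp_secret_b32: str = "") -> dict:
    """Constructed user record. Fixed salt keeps the example deterministic;
    a real system uses os.urandom(16) per user."""
    salt = b"constructed-example-salt"
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "otp_secret": secret_from_base32(otp_secret_b32) if otp_secret_b32 else None,
        "last_counter": -1,   # highest TOTP step already accepted (replay guard)
    }


def verify_login(user: dict, field: str, now: int, window: int = 1) -> bool:
    """True if `field` is the valid password (plus OTP code when enrolled) at `now`.
    `window` tolerates +/- that many 30s steps of clock drift between phone and server."""
    if user["otp_secret"] is None:   # OTP not enrolled: the field is just the password
        return hmac.compare_digest(hash_password(field, user["salt"]), user["pw_hash"])
    parts = split_password_field(field)
    if parts is None:
        return False
    password, code = parts
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    counter = now // STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= user["last_counter"]:
            continue   # step already used: reject replay of a captured code
        if hmac.compare_digest(hotp(user["otp_secret"], candidate), code):
            user["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890", Base32-encoded.
    user = make_user("hunter2", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(verify_login(user, "hunter2287082", 59))   # True: correct code for T=59
    print(verify_login(user, "hunter2287082", 70))   # False: replay of the same step
    print(verify_login(user, "hunter2", 59))         # False: no code supplied
```

The split is unambiguous because the code is always exactly six digits at the end of the field, so a password that itself ends in digits still works. Note that a guessed password alone is not enough once OTP is enrolled: the attacker also has to hit the current six-digit code inside the drift window, which is the point Doug is making about brute force.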

  • After searching online a while, I discovered no-ip still allows for a free version of their dynamic DNS, as long as a person renews their dynamic DNS registration every 30 days. In the event that I forget to re-register my username, it would mean only 1 external IP address and/or no-ip username could access the UTM remotely.

    As long as the UTM automatically blocks the IP address of failed login attempts for a period of time, I think it would have to be an incredibly small and remote possibility that someone would be able to hijack the DNS settings and remotely gain access to the UTM.

    I love the idea of the 2-factor authentication, but I do not think I am ready to go there yet. Maybe when I have more free time to play with the system.

    Thanks for your help everyone!

  • Scott, Doug and Alex have given you good advice.  You still should take advantage of a dynamic DNS service.  There are several no-hassle free ones.  Go to the 'DynDNS' tab and you will see the choices in 'Type' field.  I moved to FreeDNS (freedns.afraid.org) after Dyn made their move.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You will be pleasantly surprised by how easy OTP is to use.

    My two cents on dynamic DNS

    For my wife's business, we have a dynamic IP, but we don't use Dynamic DNS.   We just use HOSTS file entries on our home PCs to simplify use of the VPN client.   The IP address doesn't change very often, so it works pretty well.   If others need to find this IP, it should be a static IP registered with a respected DNS.   If only you or a small group of associates need to access this IP, then why add the risk of publicizing on a dynamic DNS service?  

    I have seen the research which says that bad guys like Dynamic DNS, which is no surprise.   If it was possible, my primary business UTM would block any address associated with a dynamic DNS.   But right now, it is not feasible.

  • Have you got any instructions on how to set this up? I didn't know you could do it for the web admin login?

  • You missed the significance of some of my other comments.

    I do NOT recommend putting OTP on the Admin account.   If you do, (a) you are the only one who can use the Admin account, and (b) if your cell phone gets damaged or replaced, you will quite possibly be locked out of the Admin account.

    I do NOT recommend relying on lockout as an adequate defense against password guessing attacks.   I was in an IT Training course where an instructor told this story:   Another instructor had  bragged that he was not worried about password-guessing attacks.   So my instructor wrote a slow-rate password-guessing program that was configured to avoid the lockout defense.   It took about 6 months, but he had recently been able to tell his coworker his password.   This story is probably the best justification for policies that require regular password changes.

    I have unhappy evidence, both from the media and from personal experience, that the bad guys are doing password-guessing on a widespread basis.  In priority order:   (a) if you have a Name Registration (who doesn't), make sure its password is VERY complex and uses 2-factor authentication if available.    If someone can take control of your name Registration, you have lost your organization's digital identity.   According to media reports, one bank had this happen to them, but was able to get it back after 6 painful hours.  (b) Have a VERY complex password on any web hosting services.   If the password-guessers can get into your web presence, they can, and will, add hidden malware links to your site.  (c) Verify that your web hosting service has security scanning configured on your website, or purchase a service to do so.  This is to ensure that if you do get hacked, you find out before the reputation services find out and blacklist you.  Finally (d) Protect your perimeter devices (including UTM or XG) from external compromise.

    As a general principle, admin functions should be performed from an internal-network context, such as VPN or HTML5 VPN RDP, as indicated in my previous note.

    In UTM, you can create additional admin accounts, either locally or from a back-end authentication service, by putting the account or group into the local Admins group.   This is probably a good idea, so that if the Admin password is forgotten or even temporarily locked out, someone can still get into the admin role.

    However, it seems that the better practice is to have one account configured for remote access, which is unprivileged.   Then after connecting with VPN or HTML5 VPN RDP, that session can be used to log into the UTM Admin portal with an admin-enabled account.   These need not be the same account, which means that to compromise your system, the bad guys must first hack your remote access login.  This is bad, but should not give them admin rights on your network.   Then as a separate hack, they have to guess a privileged password, either to UTM, Active Directory, or some other context.

    Digression on cell-phone replacement:

    1) It is possible to configure OTP on more than one device, such as both an IPad and a cell phone.   Then, one of them can break and the other can still get you in.

    2) If your cell phone backup solution is able to preserve both application list and application settings, you may be able to restore your settings to your new phone without needing to synchronize the phone with UTM's QR code.   Obviously, this needs to be tested with your specific backup solution.

    3) As long as someone can get into the Admin context, the administrator can clear the OTP information so that the user can log in without OTP for the purpose of re-establishing the OTP synchronization.
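The slow-rate password-guessing story above is easy to reproduce against the kind of lockout the original poster is relying on ("blocks the IP address of failed login attempts for a period of time"). The following is an added example written for this page, not the UTM's actual lockout logic: a per-source-IP rule of the form "block for 10 minutes after 5 failures within 60 seconds", fed with two constructed attackers. The thresholds, the addresses and the attempt streams are assumptions chosen to make the effect visible.

```python
# Added example: per-IP lockout vs. a slow-rate password guesser.
# Not code from the thread or from Sophos; thresholds and traffic are constructed.
from collections import defaultdict, deque


class IpLockout:
    """Block a source IP for `block_for` seconds once it has `max_failures`
    failed logins inside a sliding `window` of seconds."""

    def __init__(self, max_failures=5, window=60, block_for=600):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> recent failure timestamps
        self.blocked_until = {}              # ip -> unix time the block expires

    def allowed(self, ip, now):
        return self.blocked_until.get(ip, 0) <= now

    def record_failure(self, ip, now):
        """Record a failed login; return True if it triggered a block."""
        q = self.failures[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                      # forget failures outside the window
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return True
        return False


def simulate(policy, attempts):
    """attempts: iterable of (unix_time, source_ip, account, succeeded).
    Returns (guesses that reached the password check, blocks triggered,
    failures seen per account) so the per-IP and per-account views can be compared."""
    reached, blocks = 0, 0
    per_account = defaultdict(int)
    for t, ip, account, ok in attempts:
        if not policy.allowed(ip, t):
            continue                         # dropped by the lockout
        reached += 1
        if not ok:
            per_account[account] += 1
            if policy.record_failure(ip, t):
                blocks += 1
    return reached, blocks, dict(per_account)


def guesser(ip, account, count, interval):
    """Constructed attacker: `count` wrong passwords, one every `interval` seconds."""
    return [(i * interval, ip, account, False) for i in range(count)]


def guesses_per_day(interval):
    """Attempts a guesser pacing itself at `interval` seconds gets in one day."""
    return 86400 // interval


if __name__ == "__main__":
    fast = simulate(IpLockout(), guesser("203.0.113.10", "admin", 100, interval=1))
    slow = simulate(IpLockout(), guesser("203.0.113.10", "admin", 400, interval=15))
    print("fast guesser: reached=%d blocks=%d" % fast[:2])   # 5 reached, 1 block
    print("slow guesser: reached=%d blocks=%d" % slow[:2])   # 400 reached, 0 blocks
    print("slow guesser budget per day:", guesses_per_day(15))
```

One guess every 15 seconds never has five failures inside any 60-second window, so the lockout never fires and every guess reaches the password check; that pace still yields 5760 guesses per day, or roughly a million over the six months in the story. The third value returned by `simulate` shows the cheap countermeasure: the same traffic is obvious as hundreds of failures against a single account, so counting failures per account over a longer window (and alerting on them), rather than only per source IP over a minute, catches what the per-IP lockout misses. That is still only a detection aid; as Doug says, OTP and not exposing the admin page are the actual defence.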