10 Remote Access
Sophos Firewall
FW5005: Getting Started with Remote Access VPNs on Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
In this chapter you will learn how to configure SSL and IPsec remote access VPNs on Sophos Firewall.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Protocols used for VPN access
✓ Authentication servers, users and groups
DURATION
20 minutes
IPsec: Establish remote access IPsec VPNs using the Sophos Connect client or third-party clients
SSL: Establish remote access SSL VPNs using the Sophos Connect client, legacy SSL VPN client, or OpenVPN clients
Sophos Firewall supports a range of common protocols for remote access VPNs.
The most widely used are IPsec and SSL, so in this chapter we will focus on these two, but it is useful to
remember that Sophos Firewall also supports L2TP over IPsec, which is compatible with the
Windows built-in VPN client, and PPTP, although we do not recommend using PPTP as it is less
secure.
SSL:
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with OpenVPN clients on all platforms
• Split tunnelling and tunnel all
IPsec:
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with third-party IPsec VPN clients
• Split tunnelling and tunnel all
Sophos Firewall’s SSL remote access VPN is based on OpenVPN, a full-featured VPN solution. The
encrypted tunnels between remote devices and the Sophos Firewall use both SSL certificates and
username and password to authenticate the connection, and you can also enable multi-factor
authentication for additional security.
The IPsec remote access VPN can be authenticated using a pre-shared key or digital certificate,
with users then authenticating with their username and password, and optionally multi-factor
authentication. As a standard IPsec VPN, it is compatible with third-party VPN clients.
For both the SSL and IPsec remote access VPNs we provide the Sophos Connect VPN client for
Windows and Mac OS X devices.
For SSL remote access VPNs, we still support the legacy Sophos SSL VPN Client; however, we
recommend upgrading to Sophos Connect when possible.
[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/VPNSophosConnectClient.html
Sophos Firewall has a wizard to streamline and simplify the configuration of everything required
for remote access SSL VPNs. The assistant includes:
• Selecting the users and groups the policy will apply to
• Configuring the authentication servers
• Selecting the resources users will be able to access
• Choosing between split tunneling or tunnel all
• Selecting which zones can access the user portal to download the client and configuration
• And selecting which zones users can establish an SSL VPN from
As part of the assistant, a firewall rule will be created to control access to internal resources from
the VPN.
https://training.sophos.com/fw/demo/SslVpnAssistant/1/play.html
In this demo you will see how to use the SSL VPN assistant to quickly configure remote access for
users.
In this short demo we will look at the SSL VPN assistant, which brings together the configuration of
the VPN profile, creation of a firewall rule, as well as several global settings, to make setting up SSL
VPNs quick and easy.
The SSL VPN assistant is launched from the Remote access VPN section on the SSL VPN tab.
The first screen here gives you an overview of some of the global SSL VPN settings. These can be
configured using the SSL VPN global settings link here.
Give the VPN a name, then select the users and groups that can use this connection. I will select
the Training group here.
Next, you can customize the authentication servers for SSL VPNs. I will remove local
authentication. This setting is global for SSL VPNs, and if you need to update it you will find it in
Authentication > Services.
Select the resources you want users to be able to access through the VPN. This will be used to
configure a firewall rule.
Select which zones can access the user portal, where users can download the SSL
VPN client and configuration files. Note that this is a global setting that can be found
in Administration > Device access.
Finally, select the zones from which users can establish SSL VPNs. This is also a
global setting in device access.
In addition to creating the SSL VPN configuration you can see here, the assistant also
created a firewall rule to limit the scope of access for VPN users to the resources
selected.
To enable using the Security Heartbeat over the SSL VPN, you need to add the built-in
‘SecurityHeartbeat_over_VPN’ host object. This contains the public IP address used for Security
Heartbeat and will ensure it is routed over the VPN to Sophos Firewall.
By default, Sophos Firewall hosts the SSL VPN on port 8443; however, this can be changed to a
different available port in the SSL VPN settings. Note that the SSL VPN can share port 443 with
other services on Sophos Firewall, such as the user portal and web application firewall rules.
You can modify the SSL certificate for the connection and override the hostname used in the
configuration files.
You can configure the IP lease range, DNS, WINS and domain name that will be used for clients that
connect.
In addition to this, there are several advanced connection settings such as the algorithms, key size,
key lifetime and compression options.
The SSL VPN settings are global for both remote access and site-to-site SSL VPNs; if you make
changes here you may need to update any SSL site-to-site VPNs you have configured.
Once an SSL VPN profile has been created for a user, they can download an SSL VPN client from
their User Portal. For Windows and Mac OS X we recommend using the Sophos Connect client.
There is also a legacy SSL VPN Client for Windows, and configuration download for all platforms.
The legacy SSL VPN client and Sophos Connect client cannot be installed on the same computer as
they will conflict with each other. To prevent this, when installing Sophos Connect it will check for
the legacy VPN in the default installation path and display an error if found.
If the legacy SSL VPN client has been installed to a non-default location the Sophos Connect
installer will not detect it. This may render both VPN clients inoperable due to the conflict.
[Additional Information]
The default installation path of the legacy SSL VPN client is: C:\Program Files (x86)\Sophos\Sophos SSL VPN
https://training.sophos.com/fw/simulation/SslUserVpn/1/start.html
In this simulation you will configure an SSL remote access VPN using the assistant. You will then
review the configuration created and test your VPN using the Sophos Connect client.
At the top of the tab for the IPsec remote access VPN are quick links that provide access to IPsec
profiles, the Sophos Connect client download, and logs.
IPsec profiles contain the security configuration for the IPsec connection, such as the encryption
algorithms that will be supported.
Sophos Firewall provides a default profile for remote access; however, you can clone this and
create your own to meet your security requirements.
To configure the IPsec remote access VPN, start by enabling it and selecting which interface it will
listen for connections on.
The VPN can be authenticated by either pre-shared keys or with a digital certificate.
Select the users and groups that will be able to authenticate to use the VPN.
You need to configure the IP range that will be used for clients that connect, and optionally you can
also assign DNS servers.
The advanced configuration can be found at the bottom of the page and allows you to configure
split tunneling, two-factor authentication, Security Heartbeat, and other connection settings.
Using the buttons at the bottom of the page you can export the configuration for the VPN.
When you export the configuration from the web admin you will download an archive with two
files:
• .scx, which includes the advanced settings
• .tbg, which only contains the basic configuration and tunnels all traffic back to the Sophos Firewall
The Sophos Connect client can also be downloaded from the user portal; however, the
configuration for the IPsec VPN needs to be provided by the admin.
To use the Sophos Connect client you need to import a configuration file. This can be either for the
IPsec or SSL VPN.
When the Sophos Connect Client contacts the firewall, you will be prompted to authenticate.
https://training.sophos.com/fw/simulation/IpsecUserVpn/1/start.html
In this simulation you will configure an IPsec remote access VPN. You will then test your VPN using
the Sophos Connect client.
The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires
two elements to be configured.
First, you need to deploy the Sophos Connect MSI via a Group Policy Object (GPO) script.
Secondly, you need to configure a Windows Settings file to push the VPN configuration to the
endpoints.
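The following PowerShell script is an added example, not a deployment script from Sophos or from this course, of what the first element (the GPO script that installs the MSI) can look like when it also covers the conflict described above: it checks for the legacy SSL VPN client, including installs outside the default path that the Sophos Connect installer cannot see, and only then installs Sophos Connect silently. The MSI share path, the log directory and the uninstall-entry DisplayName pattern "Sophos SSL VPN" are assumptions; the default legacy path is the one given in this course. The second element, pushing the VPN configuration file with a Windows Settings file, is not shown.

```powershell
# Added example (not Sophos-provided): GPO computer startup script that guards
# against the legacy SSL VPN client before deploying the Sophos Connect MSI.
# Assumptions (not from the course): the legacy client registers an uninstall
# entry whose DisplayName contains "Sophos SSL VPN"; the MSI is on a share at
# $MsiPath (placeholder); logs go to $LogDir (placeholder).
param(
    [string]$MsiPath = '\\FILESERVER\deploy\SophosConnect.msi',   # placeholder path
    [string]$LogDir  = "$env:ProgramData\SophosConnectDeploy"     # placeholder path
)

# Default location the Sophos Connect installer checks (from the course text).
$LegacyDefaultPath = 'C:\Program Files (x86)\Sophos\Sophos SSL VPN'

function Find-LegacySslVpnClient {
    # Query the uninstall registry keys (64-bit and 32-bit views) instead of only
    # the default folder, so a client installed to a custom path is still found.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Sophos SSL VPN*' } |   # assumed DisplayName
        Select-Object DisplayName, InstallLocation, UninstallString
}

function Write-DeployLog([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path (Join-Path $LogDir 'deploy.log')
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. Abort if the legacy client is present anywhere: the two clients conflict and
#    the installer only blocks on the default path, so a non-default install would
#    otherwise go unnoticed and leave both clients inoperable.
$legacy = @(Find-LegacySslVpnClient)
$defaultPresent = Test-Path -Path $LegacyDefaultPath
if ($legacy.Count -gt 0 -or $defaultPresent) {
    $where = if ($legacy.Count -gt 0) { ($legacy.InstallLocation -join ', ') } else { $LegacyDefaultPath }
    Write-DeployLog "ABORT legacy SSL VPN client present at: $where (remove it before deploying Sophos Connect)"
    exit 1
}

# 2. Make sure the package is reachable from this machine account.
if (-not (Test-Path -Path $MsiPath)) {
    Write-DeployLog "ABORT MSI not found: $MsiPath"
    exit 1
}

# 3. Silent install with a verbose MSI log; exit codes 0 (success) and
#    3010 (success, reboot required) are both treated as OK.
$msiLog = Join-Path $LogDir 'SophosConnect-msi.log'
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"") `
    -Wait -PassThru
Write-DeployLog "msiexec exit code $($proc.ExitCode)"
if ($proc.ExitCode -notin @(0, 3010)) { exit $proc.ExitCode }
Write-DeployLog 'Sophos Connect installed'
```

Assign the script as a computer startup script so it runs as SYSTEM with access to the uninstall keys and the share; an ABORT entry in deploy.log on a machine tells you the legacy client must be removed there before Sophos Connect can be installed.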
[Additional Information]
• The VPN assistant streamlines the configuration of everything required for remote access SSL VPNs.
• The default port for SSL VPNs is 8443. This can be changed in the SSL VPN settings. These settings are global and also apply to site-to-site SSL VPNs.
• The Sophos Connect client supports both IPsec and SSL remote access VPNs and can be downloaded from both the web admin and the user portal. The SSL VPN configuration is downloaded in the user portal, whereas the IPsec VPN configuration is downloaded in the web admin.
Sophos Firewall
FW5020: Configuring Clientless Access on Sophos Firewall
April 2022
Version: 19.0v1
DURATION
8 minutes
In this chapter you will learn how to create and manage bookmarks for clientless SSL VPN access.
Clientless SSL VPN connections can be found in the user portal and can be used to provide access
to internal resources without the need for a VPN client to be installed. They are in the VPN section
and will appear below any IPsec and SSL VPNs that have been enabled for the user.
This form of remote access is most useful for providing IT staff with access to internal systems
without exposing them directly to the Internet. For example, providing access to TELNET, SSH, and
RDP, so that IT staff can securely administer key pieces of infrastructure remotely.
Other examples of using this include providing special access for a user to a specific machine with
RDP, often for accounting or finance, or access to timesheets, client tracking, web-based ticketing
systems and so forth.
Protocols
• RDP
• TELNET
• SSH
• FTP/FTPS
• SMB
• VNC
When you create the bookmarks, start by selecting the protocol in the ‘Type’ field; this will change
the remaining fields that need to be completed. Bookmarks can be created for: RDP, TELNET, SSH,
FTP, SMB, and VNC.
You can choose to enable automatic login for the bookmark, where you can provide a username
and password that will be used to connect to the resource. This will not be the username and
password for the person using the bookmark in the user portal.
It is important to note that each bookmark represents a session to a resource, so if you wanted to
give five people access to a resource, you would create a bookmark for each. You can enable
session sharing, which means that two users can use the bookmark at the same time, but there
will still only be a single session.
You can also create bookmark groups, which can then be used to assign multiple bookmarks in a
policy.
Once the bookmarks have been created, and optionally added to bookmark groups, they need to
be assigned to a specific user or group using a policy. This simple policy has just three settings:
• A name for the policy
• The users and groups the policy applies to
• The bookmarks and bookmark groups to assign
https://training.sophos.com/fw/simulation/ClientlessVpn/1/start.html
In this simulation you will configure bookmarks and policies for clientless SSL VPN access. You
will then log in to the user portal to test your configuration.
• Clientless SSL VPN provides access to internal resources through bookmarks in the VPN section of the user portal.
• Bookmarks can be created for: RDP, TELNET, SSH, FTP, SMB, and VNC. Each bookmark is a single session for that resource.