
Sophos Firewall

Configuring
SSL VPN for Remote Access

Product Version: 1
Document date: October 2014

Contents
1 Introduction
2 Configuring Sophos Firewall
2.1 Defining a User Account
2.2 Configuring Advanced SSL Settings
2.3 Creating the Network Policy 11
3 Configuring the Remote Client 14
3.1 Getting SSL VPN Client Software 14
3.2 Installing the SSL VPN Client Software 16
3.3 Connecting to the VPN 19
4 Technical support 20
5 Legal notices 21

www.utimaco.com


1 Introduction
This guide is a step-by-step guide on how to configure remote access on Sophos Firewall using the
Secure Sockets Layer (SSL) protocol. The SSL remote access feature in Sophos Firewall provides
two-factor authentication, securing the remote connection using X.509 certificates (something you
have) and username/password (something you know). Sophos' SSL VPN establishes an encrypted
tunnel to provide secure access to company resources through TCP port 443.

The system administrator configures the Sophos Firewall to allow remote access and enables the
User Portal of the Sophos Firewall for the remote access users. The User Portal offers the free
Sophos SSL VPN Client software, including the configuration and necessary keys, and this
configuration guide. Login data for the User Portal should be provided by the system administrator
or could be the user's AD credentials. The SSL VPN Client is available for Microsoft Windows XP,
Vista, 7, 8/8.1 and 10 operating systems.


2 Configuring Sophos Firewall


Sophos Firewall is configured via the web-based WebAdmin configuration tool from the
administration PC. Opening and using this configuration tool is extensively described in the
Sophos Firewall administration guide.

2.1 Defining a User Account


We start by creating a user account to allow access to the User Portal and to establish a VPN
connection.
1. Open Objects > Identity > Users.

2. Click the button to create a new user. The Create New User dialog opens.


3. Enter the following information:

Username: This will be the user login for the User Portal.
Name: The user's full name.
Description: (optional)
Password: Create a password for the new user and confirm it.
User Type: Select User.
Email: Enter the user's e-mail address.
Policies: Select a group for the user; if no groups have yet been defined, use Open Group.
Select the appropriate Surfing Quota, Access Time, Network Traffic and Traffic Shaping settings.
SSL VPN Policy: Open the drop-down menu of Remote Access and select Create new, then fill in
the following:
    General Settings: Name the policy (e.g. SSL Remote Access) and give a description (optional).
    Identity: Click on Add new item, select the users' group and click Apply.
    Tunnel Access: Switch Use as Default Gateway to on if the user should use the VPN tunnel as
    default gateway. For Permitted Network Resources, click Add New Item to select all ports that
    should be available to the remote access user.
    Idle Timeout: By default remote access clients get disconnected after an idle time of 15
    minutes. Idle Timeout can be deactivated or the allowed idle time can be changed.


2.2 Check Authentication Services for VPN

Navigate to System > Authentication > Authentication Services and scroll down to
VPN (IPsec/L2TP/PPTP) Authentication Methods.

Local Authentication should already be added automatically. If an external authentication
server is used, it should be added and confirmed by clicking Apply.

2.3 Check the allowed Zones for SSL VPN

Navigate to System > Administration > Device Access and make sure all needed zones are
activated for SSL VPN.


2.4 Configuring Advanced SSL Settings

Open System > VPN > SSL VPN Settings.

SSL VPN Settings

Protocol: TCP/UDP (select UDP for better performance).
SSL Server Certificate: The ApplianceCertificate is selected by default. Other certificates can be
added and used (e.g. Local CA, Public CA).
Override Hostname: By default the gateway's hostname is used; only enter a hostname if the
gateway has to be reached through a different hostname from the WAN.
IPv4 Lease Range / IPv6 Lease: Enter an IP range to be used by VPN clients.
Lease Mode: Select whether VPN users get IPv4-only or IPv4 and IPv6 addresses.
IPv4 DNS, IPv4 WINS, Domain Name: Optional settings; if unconfigured, the gateway's settings
apply.
Disconnect dead peer after Seconds (60 - 1800): Set the time after which a dead peer is
considered disconnected (180 seconds by default).
Disconnect idle peer after Minutes (15 - 60): Set the time after which an idle peer is
disconnected (15 minutes by default).

Cryptographic Settings

Encryption Algorithm: By default AES-128-CBC; also available are DES-EDE3-CBC, AES-128-CBC,
AES-192-CBC, AES-256-CBC and BF-CBC.
Authentication Algorithm: By default SHA2 256; also available are SHA1 (should be avoided),
SHA2 384, SHA2 512 and MD5.
Key Size: By default 2048 bit; 1024 bit is also available.
Key Lifetime: By default 28800 seconds (8 hours).
Compression Settings: Checked by default to enhance performance on slow connections.
Debug Settings: Unchecked by default; only check it if the SSL VPN needs debugging.
Apply: Confirms all changes.
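As an added example (not from Sophos or this guide), the following Python check reads an OpenVPN-style client configuration, such as the one the User Portal exports for other operating systems, and flags the choices the Cryptographic Settings table marks as weak. It assumes the server-side settings correspond to the client's cipher, auth and reneg-sec directives, and the sample file and host name are constructed.

```python
# Added example: offline check of an OpenVPN-style client config against the
# Cryptographic Settings table. Not Sophos code; the mapping of server settings
# to client directives is an assumption and the sample file is constructed.

WEAK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC"}   # 64-bit block ciphers listed as available
WEAK_DIGESTS = {"SHA1", "MD5"}              # table: SHA1 "should be avoided"; MD5 likewise
DEFAULT_KEY_LIFETIME = 28800                # "Key Lifetime: By default 28800 seconds"

# Constructed sample .ovpn with deliberately weak picks (hypothetical host name).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher BF-CBC
auth SHA1
comp-lzo
reneg-sec 28800
"""


def parse_ovpn(text):
    """Map each directive to its arguments (first occurrence wins); '#' comments ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            settings.setdefault(name, args)
    return settings


def audit_ovpn(text):
    """Return a list of findings; an empty list means every checked setting is acceptable."""
    s = parse_ovpn(text)
    findings = []
    if "cipher" not in s:
        # Without an explicit cipher, OpenVPN's own built-in default applies (BF-CBC in
        # older releases), not the firewall's AES-128-CBC default from the table.
        findings.append("cipher not set: client falls back to OpenVPN's built-in default")
    elif s["cipher"][0].upper() in WEAK_CIPHERS:
        findings.append(f"cipher {s['cipher'][0]}: 64-bit block cipher, prefer AES-256-CBC")
    digest = s.get("auth", ["SHA256"])[0].upper()   # OpenVPN spells "SHA2 256" as SHA256
    if digest in WEAK_DIGESTS:
        findings.append(f"auth {digest}: weak digest, prefer SHA256 or stronger")
    lifetime = int(s.get("reneg-sec", [DEFAULT_KEY_LIFETIME])[0])
    if lifetime > DEFAULT_KEY_LIFETIME:
        findings.append(f"reneg-sec {lifetime}: key lifetime above the 28800 s default")
    return findings
```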


2.5 Creating a Network Policy

1. Define a Network Policy: navigate to Policies and click Add New Rule. Select User / Network Rule.

2. Select Bottom and enter a name for the rule, e.g. SSL VPN Masquerading, and a description
(optional).

3. Click Add New Item and select the VPN-Users group or the users, then apply.

4. Add items by clicking on Add New Item and selecting the appropriate Sources, then apply. For
Zone select WAN and for Networks select Any, since VPN users might connect from various networks.
Select the Services available to VPN users, usually Any. Add a schedule if a user is only allowed
to use the VPN at certain times.

5. Click on Add New Item and select the Zone(s) and Network(s) VPN users are allowed to
access.

6. Select Accept, activate Rewrite source address and keep the default settings.

8. Activation of Malware Scanning is optional, but recommended.

9. Applying Policies is optional.

10. Logging should be activated for troubleshooting and monitoring purposes. Secure Heartbeat
configuration is optional.

11. Save the new Policy.


3 Configuring the Remote Client

On the remote client you have to download the Sophos SSL VPN Client software, including the
configuration data, from the UTM User Portal. Then you install the software package on your
computer.

3.1 Download the SSL VPN Client Software

The Sophos Firewall User Portal is available to all remote access users. The portal offers
downloads, guides and tools for users. To access the User Portal, navigate to the Sophos Firewall's
IP address or hostname using a web browser; in a standard configuration the User Portal is
reachable through HTTPS on port 443.
The SSL VPN client supports most business applications such as native Outlook, native Windows
file sharing, and many more. The Configuration for Windows is needed in case of a config change
to the SSL policy. Other operating systems can be configured using an OpenVPN config file.
Android and iOS configurations are available as well.

1. Start your browser and open the User Portal.
Enter the management address of the User Portal as follows:
https://IP address (example: https://218.93.117.220).
A security note will be displayed. Accept the security note. Depending on the browser, click
I Understand the Risks > Add Exception > Confirm Security Exception (Mozilla Firefox), or
Proceed Anyway (Google Chrome), or Continue to this website (Microsoft Internet Explorer/Edge).

2. Log in to the User Portal.
Enter your credentials:
Username: Your username, which you received from the administrator.
Password: Your password, which you received from the administrator.
Please note that passwords are case-sensitive.
Click Login.

3. Navigate to SSL VPN.
Download the SSL VPN Client for Windows or the needed configuration files for other operating
systems.


3.2 Installing the SSL VPN Client Software

The setup program will check the hardware of the system and then install the necessary
software on your PC.
1. Start the installation. Open a file browser and go to the location of the installation file
setup.exe. Launch the file from this directory. The installation wizard should start up now.
Click Next to proceed.

2. Accept the software license agreement. If you agree to the terms of the license, click I Agree.

3. Choose the install location. Click Browse, select the appropriate directory, and click OK.

4. Click Install to proceed. The installation wizard will copy the necessary files to your system.

5. Confirm the warning message. The setup routine creates a virtual network card for the SSL VPN
access. The drivers are not Microsoft certified but are safe to be installed. Select Install to
allow the driver installation.

6. When the installation is completed, click on Next.

7. End the installation process by clicking Finish. The SSL VPN client is started automatically
and is shown in the task bar.

8. The SSL VPN icon will then be displayed in your task bar.

9. Further information is usually available from the network administrator.


3.3 Connecting to the VPN

Start the VPN authentication by clicking on the traffic light symbol in your Windows task bar.

Log in using the same credentials that are valid for your User Portal.

The traffic light will change from red (disconnected) to red and amber (negotiating/connecting).
As soon as the traffic light changes to green, the SSL VPN connection is established.


4 Technical support
You can find technical support for Sophos products in any of these ways:

Visit the SophosTalk forum at http://community.sophos.com/ and search for other users
who are experiencing the same problem.
Visit the Sophos support knowledgebase at http://www.sophos.com/support/.
Download the product documentation at http://www.sophos.com/support/docs/.
Send an email to support@sophos.com, including your Sophos software version
number(s), operating system(s) and patch level(s), and the text of any error
messages.


5 Legal notices
Copyright 1996 - 2014 Sophos Group. All rights reserved. SafeGuard is a registered
trademark of Sophos Group.
Sophos is a registered trademark of Sophos Limited, Sophos Group and Utimaco
Safeware AG, as applicable. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted,
in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise unless you are either a valid licensee where the documentation can be
reproduced in accordance with the license terms or you otherwise have the prior
permission in writing of the copyright owner.

Limited Warranty
No guarantee is given for the correctness of the information contained in this document.
Please send any comments or corrections to nsg-docu@sophos.com.
