Configuring
SSL VPN for Remote Access
Product Version: 1
Document date: October 2014
Contents
1 Introduction
4 Technical support
5 Legal notices
1 Introduction
This guide is a step-by-step guide on how to configure remote access on Sophos Firewall using the
Secure Sockets Layer (SSL) protocol. The SSL remote access feature in Sophos Firewall provides
two-factor authentication, securing the remote connection with an X.509 certificate (something the
user has) and a username/password (something the user knows). Sophos' SSL VPN establishes an
encrypted tunnel to provide secure access to company resources through TCP port 443.
The system administrator configures the Sophos Firewall to allow remote access and enables the
User Portal of the Sophos Firewall for the remote access users. The User Portal offers the free
Sophos SSL VPN Client software, including the configuration and the necessary keys, and this
configuration guide. Login data for the User Portal is provided by the system administrator or
can be the user's AD credentials. The SSL VPN Client is available for Microsoft Windows XP,
Vista, 7, 8/8.1 and 10.
Sophos Firewall
2. Click on the button to create a new user. The Create New User dialog opens.
The Create New User dialog has the following fields:
Username
Name
Description (optional)
Password
User Type: Select User
Policies: Select a group for the User; if no Groups have yet been defined, use Open Group.
Select the appropriate Surfing Quota, Access Time, Network Traffic and Traffic Shaping settings.
SSL VPN Policy
The SSL VPN settings are grouped as follows:
General Settings
Identity
Tunnel Access
Idle Timeout
The ApplianceCertificate is selected by default. Other certificates can be added and used
(e.g. Local CA, Public CA).
Override Hostname: By default the gateway's hostname is used; only enter a hostname if the
gateway has to be reached through a different hostname from the WAN.
Enter an IP range to be used by VPN clients.
Select whether VPN users get IPv4-only or IPv4 and IPv6 addresses.
IPv4 DNS, IPv4 WINS, Domain Name: Optional settings; if unconfigured, the gateway's settings
apply.
Disconnect dead peer after Seconds (60 - 1800): Set the time after which a dead peer is
considered disconnected (180 seconds by default).
Disconnect idle peer after Minutes (15 - 60): Set the time after which an idle peer is
disconnected (15 minutes by default).
TCP/UDP: Select UDP for better performance.
Cryptographic Settings: Encryption Algorithm, Authentication Algorithm, Key Size, Key Lifetime
Compression Settings
Debug Settings
Apply
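The settings above (certificate plus username/password, port 443, UDP versus TCP, pinned encryption and authentication algorithms, compression, and the dead-peer timeout range) end up in the client profile that users download from the User Portal. The following checker is an added example, not code from Sophos or from this guide; it assumes the downloaded profile is an OpenVPN-format text file (an assumption, since the guide does not state the profile format) and uses a constructed sample profile so it runs offline. It flags a profile that is missing one of the two authentication factors, uses a port other than 443, pins no cipher or HMAC, enables compression, or sets a dead-peer restart outside the 60-1800 second range from the table.

```python
"""Check an OpenVPN-format SSL VPN client profile against the settings
described in the guide. Added example; the sample profile is constructed."""
import re

# Constructed sample profile. Assumption: the User Portal delivers an
# OpenVPN-format text profile; host name and PEM bodies are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-CBC
auth SHA256
auth-user-pass
comp-lzo
ping 10
ping-restart 180
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed-placeholder...
-----END PRIVATE KEY-----
</key>
"""

DEAD_PEER_RANGE = (60, 1800)  # seconds, from the guide's settings table


def parse_profile(text):
    """Return (directives, blocks): directives maps a directive name to the
    list of argument lists seen for it; blocks is the set of inline <tag>
    names (ca, cert, key, ...). PEM bodies inside blocks are skipped."""
    directives = {}
    blocks = set()
    current_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:
            if m.group(1):          # closing tag
                current_block = None
            else:                   # opening tag
                current_block = m.group(2)
                blocks.add(current_block)
            continue
        if current_block:
            continue                # inside a PEM block
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def check_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    d, blocks = parse_profile(text)
    findings = []
    # Two factors: client certificate/key (have) and username/password (know)
    if not (("cert" in blocks or "cert" in d) and ("key" in blocks or "key" in d)):
        findings.append("no client certificate/key: certificate factor missing")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: username/password factor missing")
    # Transport: the guide tunnels over port 443 and recommends UDP
    for args in d.get("remote", []):
        port = args[1] if len(args) > 1 else "1194"  # OpenVPN default port
        if port != "443":
            findings.append(f"remote port {port} is not 443")
    proto = d.get("proto", [["udp"]])[0][0]
    if proto.lower().startswith("tcp"):
        findings.append("proto tcp: UDP gives better performance")
    # Cryptographic settings should be pinned explicitly
    if "cipher" not in d:
        findings.append("cipher (encryption algorithm) not specified")
    if "auth" not in d:
        findings.append("auth (authentication algorithm) not specified")
    # Compression
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: review Compression Settings")
    # Dead-peer handling within the guide's 60-1800 second range
    lo, hi = DEAD_PEER_RANGE
    for args in d.get("ping-restart", []):
        secs = int(args[0])
        if not lo <= secs <= hi:
            findings.append(f"ping-restart {secs}s outside {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(finding)
```

Run against a real download, the check of interest is usually the first two findings: a profile that carries only a username/password prompt and no embedded certificate no longer gives the two-factor property the introduction describes.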
2. Select Bottom and enter a name for the rule, e.g. SSL VPN Masquerading, and a description
(optional).
3. Click Add New Item and select the VPN-Users group or the users, then apply.
4. Add items by clicking on Add New Item and selecting the appropriate Sources, then apply. For
Zone select WAN and for Networks select Any, since VPN users might connect from various networks.
Select the Services available to VPN users, usually Any. Add a schedule if a user is only allowed
to use the VPN at certain times.
5. Click on Add New Item and select the Zone(s) and Network(s) VPN users are allowed to
access.
6. Select Accept and activate Rewrite source address, keeping the default settings.
10. Logging should be activated for troubleshooting and monitoring purposes. Security Heartbeat
configuration is optional.
Log in using the same credentials that are valid for your User Portal.
The traffic light changes from red (disconnected) to red and amber (negotiating/connecting). As
soon as the traffic light changes to green, the SSL VPN connection is established.
4 Technical support
You can find technical support for Sophos products in any of these ways:
Visit the SophosTalk forum at http://community.sophos.com/ and search for other users
who are experiencing the same problem.
Visit the Sophos support knowledgebase at http://www.sophos.com/support/.
Download the product documentation at http://www.sophos.com/support/docs/.
Send an email to support@sophos.com, including your Sophos software version
number(s), operating system(s) and patch level(s), and the text of any error
messages.
5 Legal notices
Copyright 1996 - 2014 Sophos Group. All rights reserved. SafeGuard is a registered
trademark of Sophos Group.
Sophos is a registered trademark of Sophos Limited, Sophos Group and Utimaco
Safeware AG, as applicable. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted,
in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise unless you are either a valid licensee where the documentation can be
reproduced in accordance with the license terms or you otherwise have the prior
permission in writing of the copyright owner.
Limited Warranty
No guarantee is given for the correctness of the information contained in this document.
Please send any comments or corrections to nsg-docu@sophos.com.