FW5005 20.0v1 Getting Started With Remote Access On Sophos Firewall
[Additional Information]
Sophos Firewall
FW5005: Getting Started with Remote Access VPNs on Sophos Firewall
January 2024
Version: 20.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 20 minutes
In this chapter you will learn how to configure SSL and IPsec remote access VPNs on Sophos Firewall.
IPsec: establish remote access IPsec VPNs using the Sophos Connect client or third-party clients.
SSL: establish remote access SSL VPNs using the Sophos Connect client, the legacy SSL VPN client, or OpenVPN clients.
Sophos Firewall supports a range of common protocols for remote access VPNs.
The most commonly used are IPsec and SSL, so this chapter focuses on those two. It is useful to
remember that Sophos Firewall also supports L2TP over IPsec, which is compatible with the Windows
built-in VPN client, and PPTP, which we do not recommend because it is no longer considered secure.
SSL
▪ Sophos Connect VPN Client for Windows and Mac OS X
▪ Compatible with OpenVPN clients on all platforms
▪ Support for multi-factor authentication
▪ Supports Synchronized Security
▪ Split tunnelling and tunnel all
IPsec
▪ Sophos Connect VPN Client for Windows and Mac OS X
▪ Compatible with third-party IPsec VPN clients
▪ Support for multi-factor authentication
▪ Supports Synchronized Security
▪ Split tunnelling and tunnel all
Sophos Firewall’s SSL remote access VPN is based on OpenVPN, a full-featured VPN solution. The
encrypted tunnels between remote devices and the Sophos Firewall use both SSL certificates and a
username and password to authenticate the connection, and you can also enable multi-factor
authentication for additional security.
The IPsec remote access VPN authenticates the tunnel with either a pre-shared key or a digital certificate;
users then authenticate with their username and password and, optionally, multi-factor
authentication. As a standard IPsec VPN, it is compatible with third-party VPN clients.
For both the SSL and IPsec remote access VPNs we provide the Sophos Connect VPN client for
Windows and Mac OS X devices.
For SSL remote access VPNs, we still support the legacy Sophos SSL VPN Client; however, we
recommend upgrading to Sophos Connect when possible.
[Additional Information]
https://doc.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConClient/index.html
Sophos Firewall has a wizard, the SSL VPN assistant, that streamlines and simplifies the configuration of
everything required for remote access SSL VPNs. The assistant covers:
• Selecting the users and groups the policy will apply to.
• Configuring the authentication servers.
• Selecting the resources users will be able to access.
• Choosing between split tunneling and tunnel all.
• Selecting which zones can access the user portal to download the client and configuration.
• Selecting which zones users can establish an SSL VPN from.
As part of the assistant, a firewall rule will be created to control access to internal resources from the
VPN.
In this demo you will see how to use the SSL VPN assistant
to quickly configure remote access for users.
https://training.sophos.com/fw/demo/SslVpnAssistant/1/play.html
Click Launch Demonstration to start. Once you have finished, click Continue.
To enable using the Security Heartbeat over the SSL VPN, you need to add the built-in
‘SecurityHeartbeat_over_VPN’ host object. This contains the public IP address used for Security
Heartbeat and will ensure it is routed over the VPN to Sophos Firewall.
By default, Sophos Firewall hosts the SSL VPN on port 8443, however this can be changed to a
different available port in the SSL VPN settings. Note that the SSL VPN can share port 443 with other
services on Sophos Firewall, such as the user portal and web application firewall rules.
You can modify the SSL certificate for the connection and override the hostname used in the
configuration files.
You can configure the IP lease range, DNS, WINS and domain name that will be used for clients that
connect.
In addition to this, there are several advanced connection settings such as the algorithms, key size, key
lifetime and compression options. Leave compression disabled unless you have a specific need for it;
compressing traffic before encryption leaks information about the plaintext.
The SSL VPN settings are global for both remote access and site-to-site SSL VPNs; if you make changes
here you may need to update any SSL site-to-site VPNs you have configured, and remote users will need
to download a fresh configuration if the port, certificate or hostname changes.
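The settings above end up in the OpenVPN profile that users download from the portal, so the quickest way to confirm what a client will actually do is to read that file. The script below is an added example, not Sophos code: it parses an OpenVPN profile into its directives and reports the ones that matter for the SSL VPN hardening just described (password plus certificate, server certificate checking, compression, cipher, minimum TLS version). The embedded $SampleProfile is constructed for illustration with typical OpenVPN directive names; it is not a verbatim Sophos export, and the placeholder inside the <ca> block is not a real certificate.

```powershell
# Added example (not Sophos code): check an OpenVPN profile exported from the
# user portal against the SSL VPN settings discussed above.
# $SampleProfile is a constructed stand-in, not a real export.

$SampleProfile = @'
client
dev tun
proto tcp
remote vpn.example.com 8443
auth-user-pass
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
tls-version-min 1.2
comp-lzo
reneg-sec 0
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
'@

function Get-OpenVpnDirectives {
    # Returns an ordered dictionary: directive name -> array of argument strings,
    # one entry per occurrence. Inline <ca>/<cert>/<key> PEM blocks are skipped.
    param([Parameter(Mandatory)][string]$Text)
    $directives = [ordered]@{}
    $inBlock = $false
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^</') { $inBlock = $false; continue }
        if ($line -match '^<')  { $inBlock = $true;  continue }
        if ($inBlock -or $line -eq '' -or $line -match '^[#;]') { continue }
        $parts   = $line -split '\s+', 2
        $name    = $parts[0].ToLowerInvariant()
        $argText = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        if (-not $directives.Contains($name)) { $directives[$name] = @() }
        $directives[$name] += $argText
    }
    return $directives
}

function Test-SslVpnProfile {
    # Returns one string per finding; WARN lines are settings worth changing on the firewall.
    param([Parameter(Mandatory)][string]$Text)
    $d = Get-OpenVpnDirectives -Text $Text
    $findings = New-Object System.Collections.Generic.List[string]

    $remote = if ($d.Contains('remote')) { $d['remote'][0] } else { '(none)' }
    $proto  = if ($d.Contains('proto'))  { $d['proto'][0] }  else { 'udp' }
    $findings.Add("INFO: remote endpoint '$remote' over $proto")

    if (-not $d.Contains('auth-user-pass')) {
        $findings.Add('WARN: auth-user-pass missing; the profile would authenticate with the certificate alone')
    }
    if (-not $d.Contains('remote-cert-tls') -or $d['remote-cert-tls'][0] -ne 'server') {
        $findings.Add('WARN: remote-cert-tls server missing; any certificate issued by the CA could impersonate the firewall')
    }
    # comp-lzo without "no", or compress with an algorithm, means compression is on.
    $compression = ($d.Contains('comp-lzo') -and $d['comp-lzo'][0] -ne 'no') -or
                   ($d.Contains('compress') -and $d['compress'][0] -ne '')
    if ($compression) {
        $findings.Add('WARN: compression enabled; disable it in the SSL VPN settings (compress-then-encrypt leaks plaintext information)')
    }
    if ($d.Contains('cipher')) {
        $cipher = $d['cipher'][0]
        if ($cipher -match '^(BF|DES|DES-EDE3|RC2|CAST5)-') {
            $findings.Add("WARN: weak cipher $cipher; select an AES cipher in the SSL VPN settings")
        } elseif ($cipher -match '-CBC$') {
            $findings.Add("INFO: cipher $cipher is CBC mode; prefer AES-GCM where both ends support it")
        }
    }
    $tlsMin = if ($d.Contains('tls-version-min')) { ($d['tls-version-min'][0] -split '\s+')[0] } else { '1.0' }
    if ([version]$tlsMin -lt [version]'1.2') {
        $findings.Add("WARN: tls-version-min is $tlsMin; require TLS 1.2 or higher")
    }
    if ($d.Contains('reneg-sec') -and $d['reneg-sec'][0] -eq '0') {
        $findings.Add('INFO: reneg-sec 0; the client never initiates rekeying, so the key lifetime on the firewall is what limits key use')
    }
    return $findings
}

# Usage: swap $SampleProfile for (Get-Content .\profile.ovpn -Raw) to check a real download.
Test-SslVpnProfile -Text $SampleProfile
```

For the constructed sample the script reports the tcp/8443 endpoint, warns about comp-lzo, and notes the CBC cipher and reneg-sec 0; the warnings map directly to the compression and algorithm options in the SSL VPN settings page.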
Once an SSL VPN profile has been created for a user, they can download an SSL VPN client from their
VPN portal. For Windows and macOS we recommend using the Sophos Connect client. There are also
SSL VPN configuration downloads for all platforms and an IPsec VPN profile download for iOS.
https://training.sophos.com/fw/simulation/SslUserVpn/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Quick links to IPsec profile, Sophos Connect client download, and logs
At the top of the tab for the IPsec remote access VPN are quick links that provide access to IPsec
profiles, the Sophos Connect client download, and logs.
IPsec profiles contain the security configuration for the IPsec connection, such as the encryption
algorithms that will be supported.
Sophos Firewall provides a default profile for remote access; however, you can clone this and create
your own to meet your security requirements.
To configure the IPsec remote access VPN, start by enabling it and selecting which interface it will
listen for connections on.
The VPN can be authenticated with either a pre-shared key or a digital certificate.
Select the users and groups that will be able to authenticate to use the VPN.
You need to configure the IP range that will be used for clients that connect, and optionally you can
also assign DNS servers.
The advanced configuration can be found at the bottom of the page and allows you to configure split
tunneling, two-factor authentication, Security Heartbeat, and other connection settings.
Using the buttons at the bottom of the page you can export the configuration for the VPN.
When you export the configuration from the web admin you download an archive with two files:
• .scx: includes the advanced settings.
• .tgb: contains only the basic configuration and tunnels all traffic back to the Sophos Firewall.
Treat both files as sensitive: they describe how to reach the VPN gateway and, with pre-shared key
authentication, carry the key, so distribute them only through channels you control.
The Sophos Connect client can also be downloaded from the VPN portal; however, the configuration
for the IPsec VPN needs to be provided by the admin.
To use the Sophos Connect client you need to import a configuration file. This can be either for the
IPsec or SSL VPN.
When the Sophos Connect Client contacts the firewall, you will be prompted to authenticate.
https://training.sophos.com/fw/simulation/IpsecUserVpn/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
The Sophos Connect client can be deployed using Active Directory Group Policy. This requires
two elements to be configured.
First, you need to install the Sophos Connect MSI via a Group Policy Object (GPO) script.
Secondly, you need to configure a Windows settings file to push the VPN configuration to the endpoints.
[Additional Information]
https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConClientGPOScript/index.html
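The GPO deployment above is the kind of thing that is easiest to get right by looking at a concrete script. The following is an added example, not the GPO script Sophos publishes at the link above: a computer-startup script that installs the Sophos Connect MSI from a file share and then copies the exported .scx profile into the client's import folder so the connection appears without the user importing anything. The share paths, the log file location and the import folder %ProgramData%\Sophos\Connect\import are assumptions for this example; confirm the import folder against the Sophos documentation for the client version you deploy.

```powershell
# Added example (not Sophos' GPO script): install Sophos Connect and publish an
# exported IPsec profile from a Computer Configuration startup script.
# Assumptions: the share is readable by Domain Computers (the script runs as SYSTEM),
# and the client imports profiles dropped in %ProgramData%\Sophos\Connect\import.
param(
    [string]$MsiPath     = '\\fileserver\deploy\SophosConnect.msi',
    [string]$ProfilePath = '\\fileserver\deploy\RemoteAccess.scx',
    [string]$ImportDir   = (Join-Path $env:ProgramData 'Sophos\Connect\import'),
    [string]$LogPath     = (Join-Path $env:ProgramData 'SophosConnectDeploy.log')
)

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Message"
}

function Test-SophosConnectInstalled {
    # Check the uninstall registry hives (32- and 64-bit) instead of trusting a file path.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Sophos Connect*' }
    return [bool]$hit
}

function Install-SophosConnect {
    # Returns $true when the client is present after this call, $false otherwise.
    if (Test-SophosConnectInstalled) { Write-Log 'Sophos Connect already installed'; return $true }
    if (-not (Test-Path $MsiPath)) { Write-Log "MSI not found: $MsiPath"; return $false }
    $msiLog = "$LogPath.msi.log"
    $argLine = "/i `"$MsiPath`" /qn /norestart /l*v `"$msiLog`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argLine -Wait -PassThru
    # 0 = success; 3010 = success, reboot pending. Anything else is a failure.
    if (@(0, 3010) -contains $proc.ExitCode) {
        Write-Log "Installed Sophos Connect (msiexec exit $($proc.ExitCode))"
        return $true
    }
    Write-Log "msiexec failed with exit code $($proc.ExitCode); see $msiLog"
    return $false
}

function Publish-ConnectionProfile {
    # Copy the .scx into the import folder only when it is missing or has changed,
    # so a profile the admin re-exports reaches clients at the next boot.
    if (-not (Test-Path $ProfilePath)) { Write-Log "Profile not found: $ProfilePath"; return $false }
    if (-not (Test-Path $ImportDir)) { New-Item -ItemType Directory -Path $ImportDir -Force | Out-Null }
    $dest = Join-Path $ImportDir (Split-Path $ProfilePath -Leaf)
    if ((Test-Path $dest) -and ((Get-FileHash $dest).Hash -eq (Get-FileHash $ProfilePath).Hash)) {
        Write-Log 'Profile already current'
        return $true
    }
    Copy-Item -Path $ProfilePath -Destination $dest -Force
    Write-Log "Published profile to $dest"
    return $true
}

if (Install-SophosConnect) { Publish-ConnectionProfile | Out-Null }
```

Link the script under Computer Configuration > Policies > Windows Settings > Scripts (Startup) so it runs as SYSTEM before any user logs on. Because the .scx can carry the pre-shared key, restrict the share to read-only for the computer accounts that need it and keep the exported file out of user-writable locations; the registry check and hash comparison make the script safe to run at every boot.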
Chapter Review
The VPN assistant streamlines the configuration of everything required for remote access SSL VPNs.
The default port for SSL VPNs is 8443. This can be changed in the SSL VPN settings. These settings are
global and apply to site-to-site SSL VPNs.
The Sophos Connect client supports both IPsec and SSL remote access VPNs and can be downloaded from
both the web admin console and user portal. The SSL VPN configuration is downloaded in the user portal,
whereas the IPsec VPN configuration is downloaded in the web admin console.