SSL VPN
On this page you can configure general SSL VPN settings.
Device Configuration > Configure > VPN > SSL VPN Settings
The remote access SSL feature of Sophos Firewall OS is realized by OpenVPN, a full-featured SSL VPN solution. You can create point-to-point encrypted tunnels between remote employees and your company, requiring both SSL certificates and a username/password combination for authentication. This enables access to internal resources. In addition, Sophos Firewall OS offers a secure User Portal, which can be accessed by each authorized user. There a customized SSL VPN client software bundle can be downloaded. This bundle includes a free SSL VPN client, SSL certificates and a configuration that can be handled by a simple one-click installation procedure. The SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more.
* More information on how to use the SSL VPN client can be found in the Sophos Knowledgebase.
Following is a description of the different sections of this page:
Remote Access Settings
Make the following basic remote access settings:
Protocol Select the protocol to use. You can choose either TCP or UDP. UDP is recommended because it provides a better performance.
SSL Server Certificate Select a local SSL certificate to be used by the SSL VPN server to identify itself against the clients. Default is DeviceCertificate.
Override Hostname Here you can set the server IP address or hostname that clients use for the VPN connection. Usually this should be the external IP address of Sophos Firewall OS.
IPv4 Lease Range Set an IP address range from which IP addresses are assigned to the SSL clients. This should be a private IP address range. A default range is provided.
Subnet Mask Select a netmask for the IP address range above. The netmask must not be longer than /29, because OpenVPN cannot handle address ranges whose netmask is /30, /31, or /32. The netmask must also be at least /16.
IPv6 Lease (IPv6 / Prefix) If you want to lease IPv6 addresses to clients, set the IPv6 prefix in the first field and the netmask in the last field.
You then also have to select the Lease Mode option IPv4 and IPv6 both below.
Lease Mode Select if you want to only lease IPv4 addresses to SSL clients or both IPv4 and IPv6 addresses.
IPv4 DNS Specify up to two IPv4 DNS servers of your organization.
IPv6 DNS Specify up to two IPv6 DNS servers of your organization.
IPv4 WINS Specify up to two IPv4 WINS servers of your organization.
Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows operating systems. Effectively, WINS is to NetBIOS names what DNS is to domain names—a central mapping of hostnames to IP addresses.
IPv6 WINS Specify up to two IPv6 WINS servers of your organization.
The IP addresses of the DNS and WINS servers you enter here are provided for the use of remote access clients while establishing a connection to the gateway, thus providing full name resolution for your domain.
Domain Name Enter the hostname of your Sophos XG Firewall as a Fully Qualified Domain Name (FQDN). The FQDN is an unambiguous domain name that specifies the node's absolute position in the DNS tree hierarchy, for example utm.example.com. A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a TLD (top level domain) such as com, org, or de. The hostname will be used in notification messages to identify the Sophos XG Firewall.
Disconnect Dead Peer After Enter a time limit in seconds after which a dead connection will be terminated by Sophos XG Firewall. Default is 180 seconds.
Disconnect Idle Peer After Enter a time limit in minutes when an idle connection will be terminated. Default is 15 minutes.
Cryptographic Settings
Make the following cryptographic settings:
Encryption Algorithm Specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, all in Cipher Block Chaining (CBC) mode:
DES-EDE3-CBC
AES-128-CBC (128 bit)
AES-192-CBC (192 bit)
AES-256-CBC (256 bit)
BF-CBC (Blowfish (128 bit))
Authentication Algorithm Specifies the hash algorithm used for authenticating the data sent through the VPN tunnel. The following algorithms are supported:
SHA-1 (160 bit)
SHA2 256 (256 bit)
SHA2 384 (384 bit)
SHA2 512 (512 bit)
MD5 (128 bit)
Key Size The key size (key length) is the length of the Diffie-Hellman parameters used for the key exchange. The longer this key is, the stronger the protection of the negotiated symmetric keys. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.
Key Lifetime Enter a time period after which the key will expire. The default is 28,800 seconds.
Compression Settings
Make the following compression setting:
Compress SSL VPN Traffic If enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption.
Debug Settings
Make the following debug setting:
Enable Debug Mode When enabling debug mode, the SSL VPN log file will contain extended information useful for debugging purposes.
Click Apply to save your settings.
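The settings above map directly onto standard OpenVPN server directives. The following added example (not Sophos code; the configuration files that Sophos Firewall OS generates internally are not documented on this page) validates the constraints the page states for the lease range and key size, renders the equivalent OpenVPN directives, and flags the older algorithm choices a reviewer would question. The settings dictionary, the 192.168.200.0/24 lease range and the DNS server address are constructed sample values; the directive names (proto, server, cipher, auth, dh, reneg-sec, ping-restart, inactive, push, comp-lzo, verb) are real OpenVPN options, and using ping-restart and inactive for the two disconnect timers is this example's assumption about the closest equivalents.

```python
"""Validate Sophos SSL VPN settings and render the equivalent OpenVPN directives.

Added example, not Sophos code. Constraints come from the settings page:
netmask between /16 and /29, private lease range, DH key size 1024 or 2048.
"""
import ipaddress

MIN_PREFIX = 16   # page: netmask is limited to a minimum of 16
MAX_PREFIX = 29   # page: OpenVPN cannot handle /30, /31 or /32
ALLOWED_KEY_SIZES = (1024, 2048)

# Page labels -> OpenVPN "auth" names (assumed mapping to the same HMAC hashes).
AUTH_NAMES = {"SHA-1": "SHA1", "SHA2 256": "SHA256", "SHA2 384": "SHA384",
              "SHA2 512": "SHA512", "MD5": "MD5"}

# Choices a defender would question: 64-bit block ciphers and deprecated hashes.
WEAK_CIPHERS = {"DES-EDE3-CBC": "64-bit block size", "BF-CBC": "64-bit block size"}
WEAK_HASHES = {"MD5": "deprecated hash", "SHA-1": "deprecated hash"}


def validate_lease_range(lease_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the lease network, raising ValueError if it breaks the page's rules."""
    network = ipaddress.IPv4Network(f"{lease_ip}/{netmask}", strict=False)
    if not MIN_PREFIX <= network.prefixlen <= MAX_PREFIX:
        raise ValueError(f"netmask /{network.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    if not network.is_private:
        raise ValueError(f"{network} is not a private range")
    return network


def weak_choices(settings: dict) -> list[str]:
    """List the cryptographic settings that a practitioner should reconsider."""
    warnings = []
    cipher = settings["encryption"]
    if cipher in WEAK_CIPHERS:
        warnings.append(f"encryption {cipher}: {WEAK_CIPHERS[cipher]}")
    digest = settings["authentication"]
    if digest in WEAK_HASHES:
        warnings.append(f"authentication {digest}: {WEAK_HASHES[digest]}")
    if settings["key_size"] < 2048:
        warnings.append(f"key size {settings['key_size']}: prefer 2048-bit DH parameters")
    return warnings


def render_server_config(settings: dict) -> list[str]:
    """Render the page's settings as OpenVPN server directives (one per list entry)."""
    network = validate_lease_range(settings["lease_ip"], settings["subnet_mask"])
    if settings["key_size"] not in ALLOWED_KEY_SIZES:
        raise ValueError(f"key size must be one of {ALLOWED_KEY_SIZES}")
    lines = [
        f"proto {settings['protocol'].lower()}",                    # Protocol
        f"server {network.network_address} {network.netmask}",      # IPv4 Lease Range + Subnet Mask
        f"cipher {settings['encryption']}",                         # Encryption Algorithm
        f"auth {AUTH_NAMES[settings['authentication']]}",           # Authentication Algorithm
        f"dh dh{settings['key_size']}.pem",                         # Key Size (DH parameter file, assumed name)
        f"reneg-sec {settings['key_lifetime']}",                    # Key Lifetime (seconds)
        f"ping-restart {settings['dead_peer_timeout']}",            # Disconnect Dead Peer After (seconds)
        f'push "inactive {settings["idle_timeout_minutes"] * 60}"', # Disconnect Idle Peer After (minutes -> seconds)
    ]
    for dns in settings.get("ipv4_dns", []):
        lines.append(f'push "dhcp-option DNS {dns}"')               # IPv4 DNS
    for wins in settings.get("ipv4_wins", []):
        lines.append(f'push "dhcp-option WINS {wins}"')             # IPv4 WINS
    if settings.get("compress"):
        lines.append("comp-lzo")                                    # Compress SSL VPN Traffic
    lines.append("verb 4" if settings.get("debug") else "verb 3")   # Enable Debug Mode
    return lines


# Constructed sample settings, chosen to match the page's defaults where it states them.
SAMPLE_SETTINGS = {
    "protocol": "UDP",
    "lease_ip": "192.168.200.0", "subnet_mask": "255.255.255.0",
    "encryption": "AES-256-CBC", "authentication": "SHA2 256",
    "key_size": 2048, "key_lifetime": 28800,
    "dead_peer_timeout": 180, "idle_timeout_minutes": 15,
    "ipv4_dns": ["192.168.1.10"], "ipv4_wins": [],
    "compress": True, "debug": False,
}

if __name__ == "__main__":
    print("\n".join(render_server_config(SAMPLE_SETTINGS)))
    for warning in weak_choices({**SAMPLE_SETTINGS, "encryption": "BF-CBC"}):
        print("warning:", warning)
```

Running the block prints the rendered directives for the sample settings; swapping in BF-CBC or MD5 produces the corresponding warning lines, and a /30 netmask or a public lease range raises before anything is rendered.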