Configure remote access SSL VPN with Sophos Connect client

You can configure remote access SSL VPN connections. Users can establish the connection using the Sophos Connect client.

Introduction

The Sophos Connect client allows you to enforce advanced security and flexibility settings, such as connecting the tunnel automatically. To configure and establish remote access SSL VPN connections using the Sophos Connect client, do as follows:

  • Configure the SSL VPN settings.
  • Send the configuration file to users.
  • Add a firewall rule.
  • Send the Sophos Connect client to users. Alternatively, users can download it from the user portal.

Users must do as follows:

  • Install the Sophos Connect client on their endpoint devices.
  • Import the configuration file into the client and establish the connection.

Currently, the Sophos Connect client doesn't support macOS for SSL VPN. It also doesn't support mobile platforms for IPsec and SSL VPN. For macOS and mobile platforms, we recommend that you use the OpenVPN Connect client.

Specify an IP address range for SSL VPN clients

When SSL VPN clients sign in, they're assigned an address from the range specified here. You must use a private address range.

  1. Go to VPN and click Show VPN settings.

    VPN settings

  2. Specify a lease range. If required, you can also update the subnet mask.

    IPv4 lease range

  3. Click Apply.
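
A lease range can be checked before you enter it. The following is an added example, not part of the Sophos documentation: it assumes "private" means the RFC 1918 blocks, and it adds an overlap check against the local subnet that the page doesn't require. The function name and all addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 blocks; assumed here to be what "private address range" means.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_lease_range(start, end, netmask, local_subnet):
    """Return a list of problems with an IPv4 lease range; empty means OK."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        return [f"range start {first} is after range end {last}"]
    problems = []

    # The range is contiguous, so it is private if both ends share one block.
    block = next((b for b in RFC1918 if first in b), None)
    if block is None or last not in block:
        problems.append(f"{first}-{last} is not inside a single RFC 1918 block")

    # Both ends must belong to the network implied by the subnet mask.
    pool = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    if last not in pool:
        problems.append(f"{last} is outside {pool} implied by mask {netmask}")
    elif first == pool.network_address or last == pool.broadcast_address:
        problems.append(f"range includes the network or broadcast address of {pool}")

    # Extra check beyond the page: a pool that overlaps the LAN makes
    # routing between VPN clients and local hosts ambiguous.
    lan = ipaddress.ip_network(local_subnet)
    if first <= lan.broadcast_address and last >= lan.network_address:
        problems.append(f"{first}-{last} overlaps local subnet {lan}")
    return problems

if __name__ == "__main__":
    # Constructed sample values.
    for args in [("10.20.30.5", "10.20.30.55", "255.255.255.0", "192.168.10.0/24"),
                 ("203.0.113.5", "203.0.113.55", "255.255.255.0", "192.168.10.0/24"),
                 ("192.168.10.100", "192.168.10.150", "255.255.255.0", "192.168.10.0/24")]:
        print(args[:2], check_lease_range(*args) or "OK")
```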

Create a user group and add a user

You create a user group for the remote SSL VPN and add a user. The group specifies a surfing quota and access time. Users in the group are allowed unlimited access.

  1. Go to Authentication > Groups and click Add.
  2. Specify the settings.

    Name           Description
    Name           Remote SSL VPN group
    Surfing quota  Unlimited internet access
    Access time    Allowed all the time

  3. Click Save.

  4. Go to Authentication > Users and click Add.
  5. Specify the settings.

    Name           Description
    Username       john.smith
    Name           John Smith
    Group          Remote SSL VPN group

  6. Click Save.

Create IP hosts for local subnet and remote SSL VPN clients

The local subnet defines the network resources that remote clients can access. You need the IP host for the remote clients to create a firewall rule.

  1. Go to Hosts and services > IP host and click Add.
  2. Enter a name and network for the local subnet.

    IP host for local subnet

  3. Click Save.

  4. Click Add.
  5. Create an IP host for the remote clients.

    IP host for remote clients

  6. Click Save.

Add an SSL VPN remote access policy

You create a policy that allows clients in the Remote SSL VPN group to connect. These users are allowed to access resources on the local subnet.

  1. Go to VPN > SSL VPN (remote access) and click Add.
  2. Enter a name and specify policy members and permitted network resources.

    Specify policy members and permitted network resources

  3. Click Apply.

Check authentication services

In this example, we set the firewall and SSL VPN authentication methods to local authentication. Sophos Firewall then acts as the authentication server.

  1. Go to Authentication > Services.
  2. Check that the authentication server is set to Local.
    Alternatively, you can select an authentication server, such as the Active Directory server you've configured under Authentication > Servers > Firewall authentication methods.

    Authentication server set to Local in firewall authentication methods

  3. Scroll to SSL VPN authentication methods.

  4. Check that the authentication server is set to Local.

    Authentication server set to Local in SSL VPN authentication methods

Check device access settings

To establish the connection and ensure that users have access to the connection, you must turn on device access for SSL VPN and the user portal.

  1. Go to Administration > Device access.
  2. Check access to SSL VPN and the user portal.

    Turn on access from zones for SSL VPN and user portal

  3. Click Apply.

Add a firewall rule

  1. Go to Rules and policies > Firewall rules. Select IPv4 or IPv6 and select Add firewall rule.
  2. Specify the settings.

    Firewall rule's matching criteria

  3. Click Save.

Install and configure Sophos Connect client on endpoint devices

To establish remote access SSL VPN connections, users must install the Sophos Connect client on their endpoint devices and import the .ovpn file to the client.

You can download the Sophos Connect client installers from the Sophos Firewall web admin console and share these with users. Alternatively, users can download the Sophos Connect client from the user portal.

Here, we show how users can download the client from the user portal. Users must do as follows:

  1. Sign in to the user portal and go to VPN. Under Sophos Connect client (IPsec and SSL VPN), click Download client for Windows.

    Installers for the Sophos Connect client

  2. Click Download configuration for Windows to download the .ovpn configuration file.

    Download SSL VPN configuration for Windows

  3. Run the Sophos Connect client.
    You can then see it in the system tray of your endpoint device.

  4. Click the three dots button in the upper-right corner, click Import connection, and select the .ovpn file you've downloaded.

    Import connection

  5. Sign in using your user portal credentials.

    Sign in to the Sophos Connect client
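
Before a .ovpn file is sent to users or imported, it helps to know where it points and whether it carries key material. The following is an added example, not part of the Sophos documentation: it parses standard OpenVPN profile directives, and the sample profile is constructed for illustration and is not output from Sophos Firewall. The function name is hypothetical.

```python
import re

# Constructed profile for illustration; not output from Sophos Firewall.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.com 8443
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
(placeholder)
-----END PRIVATE KEY-----
</key>
"""

def audit_ovpn(text):
    """Summarise an OpenVPN profile: remotes, inline blocks and findings."""
    directives, inline, open_tag = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if open_tag:                      # skip the body of an inline block
            if line == f"</{open_tag}>":
                open_tag = None
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            open_tag = tag.group(1)
            inline.append(open_tag)
        elif line and line[0] not in "#;":
            name, *args = line.split(None, 1)
            directives.setdefault(name, []).append(args[0] if args else "")
    findings = []
    if "key" in inline:
        findings.append("embedded private key: handle the file as a credential")
    if not {"remote-cert-tls", "verify-x509-name"} & directives.keys():
        findings.append("server certificate role/name is not pinned")
    if "auth-user-pass" not in directives:
        findings.append("no username/password prompt; the file alone may authenticate")
    return {"remotes": directives.get("remote", []),
            "inline": inline, "findings": findings}
```

Calling `audit_ovpn(SAMPLE_PROFILE)` reports the remote endpoint, the inline blocks found, and two findings for the constructed profile.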
