Skip to content

Add a remote access SSL VPN policy

You can configure remote access SSL VPN policies to allow users and groups to access the permitted network resources. You can also send their internet traffic through the firewall.

The gateway, client addresses, and other settings are based on SSL VPN global settings.

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Enter a name.
  3. For Policy members, select the preconfigured users and groups.
  4. Turn on Use as default gateway to send remote access users' internet traffic through the firewall.


    You must also select the permitted network resources if you want remote users to access these internal resources.


    If you turn on the default gateway setting, the firewall's rules and protection policies apply to the remote users' internet traffic. So, configure a firewall rule with the source zone set to VPN and the destination zone set to Any to allow traffic to the internet and the permitted resources.

    You can also set the source networks to the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6.

  5. For Permitted network resources, select the internal networks you want the policy's remote access users to access.

  6. (Optional) Select Disconnect idle clients if you want to set a specific time at which the firewall disconnects clients with idle sessions.
  7. (Optional) For Override global timeout, enter the time in minutes.


    This time-out value only applies if it's lower than the idle peer value in SSL VPN global settings. If you specify a higher value, the global settings' value applies.

Next steps: Go to Administration > Device access and make sure you've selected the WAN zone for SSL VPN, and the LAN and WAN zones for the user portal to download the configuration file. See Configure remote access SSL VPN with Sophos Connect client.

We recommend that you turn off access to the user portal from WAN after users download the file.