
RED interfaces

A Remote Ethernet Device (RED) provides a secure tunnel between a remote site and Sophos Firewall.

REDs connect remote branch offices to your main offices as if the branch office were part of your local network. Using RED interfaces, you can configure and install RED appliances or create a site-to-site RED tunnel between two Sophos Firewall devices in a client-server configuration.

Warning

RED 15, 15 (w), and 50 are now end-of-life (EOL). We recommend you use SD-RED 20 or 60.

You can configure RED tunnels using the following options:

  • RED appliance: You can establish a tunnel between Sophos Firewall in the head office and a RED appliance (example: SD-RED) at the remote office. You can provision a RED device in one of the following ways:

    • Automatically via provisioning service: Sophos Firewall provisions the remote RED appliance automatically through the RED provisioning server. See Set up a RED device automatically.
    • Manually via USB stick: You provision the remote RED appliance using a USB device. In this method, you copy the provisioning file from Sophos Firewall to a USB device and install the file on the RED appliance. See Set up a RED device manually.

    Note

    For optimal performance, turn off the 802.3az setting on the switches connected to SD-RED 20 and 60.

  • Firewall RED device: You can create a site-to-site RED tunnel between two Sophos Firewall devices in a client-server configuration. Firewall RED devices are Sophos Firewall devices that communicate using the RED tunnel. You can use Firewall RED device types as follows:

    • Firewall RED server or client: Select this option if you're connecting two Sophos Firewall devices or two UTM devices.
    • Firewall RED server or client (legacy): Select this option if you're connecting Sophos Firewall to a UTM device.

RED network configuration

In a typical configuration, you set up the device at a branch office and connect it to the firewall at the head office.

The RED establishes a VPN tunnel to the firewall, so anything connected to the RED becomes part of the head office network. All traffic in and out of the branch office is routed through the RED. You can apply the same policies across local and remote traffic or create custom policies by location.

RED network diagram.

RED provisioning servers

When you configure a RED on Sophos Firewall, the firewall uploads the following configuration details to the RED provisioning servers:

  • IP address of the firewall's web admin console
  • WAN settings:

    • WAN uplink mode (DHCP, PPPoE, Static)
    • Mobile broadband connection settings for RED hardware
    • If you've selected static uplink mode, RED WAN IP address settings (IP address, netmask, default gateway, and DNS server)
  • Tunnel operation mode (example: Standard)

  • Unlock code

The cloud-based RED provisioning servers store the configurations. When you add a RED device, the RED performs a DNS lookup of red.astaro.com, securely connects to the closest provisioning server, and gets its configuration from that server. When an existing configuration doesn't work, the RED checks the provisioning servers for updated instructions. A RED with a working tunnel doesn't connect to the provisioning servers.

SD-RED 20 and 60 use ports TCP 3400 and UDP 3410. For a complete list of the RED provisioning server hostnames and ports, see Default services.

RED unlock codes

A RED unlock code allows the provisioning servers to accept a new configuration for a RED. It prevents a RED that is in use from being accidentally or maliciously redirected.

First-time use

If you're configuring a RED for the first time, leave the unlock code blank and save the configuration. The firewall uploads the RED configuration to the provisioning server. The provisioning server generates an unlock code specific to the RED. You can see it in the web admin console. It also sends the code to the email address you provided when you turned on the RED provisioning service. If you move the RED to a new firewall, you must enter the old unlock code to register the RED to the new firewall.

Previously used RED

When you delete a RED interface from the web admin console, the console shows the unlock code in a pop-up message confirming the delete action. It also sends the code to the email address you provided on System services > RED.

Warning

Retain the unlock code. Make sure this email address is up to date and accurate. You'll need the code to set up the RED on another firewall.

If you can't find the unlock code, contact Sophos Support.
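The unlock-code rule in the two sections above (a first registration generates the code, a re-registration from a different firewall must present it, and deleting the interface hands the code back) can be modelled to see exactly which request the provisioning servers refuse. The following is an added illustration written for this page, not Sophos code or the real provisioning protocol: the names ProvisioningServer, RedConfig and UnlockCodeError are assumptions, and so is the detail that the owning firewall can update its own RED's configuration without re-entering the code. It also applies the WAN-settings rule from the RED provisioning servers section (static uplink mode requires IP address, netmask, default gateway and DNS server).

```python
"""Model of the RED unlock-code rule described in the Sophos RED documentation.

Added example, not Sophos code. It models the behaviour the page describes so
the protection against redirecting a RED in use can be seen concretely. Class
and function names are assumptions; sample values are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RedConfig:
    """Subset of the provisioning details the firewall uploads for a RED."""
    firewall_admin_ip: str          # IP address of the firewall's web admin console
    uplink_mode: str                # "DHCP", "PPPoE" or "Static"
    operation_mode: str = "Standard"
    static_ip: Optional[str] = None
    netmask: Optional[str] = None
    gateway: Optional[str] = None
    dns_server: Optional[str] = None

    def validate(self) -> None:
        """Static uplink mode needs the full WAN IP settings; the others don't."""
        if self.uplink_mode not in ("DHCP", "PPPoE", "Static"):
            raise ValueError(f"unknown uplink mode {self.uplink_mode!r}")
        if self.uplink_mode == "Static":
            missing = [n for n in ("static_ip", "netmask", "gateway", "dns_server")
                       if getattr(self, n) is None]
            if missing:
                raise ValueError("static uplink mode requires " + ", ".join(missing))


class UnlockCodeError(PermissionError):
    """A RED already in use was re-registered without its unlock code."""


@dataclass
class ProvisioningServer:
    """In-memory stand-in for the cloud provisioning service (assumption)."""
    # red_id -> {"owner": firewall id or None once released, "config", "code"}
    records: dict = field(default_factory=dict)

    def register(self, red_id: str, firewall_id: str, config: RedConfig,
                 unlock_code: Optional[str] = None) -> str:
        """Upload a configuration for a RED; returns the RED's unlock code."""
        config.validate()
        rec = self.records.get(red_id)
        if rec is None:
            # First-time use: the server generates a code specific to this RED.
            code = secrets.token_hex(8)
        else:
            code = rec["code"]
            # Assumed: the owning firewall may update its own RED freely. Any
            # other firewall (or a released RED) must present the old code,
            # otherwise the new configuration is refused.
            if rec["owner"] != firewall_id and unlock_code != code:
                raise UnlockCodeError(f"RED {red_id} is in use; unlock code required")
        self.records[red_id] = {"owner": firewall_id, "config": config, "code": code}
        return code

    def fetch(self, red_id: str) -> RedConfig:
        """What the RED retrieves after locating the provisioning server."""
        return self.records[red_id]["config"]

    def delete(self, red_id: str, firewall_id: str) -> str:
        """Deleting the RED interface releases the RED and returns its unlock code."""
        rec = self.records[red_id]
        if rec["owner"] != firewall_id:
            raise PermissionError("only the registering firewall can delete this RED")
        rec["owner"] = None   # the record and its code survive for the next firewall
        return rec["code"]


def walkthrough() -> dict:
    """Run the move-a-RED scenario from the page and report what happened."""
    server = ProvisioningServer()
    hq_cfg = RedConfig(firewall_admin_ip="203.0.113.10", uplink_mode="DHCP")  # constructed
    code = server.register("RED-A1B2", "fw-head-office", hq_cfg)

    # A second firewall that does not know the code cannot take the RED over.
    try:
        server.register("RED-A1B2", "fw-unknown", hq_cfg)
        redirected = True
    except UnlockCodeError:
        redirected = False

    # The head office deletes the interface, receives the code, and the new
    # site registers the RED by entering that old code.
    released_code = server.delete("RED-A1B2", "fw-head-office")
    branch_cfg = RedConfig(firewall_admin_ip="198.51.100.20", uplink_mode="Static",
                           static_ip="192.0.2.5", netmask="255.255.255.0",
                           gateway="192.0.2.1", dns_server="192.0.2.53")
    new_code = server.register("RED-A1B2", "fw-branch", branch_cfg, unlock_code=released_code)
    return {"code": code, "redirected_without_code": redirected,
            "released_code": released_code, "new_code": new_code,
            "active_admin_ip": server.fetch("RED-A1B2").firewall_admin_ip}


if __name__ == "__main__":
    print(walkthrough())
```

The point the model makes is that the code is tied to the RED, not to the firewall: once a RED has been registered, the server only accepts a configuration from a different firewall when that request carries the code, which is why the page tells you to retain it and keep the notification email address accurate.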

How to configure a RED

You can configure a RED appliance, or configure Sophos Firewall itself to act as a RED appliance.

How to configure a RED appliance

You can connect RED appliances, such as SD-RED, installed in the remote office, to Sophos Firewall installed in the main office.

  1. Go to System services > RED.
  2. Turn on the RED service, and register Sophos Firewall with the RED provisioning server. This is a one-time action.
  3. Configure the RED interface on your Sophos Firewall. See Add a RED interface.
  4. Connect the RED appliance to the internet at the remote site.

How to configure the firewall as a RED appliance

You can connect Sophos Firewall devices in the head and remote offices using a site-to-site RED tunnel.

  1. Go to System services > RED.
  2. Turn on the RED service, and register Sophos Firewall with the RED provisioning server. This is a one-time action.
  3. Configure firewall 1 as the Firewall RED Server. See Add a RED interface.
  4. Go to Network > Interfaces. Download the provisioning file for firewall 1.
  5. Configure firewall 2 as the Firewall RED Client. Upload the provisioning file.

See Create a site-to-site RED tunnel.

More resources