Configure remote access SSL VPN as a split tunnel

You can configure remote access SSL VPN connections in split tunnel mode. Only traffic to the permitted network resources flows through the firewall.

Users can establish the connection using the Sophos Connect client.

Overview

The Sophos Connect client allows you to enforce advanced security and flexibility settings, such as connecting the tunnel automatically.

Preliminary configurations:

  • Configure IP hosts for the local subnets.
  • Configure users and groups. Alternatively, configure an authentication server.
  • Check the authentication methods.

To configure and establish remote access SSL VPN connections using the Sophos Connect client, do as follows:

  • Configure the SSL VPN settings.
  • Send the configuration file to users.
  • Add a firewall rule.
  • Send the Sophos Connect client to users. Alternatively, users can download it from the user portal.

Restriction

Currently, the Sophos Connect client doesn't support macOS for SSL VPN. It also doesn't support mobile platforms for IPsec and SSL VPN. For these endpoints, you can use the OpenVPN Connect client. See Sophos Connect client: Compatibility with platforms.

Users must do as follows:

  • Install the Sophos Connect client on their endpoint devices.
  • Import the configuration file into the client and establish the connection.

Create an IP host for local subnet

The local subnet defines the network resources that remote clients can access.

  1. Go to Hosts and services > IP host and click Add.
  2. Enter a name and network for the local subnet.

    IP host for local subnet.

  3. Click Save.

Create a user group and add a user

You create a user group for the remote SSL VPN and add a user. The group specifies a surfing quota and access time. In this example, users in the group are allowed unlimited access.

  1. Go to Authentication > Groups and click Add.
  2. Specify the settings.

    Setting          Value
    Name             Remote SSL VPN group
    Surfing quota    Unlimited internet access
    Access time      Allowed all the time
  3. Click Save.

  4. Go to Authentication > Users and click Add.
  5. Specify the settings.

    Setting          Value
    Username         john.smith
    Name             John Smith
    Group            Remote SSL VPN group
  6. Click Save.

Check authentication services

In this example, you set the firewall and SSL VPN authentication methods to local authentication. Sophos Firewall then acts as the authentication server.

  1. Go to Authentication > Services.
  2. Under User portal authentication methods, do as follows:

    1. Clear Set authentication methods same as firewall.
    2. Check that the Selected authentication server is set to Local.

    Authentication server set to Local in user portal authentication methods.

  3. Scroll to SSL VPN authentication methods.

  4. Check that the authentication server is set to Local.

    Authentication server set to Local in SSL VPN authentication methods.

Specify a subnet for SSL VPN clients

When SSL VPN clients connect to Sophos Firewall, it assigns IP addresses from the subnet you specify here. You must use a private address.

  1. Go to Remote access VPN > SSL VPN and click SSL VPN global settings.

    VPN settings.

  2. Specify the private IP address and subnet to lease for remote users.

    IPv4 lease range.

  3. Click Apply.

Add an SSL VPN remote access policy

You create a policy that allows users in the remote SSL VPN group to connect. These users are allowed to access resources on the local subnet.

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Enter a name.
  3. Select the policy members.
  4. Select the permitted network resources that members are allowed to access.

    Specify policy members and permitted network resources.

  5. Click Apply.
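A split tunnel is only as narrow as the routes the firewall pushes to the client. The following added check (example code, not part of Sophos documentation or the Sophos Connect client) parses the OpenVPN-style PUSH_REPLY line that an OpenVPN-based client writes to its log after connecting, and reports any pushed route that falls outside the permitted network resources, or a redirect-gateway option that would turn the connection into a full tunnel. The log lines, the 10.1.1.0/24 permitted subnet and the lease addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed sample client log: one PUSH_REPLY line as an OpenVPN-based
# client logs it. The second route is deliberately outside the policy.
SAMPLE_LOG = """
2024-01-01 10:00:00 TLS: Initial packet from [AF_INET]198.51.100.10:8443
2024-01-01 10:00:02 PUSH: Received control message: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,route 10.1.2.0 255.255.255.0,dhcp-option DNS 10.81.234.1,ifconfig 10.81.234.6 255.255.255.0,peer-id 0'
2024-01-01 10:00:02 Initialization Sequence Completed
"""

# Subnets the remote access policy permits (the IP host created earlier).
PERMITTED = [ipaddress.ip_network("10.1.1.0/24")]

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")


def parse_push_reply(log_text):
    """Return (routes, raw options) from the first PUSH_REPLY line found."""
    match = PUSH_RE.search(log_text)
    if not match:
        return [], []
    options = match.group(1).split(",")
    routes = []
    for opt in options:
        parts = opt.split()
        # "route <network> <netmask>" is what the server pushes per subnet
        if len(parts) >= 3 and parts[0] == "route":
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return routes, options


def check_split_tunnel(log_text, permitted):
    """Flag a full-tunnel push or routes outside the permitted resources."""
    routes, options = parse_push_reply(log_text)
    full_tunnel = any(o.startswith("redirect-gateway") for o in options)
    unexpected = [r for r in routes if not any(r.subnet_of(p) for p in permitted)]
    return {
        "routes": [str(r) for r in routes],
        "full_tunnel": full_tunnel,
        "unexpected": [str(r) for r in unexpected],
        "split_tunnel_ok": not full_tunnel and not unexpected,
    }


if __name__ == "__main__":
    print(check_split_tunnel(SAMPLE_LOG, PERMITTED))
```

Run it against the client's connection log after changing the policy's permitted network resources to confirm that only those subnets are routed through the firewall.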

Add a firewall rule

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 or IPv6.
  3. Click Add firewall rule and New firewall rule.
  4. Enter a rule name.
  5. For Source zone, select VPN.
  6. For Source networks and devices, select ##ALL_SSLVPN_RW or ##ALL_SSLVPN_RW6.

    These hosts contain the IP addresses leased to remote users who've established a connection.

  7. For Destination zones, select the zones of the resources you want to give remote access to.

  8. For Destination networks, select the IP host you've created for the permitted network resources.
  9. Click Save.

    Here's an example:

    Firewall rule's matching criteria.

Check device access settings

You must give access to some services for remote users from the required zones.

  1. Go to Administration > Device access.
  2. Under SSL VPN, select WAN.

    This allows remote users to establish SSL VPN connections.

  3. Under User portal, select the following:

    1. WAN and Wi-Fi: Users can access the user portal from the WAN and the internal Wi-Fi zone. They can then download the VPN client and configuration from the user portal. LAN is selected by default.

      Allowing WAN access is a security risk.

    2. VPN: After users establish a VPN connection, they can access the user portal through the VPN. You can then turn off access from WAN.

  4. Optional: Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through VPN to check connectivity.

  5. Optional: Under DNS, select VPN.

    Users can resolve domain names through VPN if you've specified the firewall for DNS resolution in VPN settings.

  6. Click Apply.

    Turn on access from zones for SSL VPN and user portal.

Install and configure Sophos Connect client on endpoints

To establish remote access SSL VPN connections, users must install the Sophos Connect client on their endpoint devices and import the .ovpn file into the client.

You can download the Sophos Connect client installer from the Sophos Firewall web admin console and share it with users. Alternatively, users can download the client from the user portal as follows:

  1. Sign in to the user portal.
  2. Click VPN.
  3. Under Sophos Connect client, click Download for Windows.

    Note

    For information about which endpoint platforms the Sophos Connect client supports, see Sophos Connect client: Compatibility with platforms.

    Windows installer for the Sophos Connect client.

  4. Click Download configuration for Windows, macOS, Linux to download the .ovpn configuration file.

    Download SSL VPN configuration.

  5. Click the downloaded Sophos Connect client.

    You can then see it in the system tray of your endpoint device.

  6. Click the three dots button in the upper-right corner, click Import connection, and select the .ovpn file you've downloaded.

    Import connection.

  7. Sign in using your user portal credentials.

    Sign in to the Sophos Connect client.