Skip to content
Last update: 2022-05-25

SSL VPN global settings

You can specify the global settings for remote access L2TP connections.

These settings apply to all remote access SSL VPN policies. You can specify the port and protocol, VPN server certificate, IP addresses assigned to the remote clients, and the cryptographic and advanced settings.

The SSL VPN settings are part of the .ovpn configuration file imported to the SSL VPN client.

To specify the settings, go to Remote access VPN > SSL VPN and click SSL VPN global settings.

Protocol: SSL VPN clients can establish connections using the following protocols:

  • TCP: You can use TCP for applications that need high reliability, such as email, web surfing, and FTP.
  • UDP: You can use UDP for applications that need a fast, efficient transmission, such as streaming media, VoIP, DNS, and TFTP.

SSL server certificate: The SSL VPN server uses this certificate to authenticate the clients.
To select a certificate other than the default certificate, go to Certificates > Certificates, and configure a locally-signed certificate or upload an external certificate.

Override hostname (optional): SSL VPN clients use the IP address or hostname you enter here rather than the WAN IP address of Sophos Firewall to establish the connection.

Enter your network's public IP address or hostname if Sophos Firewall is behind a router and doesn't have a public IP address.

If you leave this field blank, SSL VPN clients establish connections with the WAN IP address of the firewall in the listed order on Network > Interfaces.

Port (optional): Change the port number to use for the connections.


SSL VPN traffic and WAF rules must have different values for at least one of the following objects: WAN IP address, port, protocol.

SSL VPN traffic to the WAN IP address used by WAF rules is dropped if it shares a common port and protocol with the WAF rules. This applies only to IPv4 traffic.

The default HTTPS ports are different for WAF rules (443) and SSL VPN (8443). WAF traffic always uses the TCP protocol.

Here's an example of the configuration SSL VPN traffic can use when the network has two WAN IP addresses:

WAF Option 1
(Different IP address)
Option 2
(Different port)

Option 3
(Different protocol)
WAN IP address or or
Port 443 443 Don't use 443 Any port
Protocol TCP TCP or UDP TCP or UDP UDP

Assign IPv4 addresses: Sophos Firewall leases IP addresses to SSL VPN clients from the private address and subnet you specify.

Assign IPv6 addresses: Sophos Firewall leases IP addresses to SSL VPN clients from the private address and prefix you specify.


If traffic doesn't flow through remote access SSL VPN connections after you migrate to version 19.0, you may have added custom hosts for the leased IP addresses to the corresponding firewall rules.

Select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead.

Lease mode: You can choose to lease only IPv4 addresses or IPv4 and IPv6 addresses.

IPv4 DNS: You can enter the IP addresses of the primary and secondary DNS servers for the following:

  • To resolve the hostnames of network resources that remote users will access.
  • To resolve public hostnames if Sophos Firewall acts as the default gateway for remote access SSL VPN users.

IPv4 WINS (optional): You can enter the primary and secondary Windows Internet Naming Service (WINS) servers for your network.

Domain name (optional): The hostname or FQDN of Sophos Firewall used in notification messages. It helps you identify the firewall when you have more than one.

Disconnect dead peer after: Time, in seconds, after which the firewall closes connections with unresponsive clients.

Disconnect idle peer after: Time, in minutes, after which the firewall closes an idle connection.

Cryptographic settings

Encryption algorithm: Select the algorithm for encrypting data sent through the VPN tunnel.

Authentication algorithm: Select the algorithm for authenticating the messages.

Key size: Select the key size (bits). Longer keys are more secure.

Key lifetime: Enter the time (seconds) after which keys expire.

Advanced settings

Compress SSL VPN traffic: Select to compress data before it's encrypted.

Debug settings

Enable debug mode: Select to provide extensive information in the SSL VPN log file for debugging.

Back to top