
SSL VPN global settings

The SSL VPN global settings apply to all remote access SSL VPN policies.

These settings are part of the .ovpn configuration file imported to the SSL VPN client.

To specify the settings, go to Remote access VPN > SSL VPN and click SSL VPN global settings.

Protocol

SSL VPN clients can establish connections using the following protocols:

  • TCP: You can use TCP for applications that need high reliability, such as email, web surfing, and FTP.
  • UDP: You can use UDP for applications that need a fast, efficient transmission, such as streaming media, VoIP, DNS, and TFTP.

SSL server certificate

The SSL VPN server uses this certificate to authenticate the clients.

To select a certificate other than the default certificate, go to Certificates > Certificates and configure a locally-signed certificate or upload an external one.

If you use an intermediate CA generated using an external root CA for signing the SSL server certificate, you must upload the server certificate with its private key and the intermediate and root CAs to the firewall.

Override hostname (optional)

SSL VPN clients connect to the IP address or hostname specified here. If you leave this field blank, all the interfaces belonging to the zones from which you allow SSL VPN access (Administration > Device access under Local service ACL) are listed in the .ovpn file. Clients try to establish connections with the interfaces configured on Network > Interfaces.

Choose one of the following options based on your WAN interface address:

  • Single, static public IP address: You can leave Override hostname empty.
  • Multiple, static public IP addresses: Choose one of the following options:

    • Enter the domain name.
    • Leave the field empty. The firewall will use the available WAN addresses.
    • Enter an interface address if you want clients to connect only to this interface.
  • Upstream router: If the firewall has an upstream router, do as follows:

    1. Enter the router's public IP address or the domain name.
    2. Configure the router to port-forward SSL VPN traffic to the firewall.
  • Dynamic IP address: To resolve the firewall's dynamic public IP addresses, do as follows:

    1. Go to Network > DDNS and configure the settings. See Add a dynamic DNS provider.
    2. Under Override hostname, enter the DDNS Hostname. It's an FQDN.

The permitted networks configured in SSL VPN policies don't appear in the .ovpn file. When clients establish a connection, the permitted networks for the users are automatically added to the client.

Port (optional)

Change the port number to use for the connections if you want. See the following warnings:

Warning

We strongly recommend that you don't use the port configured for the user portal (Administration > Admin and user settings). This ensures the user portal isn't exposed to the WAN zone.

For example, if you use port 443 for the user portal and SSL VPN, the user portal will be accessible from the WAN zone even when you turn off WAN access to it.

Restriction

SSL VPN traffic and WAF rules must have different values for at least one of the following objects: WAN IP address, port, protocol.

SSL VPN traffic to the WAN IP address used by WAF rules is dropped if it shares a common port and protocol with the WAF rules. This applies only to IPv4 traffic.

The default HTTPS ports differ for WAF rules (443) and SSL VPN (8443). WAF traffic always uses the TCP protocol.

Here's an example of the configuration SSL VPN traffic can use when the network has two WAN IP addresses:

Object          | WAF         | Option 1: SSL VPN        | Option 2: SSL VPN          | Option 3: SSL VPN
                |             | (different IP address)   | (different port)           | (different protocol)
WAN IP address  | 203.0.113.1 | 203.0.113.2              | 203.0.113.1 or 203.0.113.2 | 203.0.113.1 or 203.0.113.2
Port            | 443         | 443                      | Don't use 443              | Any port
Protocol        | TCP         | TCP or UDP               | TCP or UDP                 | UDP
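The restriction and the user-portal warning above, as an added example that is not Sophos Firewall code: a small Python check that models an SSL VPN listener against WAF rules and the user portal port, using constructed values taken from the example table (two WAN IPs, WAF on 203.0.113.1:443/TCP).

```python
# Added example, not Sophos Firewall code: models the WAF/SSL VPN restriction
# and the user-portal port warning from this page as a pre-change check.
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    """A service reachable on a WAN IP/port/protocol ('TCP' or 'UDP')."""
    name: str
    ip: str
    port: int
    proto: str

def waf_rule(name, ip, port):
    # WAF traffic always uses TCP, so the protocol is fixed.
    return Listener(name, ip, port, "TCP")

def sslvpn_listeners(wan_ips, port, proto):
    """Expand the SSL VPN global settings into one listener per WAN IP.
    With Override hostname empty, every WAN IP is offered to clients."""
    return [Listener("SSL VPN", ip, port, proto.upper()) for ip in wan_ips]

def find_conflicts(vpn, waf_rules, user_portal_port=None):
    """Return findings as strings; an empty list means the settings are clean.
    A WAF rule clashes when it shares WAN IP, port and protocol with the VPN
    listener (the firewall drops that VPN traffic; IPv4 only per the page)."""
    findings = []
    for v in vpn:
        for w in waf_rules:
            if (v.ip, v.port, v.proto) == (w.ip, w.port, w.proto):
                findings.append(
                    f"dropped: SSL VPN {v.ip}:{v.port}/{v.proto} "
                    f"shares IP, port and protocol with WAF rule '{w.name}'")
        if user_portal_port is not None and v.port == user_portal_port:
            findings.append(
                f"exposed: SSL VPN port {v.port} is also the user portal port, "
                "so the portal is reachable from the WAN zone")
    return findings

if __name__ == "__main__":
    # Constructed values matching the page's example table (two WAN IPs).
    waf = [waf_rule("webapp", "203.0.113.1", 443)]
    for label, vpn in [
        ("option 1", sslvpn_listeners(["203.0.113.2"], 443, "tcp")),
        ("option 2", sslvpn_listeners(["203.0.113.1", "203.0.113.2"], 8443, "tcp")),
        ("option 3", sslvpn_listeners(["203.0.113.1", "203.0.113.2"], 443, "udp")),
        ("collision", sslvpn_listeners(["203.0.113.1"], 443, "tcp")),
    ]:
        print(label, find_conflicts(vpn, waf, user_portal_port=4443) or "ok")
```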

Assigning IP addresses

You can configure IPv4 and IPv6 networks.

Assign IPv4 and IPv6 addresses

The firewall leases IP addresses to SSL VPN clients from the network you specify.

You can only select an IPv4 subnet of /24 or larger; for example, you can't select /25 or smaller subnets. See Troubleshoot remote access VPN.

Note

If you change these IPv4 and IPv6 address settings, and you've assigned static SSL VPN IP addresses to users, make sure the static addresses are within the updated static range.

Note

If traffic doesn't flow through remote access SSL VPN connections after you migrate to version 19.0, you may have added custom hosts for the leased IP addresses to the corresponding firewall rules.

Select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See Troubleshoot remote access VPN.

Lease mode

Select from the following:

  • IPv4 only: Leases only IPv4 addresses.
  • IPv4 and IPv6 both: Leases IPv4 and IPv6 addresses.

Use static IP addresses

If you select this checkbox, you can see the address range from which you can assign static IP addresses to remote access SSL VPN users. The firewall automatically splits this range based on the subnets you've specified for Assign IPv4 addresses and Assign IPv6 addresses.

To assign a static address to a user, go to Authentication > Users.

If you update the assigned IP addresses on SSL VPN global settings, make sure the address you assign to the user is within the updated static range.
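The subnet-size limit and the static-address caveat above, as an added example that is not Sophos Firewall code: a Python check to run before changing the assigned IPv4 subnet, using constructed user assignments. The firewall itself splits the subnet into dynamic and static ranges, so membership in the subnet is a necessary check, not a reproduction of that split.

```python
# Added example, not Sophos Firewall code: sanity-checks the "Assign IPv4
# addresses" subnet and users' static SSL VPN addresses before a change.
import ipaddress

# The page states the IPv4 subnet must be /24 or larger (/25 and smaller rejected).
MAX_IPV4_PREFIX = 24

def check_lease_config(ipv4_subnet, static_users):
    """ipv4_subnet: e.g. '10.81.234.0/24'. static_users: {username: 'a.b.c.d'}.
    Returns a list of problems; an empty list means the change looks safe.
    The firewall splits the subnet into dynamic/static ranges itself, so this
    only checks that each static address can possibly fall inside the subnet."""
    problems = []
    try:
        net = ipaddress.IPv4Network(ipv4_subnet, strict=True)
    except ValueError as e:
        return [f"invalid subnet {ipv4_subnet!r}: {e}"]
    if net.prefixlen > MAX_IPV4_PREFIX:
        problems.append(
            f"{net} is a /{net.prefixlen}; the firewall only accepts /{MAX_IPV4_PREFIX} or larger")
    seen = {}  # address -> first user it was assigned to
    for user, addr in static_users.items():
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{user}: {addr!r} is not a valid IPv4 address")
            continue
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{user}: {ip} is outside the usable range of {net}")
        if ip in seen:
            problems.append(f"{user}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, user)
    return problems

if __name__ == "__main__":
    # Constructed data: a new /24 and a few static assignments, one of them stale.
    users = {"alice": "10.81.234.50", "bob": "10.81.234.50", "carol": "10.81.235.5"}
    for p in check_lease_config("10.81.234.0/24", users):
        print("problem:", p)
```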

Note

Currently, the firewall doesn't support simultaneous sign-ins for remote access users if you've assigned a static SSL VPN IP address to them.

DNS servers

You can configure the following:

  • IPv4 DNS: Enter the IP addresses of the primary and secondary DNS servers for the following:

    • To resolve the hostnames of network resources that remote users will access.
    • To resolve public hostnames if Sophos Firewall acts as the default gateway for remote access SSL VPN users.
  • IPv4 WINS: Enter the primary and secondary Windows Internet Naming Service (WINS) servers for your network.

  • Domain name: Enter the DNS suffix (example: company.com or test.local) to add to the remote endpoint's network adapter. The suffix is appended to hostnames, forming an FQDN, to resolve the endpoint's DNS queries.

Disconnecting the peer

You can configure the following:

  • Disconnect dead peer after: Time, in seconds, after which the firewall closes connections with unresponsive clients.
  • Disconnect idle peer after: Time, in minutes, after which the firewall closes an idle connection.

Other settings

You can configure the following:

  • Cryptographic settings:

    • Encryption algorithm: Select the algorithm for encrypting data sent through the VPN tunnel.
    • Authentication algorithm: Select the algorithm for authenticating the messages.
    • Key size: Select the key size (bits). Longer keys are more secure.
    • Key lifetime: Enter the time (seconds) after which keys expire.
  • Advanced settings:

    • Compress SSL VPN traffic: Select to compress data before it's encrypted.
  • Debug settings:

    • Enable debug mode: Select to provide extensive information in the SSL VPN log file for debugging.