Remote access SSL VPN overview

You can enable remote users to connect to the network securely over the internet using remote access SSL VPN connections.

Users can establish IPv4 and IPv6 SSL VPN connections. These connections use OpenVPN. Remote access requires digital certificates and a username and password.

  • Go to Remote access VPN > SSL VPN.
  • Click SSL VPN global settings to specify settings for all remote access SSL VPN policies. See SSL VPN global settings.
  • Click Add to create an SSL VPN remote access policy.
  • Alternatively, click Assistant to launch the SSL VPN remote access assistant and configure the policy.

Additionally, you can do the following:

  • Click Logs to see the logs.
  • Click Download client to download the Sophos Connect client and share it with users. Alternatively, users can download the client from the user portal.

    Currently, the Sophos Connect client doesn't support some endpoint devices. See Compatibility with Sophos Connect client.

Warning

The legacy SSL VPN client has reached end-of-life. It no longer appears for download on the user portal. See End-of-Life for Sophos SSL VPN client.

Configure remote access SSL VPN connections

To allow remote access to your network through the Sophos Connect client using an SSL connection, do as follows:

  1. Go to Remote access VPN > SSL VPN.
  2. Click SSL VPN global settings, specify the settings, and click Apply.
  3. Go to SSL VPN and add preconfigured users and groups. This creates a .ovpn configuration file, which appears on the user portal for the allowed users.
  4. Add firewall rules allowing traffic between the LAN and the VPN zones. The rule allows Sophos Connect clients to access the configured LAN networks.
  5. Optional: Configure a provisioning file and share it with users. The provisioning file imports the .ovpn configuration into the client.

Remote users

Users can download the Sophos Connect client from the user portal.

If you share the provisioning (.pro) file, users can double-click the file, which automatically imports the configuration into the client. Alternatively, they can download the .ovpn configuration file from the user portal and import it into the Sophos Connect client.

Sophos Connect client then establishes the connection.

Migrating to 19.0: Troubleshooting

If traffic doesn't flow through remote access SSL VPN connections after you migrate to version 19.0, you may have added custom hosts for the leased IP addresses to the corresponding firewall rules.

In version 19.0 and later, SSL VPN global settings only accept a subnet, not an IP range, for leasing IP addresses to remote access SSL VPN users.

Here's an example:

[Image: Subnet to assign IP addresses to remote access SSL VPN users]

When you migrate to 19.0, Sophos Firewall converts the IP range and subnet mask configured in earlier versions to the subnet value.

Sophos Firewall dynamically adds the leased IP addresses to the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6 when remote users establish connections. So, the firewall applies the conversion to these system hosts automatically.

However, if you've added a custom IP host for the lease range to the corresponding firewall rules instead of these system hosts, the host's lease range may not match the migrated subnet. So, traffic may not flow through the remote access SSL VPN connections after you migrate.

In the firewall rules, you must select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) rather than a custom IP host for the lease range. See Configure remote access SSL VPN with Sophos Connect client.
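
The following Python check is an added example, not part of the Sophos documentation: it compares a custom IP host range still referenced in firewall rules with the lease subnet shown in SSL VPN global settings after migration, and lists the parts of the subnet the custom host doesn't cover. The addresses are constructed sample values, and treating every address in the subnet as leasable is an assumption.

```python
import ipaddress


def uncovered_leases(range_start, range_end, lease_subnet):
    """Return CIDR blocks of lease_subnet that the custom host range misses.

    Assumption: any address in the subnet may be leased to a remote user.
    """
    net = ipaddress.ip_network(lease_subnet)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    if not (start.version == end.version == net.version):
        raise ValueError("range and subnet must use the same IP version")
    if start > end:
        raise ValueError("range start is above range end")

    lo, hi = int(net[0]), int(net[-1])
    s, e = int(start), int(end)
    if e < lo or s > hi:
        # The custom host lies entirely outside the migrated subnet.
        gaps = [(lo, hi)]
    else:
        gaps = []
        if s > lo:
            gaps.append((lo, s - 1))
        if e < hi:
            gaps.append((e + 1, hi))

    addr = type(start)  # IPv4Address or IPv6Address, matching the input
    blocks = []
    for first, last in gaps:
        blocks.extend(ipaddress.summarize_address_range(addr(first), addr(last)))
    return [str(b) for b in blocks]


if __name__ == "__main__":
    # Constructed sample: custom host created before the migration, and the
    # subnet displayed in SSL VPN global settings afterwards.
    missed = uncovered_leases("10.81.234.5", "10.81.234.55", "10.81.234.0/24")
    if missed:
        print("Leases in these blocks won't match the custom host:")
        for block in missed:
            print("  ", block)
    else:
        print("Custom host covers the whole lease subnet.")
```

A non-empty result means remote users can receive addresses that the firewall rule's custom host doesn't match, which is the condition the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6 avoid.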