RED interfaces
A Remote Ethernet Device (RED) provides a secure tunnel between a remote site and Sophos Firewall.
REDs connect remote branch offices to your main offices as if the branch office is part of your local network. Using RED interfaces, you can configure and install RED appliances or create a site-to-site RED tunnel between two Sophos Firewall devices in a client-server configuration.
Warning
RED 15, 15 (w), and 50 are now end-of-life (EOL). Your existing tunnels with these devices will be disconnected when you upgrade to SFOS 20.0 MR1 or later versions. To continue to use them, you must run SFOS 20.0 GA or earlier versions. We recommend you use SD-RED 20 or 60. See End of life of RED 15/15(w) and RED 50 and Retirement calendar.
You can configure RED tunnels using the following options:
- RED appliance: You can establish a tunnel between Sophos Firewall in the head office and a RED appliance at the remote office. The firewall supports the SD-RED 20 and 60 appliances. You can provision a RED device in one of the following ways:
  - Automatically via provisioning service: Sophos Firewall provisions the remote RED appliance automatically through the RED provisioning server. See Set up a RED device automatically.
  - Manually via USB stick: You provision the remote RED appliance using a USB device. In this method, you copy the provisioning file from Sophos Firewall to a USB device and install the file on the RED appliance. See Set up a RED device manually.
Note
For optimal performance, turn off the 802.3az setting on the switches connected to SD-RED 20 and 60.
- Firewall RED device: You can create a site-to-site RED tunnel between two Sophos Firewall devices in a client-server configuration. Firewall RED devices are Sophos Firewall devices that communicate using the RED tunnel. You can use Firewall RED device types as follows:
  - Firewall RED server or client: Select this option if you're connecting two Sophos Firewall devices or two UTM devices.
  - Firewall RED server or client (legacy): Select this option if you're connecting Sophos Firewall to a UTM device.
RED network configuration
In a typical configuration, you set up the device at a branch office and connect it to the firewall at the head office.
The RED establishes a VPN tunnel to the firewall, so anything connected to the RED becomes part of the network. All traffic in and out of the branch office is routed through the RED. You can apply the same policies across local and remote traffic or create custom policies by location.
RED provisioning servers
When you configure a RED on Sophos Firewall, the firewall uploads the following configuration details to the RED provisioning servers:
- IP address of the firewall's web admin console
- WAN settings:
  - WAN uplink mode (DHCP, PPPoE, Static)
  - Mobile broadband connection settings for RED hardware
  - If you've selected static uplink mode, RED WAN IP address settings (IP address, netmask, default gateway, and DNS server)
- Tunnel operation mode (example: Standard)
- Unlock code
The cloud-based RED provisioning servers store the configurations. When you add a RED device, it performs a DNS lookup of red.astaro.com, securely connects to the closest provisioning server, and gets its configuration from the provisioning server. When an existing configuration doesn't work, it checks the provisioning servers for updated instructions. A working RED doesn't connect to the provisioning servers.
SD-RED 20 and 60 use ports TCP 3400 and UDP 3410. For a complete list of the RED provisioning server hostnames and ports, see Default services.
RED unlock codes
A RED unlock code allows the provisioning servers to accept a new configuration for a RED. It prevents a RED that is in use from being accidentally or maliciously redirected.
First-time use
If you're configuring a RED for the first time, leave the unlock code blank and save the configuration. The firewall uploads the RED configuration to the provisioning server. The provisioning server generates an unlock code specific to the RED. You can see it in the web admin console. It also sends the code to the email address you provided when you turned on the RED provisioning service. If you move the RED to a new firewall, you must enter the old unlock code to register the RED to the new firewall.
Previously used RED
When you delete a RED interface from the web admin console, the console shows the unlock code in a pop-up message confirming the delete action. It also sends the code to the email address you provided on System services > RED.
Warning
Retain the unlock code. Make sure this email address is up to date and accurate. You'll need the code to set up the RED on another firewall.
If you can't find the unlock code, contact Sophos Support.
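To make the unlock-code protection concrete, here is an added Python model of the provisioning-server behaviour described in the two sections above (configuration upload and the first-time versus previously-used unlock-code rules). It is illustrative code written for this page, not Sophos's implementation; the RED ID, the code length and the in-memory store are assumptions.

```python
"""Toy model of a RED provisioning server's unlock-code check.

Assumptions (not taken from the page): configurations are keyed by a
per-device RED ID, the server generates a random 16-hex-digit unlock code
on first registration, and the code is kept (not rotated) afterwards.
"""
import hmac
import secrets


class ProvisioningServer:
    def __init__(self):
        # red_id -> (config dict, unlock code); stands in for the cloud store
        self._store = {}

    def register(self, red_id, config, unlock_code=""):
        """A firewall uploads a configuration for one RED.

        Returns (accepted, unlock_code). First-time use: the code must be
        blank and the server issues one. Previously used RED: the caller
        must present the existing code, otherwise the upload is rejected
        so an in-use RED can't be redirected to another firewall.
        """
        entry = self._store.get(red_id)
        if entry is None:
            if unlock_code:
                return False, None  # unknown RED but a code was supplied
            code = secrets.token_hex(8)
            self._store[red_id] = (config, code)
            return True, code
        _, current_code = entry
        # Constant-time comparison on bytes; avoids timing leaks on the code
        if not hmac.compare_digest(current_code.encode(), unlock_code.encode()):
            return False, None  # wrong or missing code: keep old config
        self._store[red_id] = (config, current_code)
        return True, current_code

    def fetch_config(self, red_id):
        """What the RED receives after locating the provisioning server."""
        entry = self._store.get(red_id)
        return None if entry is None else entry[0]


if __name__ == "__main__":
    srv = ProvisioningServer()
    ok, code = srv.register("RED-EXAMPLE", {"uplink": "dhcp", "mode": "standard"})
    print("first registration:", ok, "code:", code)
    print("hijack attempt:", srv.register("RED-EXAMPLE", {"uplink": "static"}, "guess"))
    print("move with code:", srv.register("RED-EXAMPLE", {"uplink": "static"}, code))
```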
How to configure a RED
You can configure a RED appliance, or configure Sophos Firewall itself to act as a RED device.
How to configure a RED appliance
You can connect RED appliances, such as SD-RED, installed in the remote office, to Sophos Firewall installed in the main office.
- Go to System services > RED.
- Turn on the RED service, and register Sophos Firewall with the RED provisioning server. This is a one-time action.
- Configure the RED interface on your Sophos Firewall. See Add a RED interface.
- Go to Administration > Device access and allow RED services.
- Connect the RED appliance to the internet at the remote site.
How to configure the firewall as a RED appliance
You can connect Sophos Firewall devices in the head and remote offices using a site-to-site RED tunnel.
- Go to System services > RED.
- Turn on the RED service, and register Sophos Firewall with the RED provisioning server. This is a one-time action.
- Configure firewall 1 as the Firewall RED Server. See Add a RED interface.
- Go to Network > Interfaces. Download the provisioning file for firewall 1.
- Configure firewall 2 as the Firewall RED Client. Upload the provisioning file.
- Go to Administration > Device access and allow RED services on both firewalls.
See Create a site-to-site RED tunnel.