
SSL VPN remote access assistant

The SSL VPN assistant helps you complete the entire remote access SSL VPN configuration, including the SSL VPN policy, VPN portal, authentication servers, firewall rule, and device access settings.

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Review the global settings and click Next.

    Note

    You can't change the SSL VPN global settings within the SSL VPN assistant. To change the global settings, go to Remote access VPN > SSL VPN > SSL VPN global settings.

  3. Specify the settings:

    VPN name

    Enter a name to identify the connection. This is the name of your SSL VPN remote access policy. The name also appears as part of the firewall rule that the assistant creates.

    Users and groups

    Select the users and groups that can connect using this policy.

    Authentication servers

    Select the servers you want to use to authenticate users. Choose one of the following:

    • Same as VPN (IPsec, L2TP, PPTP)
    • Same as firewall
    • Set authentication method for SSL VPN
    To change this setting later, go to Authentication > Services > SSL VPN authentication methods.
    Access to resources

    Select the hosts and networks you want to allow users to access with the VPN.

    Scroll down to the bottom of the list to see the Apply selected items button.

    Dynamic IP address changes for FQDNs aren't automatically updated for SSL VPN tunnels. Remote users must manually disconnect and reconnect to access the permitted resource.

    Tunnel mode

    Select whether to use VPN for all the users' traffic (to the resources you've specified and the internet) or only to the resources.

    • Use VPN for all traffic
    • Use VPN only for traffic to resources

    If you select Use VPN for all traffic, make sure that the default IPv4 SNAT rule or an SNAT rule to masquerade outbound traffic exists in Rules and policies > NAT rules. See Check the SNAT rule.

    VPN portal access

    Select the zones from which users can access the VPN portal. Users can download the SSL VPN client and configuration files from the VPN portal.

    To change this setting later, go to Administration > Device access.

    SSL VPN access

    Select the zones from which users can establish SSL VPN tunnels.

    To change this setting later, go to Administration > Device access.

    Review your settings

    Click Finish to create the remote access SSL VPN policy and firewall rules automatically.

The assistant creates the SSL VPN policy, firewall rule, and device access settings. The first time the assistant runs, it also creates the Automatic VPN rules firewall rule group and places it at the top of the rule table. The firewall rules created by the assistant are shown at the bottom of the Automatic VPN rules firewall rule group and are turned on by default.

Next steps

  • Reposition the firewall rule to meet your requirements. Sophos Firewall evaluates rules in the order shown.
  • Change the SSL VPN global settings, if required.
  • Have users download the SSL VPN client and configuration files from the VPN portal.
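
Why repositioning matters: because rules are evaluated in the order shown and the Automatic VPN rules group is placed at the top of the rule table, an accept rule created by the assistant can match before a drop rule further down. The following is an added example, not Sophos code or the Sophos Firewall API. It uses a simplified first-match model, and the rule names, zones, and networks are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # zone the traffic arrives from; "ANY" matches every zone
    dst: str       # destination network in CIDR form
    action: str    # "accept" or "drop"

    def matches(self, src_zone, dst_ip):
        zone_ok = self.src_zone in ("ANY", src_zone)
        return zone_ok and ip_address(dst_ip) in ip_network(self.dst)

def first_match(rules, src_zone, dst_ip):
    """Return the first rule, top to bottom, that matches the flow, or None."""
    return next((r for r in rules if r.matches(src_zone, dst_ip)), None)

def shadowed_drops(rules):
    """Return (accept, drop) name pairs where an accept rule higher in the
    table overlaps the zone and destination of a drop rule below it."""
    pairs = []
    for i, later in enumerate(rules):
        if later.action != "drop":
            continue
        for earlier in rules[:i]:
            same_zone = ("ANY" in (earlier.src_zone, later.src_zone)
                         or earlier.src_zone == later.src_zone)
            if (earlier.action == "accept" and same_zone and
                    ip_network(earlier.dst).overlaps(ip_network(later.dst))):
                pairs.append((earlier.name, later.name))
    return pairs

# Constructed rule table: the assistant's rule group sits at the top.
AFTER_ASSISTANT = [
    Rule("Automatic VPN rules / RemoteStaff", "VPN", "10.0.0.0/16", "accept"),
    Rule("Block finance servers", "ANY", "10.0.50.0/24", "drop"),
    Rule("LAN to servers", "LAN", "10.0.0.0/16", "accept"),
]
# The same rules after moving the drop rule above the VPN rule.
REPOSITIONED = [AFTER_ASSISTANT[1], AFTER_ASSISTANT[0], AFTER_ASSISTANT[2]]

if __name__ == "__main__":
    for label, table in (("after assistant", AFTER_ASSISTANT),
                         ("repositioned", REPOSITIONED)):
        hit = first_match(table, "VPN", "10.0.50.10")
        print(label, "->", hit.name, hit.action, shadowed_drops(table))
```

In the constructed table, VPN traffic to 10.0.50.10 is accepted until the drop rule is moved above the VPN rule.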