SSL VPN global settings
The SSL VPN global settings apply to all remote access SSL VPN policies.
These settings are part of the .ovpn configuration file imported to the SSL VPN client.
To specify the settings, go to Remote access VPN > SSL VPN and click SSL VPN global settings.
Protocol
SSL VPN clients can establish connections using the following protocols:
- TCP: You can use TCP for applications that need high reliability, such as email, web surfing, and FTP.
- UDP: You can use UDP for applications that need a fast, efficient transmission, such as streaming media, VoIP, DNS, and TFTP.
SSL server certificate
The SSL VPN server uses this certificate to authenticate the clients.
To select a certificate other than the default certificate, go to Certificates > Certificates and configure a locally-signed certificate or upload an external one.
If you use an intermediate CA generated using an external root CA for signing the SSL server certificate, you must upload the server certificate with its private key and the intermediate and root CAs to the firewall.
Override hostname
SSL VPN clients connect to the IP address or hostname specified here. If you leave this field blank, all the interfaces belonging to the zones from which you allow SSL VPN access (Administration > Device access under Local service ACL) are listed in the .ovpn file. Clients try to establish connections with the interfaces configured on Network > Interfaces.
Choose one of the following options based on your WAN interface address:
- Single, static public IP address: You can leave Override hostname empty.
- Multiple, static public IP addresses: Choose one of the following options:
  - Enter the domain name.
  - Leave the field empty. The firewall will use the available WAN addresses.
  - Enter an interface address if you want clients to connect only to this interface.
- Upstream router: If the firewall has an upstream router, do as follows:
  - Enter the router's public IP address or the domain name.
  - Configure the router to port-forward SSL VPN traffic to the firewall.
- Dynamic IP address: To resolve the firewall's dynamic public IP addresses, do as follows:
  - Go to Network > DDNS and configure the settings. See Add a dynamic DNS provider.
  - Under Override hostname, enter the DDNS Hostname. It's an FQDN.
The permitted networks configured in SSL VPN policies don't appear in the .ovpn file. When clients establish a connection, the permitted networks for the users are automatically added to the client.
Port (optional)
Optionally, change the port number used for SSL VPN connections. Note the following warnings:
Note
You can't use the user portal port for any other service.
If the VPN portal and SSL VPN share the same port, login security settings won't work. See Login security.
Restriction
SSL VPN traffic and WAF rules must have different values for at least one of the following objects: WAN IP address, port, protocol.
SSL VPN traffic to the WAN IP address used by WAF rules is dropped if it shares a common port and protocol with the WAF rules. This applies only to IPv4 traffic.
The default HTTPS ports differ for WAF rules (443) and SSL VPN (8443). WAF traffic always uses the TCP protocol.
Here's an example of the configuration SSL VPN traffic can use when the network has two WAN IP addresses:
| | WAF | Option 1 (Different IP address) SSL VPN | Option 2 (Different port) SSL VPN | Option 3 (Different protocol) SSL VPN |
|---|---|---|---|---|
| WAN IP address | 203.0.113.1 | 203.0.113.2 | 203.0.113.1 or 203.0.113.2 | 203.0.113.1 or 203.0.113.2 |
| Port | 443 | 443 | Don't use 443 | Any port |
| Protocol | TCP | TCP or UDP | TCP or UDP | UDP |
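The restriction above is easy to get wrong when a firewall has several WAN addresses, so here is a small check, added as an example and not part of Sophos' documentation or product code, that applies the rule as stated: SSL VPN IPv4 traffic is dropped when it shares WAN IP address, port and protocol with a WAF rule, and WAF is always TCP. The listener values are constructed from the table; `Listener`, `differing_fields` and `sslvpn_dropped_by_waf` are names assumed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    """A WAN-facing listener: the address, port and protocol traffic arrives on."""
    ip: str
    port: int
    protocol: str  # "TCP" or "UDP"


def differing_fields(waf: Listener, sslvpn: Listener) -> set[str]:
    """Return which of the three objects (WAN IP address, port, protocol) differ."""
    diffs = set()
    if ipaddress.ip_address(waf.ip) != ipaddress.ip_address(sslvpn.ip):
        diffs.add("ip")
    if waf.port != sslvpn.port:
        diffs.add("port")
    if waf.protocol.upper() != sslvpn.protocol.upper():
        diffs.add("protocol")
    return diffs


def sslvpn_dropped_by_waf(waf: Listener, sslvpn: Listener) -> bool:
    """True when SSL VPN traffic would be dropped: same IPv4 WAN address, port
    and protocol as a WAF rule. The restriction applies only to IPv4 traffic."""
    if waf.protocol.upper() != "TCP":
        raise ValueError("WAF traffic always uses TCP")  # invalid WAF listener
    if ipaddress.ip_address(sslvpn.ip).version != 4:
        return False  # IPv6 SSL VPN traffic is not subject to the restriction
    return not differing_fields(waf, sslvpn)  # dropped only if nothing differs


# Constructed sample values taken from the table: WAF on the first WAN address,
# default HTTPS port 443, and the three SSL VPN options beside a conflicting one.
WAF = Listener("203.0.113.1", 443, "TCP")
CANDIDATES = {
    "conflict (same IP, port, protocol)": Listener("203.0.113.1", 443, "TCP"),
    "option 1 (different IP address)": Listener("203.0.113.2", 443, "TCP"),
    "option 2 (different port, default 8443)": Listener("203.0.113.1", 8443, "TCP"),
    "option 3 (different protocol)": Listener("203.0.113.1", 443, "UDP"),
}
OPTIONS_DROPPED = {name: sslvpn_dropped_by_waf(WAF, c) for name, c in CANDIDATES.items()}

if __name__ == "__main__":
    for name, dropped in OPTIONS_DROPPED.items():
        print(f"{name}: {'DROPPED' if dropped else 'ok'}")
```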
Assigning IP addresses
You can configure IPv4 and IPv6 networks.
Assign IPv4 and IPv6 addresses
The firewall leases IP addresses to SSL VPN clients from the network you specify.
You can only select an IPv4 subnet up to /24. For example, you can't select /25 and smaller subnets. See Troubleshoot remote access VPN.
Note
If you change these IPv4 and IPv6 address settings, and you've assigned static SSL VPN IP addresses to users, make sure the static addresses are within the updated static range.
Note
If traffic doesn't flow through remote access SSL VPN connections after you migrate to version 19.5, you may have added custom hosts for the leased IP addresses to the corresponding firewall rules.
Select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See Troubleshoot remote access VPN.
Lease mode
Select from the following:
- IPv4 only: Leases only IPv4 addresses.
- IPv4 and IPv6 both: Leases IPv4 and IPv6 addresses.
Use static IP addresses
If you select this checkbox, you can see the address range from which you can assign static IP addresses to remote access SSL VPN users. The firewall automatically splits this range based on the subnets you've specified for Assign IPv4 addresses and Assign IPv6 addresses.
To assign a static address to a user, go to Authentication > Users.
If you update the assigned IP addresses on SSL VPN global settings, make sure the address you assign to the user is within the updated static range.
Note
Currently, the firewall doesn't support simultaneous sign-ins for remote access users if you've assigned a static SSL VPN IP address to them.
DNS servers
You can configure the following:
- IPv4 DNS: Enter the IP addresses of the primary and secondary DNS servers for the following:
  - To resolve the hostnames of network resources that remote users will access.
  - To resolve public hostnames if Sophos Firewall acts as the default gateway for remote access SSL VPN users.
- IPv4 WINS: Enter the primary and secondary Windows Internet Naming Service (WINS) servers for your network.
- Domain name: Enter the DNS suffix (example: company.com or test.local) to add to the remote endpoint's network adapter. The suffix is appended to hostnames, forming an FQDN, to resolve the endpoint's DNS queries.
Disconnecting the peer
You can configure the following:
- Disconnect dead peer after: Time, in seconds, after which the firewall closes connections with unresponsive clients.
- Disconnect idle peer after: Time, in minutes, after which the firewall closes an idle connection.
Other settings
You can configure the following:
- Cryptographic settings:
  - Encryption algorithm: Select the algorithm for encrypting data sent through the VPN tunnel.
  - Authentication algorithm: Select the algorithm for authenticating the messages.
  - Key size: Select the key size (bits). Longer keys are more secure.
  - Key lifetime: Enter the time (seconds) after which keys expire.
- Debug settings:
  - Enable debug mode: Select to provide extensive information in the SSL VPN log file for debugging.