Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Set up VPN and user portals

Users can access the VPN portal to download the Sophos Connect client and configuration files to establish remote access IPsec and SSL VPN connections. They can also establish clientless SSL VPN connections.

Users can use the user portal to see their personal details, such as the other client downloads, internet usage, email quarantine and exceptions, and policy overrides.

To set up VPN and user portals for your users, do as follows.

Portal settings

  1. Go to Administration > Admin and user settings and see the default port and certificate under Admin console and end-user interaction:

    1. VPN portal HTTPS port: 443

      If you want to change the default port, see Protocols and ports.

      Shows the VPN and user portal ports.

    2. Check Certificate for the certificate that signs the VPN portal.

      The default certificate is a locally-signed certificate. So, browsers show an untrusted certificate error. See Remove untrusted certificate error.

  2. Go to Administration > Device access and select the zones from which you want users to access the VPN portal, for example, WAN.

    Select the zones.

Authentication

  1. Go to Authentication > Services and select an authentication server under VPN portal authentication methods.

    Select an authentication server.

  2. Optional: Set up multi-factor authentication (MFA) as follows:

    1. Go to Authentication > Multi-factor Authentication.
    2. Under One-time password (OTP), select an option:

      • All users
      • Specific users and groups. Select the users and groups.
    3. Turn on Generate OTP token with next sign-in.

    4. Under Require MFA for, select VPN portal.
    5. Click Apply.

    Turn on MFA.

    The OTP token (QR code) appears on the VPN and user portals. Users can scan the code on either portal using an authenticator app on their mobile devices.

VPN settings and policies

  1. Go to Remote access VPN and add the users or their groups to one of the following remote access VPN policies:

    • IPsec
    • SSL VPN
    • Clientless SSL VPN
    • L2TP
    • PPTP

    Note

    The VPN portal only appears to users if they or their groups are selected in remote access policies.

Access the VPN portal

The URL format to open the VPN portal is as follows:

https://<firewall's IP address or hostname>:<VPN portal port>

Example

https://10.170.0.1:443

Portal settings

  1. Go to Administration > Admin and user settings and see the default port and certificate under Admin console and end-user interaction:

    1. User portal HTTPS port: 4443

      Note

      You can't share the user portal port with any other service. If you change its default port, make sure it's unique.

      Shows the VPN and user portal ports.

      Note

      VPN portal was introduced in SFOS 20.0. It uses the default port 443, which was previously used by the user portal. When you upgrade or restore a backup from an earlier version to SFOS 20.0 and later, the user portal's port (default 443 or custom port) is automatically assigned to the VPN portal. The user portal is then assigned the new default port 4443. If 4443 isn't available, 65040 is automatically assigned to the user portal. See New VPN portal in SFOS 20.0 and later.

    2. Check Certificate for the certificate that signs the user portal.

      The default certificate is a locally-signed certificate. So, browsers show an untrusted certificate error. See Remove untrusted certificate error.

  2. Go to Administration > Device access and select the zones from which you want users to access the user portal.

    Warning

    Don't select WAN for the user portal. It's a security risk. You can allow access from VPN, LAN, and Wi-Fi zones.

    Select the zones.

Authentication

  1. Go to Authentication > Services and select an authentication server under user portal authentication methods.

    Select an authentication server.

  2. Optional: Set up multi-factor authentication (MFA) as follows:

    1. Go to Authentication > Multi-factor Authentication.
    2. Under One-time password (OTP), select an option:

      • All users
      • Specific users and groups. Select the users and groups.
    3. Turn on Generate OTP token with next sign-in.

      User portal is selected by default.

    4. Click Apply.

    The OTP token (QR code) appears on the user portal. Users can scan the code using an authenticator app on their mobile devices.

Access the user portal

The URL format to open the user portal is as follows:

https://<firewall's IP address or hostname>:<user portal port>

Example

https://10.170.0.1:4443