Remote access SSL VPN assistant

The remote access SSL VPN assistant simplifies the setup of secure remote access in Sophos Firewall, helping you complete all the required configurations.

We recommend using the assistant, particularly when you configure remote access SSL VPN policies for the first time.

With step-by-step instructions and automated rule creation, the assistant helps you configure the following settings:

  • Users, groups, and authentication servers for tunnel access
  • Tunnel modes and permitted resources to access
  • Zone permissions for the VPN portal and the SSL VPN tunnel
  • Firewall rules, which the assistant generates automatically

Configure the settings

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Review the global settings and click Next.

    Note

    You can't change the SSL VPN global settings within the SSL VPN assistant. To change the global settings, go to Remote access VPN > SSL VPN > SSL VPN global settings.

  3. Specify the settings:

    VPN name

    Enter a name to identify the connection. This is the name of your SSL VPN remote access policy. The name also appears as part of the firewall rule that the assistant creates.

    Users and groups

    Select the users and groups that can connect using this policy.

    When users and groups included in the latest policy are also members of an earlier remote access SSL VPN policy, the firewall automatically removes them from the earlier one.

    Authentication servers

    Select the servers you want to use to authenticate users. Choose one of the following:

    • Same as VPN (IPsec, L2TP, PPTP)
    • Same as firewall
    • Set authentication method for SSL VPN

    To change this setting later, go to Authentication > Services > SSL VPN authentication methods.

    Tunnel mode

    Select whether to use the VPN for all the users' traffic (to the resources you've specified and the internet) or only for traffic to the resources:

    • Use VPN for all traffic
    • Use VPN only for traffic to resources

    If you select Use VPN for all traffic, make sure that the default IPv4 SNAT rule, or a different SNAT rule that masquerades outbound traffic, exists in Rules and policies > NAT rules. See Check the SNAT rule.

    Access to resources

    Only available if you set the tunnel mode to Use VPN only for traffic to resources. Select the hosts and networks you want to allow access to through the VPN. Scroll down to the bottom of the list to see the Apply selected items button.

    Dynamic IP address changes for FQDNs aren't automatically updated for SSL VPN tunnels. Remote users must manually disconnect and reconnect to access the permitted resource.

    VPN portal access

    Select the zones from which users can access the VPN portal. Users can download the SSL VPN client and configuration files from the VPN portal.

    To change this setting later, go to Administration > Device access.

    SSL VPN access

    Select the zones from which users can establish SSL VPN tunnels.

    To change this setting later, go to Administration > Device access.

    Review your settings

    Click Finish to create the remote access SSL VPN policy and firewall rules automatically.

Configurations created

The assistant creates the following configurations:

  • Remote access SSL VPN policy
  • Device access for the VPN portal and the SSL VPN tunnel
  • Firewall rule

    The first time you use the assistant, it creates the firewall rule group Automatic VPN rules, places it at the top of the rule table, and adds the firewall rule to it. The rule is turned on by default.

    When you use the assistant later, it places the automatic firewall rule it creates at the bottom of the group. Move the rule to the desired position because the firewall evaluates rules sequentially from the top until it finds a match for the traffic.
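To make the ordering point concrete, here is an added Python model of first-match rule evaluation (not Sophos code, and not the firewall's actual matching logic; the rule names, zones and networks are constructed). It flags a rule that the assistant appended at the bottom of the group below a broader drop rule, and shows why repositioning it matters:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_net: str   # destination CIDR; "0.0.0.0/0" means any host
    action: str    # "accept" or "drop"

def first_match(rules, src_zone, dst_zone, dst_ip):
    """Walk the table top-down and return (rule name, action) of the first hit.
    Traffic matching no rule is dropped (assumed default; the page doesn't say)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and ip in ipaddress.ip_network(r.dst_net):
            return r.name, r.action
    return None, "drop"

def shadowed_rules(rules):
    """Names of rules that can never match: an earlier rule with the same zones
    already covers their whole destination network, so the later rule is dead."""
    shadowed = []
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(r.dst_net)
        for earlier in rules[:i]:
            same_zones = (earlier.src_zone, earlier.dst_zone) == (r.src_zone, r.dst_zone)
            if same_zones and net.subnet_of(ipaddress.ip_network(earlier.dst_net)):
                shadowed.append(r.name)
                break
    return shadowed

def moved_to(rules, name, new_index):
    """Copy of the table with one rule repositioned, as an admin does in the rule table."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:new_index] + [rule] + rest[new_index:]

# Constructed "Automatic VPN rules" group (hypothetical names, zones and networks):
# the first assistant run put its rule at the top, an admin later added a
# catch-all drop, and a second assistant run appended its rule at the bottom.
AUTOMATIC_VPN_RULES = [
    Rule("SSL VPN: Sales", "VPN", "LAN", "10.1.0.0/16", "accept"),
    Rule("Block other VPN to LAN", "VPN", "LAN", "0.0.0.0/0", "drop"),
    Rule("SSL VPN: Support", "VPN", "LAN", "10.2.50.0/24", "accept"),
]
# shadowed_rules(AUTOMATIC_VPN_RULES) -> ['SSL VPN: Support']; traffic to 10.2.50.7 hits
# the drop rule until moved_to(AUTOMATIC_VPN_RULES, "SSL VPN: Support", 1) lifts it above.
```

Running shadowed_rules over your exported rule table after each assistant run is a quick way to catch a newly appended VPN rule that a broader rule above it silently neutralises.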

Next steps

You must do as follows on the web admin console:

  • Reposition the firewall rule to meet your requirements. The firewall evaluates rules in the order shown.
  • Change the SSL VPN global settings, if required.
  • (Optional) To use single sign-on (SSO), you must set up Microsoft Entra ID and use it as an authentication method in Authentication > Services. See Microsoft Entra ID SSO.

Users must sign in to the VPN portal and do as follows:

  • First-time users must download and install the Sophos Connect client.
  • The assigned users must download the SSL VPN configuration file and import it into the client.

See SSL VPN.