Add a remote access SSL VPN policy

You can configure remote access SSL VPN policies to allow users and groups to access the permitted network resources. You can also require their internet traffic to flow through the firewall.

The gateway, client addresses, and other settings are based on SSL VPN global settings.

Configure the policy

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Click Configure manually.
  3. Enter a name.
  4. For Policy members, select the preconfigured users and groups.

    Guest users don't have access to remote access IPsec VPN and remote access SSL VPN. So, you can't add guest users and guest groups.

    Warning

    When users and groups included in the latest policy are also members of an earlier remote access SSL VPN policy, the firewall automatically removes them from the earlier one.

  5. Turn on Use as default gateway to send all remote user traffic, including traffic to the network and the internet, through the firewall.

    If you turn this feature on, make sure you create the following rules and policies:

    1. Firewall rules to allow traffic to the permitted networks.
    2. A firewall rule with the following settings to allow remote users' internet traffic:

      • Source zone set to VPN
      • Destination zone set to Any
      • Source networks and devices set to the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6
    3. The required protection policies for traffic to the internet.

    4. Check if the default IPv4 SNAT rule or a different SNAT rule exists to masquerade outbound traffic. If it doesn't, configure a linked NAT rule to translate the SSL VPN leased IP addresses to a public IP address in your firewall. See Check the SNAT rule.
  6. For Permitted network resources, select the internal networks the policy's remote access users are allowed to reach. This setting applies only if you haven't turned on Use as default gateway.

    • When you turn on Use as default gateway, the firewall doesn't enforce the permitted resources setting. Remote users' access isn't limited to the networks you specify in the SSL VPN policy. You must use firewall rules to control access to these networks.
    • You can also select FQDNs for permitted IPv4 networks. VPN logs show the resolved IP addresses rather than the FQDNs.

      Note

      Dynamic IP address changes for FQDNs aren't automatically updated for SSL VPN tunnels. Remote users must manually disconnect and reconnect to access the permitted resource.

  7. (Optional) Select Disconnect idle clients if you want the firewall to disconnect clients whose sessions have been idle for a specific time.

  8. (Optional) For Override global timeout, enter the time in minutes.

    Note

    This time-out value only applies if it's lower than the idle peer value in SSL VPN global settings. If you specify a higher value, the global settings' value applies.
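The prerequisites for a full-tunnel policy (steps 5 and 6) and the timeout rule in the note above, as an added example that is not part of this page or the firewall's own tooling: a lint over a policy and its firewall rules. The dict and dataclass layout is constructed for the example, not the firewall's export or API format; only the zone names and the ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6 system hosts come from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# System hosts the page names for the remote users' internet rule.
SSLVPN_HOSTS = {"##ALL_SSLVPN_RW", "##ALL_SSLVPN_RW6"}


@dataclass
class FirewallRule:  # constructed layout, not the firewall's export format
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    src_networks: Set[str]
    action: str = "accept"


@dataclass
class SslVpnPolicy:  # constructed layout, not the firewall's export format
    name: str
    use_as_default_gateway: bool
    permitted_networks: Set[str] = field(default_factory=set)
    override_timeout_min: Optional[int] = None  # None = Override global timeout not set


def effective_idle_timeout(policy: SslVpnPolicy, global_idle_min: int) -> int:
    """The override applies only when it is lower than the global idle peer value."""
    if policy.override_timeout_min is not None and policy.override_timeout_min < global_idle_min:
        return policy.override_timeout_min
    return global_idle_min


def lint_policy(policy: SslVpnPolicy, rules: List[FirewallRule], snat_rule_present: bool) -> List[str]:
    """Return findings for the dependencies the procedure lists; empty list means none."""
    findings = []
    if not policy.use_as_default_gateway:
        # Split tunnel: the permitted resources list is what limits remote users.
        if not policy.permitted_networks:
            findings.append("no permitted network resources selected")
        return findings
    # Full tunnel: a VPN -> Any rule for both system hosts must carry internet traffic.
    has_internet_rule = any(
        "VPN" in r.src_zones and "Any" in r.dst_zones
        and SSLVPN_HOSTS <= r.src_networks and r.action == "accept"
        for r in rules
    )
    if not has_internet_rule:
        findings.append("missing firewall rule VPN -> Any for ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6")
    if not snat_rule_present:
        findings.append("no SNAT rule masquerades the SSL VPN leased addresses")
    if policy.permitted_networks:
        # Not enforced in this mode; access to these networks must be limited by firewall rules.
        findings.append("permitted network resources are not enforced with Use as default gateway on")
    return findings
```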

Next steps

You must allow access to the required firewall services and resources as follows:

  1. Go to Administration > Device access and select the following zones to allow traffic to the services from specific zones:

    1. SSL VPN: WAN
    2. VPN portal: LAN, WAN

      Users must download the configuration file from the VPN portal.

  2. Go to Rules and policies > Firewall rules and add a firewall rule or update an existing one to allow access to resources through the remote access SSL VPN tunnels.