Connections

To create an SSLVPN site-to-site tunnel, it is crucial to create the server configuration first. The configuration of the client has always to be the second step.

To create a server configuration, proceed as follows:

  1. On the Connections tab, click New SSL Connection.

    The Add SSL Connection dialog box opens.

  2. Make the following settings:

    Connection type: Select Server from the drop-down list.

    Connection name: Enter a descriptive name for the connection.

    Use static virtual IP address (optional): Only select this option if the IP address pool is not compatible with the client's network environment: By default clients are assigned an IP address from the Virtual IP Pool (configurable on Settings tab). Rarely, it may happen that such an IP address is already in use on the client's host. In that case enter a suitable IP address in the Static Peer IP field which will then be assigned to the client during tunnel setup.

    Local networks: Select or add one or more local networks that are allowed to be accessed remotely. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

    Remote networks: Select or add one or more remote networks that are allowed to connect to the local network(s).

    Note – You can change the Local networks and Remote networks settings later without having to reconfigure the client.

    Automatic firewall rules (optional): When enabled, Sophos UTM on AWS will automatically allow access to the selected local networks for all accessing SSL VPN clients.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new SSL server connection appears on the Connections list.

  4. Download the configuration file.

    Use the Download button, which is located in the newly created SSL server connection row, to download the client configuration file for this connection.

    Encrypt configuration file (optional): It is advisable to encrypt the configuration file for security reasons. Enter a password twice.

    Click Download peer config to save the file.

    This file is needed by the client-side administrator in order to be able to set up the client endpoint of the tunnel.

The next step is the client configuration which has to take place on client side and not on server side. Ensure that the downloaded client configuration file is at hand.

To create a client configuration, proceed as follows:

  1. On the Connections tab, click New SSL Connection.

    The Add SSL Connection dialog box opens.

  2. Make the following settings:

    Connection type: Select Client from the drop-down list.

    Connection name: Enter a descriptive name for the connection.

    Configuration file: Click the Folder icon, browse for the client configuration file and click Start Upload.

    Password (optional): If the file has been encrypted, enter the password.

    Use HTTP proxy server (optional): Select the checkbox if the client is located behind a proxy and enter the settings for the proxy.

    Proxy requires authentication (optional): Select the checkbox if the client needs to authenticate against the proxy and enter username and password.

    Override peer hostname (optional): Select the checkbox and enter a hostname here if the server system's regular hostname (or DynDNS hostname) cannot be resolved from the client host.

    Automatic firewall rules (optional): When enabled, Sophos UTM on AWS will automatically allow traffic between hosts on the tunneled local and remote networks.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new SSL VPN client connection appears on the Connections list.

To either edit or delete a client connection, click the corresponding buttons.

Click on the Site-to-site VPN menu to see the status of the SSL VPN connection on the overview page. The status icon there turns green when the connection is established. Then information about the interconnected subnets on both sides of the tunnel becomes available, too.