Sophos XG series VPN configuration
From Notes_Wiki
Home > Enterprise security devices or applications > Sophos Firewall or IPS > Sophos XG series VPN configuration
In case of Sophos firewall we can configure VPN as follows:
- Go to VPN -> "Show VPN Settings" and configure the LAN IPs (VPN IPs) to be allotted to users once they are connected over VPN. These are typically a small subnet (eg /24) from 10.0.0.0/8 (Preferable), 172.16.0.0/12 or 192.168.0.0/16.
- Avoiding 192.168.0.0/16 makes sense as many home routers by default use that range. We need the VPN IP range to be different then users home subnet/IP range for VPN to work properly.
- Go to Authentication -> Groups and create a group for "VPN users". Then add a few users to the group as per requirement.
- In future if additional users need to be allowed access to VPN only creating users and adding to group should be enough. Rest of the configuration described below is one time configuration only.
- Go to "Hosts and services" -> "IP hosts" and define both local subnets and VPN subnets.
- Go to "VPN" -> "SSL VPN" and Add policy allowing users of "VPN users" group access to local subnets (IP hosts) defined above.
- This is as per requirement. If you have different user groups who need access to different LAN resources, we can define multiple policies accordingly.
- Go to authentication services. Ensure that authentication to firewall and SSL VPN is via local authentication.
- Go to administration -> Device access. Ensure that SSL VPN is accessible over WAN. Based on requirement allow User portal also on LAN, wifi, WAN, etc. interfaces.
- As such user portal on WAN is not recommended for security reasons. However, if we use that then it makes things really simple. Users are able to download the VPN client, configuration and change password remotely without requiring to be connected to office over VPN first / present in office.
- Go to "Firewall" -> "Add firewall rule" -> "Add user/network rule". Here allow connections to/from VPN IP ranges (Subnets) and office LAN subnets as part of firewall policy. This is ideally duplication of access allowed as per VPN policy while defining which groups have access to which LAN resources.
- After this login into user portal. Download client and configuration. Test connectivity to firewall.
- For this test we should be outside offlice network. Or at least do this test using wifi hotspot / mobile network and not using offlice LAN/Internet.
Refer:
Home > Enterprise security devices or applications > Sophos Firewall or IPS > Sophos XG series VPN configuration