Mikes Custom

SSL VPN on Sophos XG

Demystifying SSL VPN on Sophos XG

If you have tried to use SSL VPN on Sophos XG you might have found it to be a bit intimidating and also irritating as it is a multi-step process. Though it seems straight forward at first to do the basic setup, it is just not very obvious on how to get it to actually work. In all my searching, I did not find a start to finish guide on how to setup it up from scratch. I found several guides from Sophos on each section but it relies on you to put it all together. I spent some time with it before I got it to work and decided to put this guide together in hopes of helping others. There may be other ways but this is what worked for me. After you do it once you will find that it is actually very easy and it does actually make sense even though they should have done a better job simplifying the process and more importantly in documenting it.

 

Setup

Before you can even attempt to use VPN, you need to setup several areas such as SSL settings, Remote Access Settings, Users, and a Firewall rule.  It sounds more complicated than it really is so here are the instructions to each section.  You should do these in this specific order to avoid confusion and issues along the way.

  • SSL VPN Setting: Lets first start with the SSL Settings. This is actually one of the easier sections and you will only make minor changes to the defaults.
    • All you have to do hear is select UDP and setup the DNS servers you want to use.  If you do not choose any DNS servers it will use the default that you have setup in your router so just leave them blank.

SNAG-0053 SNAG-0055

 

  • Users: It may not make sense now but you will need to create one or more users before going on to the next section. Users will be used in the remote access section as well as your VPN rule that you create later.  Once you see the settings in the remote section it will make sense as to why you want users created now. You can optionally create groups as well if you have many users and want to simplify setting up permissions later.

SNAG-0243SNAG-0244SNAG-0245SNAG-0246

 

  • SSL VPN (Remote Access): This section is fairly easy but is critical if you want to be able to access everything you need from your VPN connection. This is also the area where you can restrict certain users to only what you want them to see.

SNAG-0054SNAG-0057 SNAG-0058

 

  • Create the VPN rule: This is one of the most important steps in making the VPN work correctly and ties all the other sections together.  If you do not get this right your VPN will not work or give you access to everything you need on your network.

 

  SNAG-0058bSNAG-0065SNAG-0068SNAG-0067

 

  • User Portal for client installation: This is another area that is not hard to do if you know that you have to do it. Other services like OpenVPN allow you to download the client right form the server screen. XG makes you do it from the user portal which allows you to get pre-configured for the user.  Remember that Sophos is tailored toward mutilple users so doing it this way makes for multiple users.  For one user, it is a bit of an overkill.  There are also the options of downloading IOS and Android clients so you can use the VPN on your mobile or tablet.

SNAG-0070SNAG-0053SNAG-0057a

 

Summary

After all is setup I found it to work extremely well and after going through it the first time I can see that their approach does work well though be it tailored for multiple users.  It does make it easy to make future changes even if it is a bit confusing to get it set up the first time.  Like anything else, it is always easier when you know what to do and it seems so obvious now but I still wish they would consolidate some of steps.  I am still testing it and will be putting it through its paces and I hope that you found this useful.

, , , ,

4 Responses to SSL VPN on Sophos XG

  1. Mohd Manazir Siddiqui 11/17/2016 at 5:49 AM #

    Extremly highly Appreciate the hard work you did please keep updating all the configuration

    • pcdoc 11/24/2016 at 7:40 PM #

      Thanks for your comment. Labor of love

  2. Alessandro 01/16/2017 at 10:00 PM #

    Hi! Good job with your post.. but I don’t succeed into connecting to my office with VPN.. 🙁
    Do you know if port 8443 must be forwarded from router to firewall to access?
    Thanks in advance for your answer..

  3. jsc 01/27/2017 at 10:57 AM #

    Hello, very nice article !
    I lost a lot of time to configure SSL VPN on a Sophos XG85w for a customer.
    But I still can’t use UDP protocole, it works only with TCP. And the connection speed is terribly slow ~200ko/s of file transfer with a 50mbit/s internet connection.
    If anyone have an idea

Leave a Reply

Powered by WordPress. Designed by WooThemes