1. Sophos Ssl Vpn App
2. Sophos Xg Openvpn Server
3. Sophos Utm Vpn
4. Sophos Xg Firewall Openvpn

Firewall with synchronized security built in. MANAGED SERVICES. OpenVPN Technologies, Inc. Type: Proxy / VPN tool: Publisher URL. Try Sophos products for free Download now Download Sophos Home. Free business-grade security for the home. Endpoint Protection. Go to where the ovpn file was downloaded and execute the following command: openvpn -config client.ovpn Fill in the username and password. The client will now connect. Sign up to the Sophos Support Notification Service to get the latest product release information and critical issues. Does Sophos XG allow OpenVPN Clients to Connect? MarkRogers over 5 years ago. Hello, Currently I'm in the process of migrating from PFSense to Sophos XG and presently my devices use OpenVPN or the Viscosity VPN client (for Mac) to connect to the PFSense box which is running OpenVPN server.

Inspiration for this post, was taken from: https://rieskaniemi.com/azure-mfa-with-sophos-xg-firewall/

Some of the things that I’ve seen at work, is that Sophos XG VPN users are using one token for Sophos SSLVPN and another for ex. Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 is using, can do the “pop-up”, letting the user easy sign-in, like this:

Nonetheless it’s easier for the IT dept. (and the user!) to maintain only one token solution 🙂

Here is the auth flow for Azure MFA with NPS Extension:

Nice isn’t it 😉

So how to fix?

We setup Sophos XG for RADIUS validation for SSLVPN and UserPortal access, and if you use the built-in OTP solution, disable that 🙂

To get started:

• If you do not have MFA enabled for your Office 365/Azure AD account’s you can enable it through following link: https://aka.ms/mfasetup
• And of course you need to have set Azure AD Connect to get your on-premise talking with Azure, I will not go into the details with this here, as I assume this is already setup and working 🙂

Let’s go:

Sophos Ssl Vpn App

1. Install the Network Policy Server (NPS) role on your member server or domain controller. Refering to the Network Policy Server Best Practices, then you will find this “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we will go ahead and place this on the domain controller, but remember it’s also possible to do it on a domain joined member server!

2. Press “Next” and the installation begins:

3. After installation has ended, go and join the NPS to the Active Directory, right-click NPS (Local):
   
4. Download and install the NPS Extension for Azure MFA here:
   https://www.microsoft.com/en-us/download/details.aspx?id=54688
   Note: As i did try this on a server with already setup NPS, it failed with the other mechanisms, because of this:
   https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa”

   Control RADIUS clients that require MFA

   Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.

   Configure RADIUS clients that you want to require MFA to send requests to the NPS server configured with the extension, and other RADIUS clients to the NPS server not configured with the extension.”

   So the “workround” is to run the MFA for the Sophos on a seprate NPS instance 🙂

5. After it’s installed, go and follow the configure is like it’s stated here (Find TenantID and run Powershell script):
   https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
6. Go and configure your radius Client, here it’s the XG:

   Remember the secret, we need it later on 🙂

7. Create a “Connection request policy”:
   

   
   Type here the IP of the XG

   Just set like above, and the rest of the settings, just leave them to their defaults 🙂

8. Now create a “Network Policy”

   Add a domain group, that shall have this access, to simplify, here I have choose domainDomain Users
   Now the EAP types, XG does only support PAP, as far as I have tested:

   
   You will get a warning telling you that you have choosen unencrypted auth (locally – not on the Internet!), just press OK.
   Just left the rest to their default’s and save the policy.

9. Now to create a firewall rule:
10. Now to setup the XG for this:

    Press ADD:

    Remember to choose RADIUS:

    Fill in as your environment matches:

    Type in the secret you wrote down earlier and create a host object for your NPS, also remember to change the timeout from 3 to 15 secs!

    You can now test is the authentication through NPS and Azure MFA is working, change Group name attribute to “SF_AUTH”

    Press the TEST CONNECTION butoon:

    type in a users username (e.mail adress) and password, and your phone should pop-up with Microsoft Authenticator 🙂

    You should see this soon after you accept the token:

11. Now head over to the Authentication –> Services section:

    Add the new RADIUS server to:
    – User portal authentication methods
    – SSL VPN authentication methods

    Also make sure that the group your AD / RADIUS users are in, is added to the SSLVPN profile:

12. Now login to the User Portal and download a VPN client (You cannot use the old ones, if you already had thoose installed)
13. Now connect through VPN, type in your full email in username and your password, then wait for MS Authenticator to pop-up, accept the token and you are logged into VPN 🙂

Sources:

Related Posts

Working remotely and using VPN has become an important part of everyday life. With XG Firewall it’s extremely easy – and free!

XG Firewall is the only firewall to offer unlimited remote access SSL or IPSec VPN connections at no additional charge.

And we’ve significantly boosted SSL VPN capacity across our entire product range in XG Firewall v18 MR3 through several optimizations.

Our new Sophos Connect v2 remote access VPN client also adds new features that make remote access faster, better and easier.

What’s new in Sophos Connect v2

• SSL VPN support for Windows
• Bulk deployment of SSL VPN configurations (as with IPSec) via an enhanced provisioning file
  • Enhanced DUO token multi-factor authentication support
  • Auto-connect option for SSL
  • Option to execute a logon script when connecting
  • Remote gateway availability probing
• Automatic failover to the next active firewall WAN link if one link fails
• Automatic synchronization of the latest user policy if the SSL policy is updated on the firewall (when using the provisioning file to deploy) as well as a manual re-synchronization of the latest policy
• File extension association for policy files – import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email

XG Firewall v18 MR3 remote access enhancements:

• Enhanced SSL VPN connection capacity across our entire firewall lineup. The capacity increase depends on your firewall model: desktop models can expect a modest increase, while rack mount units will see a 3-5x improvement in SSL VPN connection capacity.
• Group support for IPSec VPN connections, which now enables group imports from AD/LDAP/etc. for easy setup of group access policy.

Sophos Xg Openvpn Server

Making the most of Sophos Connect remote access

The first decision you will want to make is whether you wish to use SSL, IPSec, or both. Then set up your firewall to accept Sophos Connect VPN connections before deploying the client and connection configuration to your users.

SSL vs IPSec

With Sophos Connect v2 now supporting SSL (on Windows) and with the enhanced SSL VPN capacity available in XG Firewall v18 MR3, we strongly encourage everyone to consider using SSL to get the best experience and performance for your remote access users.

While macOS support for SSL remote access via Sophos Connect is expected soon, we recommend any organizations using macOS take advantage of the new OpenVPN macOS client in the interim.

Sophos Utm Vpn

XG Firewall setup

SSL VPN Setup is very straightforward:

1. Follow these initial setup instructions for creating an IP address range for your clients, user group, SSL access policy, and authentication.

Sophos Xg Firewall Openvpn

2. SSL VPN requires access to the XG Firewall User Portal. For optimal security, we strongly advise the use of multi-factor authentication. Set up two-factor authentication via Authentication > One-time password > Settings to ensure you’re only allowing MFA access to the user portal.

3. Create a firewall rule that enables traffic from the VPN zone to access your LAN zone (or whatever zones are desired).

Deployment of the client is equally easy:

1. Client installer: The client installer is available by navigating to VPN > Sophos Connect Client on your XG Firewall. Sophos Connect documentation is available here.
2. Connection configuration: The SSL VPN connection configuration (OVPN) file is accessible via the user portal, but we strongly encourage the use of a provisioning file to automatically fetch the configuration from the portal. This requires a bit more up-front effort, but greatly simplifies the deployment process and enables changes to the policy without redeploying the configuration. Review the full instructions on how to create a provisioning file with samples.
3. Group Policy Management: The best way to deploy the remote access client and provisioning file is via Microsoft Group Policy Management. You will need the files mentioned in the steps above and then follow these step-by-step instructions. You can also use any other software deployment tool you have available – even email.

Monitoring active usage:

You can monitor connected remote users from the XG Firewall Control Center…

And click to drill down to get the details…

Sophos Connect resources and helpful links