Sophos Firewall

Configuring SSL VPN for Remote Access

Product Version: 1
Document date: October 2014


Contents

1 Introduction

2 Configuring Sophos Firewall

2.1 Defining a User Account

2.2 Configuring Advanced SSL Settings

2.3 Creating the Network Policy

3 Configuring the Remote Client

3.1 Getting SSL VPN Client Software

3.2 Installing the SSL VPN Client Software

3.3 Connecting to the VPN

4 Technical support

5 Legal notices


1 Introduction

This guide describes step by step how to configure remote access on Sophos Firewall using the Secure Sockets Layer (SSL) protocol. The SSL remote access feature in Sophos Firewall provides two-factor authentication, securing the remote connection with X.509 certificates (something the user has) and username/password (something the user knows). Sophos' SSL VPN establishes an encrypted tunnel to provide secure access to company resources through TCP port 443.

The system administrator configures the Sophos Firewall to allow remote access and enables the User Portal of the Sophos Firewall for the remote access users. The User Portal offers the free Sophos SSL VPN Client software, including the configuration and necessary keys, and this configuration guide. Login data for the User Portal should be provided by the system administrator or could be the user's AD credentials. The SSL VPN Client is available for Microsoft Windows XP, Vista, 7, 8/8.1 and 10 operating systems.


2 Configuring Sophos Firewall

Sophos Firewall is configured via the web-based WebAdmin configuration tool from the administration PC. Opening and using this configuration tool is extensively described in the Sophos Firewall administration guide.

2.1 Defining a User Account

We start by creating a user account to allow access to the User Portal and to establish a VPN connection.

1. Open Objects > Identity > Users.


2. Click the button to add a new user. The Create New User dialog opens.


3. Enter the following information:

Username: This will be the user login for the User Portal.

Name: The user's full name.

Description: (optional)

Password: Create a password for the new user and confirm it.

User Type: Select “User”.

Email: Enter the user's e-mail address.

Policies: Select a group for the user; if no groups have yet been defined, use “Open Group”. Select the appropriate Surfing Quota, Access Time, Network Traffic and Traffic Shaping settings.

SSL VPN Policy: Open the drop-down menu of Remote Access and select Create new.


General Settings: Name the policy (e.g. SSL Remote Access) and give a description (optional).

Identity: Click on “Add new item”, select the users' group and click Apply.

Tunnel Access: Switch “Use as Default Gateway” on if the user should use the VPN tunnel as default gateway. For Permitted Network Resources, click “Add New Item” to select all ports that should be available to the remote access user.

Idle Timeout: By default remote access clients get disconnected after an idle time of 15 minutes. Idle Timeout can be deactivated or the allowed idle time can be changed.


2.2 Check Authentication Services for VPN

Navigate to System > Authentication > Authentication Services and scroll down to VPN (IPsec/L2TP/PPTP) Authentication Methods.

The Local Authentication should already be added automatically. If an external authentication server is used, it should be added and confirmed by clicking Apply.

2.3 Check the allowed Zones for SSL VPN

Navigate to System > Administration > Device Access.

Make sure all needed zones are activated for SSL VPN.


2.4 Configuring Advanced SSL Settings

Open System > VPN > SSL VPN Settings


SSL VPN Settings

Protocol: TCP/UDP (select UDP for better performance).

SSL Server Certificate: The ApplianceCertificate is selected by default. Other certificates can be added and used (e.g. Local CA, Public CA).

Override Hostname: By default the gateway's hostname is used; only enter a hostname if the gateway has to be reached through a different hostname from the WAN.

IPv4 Lease Range / IPv6 Lease: Enter an IP range to be used by VPN clients.

Lease Mode: Select whether VPN users get IPv4-only or IPv4 and IPv6 addresses.

IPv4 DNS, IPv4 WINS, Domain Name: Optional settings; if unconfigured, the gateway's settings apply.

Disconnect dead peer after (60 - 1800 seconds): Set the time after which a dead peer is considered disconnected (180 seconds by default).

Disconnect idle peer after (15 - 60 minutes): Set the time after which an idle peer is disconnected (15 minutes by default).

Cryptographic Settings

Encryption Algorithm: By default AES-128-CBC; also available are DES-EDE3-CBC, AES-192-CBC, AES-256-CBC and BF-CBC.

Authentication Algorithm: By default SHA2 256; also available are SHA1 (should be avoided), SHA2 384, SHA2 512 and MD5.

Key Size: By default 2048 bit; 1024 bit is also available.

Key Lifetime: By default 28800 seconds (8 hours).

Compression Settings: Checked by default to enhance performance on slow connections.

Debug Settings: Unchecked by default; only check if the SSL VPN needs debugging.

Apply: To confirm all changes.
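As an added illustration of the cryptographic settings above and of the two-factor model described in the introduction (example code written for this page, not part of the Sophos guide or its software): the guide notes that other operating systems use an OpenVPN config file from the User Portal, and such a profile can be checked for the presence of a client certificate (have), the auth-user-pass directive (know), and the cipher, authentication algorithm and key lifetime values the settings page controls. The profile text, hostname and PEM bodies are constructed placeholders, and the mapping of the Key Lifetime setting to OpenVPN's reneg-sec directive is an assumption.

```python
"""Audit an OpenVPN-style SSL VPN client profile against the settings in this guide.

Added example, not part of the Sophos guide. SAMPLE_PROFILE is constructed and
the PEM bodies are placeholders, not real key material.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample profile (not a real User Portal export); it deliberately
# uses the SHA1 authentication algorithm that the guide says should be avoided.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
auth-user-pass
cipher AES-128-CBC
auth SHA1
comp-lzo
reneg-sec 28800
ping 10
ping-restart 180
verb 3
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-ca
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
constructed-placeholder-client-cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
constructed-placeholder-client-key
-----END PRIVATE KEY-----
</key>
"""

# Algorithms the guide lists as selectable but which a reviewer would flag.
LEGACY_CIPHERS = {"DES-EDE3-CBC", "BF-CBC"}   # 64-bit block ciphers
WEAK_AUTH = {"SHA1", "MD5"}                    # guide: SHA1 "should be avoided"
MAX_KEY_LIFETIME = 28800                       # guide default: 8 hours


def parse_profile(text: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Split a profile into plain directives and the names of inline <tag> blocks.

    Returns ({directive: [args...]}, {"ca", "cert", ...}). Lines inside an
    inline block (PEM bodies) are not treated as directives.
    """
    directives: Dict[str, List[str]] = {}
    inline_blocks: Set[str] = set()
    current_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([a-z0-9-]+)>", line)
        if tag:
            if tag.group(1):             # closing tag
                current_block = None
            else:                        # opening tag
                current_block = tag.group(2)
                inline_blocks.add(current_block)
            continue
        if current_block is not None:    # PEM body line, skip
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives, inline_blocks


def audit_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the profile matches the guide's defaults."""
    directives, blocks = parse_profile(text)
    findings: List[str] = []

    # Two factors as described in the introduction: certificate (have) + password (know).
    has_client_cert = bool({"cert", "pkcs12"} & (blocks | set(directives)))
    if not has_client_cert:
        findings.append("no client certificate (cert/pkcs12): tunnel would rely on the password factor only")
    if "auth-user-pass" not in directives:
        findings.append("auth-user-pass missing: the username/password factor is not requested")

    cipher = directives.get("cipher", ["(unset)"])[0].upper()
    if cipher in LEGACY_CIPHERS:
        findings.append(f"cipher {cipher}: legacy 64-bit block cipher, prefer one of the AES-*-CBC options")

    auth = directives.get("auth", ["(unset)"])[0].upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: weak HMAC digest, use SHA256 or stronger")

    # Assumption: the Key Lifetime setting corresponds to OpenVPN's reneg-sec
    # (data-channel key renegotiation interval). OpenVPN's own default is 3600.
    reneg_sec = int(directives.get("reneg-sec", ["3600"])[0])
    if reneg_sec > MAX_KEY_LIFETIME:
        findings.append(f"reneg-sec {reneg_sec}: key lifetime longer than the guide's default of {MAX_KEY_LIFETIME}s")

    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```

Running the script on the constructed profile reports only the SHA1 finding; replacing `auth SHA1` with `auth SHA256` yields no findings, and removing the `<cert>` block adds a finding that the certificate factor is missing.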


2.5 Creating a Network Policy

1. Defining a Network Policy: Navigate to Policies and click Add New Rule. Select User / Network Rule.

2. Select Bottom and enter a name for the rule, e.g. SSL VPN Masquerading, and a description (optional).

3. Click Add New Item, select the VPN users group or users, then apply.


4. Add items by clicking on Add New Item and selecting the appropriate Sources, then apply. For Zone select WAN and for Networks Any, since VPN users might access from various networks. Select the Services available to VPN users, usually Any. Add a schedule if a user is only allowed to use the VPN at certain times.

5. Click on Add New Item and select the Zone(s) and Network(s) VPN users are allowed to access.

6. Select Accept, activate Rewrite source address and keep the default settings.


8. Activation of Malware Scanning is optional, but recommended.

9. Applying Policies is optional.

10. Logging should be activated for troubleshooting and monitoring purposes. Secure Heartbeat configuration is optional.

11. Save the new policy.


3 Configuring the Remote Client

On the remote client you have to download the Sophos SSL VPN Client software, including configuration data, from the UTM User Portal. Then you install the software package on your computer.

3.1 Download the SSL VPN Client Software

The Sophos Firewall User Portal is available to all remote access users. The portal offers downloads, guides and tools for users. To access the User Portal, navigate to the Sophos Firewall's IP address or hostname using a web browser; in a standard configuration the User Portal is reachable through HTTPS / port 443.

The SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more. The configuration for Windows is needed in case of a config change to the SSL policy. Furthermore, other operating systems can be configured using an OpenVPN config file. Android and iOS configurations are available as well.

1. Start your browser and open the User Portal. Enter the management address of the User Portal as follows: https://IP address (example: https://218.93.117.220).

A security note will be displayed. Accept the security note. Depending on the browser, click I Understand the Risks > Add Exception > Confirm Security Exception (Mozilla Firefox), or Proceed Anyway (Google Chrome), or Continue to this website (Microsoft Internet Explorer/Edge).

2. Log in to the User Portal. Enter your credentials:

Username: Your username, which you received from the administrator.
Password: Your password, which you received from the administrator.
Please note that passwords are case-sensitive. Click Login.


3. Navigate to SSL VPN. Download the SSL VPN Client for Windows or the needed configuration files for other operating systems.


3.2 Installing the SSL VPN Client Software

The setup program will check the hardware of the system, and then install the necessary software on your PC.

1. Start the installation. Open a file browser and go to the location of the installation file setup.exe. Launch the file from this directory. The installation wizard should start up now. Click Next to proceed.

2. Accept the software license agreement. If you agree to the terms of the license, click I Agree.


3. Choose the install location. Click Browse, select the appropriate directory, and click OK.

4. Click Install to proceed. The installation wizard will copy the necessary files to your system.

5. Confirm the warning message. The setup routine creates a virtual network card for the SSL VPN access. The drivers are not Microsoft certified but safe to be installed. Select Install to allow the driver installation.


6. When the installation is completed, click on Next.

7. End the installation process by clicking Finish.

The SSL VPN client is automatically started and is showing in the task bar as a

8. Then the SSL VPN icon will be displayed in your task bar. Further information is usually available from the network administrator.


3.3 Connecting to the VPN

Start the VPN authentication by clicking on the traffic light symbol in your Windows task bar.

Log in using the same credentials valid for your User Portal.

The traffic light will change from red (disconnected) to red and amber (negotiating/connecting). As soon as the traffic light changes to green, the SSL VPN connection is established.


4 Technical support

You can find technical support for Sophos products in any of these ways:

- Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.

- Visit the Sophos support knowledgebase at http://www.sophos.com/support/.

- Download the product documentation at http://www.sophos.com/support/docs/.

- Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.


5 Legal notices

Copyright © 1996 - 2014 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group.

Sophos is a registered trademark of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Limited Warranty

No guarantee is given for the correctness of the information contained in this document.

Please send any comments or corrections to [email protected].