Sophos Firewall
Configuring SSL VPN for Remote Access
Product Version: 1
Document date: October 2014
Contents

1 Introduction 3
2 Configuring Sophos Firewall 4
  2.1 Defining a User Account 4
  2.2 Configuring Advanced SSL Settings 9
  2.3 Creating the Network Policy 11
3 Configuring the Remote Client 14
  3.1 Getting SSL VPN Client Software 14
  3.2 Installing the SSL VPN Client Software 16
  3.3 Connecting to the VPN 19
4 Technical support 20
5 Legal notices 21
1 Introduction

This guide describes step by step how to configure remote access on Sophos Firewall using the Secure Sockets Layer (SSL) protocol. The SSL remote access feature in Sophos Firewall provides two-factor authentication, securing the remote connection with X.509 certificates (something you have) and a username/password (something you know).

Sophos' SSL VPN establishes an encrypted tunnel to provide secure access to company resources through TCP port 443. The system administrator configures the Sophos Firewall to allow remote access and enables the User Portal of the Sophos Firewall for the remote access users. The User Portal offers the free Sophos SSL VPN Client software, including the configuration and the necessary keys, and this configuration guide. Login data for the User Portal should be provided by the system administrator or could be the user's AD credentials.

The SSL VPN Client is available for the Microsoft Windows XP, Vista, 7, 8/8.1 and 10 operating systems.
2 Configuring Sophos Firewall

Sophos Firewall is configured via the web-based WebAdmin configuration tool from the administration PC. Opening and using this configuration tool is described in detail in the Sophos Firewall administration guide.

2.1 Defining a User Account

We start by creating a user account that allows access to the User Portal and establishing a VPN connection.

1. Open Objects > Identity > Users.
2. Click on the add button (shown in the original screenshot). The Create New User dialog opens.
3. Enter the following information:

   Username: This will be the user's login for the User Portal.
   Name: The user's full name.
   Description: Optional.
   Password: Create a password for the new user and confirm it.
   User Type: Select User.
   Email: Enter the user's e-mail address.
   Group: Select a group for the user; if no groups have been defined yet, use Open Group.
   Policies: Select the appropriate Surfing Quota, Access Time, Network Traffic and Traffic Shaping settings.
   SSL VPN Policy: Open the drop-down menu of Remote Access and select Create new.
   The new SSL VPN policy is defined with the following settings:

   General Settings: Name the policy (e.g. SSL Remote Access) and give a description (optional).
   Identity: Click on Add new item, select the user's group and click Apply.
   Tunnel Access: Switch Use as Default Gateway to on if the user should use the VPN tunnel as default gateway. Under Permitted Network Resources, click Add New Item to select all ports that should be available to the remote access user.
   Idle Timeout: By default, remote access clients get disconnected after an idle time of 15 minutes. Idle Timeout can be deactivated or the allowed idle time can be changed.
2.2 Check Authentication Services for VPN

Navigate to System > Authentication > Authentication Services and scroll down to VPN (IPsec/L2TP/PPTP) Authentication Methods. Local Authentication should already have been added automatically. If an external authentication server is used, it should be added and confirmed by clicking Apply.

2.3 Check the allowed Zones for SSL VPN

Navigate to System > Administration > Device Access and make sure all needed zones are activated for SSL VPN.
2.4 Configuring Advanced SSL Settings

Open System > VPN > SSL VPN Settings.
SSL VPN Settings

   Protocol: TCP/UDP (select UDP for better performance).
   SSL Server Certificate: The ApplianceCertificate is selected by default. Other certificates can be added and used (e.g. Local CA, Public CA).
   Override Hostname: By default the gateway's hostname is used; only enter a hostname if the gateway has to be reached through a different hostname from the WAN.
   IPv4 Lease Range / IPv6 Lease: Enter an IP range to be used by VPN clients.
   Lease Mode: Select whether VPN users get IPv4-only or IPv4 and IPv6 addresses.
   IPv4 DNS, IPv4 WINS, Domain Name: Optional settings; if unconfigured, the gateway's settings apply.
   Disconnect dead peer after Seconds (60-1800): Set a time after which a dead peer is considered disconnected (180 seconds by default).
   Disconnect idle peer after Minutes (15-60): Set a time after which an idle peer is disconnected (15 minutes by default).

Cryptographic Settings

   Encryption Algorithm: AES-128-CBC by default; also available are DES-EDE3-CBC, AES-192-CBC, AES-256-CBC and BF-CBC.
   Authentication Algorithm: SHA2 256 by default; also available are SHA1 (should be avoided), SHA2 384, SHA2 512 and MD5.
   Key Size: 2048 bit by default; 1024 bit is also available.
   Key Lifetime: 28800 seconds (8 hours) by default.

   Compression Settings: Checked by default to enhance performance on slow connections.
   Debug Settings: Unchecked by default; only check it if the SSL VPN needs debugging.
   Apply: Confirms all changes.
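The following Python script is an added example and not part of the Sophos guide or Sophos' own code. It audits an OpenVPN-style client profile against the transport and cryptographic choices listed above, so an administrator can check what a client actually received before it is installed. It assumes that the configuration file the User Portal provides for other operating systems (section 3.1) uses plain OpenVPN directive syntax (proto, remote, cipher, auth, comp-lzo, remote-cert-tls and an inline <ca> block); the expected port 443 comes from the Introduction, and both sample profiles are constructed, not real exports.

```python
"""Audit an OpenVPN-style SSL VPN client profile against the SSL VPN Settings
options described in the guide.

Added example, not Sophos code. Assumes the profile handed out for
non-Windows clients uses plain OpenVPN directive syntax; the two sample
profiles at the bottom are constructed.
"""
import re

# Options the guide lists on the SSL VPN Settings page. The guide itself says
# SHA1 "should be avoided"; treating MD5, DES-EDE3-CBC and BF-CBC as legacy is
# this checker's own policy, not a statement by Sophos.
STRONG_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}
LEGACY_CIPHERS = {"DES-EDE3-CBC", "BF-CBC"}   # 64-bit block ciphers
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
LEGACY_AUTH = {"SHA1", "MD5"}
EXPECTED_PORT = "443"                          # per section 1 of the guide
LEVELS = ("weak", "warn", "info")              # most to least severe


def parse_profile(text):
    """Return (directives, blocks): directive name -> list of argument lists,
    and inline block name (ca, cert, key, ...) -> its body as one string."""
    directives, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                 # inside <name> ... </name>
            if line == "</%s>" % current:
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks


def audit_profile(text):
    """Return a list of (level, message) findings in fixed check order."""
    d, blocks = parse_profile(text)
    findings = []

    def first(name):
        return d[name][0] if d.get(name) else None

    cipher = first("cipher")
    if not cipher:
        findings.append(("warn", "no cipher directive; the OpenVPN default applies"))
    elif cipher[0].upper() in LEGACY_CIPHERS:
        findings.append(("weak", "cipher %s is a legacy 64-bit block cipher; use an AES-*-CBC option" % cipher[0]))
    elif cipher[0].upper() not in STRONG_CIPHERS:
        findings.append(("info", "cipher %s is not among the options the guide lists" % cipher[0]))

    auth = first("auth")
    if not auth:
        findings.append(("warn", "no auth directive; the OpenVPN default applies"))
    elif auth[0].upper() in LEGACY_AUTH:
        findings.append(("weak", "auth %s should be avoided; use SHA2 256 or stronger" % auth[0]))

    proto = first("proto")
    if proto and proto[0].lower().startswith("tcp"):
        findings.append(("info", "proto tcp; the guide recommends UDP for better performance"))

    remote = first("remote")
    if not remote:
        findings.append(("warn", "no remote directive; the client has no gateway to connect to"))
    elif (remote[1] if len(remote) > 1 else "1194") != EXPECTED_PORT:   # 1194 is OpenVPN's default port
        findings.append(("info", "gateway port is not %s as described in the guide" % EXPECTED_PORT))

    if "comp-lzo" in d or "compress" in d:
        findings.append(("info", "compression is enabled; only keep it for slow links"))

    if "remote-cert-tls" not in d:
        findings.append(("warn", "no 'remote-cert-tls server'; the client does not check that the gateway presents a server certificate"))

    if "ca" not in d and "ca" not in blocks:
        findings.append(("warn", "no CA certificate; the gateway certificate cannot be verified"))
    return findings


def worst_level(findings):
    """Collapse findings to the single most severe level, or 'ok' if none."""
    present = {level for level, _ in findings}
    return next((level for level in LEVELS if level in present), "ok")


# Constructed sample profiles (not real User Portal exports).
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-128-CBC
auth SHA256
comp-lzo
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the gateway CA certificate would go here)
-----END CERTIFICATE-----
</ca>
"""

WEAK_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 8443
cipher BF-CBC
auth SHA1
"""

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        findings = audit_profile(profile)
        print("%s profile: %s" % (name, worst_level(findings)))
        for level, message in findings:
            print("  [%s] %s" % (level, message))
```

Run directly, the script prints the findings for both samples; the good profile only produces the compression note, the weak one is rated "weak" because of BF-CBC and SHA1. Classifying SHA1 as weak follows the guide; the other classifications and the remote-cert-tls and CA checks are the checker's own policy.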
2.5 Creating a Network Policy

1. Define a network policy: navigate to Policies and click Add New Rule. Select User / Network Rule.
2. Select Bottom as the rule position, enter a name for the rule (e.g. SSL VPN Masquerading) and a description (optional).
3. Click Add New Item, select the VPN users group or the individual users, then click Apply.
4. Add items by clicking on Add New Item and selecting the appropriate sources, then click Apply. For Zone select WAN and for Networks select Any, since VPN users might connect from various networks. Select the services available to VPN users, usually Any. Add a schedule if a user is only allowed to use the VPN at certain times.
5. Click on Add New Item and select the zone(s) and network(s) VPN users are allowed to access.
6. Select Accept, activate Rewrite source address and keep the default settings.
8. Activating Malware Scanning is optional, but recommended.
9. Applying policies is optional.
10. Logging should be activated for troubleshooting and monitoring purposes. The Security Heartbeat configuration is optional.
11. Save the new policy.
3 Configuring the Remote Client

On the remote client you have to download the Sophos SSL VPN Client software, including the configuration data, from the UTM User Portal. Then you install the software package on your computer.

3.1 Download the SSL VPN Client Software

The Sophos Firewall User Portal is available to all remote access users. The portal offers downloads, guides and tools for users. To access the User Portal, navigate to the Sophos Firewall's IP address or hostname using a web browser; in a standard configuration the User Portal is reachable through HTTPS on port 443.

The SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more. The configuration for Windows is needed in case of a configuration change to the SSL policy. Other operating systems can be configured using an OpenVPN configuration file; Android and iOS configurations are available as well.

1. Start your browser and open the User Portal. Enter the management address of the User Portal as follows: https://ip address (example: https://218.93.117.220). A security note will be displayed. It appears because the browser does not trust the certificate the gateway presents (the ApplianceCertificate is used unless another certificate was selected under SSL VPN Settings); compare the certificate fingerprint with the one your administrator provides before accepting the note. Depending on the browser, click I Understand the Risks > Add Exception > Confirm Security Exception (Mozilla Firefox), Proceed Anyway (Google Chrome), or Continue to this website (Microsoft Internet Explorer/Edge).
2. Log in to the User Portal. Enter your credentials:
   Username: Your username, which you received from the administrator.
   Password: Your password, which you received from the administrator. Please note that passwords are case-sensitive.
   Click Login.
3. Navigate to SSL VPN. Download the SSL VPN Client for Windows or the configuration files needed for other operating systems.
3.2 Installing the SSL VPN Client Software

The setup program will check the hardware of the system and then install the necessary software on your PC.

1. Start the installation. Open a file browser and go to the location of the installation file setup.exe. Launch the file from this directory. The installation wizard should start up now. Click Next to proceed.
2. Accept the software license agreement. If you agree to the terms of the license, click I Agree.
3. Choose the install location. Click Browse, select the appropriate directory, and click OK.
4. Click Install to proceed. The installation wizard will copy the necessary files to your system.
5. Confirm the warning message. The setup routine creates a virtual network card for the SSL VPN access. The drivers are not Microsoft certified but are safe to install. Select Install to allow the driver installation.
6. When the installation is completed, click on Next.
7. End the installation process by clicking Finish. The SSL VPN client is started automatically and shows in the task bar as a traffic light icon.
8. The SSL VPN icon will then be displayed in your task bar. Further information is usually available from the network administrator.
3.3 Connecting to the VPN

Start the VPN authentication by clicking on the traffic light symbol in your Windows task bar. Log in using the same credentials that are valid for your User Portal. The traffic light will change from red (disconnected) to red and amber (negotiating/connecting). As soon as the traffic light changes to green, the SSL VPN connection is established.
4 Technical support

You can find technical support for Sophos products in any of these ways:

- Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.
- Visit the Sophos support knowledgebase at http://www.sophos.com/support/.
- Download the product documentation at http://www.sophos.com/support/docs/.
- Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
5 Legal notices

Copyright 1996-2014 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group. Sophos is a registered trademark of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Limited Warranty

No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to nsg-docu@sophos.com.