This discussion has been locked.

HTTP/S bookmarks retiring

Hi,
On my XG125 I see this message since the last update:

Retiring HTTP/S bookmarks in the next major feature release. Use web server protection rules as an alternative.

I use those bookmarks to access internal web servers from the portal. How can I achieve this without HTTP/S bookmarks?
How can I dismiss this warning?
Thanks!
Andrea



  • You would create a WAF rule with backend authentication.

    https://community.sophos.com/kb/en-us/126470

    The WAF will only provide access to the HTTP site (as HTTPS) if you are authenticated.

  • This seems like a huge step in the WRONG direction. We recently purchased an XG firewall for a customer with a 3-year Enterprise Protect Plus plan with this feature as a main selling point. Now you are telling me we will have to upgrade to Total Protect just so we can allow the customer to access web servers behind the firewall? What about the ease of use and simplicity of the User Portal? How does that fit in with WAF? We too may now need to consider going with another vendor of firewalls, as this was a feature we were planning on promoting to allow our clients to access their internal web servers remotely in a controlled and secure manner. You are supposed to be innovating and adding new features or improving existing ones, not taking them away. Please leave this feature in place even if you don't plan on improving or fixing it; at least we can keep using it the way it is. This reminds me a lot of Windows a few years back when we all stopped updating because we did not want to LOSE functionality. I sure hope Sophos isn't going down that road.

  • Hi Luca,

    The bookmarks are very useful because they are... well... bookmarks available in the user portal, and they protect the web services from the Internet with an SSL VPN.
    In this way the services are always available to the employees/customers/whoever, with just credentials and OTP.

  • Luca, thanks for the link.

    I really don't know anything about the risk of cross-site scripting, so I can't comment about that.

    But still, the access to internal web pages with the HTTP/S bookmarks was VERY VERY VERY useful, especially for users that access from anywhere with just a browser (with no possibility to establish a VPN). In the portal they could have "had" access to all the web services, in a secure way, with just 1 URL in mind: portal.company.com

  • That proves that there will be no replacement for WebProxy with OTP authentication. Are you sure you want to retire functionality that you already sold to customers? That could become expensive for Sophos (e.g. compensation), as this is done fully knowing what it means!

  • Hmm, I don't understand what's going on here. We have an ancient SonicWall SSL VPN that was EOL a long time ago. We have users using it for a clientless VPN. They can do RDP and, in theory, there are bookmarks that work to our internal web servers which we do not let outside the firewall (such as intranet, HVAC control, etc., as an example).

    I started to set up a clientless VPN on our XG 330. I got to this point, but it seems that the XG330 has the same problem as my SonicWall: it's not making an SSO connection.

     

    So I am trying to troubleshoot that and I see this message about HTTPS bookmarks being deprecated? I don't get it. How would one allow users on the clientless VPN to access internal websites? The WAF (web application firewall) article that is linked on the previous page seems to be just for punching holes in the firewall, like what I would do to provide an external service access in. It has nothing to do with a user portal bookmark.

     

    So how do I achieve accessing internal web services from an authenticated portal which is clientless? Are you saying you are removing this functionality and it won't be possible anymore? I see allusions to another product or license that can achieve this. Instead of buying a new appliance, I would be willing to spend money to get this working with existing gear. But can someone tell me if it's possible and/or direct me to a setup guide for this feature? I don't want to spend time setting up the bookmarks if they will just be obsoleted!

    It all seems a bit weird.

    Is it because you guys can't figure out how to proxy SSO that this is being removed? Because that's the problem my SonicWall has. With most services going to SSO, it is a must-have feature for a clientless VPN for us!!!