Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 718 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG 18.5.3 and SSL VPN

Matthew LaComb

Trying to lab up and describe an upgrade process (outage windows and user impact) for some firewalls.  I have 2 XG310s in HA and have done the following:

1. Assigned static LAN and WAN addresses; added LAN2LAN rule (with lan/vpn source to lan/vpn dest)

2. Internet is reachable via WAN interface

3. Updated the CA Cert with info

4. Added a user, assigned to open group

5. created a test SSLVPN profile and attached the user to it

Now when I do a provisioning file for a windows virtual machine (same subnet as WAN), I tell the Sophos Connect client to connect to the WAN address of the Sophos device. It does that all well and good... but then after it downloads the provisioning file, it only tries to connect to the LAN address.

Additionally, I've found the "temporary" ovpn files it sprinkles into the c:\program files(x86)\Sophos\Connect directory, and opening them reveals the configuration file has every address in it EXCEPT the WAN address.  I.e. it has the "guest wifi" address, the LAN address, the DMZ (HA) address - and the RED tunnel address (I launched a RED tunnel on another virtual to watch that flow as well.)

What am I doing wrong here?  Has anyone else had this kind of thing happen?  The WAN address is an RFC1918 address behind a firewall, if that makes a difference... and I have no real way to change that without doing a creative NAT on my interior firewall...



This thread was automatically locked due to age.
  • 0

    can you share a screenshot of what you mean with the "configuration file has every address in it EXCEPT the WAN address"

    I would think would use it's WAN IP in the ovpn file but there are so many things that make no sense in SFOS.

    As long as we use SSL VPN, we have always set the option "Override hostname (optional): SSL VPN clients use the IP address or hostname you enter here rather than the WAN IP address of Sophos Firewall to establish the connection."

    So that should fix it fo your test lab?

    if using a FQDN, set a hosts file entry on the test computers in the WAN network.

  • 0 in reply to LHerzog

    I spun up yet another sophos instance (19.0.1 just for kicks) and did the above.  The setup is plain, I am using a .pro profile that only has the WAN address in it.

    I *think* what is happening is that since my virtual windows instance I'm using for testing is on the same "network" as the WAN, the Sophos device is not pushing the WAN interface address into the .ovpn configuration file when provisioning.  The interface setups are as follows:

    LAN: 172.16.16.5/24

    WAN:  10.10.15.187/24

    GuestAP:  10.255.0.1/24

    The .pro provisioning file has one address in it;  10.10.15.187.  My virtual machine sits in DHCP range on the 10.10.15.0/24 network.  Upon connect, I get prompted for credentials and the captcha - which passes, then the sophos client goes to "please wait, establishing connection" and the top bar which used to say "10.10.15.187" now says "172.16.16.5" as the endpoint.

    the .ovpn file that shows up (temporary downloaded provisioning for the sophos connect client after auth) shows the following:

    remote 172.16.16.5 8443 tcp-client

    remote 10.255.0.1 8443 tcp-client

    I can't configure this file because Sophos doesn't let you.  I feel that that's a stupid decision, but it likely keeps non-tech-peeps stay out of trouble.

    I'm going to spin up a router to put between my virtual machine and my internal network to "buffer" between the virtual sophos and the client.  I'm just frustrated if this fixes this issue for 2 reasons:

    1. There's no way to further tweak the configuration file out of the box with Sophos Connect.  It just does what it wants.

    2.  There's no reason you can't sit on the same WAN and connect back to the Sophos box.  Especially for testing, not sure what the rationale is for this, other than *maybe* it thinks the incoming client is on a corporate Network being NATted out to the internet - so it puts the internal addresses in scope.

    I'd love more nerd knobs to tweak what's going on behind the scenes.

  • 0 in reply to Matthew LaComb

    Added a router between the "WAN" and my Windows 10 tester.  Still no dice, the Sophos device will NOT expose the WAN address to the .ovpn configuration file.  

    Win10 - 10.10.14.254/24

    .pro file has 10.10.15.187 as endpoint and is routable/connectable

    At a loss here.  I really need to test the impacts of an upgrade for my customers and will be opening a support case next week unless others have any information on this.

  • +1

    Resolved.  Device access bites me again.  Not a fault of the Sophos - other than the fact that I don't like having to come to a separate page to ENABLE a feature.

    If you don't have "SSL VPN" enabled on WAN in device access, the .ovpn file that the device will deliver to you will not have the WAN interface as a target.  Hence, you will only get the LAN interfaces in the file.

    I do have instances in my environment where we use the LAN as transport - but in all honesty, would likely have that turned off as a standard in normal environments.

Unfiltered HTML