In this article we will discuss how to set up the Sophos XG SSL VPN with one-time password (OTP) authentication, which adds a second factor to remote access VPN logins: a stolen or guessed password alone is no longer enough to connect.
First log in to the GUI of the Sophos XG firewall and configure an SSL VPN remote access policy. Click on VPN, then on SSL VPN (remote access), and click Add.
Give the SSL VPN policy a name and add the required users under the Policy members tab. If you enable the “Default Gateway” option, all traffic from the remote access client machine goes through the Sophos firewall (full tunnel). If you disable “Default Gateway”, only traffic destined to the permitted networks is routed through the SSL VPN tunnel (split tunnel); everything else leaves the client through its local connection, unfiltered by the firewall. Add the permitted networks in the Permitted network resources section and keep that list as narrow as the users actually need.
If you enable the “Disconnect idle clients” option, remote access clients with no traffic through their tunnel are disconnected. The global disconnect time is 15 minutes by default; you can override it for this policy by entering another value under Override global time-out.
Click on Show VPN settings to see all SSL VPN settings at a glance. Sample settings are shown in the image below.
These settings show the protocol, TCP or UDP. UDP gives better VPN throughput, so if you face slowness issues, choose UDP; TCP is the fallback for networks that block UDP. The other settings include the SSL VPN port, the IP range assigned to connected SSL VPN machines, the DNS server pushed to connected machines, and so on.
Click on OTP Settings under the Authentication >> OTP tab, as shown in the image below.
Enable the One-time password option.
OTP for all users: if you enable this option, OTP is enforced for all users. In this article I enable it only for specific users.
Auto-create OTP tokens for users: if you enable this option, OTP tokens are created automatically for users. In this article I disable this option.
Add the concerned user to the SSL VPN OTP group and enable OTP for the required services. In this article I enable it only for SSL VPN remote access. Click Apply.
Now that OTP is configured, you need to download the SSL VPN configuration and the Sophos Authenticator app. The steps below explain how.
Install SSL VPN Client:
First enable the User portal and SSL VPN in the WAN zone. You can enable them under Administration >> Device Access, as shown in the image below. These two services are all the remote users need; do not open the admin console (HTTPS or SSH) to the WAN zone for this.
Log in to the user portal with the OTP user's credentials; you will see the QR code for that user's OTP token.
Now download Sophos Authenticator and scan the QR code; the app starts generating time-based OTP codes.
Click on Proceed to login, then enter the username as the original username and the password as “password+OTP code”, that is, the account password immediately followed by the current code from the authenticator, with no separator. Then download the SSL VPN configuration file from the user portal as shown in the image below.
Once you have downloaded the SSL VPN client, install it on your Windows machine. If the client installed correctly, the icon shown in the image below appears in the system tray.
Now right-click the SSL VPN icon and connect to the SSL VPN. Enter the original username as Username and “password+OTP” as Password.
Click OK and it should connect. If it fails to connect, synchronize the OTP token again; a common cause is clock drift between the phone and the firewall, so the code the app shows falls outside the window the firewall accepts. To perform those steps, follow this article:
Once the OTP is resynchronized, it should connect.
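To make the “password+OTP” mechanics concrete, here is an added example, not code from this article or from Sophos: a small Python script that parses the otpauth:// URI an authenticator QR code carries, computes the RFC 6238 TOTP code the app would display, builds the combined password string the login form expects, and verifies a submitted code with a clock-skew window, which is the failure mode the resynchronization step corrects. The URI, the secret (the RFC 6238 reference key), the issuer and the account name are constructed for the example; 6 digits and a 30-second step are the RFC defaults and are assumed here, not read from a Sophos device.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example URI in the otpauth:// format that authenticator QR codes encode.
# The secret is the RFC 6238 reference key "12345678901234567890" in base32;
# the label and issuer are made up for this example (assumption, not a real device).
EXAMPLE_URI = ("otpauth://totp/SophosXG:vpnuser?"
               "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=SophosXG"
               "&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the raw secret bytes, digit count and time step from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # restore the base32 padding many apps drop
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // period, digits)


def build_password(password, code):
    """What goes in the SSL VPN password field: account password with the code appended, no separator."""
    return password + code


def split_password(combined, digits=6):
    """Server side: peel the trailing OTP digits off the submitted password field."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_code(secret, code, unix_time, window=1, digits=6, period=30):
    """Accept a code from the current step or up to `window` steps either side (clock skew).
    Returns the step offset that matched, or None. A client whose clock has drifted further
    than the window fails here, which is what resynchronizing the token corrects."""
    base = int(unix_time) // period
    for off in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + off, digits), code):
            return off
    return None


if __name__ == "__main__":
    tok = parse_otpauth(EXAMPLE_URI)
    code = totp(tok["secret"], digits=tok["digits"], period=tok["period"])
    print("current code:", code)
    print("password field to submit:", build_password("S3cretPass", code))
    print("verify offset:", verify_code(tok["secret"], code, time.time()))
```

The verify function compares codes with a constant-time comparison and only tolerates one step of drift either way; a phone that is a few minutes off will produce codes the firewall rejects until its clock is corrected or the token is resynchronized, which is exactly the symptom described above.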
Hope this article helps you.