
Install SSL VPN In Sophos XG With OTP

Overview:

In this article we will discuss how to install the Sophos SSL VPN with a one-time password (OTP) to add security when connecting through remote access VPN.

Process:

First, log in to the GUI of the Sophos XG firewall and configure an SSL VPN remote access policy. To do that, click on VPN, then on SSL VPN (remote access), and click Add.

[Image: SSL VPN]

Give the SSL VPN policy a name and add the required users under the Policy members tab. If you enable the “Default Gateway” option, all traffic from the remote access client machine will go through the Sophos firewall. If you disable “Default Gateway”, only traffic destined to the permitted networks will be routed through the SSL VPN tunnel. You can add the permitted networks in the Permitted network resources section.

If you enable the “Disconnect idle clients” option, remote access clients with no traffic through their tunnel will be disconnected. By default the global disconnect time is 15 minutes; you can override it by entering a different value under Override global time-out.

Click on Show VPN settings to see all SSL VPN settings at a glance. Sample settings are shown in the image below.

[Image: Show VPN settings / VPN settings]

In these settings we can see the protocol, TCP or UDP. Selecting UDP gives higher VPN speed, so if you face slowness issues you can choose UDP. There are other settings such as the SSL VPN port, the IP range for SSL VPN connected machines, the DNS server for SSL VPN connected machines, etc.

OTP Configuration:

Click on OTP settings under the Authentication > OTP tab as shown in the image below.

Enable the One Time Password option.

OTP for all users: If we enable this option, OTP will be enabled for all users (in this article I would like to enable it only for a specific user).

Auto Create OTP tokens for users: If we enable this option, OTP tokens will be created automatically (in this article I will disable this option).

Add the concerned user to the SSL VPN OTP group and enable OTP for the required services. In this article I will enable it only for SSL VPN remote access. Click on Apply.

[Image: OTP settings]

Now that you have configured OTP, you need to download the SSL VPN configuration and the Sophos Authenticator. I will explain this in the steps below.

Install SSL VPN Client:

First enable the user portal and SSL VPN in the WAN zone. You can enable them under Administration >> Device Access as shown in the image below.

[Image: Device Access]

Log in to the user portal with the specific OTP user's credentials; you will be able to see the QR code.

[Image: User OTP]

Now download the Sophos Authenticator and scan the QR code; it will start generating OTP codes.

[Image: OTP codes]

Click on the Proceed to login option, then enter the username as “original username” and the password as “password+OTP code”. Now download the SSL VPN configuration file from the user portal as shown in the image below.

[Image: Download client]

Once you have downloaded the SSL VPN client, install it on your Windows machine. If the SSL VPN client is installed properly, the icon shown in the image below will be displayed in the task bar.

Now right-click on the SSL VPN icon and connect to the SSL VPN. In place of Username give “Original Username” and in place of Password give “password+OTP”.

[Image: Authentication]

Now click on OK and it should connect. If it fails to connect, try to synchronize the OTP again. To perform those steps, follow this article:

https://community.sophos.com/sophos-xg-firewall/v16/f/sfos-v16-beta-issues-bugs/79827/otp-token-authentication-failed

Once you resynchronize the OTP, it should connect.

Hope this article helps you.