Sophos XG Firewall: How to configure SSL VPN remote access 


This article describes the steps to configure SSL VPN remote access. 

The following sections are covered: 

Applies to the following Sophos products and versions 

Sophos Firewall 

Configuring Sophos Firewall 

Defining SSL VPN group and users 

Go to Authentication > Groups and create a group for remote SSL VPN users. 


Go to Authentication > Users and create remote SSL VPN users. 

Defining local subnet and remote SSL VPN range 

Go to Hosts and Services > IP Host and define the local subnet behind Sophos Firewall. 

Go to Hosts and Services > IP Host and define the remote SSL VPN range. 

Note: Please make sure that the LAN and VPN assigned networks are not the same. 

Defining remote SSL VPN policy 

Go to VPN > SSL VPN (Remote Access) and select Add to create an SSL VPN policy. 

Verifying the authentication services for SSL VPN 

Go to Authentication > Services andmake sure that Local authentication server is selected under SSL VPN Authentication Methods section. 

Note: Also make sure that Local authentication server is selected under Firewall Authentication Methods section. This is needed for remote users to logon to the portal to download the SSL VPN client software later in this article. 

Verifying the allowed zones for SSL VPN 

Go to Administration > Device Access and allow SSL VPN and User Portal for the LAN and WAN zones under Local Service ACL section. Add other zones as required. 

Note: If you require your SSL VPN and User Portal to be available on the WAN zone, Sophos highly recommends enabling MFA/OTP


Configuring advanced SSL VPN settings 

Go to VPN and select Show VPN Settings

Under SSL VPN tab, verify the IPv4 Lease Range configured earlier and set the rest of options as required. 

Note: If the XG Firewall does not have a public IP assigned on the WAN interface but behind a NAT device, set the public IP in the Override Hostname field. This sets the SSL VPN client configuration file to use this public IP when establishing the connection. The NAT device has to be configured to forward the SSL VPN connection to the XG Firewall. 

Creating a firewall rule 

Go to Firewall,click + Add Firewall Rule and select User/Network Rule


  • If there is multiple firewall rules from VPN to LAN zones, then put the above firewall rule at the top of the list as described in Sophos XG Firewall: How to change firewall rule order
  • It is possible for the remote host to access the internet via the XG Firewall. To do this, create a firewall rule with VPN as the source zone and WAN as the destination zone. 

Configuring SSL VPN client 

Note: Sophos highly recommends enabling MFA/OTRmoteP for any WAN facing portals 

Downloading the SSL VPN client software 

From a browser, logon to the user portal. In this example, user portal is accessible at 


  • You can find the user portal https port configured in Sophos Firewall by going to Administration > Admin Settings under Port Settings for Admin Console section. 
  • We don’t recommend enabling either the user portal or the web admin console on external facing (WAN) interfaces. This could allow hackers to easily identify the firewall vendor and type, and launch a targeted attack. 
    To restrict XG Firewall user portal and web admin console to local interfaces, go to Administration > Device Access, then deselect User Portal and both Admin Services from the WAN zone.   

Once logged into the portal, download the SSL VPN client for the required endpoint accordingly. In this article, we will download and install the client and configuration for Windows 10. 

Installing the SSL VPN client software on Windows 

Run the downloaded SSL VPN client. 

Note: If you have an application control software, make sure to unblock OpenVPN and SSL VPN Client for Windows in order for the installation to be successful. 

Click Next and follow the wizard. 
Accept the license agreement. 
Choose the folder location and click Install  
Monitor the installation process.   
Click Finish to complete the installation.   
Once installed, start the VPN authentication by clicking on the traffic light symbol in the task bar.   
Log in using the same credentials for the user portal. 
The traffic light will change from red (disconnected) to red and amber (negotiating/connecting). As soon as the traffic light changes to green, a pop up message appers confirming the SSL VPN connection is established. 


From your Windows machine, verify that you have been assigned an IP address from the SSL VPN range configured earlier in Sophos Firewall. 

Note: You can also verify the route injected by the SSL VPN client by running route print command. 

From Sophos Firewall, go to Firewall and verify that rmote SSL VPN access rule allows ingress and egress traffic. 

Go to Current Activities > Live users to verify SSL VPN users. 


Go to Report > VPN to verify remote SSL VPN users list.