In these hard times, when the whole Western world faces a new economic crisis because of the Coronavirus outbreak, many businesses are completely unprepared. Some are still in denial and don’t believe they will need to send their employees home. Unfortunately, it is a matter of days, in some cases hours, before governments order companies to close their premises, because, as we learned from Italy, China and Korea, isolation and social distancing are the only way to slow the pandemic. For many businesses, even in the service industry, this means bringing operations to a standstill, with unpredictable long-term consequences. Only a few companies are prepared to send every employee home and still deliver the same level of service, because they already have a well-designed, high-capacity and redundant remote office solution that lets all employees reach the internal network over the Internet using a VPN or a similar solution. In this article I would like to show you how to implement, in less than 30 minutes, a working VPN solution that is secure, reliable and free of charge, at least for one month.
- Generating the license
- Installing the virtual machine
- Connecting to the device
- Interface configuration
- Edge Router configuration
- Configuring Remote Access
- SSL VPN (Remote Access)
- Sophos Connect Client
- Clientless access
- Active Directory
If you run a small or medium business, you most probably either have a local user on every PC or a small Active Directory server that performs user authentication. This guide covers both options. All you need is a server, workstation or ESXi host on which we will deploy a virtual machine, and an Internet router that supports NAT (port forwarding). You can also buy a dedicated firewall with the needed licenses if you prefer, or use an existing one. At the bottom you’ll find a list of suggested firewalls. There are three critical factors to consider:
- Your Internet link (both download and upload). I suggest a solid fibre connection of at least 20/20 Mbit/s. Asymmetric links with a higher download rate are fine, but check that the uplink is at least 20 Mbit/s: everything remote users download from the office leaves through your uplink.
- The more users, the more licenses you need and the more bandwidth is consumed; 10 employees can easily saturate a 20/20 Mbit/s link.
- A static IP assigned to your Internet router. It’s possible to make it work with a dynamic IP using dynamic DNS, and we will cover that later in this guide.
Generating trial license
In this guide, we will create a quick solution based on Sophos XG Firewall using a 30-day trial license. You can request a trial license here or by creating an account on Sophos Central. In the first option, you will be given a link to download a virtual machine. The second one can be used if you already have a machine or you want to register a new one. To generate a new trial license go to Firewall Management and choose Try Virtual Firewall.
Choose the option you prefer…
…and another tab opens where you can download the file. The license is generated on the same page. Save the license code (serial number) somewhere safe; you will need it later. Unpack the ZIP file.
Installing the virtual machine
Depending on the virtualization software your company uses, either deploy the image on your own platform or follow this part, where we install the Sophos XG Firewall on a VMware ESXi server. Here are the minimum requirements for the virtual machine:
- One vCPU
- 2 GB vRAM
- 2 vNICs (LAN and WAN)
- Primary disk with a minimum of 4 GB
- Report disk with a minimum of 80 GB
First login to your ESXi server and go to File -> Deploy OVF Template…
Browse to the location of the unpacked ZIP file and find sf_virtual.ovf.
Click Next through the wizard, name the virtual machine, and continue until you reach the Finish button. If you want to double-check your settings, compare them with the official installation guide.
Don’t start the machine yet as we want to configure a second interface. Choose your virtual machine and open the Edit virtual machine settings page.
Configure the interfaces according to your needs. I will bridge my first and second interface with the Ethernet connection on the server, but it’s up to you how many interfaces you configure and how. You can have only Port A and Port B if you wish and share management with one of them.
Power on the machine and go to console. We’ll configure the management interface. The default password is admin.
Choose 1. Network Configuration
Press Enter until you are asked whether you want to change the IPv4 address. Type “y” and press Enter.
Change the IP and mask to the correct one.
You should now be able to ping the device.
In case you got stuck at any point please check the following guides.
Connecting to the device
You should now be able to reach the device in a browser at https://<ipaddress>:4444; in my case it’s https://192.168.1.30:4444. The browser will warn that the connection is not secure because the firewall uses a self-signed certificate; on the trusted LAN during first setup, go to Advanced and open the page (replace the certificate with one issued by your own or a public CA before exposing the portal to users). You should see a welcome page.
Configure a new admin password and choose if you want to upgrade to the newest firmware during the initial configuration. You must have an Internet connection for that option to work. You can always do that later. Please remember to agree with the license agreement on the bottom of the page and click Continue.
If you don’t have a DHCP server you should check the manual configuration option. If you want to register the device later choose to Continue offline.
Configure the name and time-zone and register your firewall using a serial number you received at the beginning.
After you fill in the serial number and click continue you should receive a confirmation page as follows.
For now, let’s not change the configuration of other interfaces. On the next pages, you’ll be asked to choose protections you want to enable and fill in your email for notifications. You’ll see the review at the end. Applying the configuration can take a while and your machine will be rebooted.
After the reboot, you’ll be asked to log in again. Remember that you’ve configured a new password.
Go to Configure -> Network. Click on Port you want to configure. In my case, it’s Port C. I’ve set this interface in LAN zone and assigned IP 172.16.1.1/24. I’ve also created a new MGMT zone with only HTTPS and SSH services enabled and assigned this zone to Port A.
Here is my interface configuration.
If you have configured everything correctly, you should now be able to ping the LAN interface from other machines and servers in this network. I have two test machines, Windows 7 and Windows Server, with IP addresses 172.16.1.10 and .11. Both ping and Internet browsing work, as a default security policy allows traffic from LAN to WAN and performs hide NAT (masquerading). We’ll use those machines as our internal resources.
Edge Router configuration
Since the Sophos firewall now sits inside the internal network without a public IP address, the Internet router has to forward traffic to it, either with port forwarding or with a static 1-to-1 NAT. Most routers can do this: log in to your ISP router and look for the NAT/PAT, Port Forwarding or DMZ option. DMZ sends all inbound traffic from the Internet to one internal host; if you use it, verify that administrative services (HTTPS on 4444 and SSH) are enabled only for the MGMT zone and not for WAN, because every port of the firewall becomes reachable from outside. You probably already have servers published on the Internet, so if external port 443 is taken, forward external port 4443 to internal port 443 instead. Below you can find the example configuration from my Livebox.
If you use port forwarding, every port this guide relies on must be forwarded, and some services may still misbehave behind PAT. Ports to consider: TCP 443 (user portal), TCP 8443 and/or UDP 8443 (SSL VPN, depending on the protocol you choose), and UDP 500 and UDP 4500 (IKE and NAT-T for the IPsec-based Sophos Connect client). IPsec behind a NAT router depends on NAT-T over UDP 4500, because raw ESP (IP protocol 50) cannot be port-forwarded.
Whichever option you chose, you should now be able to log in to the Sophos User Portal from the Internet over 443 or 4443. You cannot test this from the same Internet connection, as many routers do not loop back their own public IP; the easiest way is to make a hotspot on your mobile phone, connect the laptop to it and browse to the public IP of your Internet router. You can check your public IP using whatismyip.org or ping.eu. Open the browser and navigate to https://yourpublicIP or https://yourpublicIP:4443. You should see the following web portal.
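To verify the forwarding from outside before involving users, here is an added Python check (not part of the original article or of any Sophos tool) that probes the TCP ports this guide relies on and fetches the SHA-256 fingerprint of the certificate the user portal presents, so you can compare it with the certificate shown in the firewall rather than blindly clicking through the browser warning. The address 203.0.113.10 is a documentation placeholder for your real public IP. UDP 8443, 500 and 4500 cannot be confirmed with a plain connect, so they are not probed.

```python
"""Probe the edge router's public address for the TCP ports this guide forwards.

Added example, not part of the article or of any Sophos tool. 203.0.113.10 is a
documentation placeholder for your real public IP.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional

# TCP ports the guide forwards to the Sophos XG firewall. UDP 8443 (SSL VPN on
# UDP) and UDP 500/4500 (IPsec for Sophos Connect) cannot be confirmed with a
# plain connect(), so they are deliberately not probed here.
TCP_PORTS: Dict[int, str] = {
    443: "user portal (default external port)",
    4443: "user portal when external 443 is already taken",
    8443: "SSL VPN client tunnel (TCP mode)",
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def probe(host: str, ports: Dict[int, str] = TCP_PORTS) -> Dict[int, bool]:
    """Probe every port in `ports` and return {port: reachable}."""
    return {port: tcp_open(host, port) for port in ports}


def tls_fingerprint(host: str, port: int = 443, timeout: float = 3.0) -> Optional[str]:
    """Return the SHA-256 fingerprint (hex) of the certificate served on host:port.

    Chain verification is disabled on purpose: the firewall still uses its
    self-signed certificate, and the goal is to compare this fingerprint with
    the one shown on the firewall's certificate page, not to trust the chain.
    Returns None if no TLS handshake could be completed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    if der is None:
        return None
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    for port, reachable in probe(target).items():
        state = "open" if reachable else "closed"
        print(f"TCP {port:<5} {state:<6} {TCP_PORTS[port]}")
    print("portal certificate SHA-256:", tls_fingerprint(target, 443))
```

Run it from the hotspot-connected laptop with your public IP as the argument; a port reported closed means the forward (or the firewall rule behind it) is missing, and a fingerprint that does not match the firewall's own certificate means something else answered on that port.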
Configuring Remote Access
There are plenty of options for building a Remote Access solution on Sophos XG Firewall, but for us the three below are the most important:
- SSL VPN (Remote Access)
- Sophos Connect Client
- Clientless access
I’ll describe the differences between those methods later. First, we need to configure a local group and add a user which we will use in all further tests. At the end of this guide, you will find the Active Directory part where we describe how to connect the firewall with our internal user database.
First, go to Configure -> Authentication and choose Groups. Click Add. Set the settings as follows.
Next step is to add user and assign to Local_remote_access_group.
Before configuring the remote access itself we need a firewall rule for traffic between the VPN and LAN zones in both directions: Protect -> Firewall -> Add Firewall rule… -> User/Network Rule. Enable Log firewall traffic at the bottom. For a quick start the rule can allow any service, but once the tunnel works, narrow it to the hosts and services remote users actually need (for example RDP to the terminal server and SMB to the file server) rather than the whole LAN.
When you have a user, group and a firewall rule it’s time to configure the VPN service. Go to Configure -> VPN.
You will probably notice that LAN IP has changed to 10.0.1.4. This is because this part of the guide was written for a gateway deployed in Microsoft Azure. Nevertheless, the procedure is the same.
SSL VPN (Remote Access)
Sophos SSL VPN is built on OpenVPN, so besides the Sophos SSL VPN client you can use the standard OpenVPN client on Windows, macOS, Linux or mobile devices with the exported configuration.
Users can download a customized SSL VPN client software bundle from the user portal. The bundle includes the SSL VPN client, the SSL certificates and a configuration file. The client supports many common business applications. Remote access policies use OpenVPN, a full-featured SSL VPN solution.
SSL VPN listens on TCP port 8443 by default, but you can change it to UDP to improve throughput: tunnelling TCP inside TCP performs badly on lossy links because both layers retransmit. You can find this option by clicking Show VPN settings in the top right corner.
Go to the SSL VPN (remote access) tab and click Add… Here you decide whether the firewall becomes the client’s default gateway (full tunnel: all of the user’s Internet traffic then flows through your uplink) or whether split tunnelling is used, by adding only the internal networks and hosts to the permitted resources. Those objects are defined under the System -> Hosts and Services tab.
To check if our SSL VPN policy works we need to browse to User Portal. You should now see the following options on the home page. Download client and configuration for your operating system and install SSL VPN Client. You can use your own application if you prefer. In this case, download only the configuration file.
Of course, the pre-generated configuration file needs some adjustment, as the firewall is not aware of the router’s public IP, at least in my setup. By default the configuration file lives in C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config. Look at the last 3 lines.
Remove all the lines starting with the word “remote” and add one with our public IP address instead, as follows. Save the file; you will most probably need admin rights to write into Program Files.
Time to test. You can find the SSL VPN Client near the clock. It is a small traffic light sign.
Fill in your username and password. If everything is OK you should see a green light in around 15 seconds.
Details about the connection can be checked using Logs or View Status by right-clicking the icon.
If you want to improve performance, change the protocol in VPN settings to UDP.
Remember to change the protocol (and the port, if you changed it) in the client configuration file too, and to forward UDP 8443 on the router.
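The edit above is easy to get wrong by hand when it has to be repeated for every user, so here is an added Python helper (not part of the original article or of the Sophos SSL VPN client) that rewrites an exported .ovpn profile: it collapses all "remote" lines into a single one pointing at the public address and optionally rewrites the "proto" line when you move SSL VPN to UDP. The embedded SAMPLE_PROFILE is a constructed stand-in for the exported file, and vpn.example.com / 203.0.113.10 are placeholders for your public hostname or IP.

```python
"""Rewrite the 'remote' lines of an exported Sophos SSL VPN (.ovpn) profile.

Added example, not part of the article or of the Sophos SSL VPN client.
SAMPLE_PROFILE is a constructed stand-in for the exported file; vpn.example.com
and 203.0.113.10 are placeholders for your public hostname/IP.
"""
import re
from pathlib import Path
from typing import Optional

# OpenVPN directives we touch: "remote <host> <port> [proto]" and "proto <tcp|udp>".
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(tcp|udp))?\s*$", re.IGNORECASE)
PROTO_RE = re.compile(r"^\s*proto\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample resembling an exported profile: the firewall lists every
# interface address it knows about, none of which is the router's public IP.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
route-nopull
route 172.16.1.0 255.255.255.0
remote 10.0.1.4 8443
remote 192.168.1.30 8443
auth-user-pass
"""


def rewrite_profile(text: str, public_host: str,
                    proto: Optional[str] = None,
                    port: Optional[int] = None) -> str:
    """Collapse all 'remote' lines into one that points at public_host.

    The port is taken from the first existing remote line unless `port` is
    given. If `proto` is "udp" or "tcp", the 'proto' line is rewritten too,
    which is what you need after switching the SSL VPN protocol on the firewall.
    """
    if proto is not None and proto.lower() not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    out = []
    inserted = False
    for line in text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            if not inserted:
                chosen_port = port if port is not None else int(m.group(2))
                out.append(f"remote {public_host} {chosen_port}")
                inserted = True
            continue  # drop every original remote line
        if proto is not None and PROTO_RE.match(line):
            out.append(f"proto {proto.lower()}")
            continue
        out.append(line)
    if not inserted:
        raise ValueError("no 'remote' line found; is this an exported Sophos profile?")
    return "\n".join(out) + "\n"


def rewrite_file(path: Path, public_host: str,
                 proto: Optional[str] = None, port: Optional[int] = None) -> Path:
    """Rewrite `path` in place, keeping a .bak copy of the original; returns the backup path."""
    original = path.read_text(encoding="utf-8")
    backup = path.with_name(path.name + ".bak")
    backup.write_text(original, encoding="utf-8")
    path.write_text(rewrite_profile(original, public_host, proto, port), encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Default client location from the article; writing there needs an elevated shell.
    default = Path(r"C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config")
    print(rewrite_profile(SAMPLE_PROFILE, "vpn.example.com", proto="udp"))
    print("real profiles live under:", default)
```

Point `rewrite_file` at the exported .ovpn once, then hand the rewritten file to users; if you later move SSL VPN to UDP on the firewall, run it again with `proto="udp"` so the client and the firewall agree.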
Finished configuration should be pushed to all users or stored in the shared storage. You can use Clientless Access to simplify that.
Sophos Connect Client
Sophos Connect client is VPN software that runs on Microsoft Windows 7 SP2 and later, and Mac OS 10.12 and later. It establishes highly secure, encrypted VPN tunnels for off-site employees. You can download the Sophos Connect client and Sophos Connect Admin by clicking Download on the Sophos Connect client page. This option is available only to administrators.
Sophos Connect Client is using IPsec so the communication ports are UDP 500 and 4500. Remember to add those ports to your PAT/NAT configuration and enable them on any other firewall you own.
Below you can find the basic configuration of the Connect client using a pre-shared key. Choose a long, random PSK (it is shared by every client), or use certificates for improved security. The IP pool assigned to clients can be any free range that does not overlap with your LAN.
You can Download the Sophos Connect and Sophos Connect Admin from the link above. The configuration can be exported using the Export connection button near Apply. Export the configuration and store it somewhere safe. We will need this later.
Now start Sophos Connect Admin. Use the Open button to load the configuration file we exported a few minutes ago. Change Target Host to our public IP and, if wanted, configure split tunnelling by adding only the networks that should be tunnelled, letting the rest of the traffic flow directly from the user’s PC to their ISP. Do this if you want to spare your bandwidth.
Here’s how my configuration looks.
After you’ve adjusted the configuration you should save it with the button in the bottom right corner and send it to all users.
When you have the new .scx file stored on your PC you can now open Sophos Connect. The configuration file can be imported using the Import connection button.
You’re now ready to Connect.
Fill in the username and password and sign in. In case of problems, you can check the errors in the Events tab.
You can check the information about the working connection using the three small icons.
The working connection should have values higher than 0 in both sent and received packets. If you use split-tunneling remember that only networks you’ve configured will be allowed.
Clientless access
Clientless access is the easiest option to configure: it requires no additional software on the user’s PC, but only a few protocols are supported.
It allows users to access services and areas on your networks, such as remote desktops and file shares, using only a browser and without additional plug-ins. Clientless access policies specify users (policy members) and bookmarks.
First, we need to configure some Bookmarks – servers that will be available for external access. Go to VPN -> Bookmarks and click Add. Below you can find an example configuration for RDP session to Windows 10.
Now we need to configure the Clientless access policy. Go to Clientless access tab and click Add… As simple as that we’re ready. No need for any new firewall rule.
To access Windows 10 using Clientless Access you should open User Portal, simply by browsing to the Public IP. The new option should be visible on the Home page. Click Windows_10 RDP to test the access.
We now have an RDP session to Windows 10 in our browser tab. How cool is that?
You can also use Clientless Access to distribute files, including the SSL VPN or Sophos Connect configuration files, to your users. Simply add a network share in the Bookmarks tab.
Don’t forget to add a new Bookmark to Published bookmarks or to the group.
After refreshing the user portal you should see a new File share.
Please be aware that only shared folders will be visible here.
Active Directory
Sophos, like other vendors, supports many authentication protocols, but this guide describes only local and Active Directory authentication. To configure a new authentication server go to Configure -> Authentication and click Add…
After you fill in all the details you should test the connection to the server. If everything works you can import the groups from the Domain Controller. To do this click the small icon as on the screenshot below. This will start a wizard.
Start and fill in the Base DN settings to query the database.
Check the groups which should have Remote Access.
Assign the policy to the group.
Under Groups check if the groups were imported correctly.
Under the Services tab you should add new authentication method to all VPN profiles.
The last step is to assign new Identity in Configure -> VPN -> SSL VPN(Remote Access).
After that, you should be able to authenticate using the same credentials used for Windows.
You can do the same in your network. Almost all vendors support Remote Access and they give trial licenses for free. The list below is my recommendation for you:
- Sophos XG Firewall
- Fortinet FortiGate
- Palo Alto Networks
- Check Point
- Cisco ASA and Firepower
- Juniper SRX
If you have any questions regarding this article please contact me here.