P6 - Configure SSL VPN Sophos Client-to-Site
Step-by-Step Remote Access Setup
Secure remote access is no longer optional — it is essential. SSL VPN Client-to-Site allows users to securely access internal networks from remote locations using encrypted tunnels over the internet.
In this guide, you will learn how to configure SSL VPN on Sophos Firewall step by step.
We will cover:
• User authentication
• VPN configuration
• Firewall rule behavior
• Portal access settings
• Client installation
• Testing and verification
This setup is ideal for:
• Remote workers
• IT administrators
• Home lab environments
• Small and medium businesses
Proper VPN configuration ensures encrypted and secure connections between remote devices and your internal network.
Follow this demo carefully to enable secure remote access using Sophos Firewall.
Why Configure SSL VPN on Sophos Firewall?
When you configure SSL VPN, you gain:
🔐 Encrypted communication
🌍 Secure remote access
🏢 Internal network protection
👨‍💻 Centralized user control
📊 Controlled network segmentation
SSL VPN Client-to-Site is one of the most commonly used and reliable VPN methods in Sophos deployments.
Step 1: Create VPN User/Group
Navigate to:
Authentication > Groups/Users
Create a new user:
• Create user: vpnuser
• Assign to SSL VPN group
Make sure the user is properly added to the SSL VPN group to allow access.
User authentication is the foundation of secure VPN access.
Step 2: Enable SSL VPN
Go to:
CONFIGURE > REMOTE ACCESS VPN > SSL VPN (Remote Access)
Configure the following settings:
• Select the IP range assigned to the VPN client
Example: 10.81.0.0/24
• Select the network to be accessed
Example: LAN
• Select the allowed user or group of users
Define which internal networks (or hosts) VPN users are permitted to access.
After creating the SSL VPN configuration, a Firewall Rule will be automatically generated.
This rule allows VPN zone traffic to reach the internal network.
Important:
Always verify the generated firewall rule placement.
Step 3: Set Permissions for VPN Device Access
Next, configure portal and device permissions.
Change the VPN Portal port (avoid using port 443), for example to 8443.
This helps avoid conflicts with HTTPS services and improves security segmentation.
Set permissions for the VPN to access the Firewall.
Ensure appropriate Device Access settings are configured.
This step ensures that users can access the VPN service without exposing unnecessary management interfaces.
Step 4: Download Sophos Connect Client and Configuration File
Check which port the portal is using.
Example portal link:
https://IP_FW:8443/
Access the portal from an external network.
Log in using: vpnuser
Download:
• ✅ Sophos Connect Client
• ✅ .ovpn configuration file
Important Note:
If the portal user permission is selected incorrectly in Device Access, the user will be redirected to the portal page instead of the VPN download page.
Make sure permissions are configured properly.
This is a common configuration mistake when you configure SSL VPN for the first time.
Step 5: Install the Client on the Remote Machine
On the remote computer:
Run the .msi installer: Next → Next → Finish
After installation:
• Import the .ovpn file
• Connect to the VPN
Once connected, the machine will be assigned a private IP address.
Example:
10.81.234.6
This IP belongs to the VPN IP range defined earlier.
Verify VPN Connectivity
After connection, test internal access.
You can now access:
• Internal printer
• Internal web server
• Internal Sophos interface
To verify the connection:
• Ping test
ping 192.168.x.x (internal device)
• Access GUI
http://192.168.x.x
If ping and web access succeed, the VPN configuration is working correctly.
Always validate connectivity before closing the deployment session.
Common Mistakes When You Configure SSL VPN
❌ Using port 443 for VPN portal
❌ Incorrect user group assignment
❌ Wrong VPN IP range overlapping LAN
❌ Misconfigured Device Access permissions
❌ Testing from internal network instead of external
Avoiding these mistakes ensures stable remote access deployment.
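The addressing checks behind Step 2, Step 5 and the overlapping-range mistake listed above can be scripted and run before and after deployment. This is an added example, not part of the original guide or any Sophos tooling; the function name check_vpn_addressing and the 192.168.10.0/24 and 192.168.1.0/24 networks are assumptions chosen for illustration.

```python
import ipaddress


def check_vpn_addressing(vpn_pool, internal_nets, assigned_ip=None, client_lans=()):
    """Return a list of findings; an empty list means the plan is consistent.

    vpn_pool      -- lease range handed to SSL VPN clients (Step 2)
    internal_nets -- networks the VPN users are permitted to reach
    assigned_ip   -- address the client received after connecting (Step 5)
    client_lans   -- networks the remote machine sits on (home, hotel Wi-Fi)
    """
    pool = ipaddress.ip_network(vpn_pool)  # raises ValueError on a malformed range
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []

    # Mistake: the VPN range overlaps a network reached through the tunnel.
    for net in internal:
        if pool.overlaps(net):
            findings.append(f"VPN pool {pool} overlaps internal network {net}")

    # A remote LAN that collides with the pool or an internal network means
    # traffic for those addresses may stay local instead of entering the tunnel.
    for lan in map(ipaddress.ip_network, client_lans):
        for net in [pool, *internal]:
            if lan.overlaps(net):
                findings.append(f"client LAN {lan} overlaps {net}")

    # After connecting, the lease must come from the configured pool.
    if assigned_ip is not None:
        ip = ipaddress.ip_address(assigned_ip)
        if ip not in pool:
            findings.append(f"assigned address {ip} is outside VPN pool {pool}")
    return findings


if __name__ == "__main__":
    # Pool and lease are the guide's example values; the LANs are constructed.
    for finding in check_vpn_addressing(
        "10.81.0.0/24",
        ["192.168.10.0/24"],
        assigned_ip="10.81.234.6",
        client_lans=["192.168.1.0/24"],
    ):
        print("FINDING:", finding)
```

Run with the guide's example values, the only finding is that 10.81.234.6 lies outside 10.81.0.0/24, so substitute the range actually configured in Step 2 and the address the client actually receives.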
Best Practices for SSL VPN Deployment
✅ Use strong passwords for VPN users
✅ Limit accessible internal networks
✅ Change default portal ports
✅ Monitor VPN logs regularly
✅ Disable unused services
Security should always be your top priority when deploying remote access solutions.
Conclusion
In this tutorial, you successfully learned how to configure SSL VPN Client-to-Site on Sophos Firewall.
You have:
• Created VPN user and group
• Enabled SSL VPN
• Configured VPN IP range
• Adjusted portal port
• Downloaded client and .ovpn file
• Installed client on remote machine
• Verified internal connectivity
By properly configuring SSL VPN, you ensure:
✔ Secure encrypted remote access
✔ Controlled internal network visibility
✔ Professional firewall deployment
Your Sophos Firewall is now ready to support secure remote users in real-world production environments.
In the next part, you can extend this setup with:
• Site-to-Site VPN
• MFA integration
• Advanced VPN policies
• Network segmentation
Secure connectivity starts with properly configuring SSL VPN, and now you have done it the right way.