Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

627 Pages


| Configure | 275

Figure 279: SSL VPN (Remote Access) Idle Timeout

6. Click Apply.

New remote access policies immediately appear on the SSL VPN (Remote Access) list.

Note: For remote access connections to work, check that LAN and WAN zones are activated for the User Portal on the System > Administration > Device Access page.

SSL VPN (Site to Site)

The SSL VPN (Site to Site) tab allows you to establish secure site-to-site VPN tunnels via an SSL connection.

SSL VPN connections have distinct roles attached. The tunnel endpoints act as either client or server. The client always initiates the connection; the server responds to client requests. Keep in mind that this contrasts with IPsec, where both endpoints can normally initiate a connection.

Server Connections

This section displays a list of all existing SSL VPN site-to-site server connections along with their status, connection name, connection, local and remote networks, received and sent bytes, and the date of connection. You can sort the list by the connection name or by the local or remote networks. The list displays the status of each connection as follows:

Status

Indicates if the connection is active or not. You can activate/deactivate the connection by clicking the toggle switch.

Connection Name

Displays the name of the connection.

Connection

Indicates the status of the connection: online (green) or offline (red).

Local Networks

Displays the local networks that are allowed to be accessed remotely.

Remote Networks

Displays the remote networks that are allowed to connect to the local network(s).

Bytes

Indicates the number of bytes sent and received through this connection.

Connected Since

Displays the date the connection was established.

Figure 280: Server

Client Connections

This section displays a list of all existing SSL VPN site-to-site client connections along with their status, connection name, connection, usage of HTTP proxy server, and received and sent bytes. You can sort the list by the connection name and the usage of the HTTP proxy server. The page also provides options to add, edit, download or delete a connection.

The list displays the status of each connection as follows:

Status

Indicates if the connection is activated or not. You can activate/deactivate the connection by clicking the toggle switch.

Connection Name

Displays the name of the connection.

Connection

Indicates the status of the connection: online (green) or offline (red).

Use HTTP Proxy Server

Displays the HTTP proxy server which is used for the connection.

Bytes

Indicates the number of bytes sent and received through this connection.


Figure 281: Client

Add SSL VPN Site-to-Site Server Connection

This page describes how to add an SSL VPN site-to-site server connection.

1. Go to Configure > VPN > SSL VPN (Site to Site) and click Add in the Server section.

2. Specify the server details:

Connection Name

Enter a descriptive name for the connection.

Description

Enter the description or other information.

Use Static Virtual IP Address

Only select this option if the IP address pool is not compatible with the client's network environment. By default, clients are assigned an IP address from a virtual IP pool. Rarely, it may happen that such an IP address is already in use on the client's host. In that case, enter a suitable IP address in the Static Peer IP field, which will then be assigned to the client during tunnel setup.

Local Networks

Select or add one or more local networks to which remote network(s) are allowed to connect. If you create a new network, you can either add a single IP host or an IP host group.

Remote Networks

Select or add one or more remote networks that are allowed to connect to the local network(s). If you create a new network, you can either add a single IP host or an IP host group.


Figure 282: Add SSL Server Connection

3. Click Save.

The new SSL VPN site-to-site server connection appears on the Server list.

The next step is the client configuration, which has to take place on the client side and not on the server side. Download the client configuration file using the button provided in the Server list.

Note: If you want to send the file via mail, it is recommended to use the encryption option provided in the download dialog.

How to configure the client is described in the Client section.

Add SSL VPN Site-to-Site Client Connection

This page describes how to add an SSL VPN site-to-site client connection.

1. Go to Configure > VPN > SSL VPN (Site to Site) and click Add in the Client section.

2. Specify the client details:

Connection Name

Enter a descriptive name for the connection.

Description

Enter the description or other information.

Configuration File

Browse for the client configuration file and click Open.

Note:

• The file has to be in .apc or .epc format.

• The file can be downloaded via the download icon in the Manage column of the server list on the System > VPN > SSL VPN (Site to Site) page.

Password (optional)

If the file has been encrypted, enter the password.

Use HTTP Proxy Server (optional)

Activate if the client is located behind a proxy server and enter the proxy settings:

Proxy Server: Select or add a proxy server.

Proxy Port: Enter a proxy port.
