Sophos XG Firewall - Configuring SSL VPN Client-to-Site Remote Access

These notes describe the steps to configure an SSL VPN Client Remote Access connection, something employees working from home during this pandemic badly need in order to reach the office applications.

Here are the topology and the scenario:

SSL VPN Remote Access Diagram - ITSTAFF.web.id

Location                 JAKARTA             REMOTE USERS
Site                     Head Office         Other Location
Device                   Sophos XG 210       Notebook/Mobile phone
Device IP                192.168.101.254     -
LAN Subnet               192.168.101.0/24    192.168.109.0/24
LAN Port                 Port6               -
WAN Bandwidth            Dedicated 30 Mbps   -
WAN IP                   103.138.40.11       -
WAN Port                 Port1               -
SSL VPN Protocol         TCP                 -
SSL Server Certificate   CertTheHoneyLady    -
SSL VPN Port             4443                -
JKTFA01 IP               192.168.101.231     -
JKTFS01 IP               192.168.101.241     -

PREREQUISITES
Note that for the first-time configuration of SSL VPN you must edit the attributes of the Sophos Firewall's default certificate, otherwise the SSL VPN configuration will not work. Follow the steps in Update Default CA to edit the default certificate.

Okay then, without further ado, let's start the configuration.

1. Configure XG210-JAKARTA

  • Log in to the Sophos XG 210 Firewall, then add the Jakarta LAN subnet and the Remote User subnet as IP hosts: click SYSTEM ⇒ Host and services ⇒ IP host ⇒ Add
    • Local LAN (Jakarta Subnet)

      IP host Jakarta - ITSTAFF.web.id

    • Remote User (SSL VPN Subnet)

      IP host SSL VPN - ITSTAFF.web.id

    •  Save

  • Next, create the SSL VPN group: click CONFIGURE ⇒ Authentication ⇒ Groups ⇒ Add
    • Group name *: VPN IT Group
    • Group type *: Normal
    • Surfing quota *: Unlimited Internet Access
    • Access time *: Allowed all the time
    • Network traffic *: None
    • Traffic shaping: None
    • Remote access *: No policy applied
    • Clientless *: No policy applied
    • Quarantine digest *: Enable
    • MAC binding: Enable
    • L2TP *: Enable
    • PPTP *: Enable 
    • Sophos Connect client *: Disable (default)
    • Login restriction *: Any node
    •  Save

  • Then create the user: click CONFIGURE ⇒ Authentication ⇒ Users ⇒ Add
    • Username *: it.staff
    • Name *: IT Staff
    • Password *: ITStaff098765
    • User type *: Administrator
    • Profile *: Profile (default)
    • Email *: IT.Staff@thehoneylady.co.id
    • Group *: VPN IT Group
    • Leave the rest at the defaults; they will follow the settings of the group created above.
    •  Save 

  • Create the SSL VPN policy: click CONFIGURE ⇒ VPN ⇒ SSL VPN (remote access) ⇒ Add
    • Name *: SSL VPN IT Policy
    • Policy members: VPN IT Group
    • Use as default gateway: OFF
    • Permitted network resource (IPv4): Local LAN
    • Permitted network resource (IPv6): Leave empty
    • Disconnect idle clients: OFF
    •  Save 

  • Verify the authentication services used for Firewall and SSL VPN authentication: click CONFIGURE ⇒ Authentication ⇒ Services

    Firewall Authentication Services - ITSTAFF.web.id
    SSL VPN Authentication Services - ITSTAFF.web.id

    • Tick Local authentication server list ⇒ Save

  • Verify the zones from which SSL VPN is allowed: click SYSTEM ⇒ Administration ⇒ Device access

    Devices Access Sophos XG - ITSTAFF.web.id

    • Tick ZONE LAN (SSL VPN and User Portal)
    • Tick ZONE WAN (SSL VPN)
    • Tick ZONE VPN (User Portal)
    •  Save

  • Configure the advanced SSL VPN settings: click CONFIGURE ⇒ VPN ⇒ Show VPN settings

    Show VPN Settings - ITSTAFF.web.id

    • Protocol *: TCP
    • SSL server certificate *: CertTheHoneyLady or ApplianceCertificate
    • Override hostname: Leave empty
    • Port *: 4433
    • IPv4 lease range *: 192.168.101.11 - 192.168.101.200
    • Subnet mask *: /24 (255.255.255.0)
    • IPv6 lease (IPv6/prefix) *: 2001:db8::1:0 (leave the default)
    • Lease mode *: IPv4 only 
    • IPv4 DNS : 192.168.101.251 - 192.168.101.254
    • IPv4 WINS: Leave empty
    • Domain name : thehoneylady.co.id
    • Disconnect dead peer after *: 180 Seconds (default)
    • Disconnect idle peer after *: 60 Minutes (default)

    • Encryption algorithm: AES-256-CBC
    • Authentication algorithm: SHA2 256
    • Key size : 2048 bit
    • Key lifetime : 28800 Seconds

    • Compress SSL VPN traffic : checked

    •  Apply

  • After that, create the two firewall rules for SSL VPN Remote Access traffic: click PROTECT ⇒ Firewall (v17) / Rules and policies (v18) ⇒ + Add firewall rule ⇒ User/network rule
    • Rule name *: VPN_REMOTE
    • Action: Accept
    • Rule position: Top
    • Rule group: VPN to LAN
    • Source
      • Source zones * ⇒ Add new item: VPN
      • Source networks and devices * ⇒ Add new item: 109.168.192_SSL_VPN_JKT
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: LAN
      • Destination networks * ⇒ Add new item: 101.168.192_JKT
      • Services *: Any
    • Identity (v17)
      • Match known users: checked
      • Show captive portal to unknown users: unchecked
      • User or groups: VPN IT Group
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked / None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked / None
    • Log traffic
      • Log firewall traffic: checked
    • ⇒ Save
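As an added consistency check (example code written for this note, not part of the Sophos product or the original post), the following Python script models the three objects defined in the steps above, the Local LAN IP host, the Remote User IP host used as the VPN_REMOTE rule source, and the IPv4 lease range from Show VPN settings, and reports where they disagree. The addresses are the ones given on this page; the function names are this example's own.

```python
import ipaddress

# Objects transcribed from the steps on this page (assumed deployment values).
LAN_JKT = ipaddress.ip_network("192.168.101.0/24")      # IP host "Local LAN", rule destination
SSL_VPN_JKT = ipaddress.ip_network("192.168.109.0/24")  # IP host "Remote User", rule source
SERVERS = ["192.168.101.231", "192.168.101.241"]        # JKTFA01, JKTFS01
LEASE_FIRST, LEASE_LAST = "192.168.101.11", "192.168.101.200"  # IPv4 lease range
LEASE_MASK = "255.255.255.0"                            # Subnet mask /24


def lease_network(first, last, mask):
    """Subnet the lease range lives in; rejects a range that straddles two subnets."""
    net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    if ipaddress.ip_address(last) not in net:
        raise ValueError(f"lease range {first}-{last} is not inside one {mask} subnet")
    return net


def check_ssl_vpn_config(lan, rule_source, servers, first, last, mask):
    """Return the list of mismatches between lease range, IP hosts and firewall rule."""
    findings = []
    lease_net = lease_network(first, last, mask)
    # 1. Leases must not be taken from a LAN subnet: the firewall would then see
    #    the same prefix as connected on Port6 and through the tunnel, so return
    #    traffic to the VPN clients is routed ambiguously.
    if lease_net.overlaps(lan):
        findings.append(f"lease range {first}-{last} overlaps LAN {lan}")
    # 2. The VPN_REMOTE rule's source object must cover every leased address,
    #    otherwise packets from the client never match the rule and are dropped.
    if not all(ipaddress.ip_address(a) in rule_source for a in (first, last)):
        findings.append(f"rule source {rule_source} does not cover the lease range")
    # 3. The rule destination (the same object as the permitted network resource)
    #    must contain the servers the remote users need to reach.
    for s in servers:
        if ipaddress.ip_address(s) not in lan:
            findings.append(f"server {s} is outside rule destination {lan}")
    return findings


def page_findings():
    """Run the checks against the values exactly as given on this page."""
    return check_ssl_vpn_config(LAN_JKT, SSL_VPN_JKT, SERVERS,
                                LEASE_FIRST, LEASE_LAST, LEASE_MASK)


if __name__ == "__main__":
    for line in page_findings() or ["configuration is consistent"]:
        print(line)
```

Run as-is it reports that the lease range sits inside the Jakarta LAN and is not covered by the 192.168.109.0/24 rule source; moving the lease range into the Remote User subnet clears both findings.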

That is all that needs to be done to set up an SSL VPN Remote Access connection on the Sophos XG210; the configuration above can also be applied to the Sophos XG Firewall series running firmware v17 or v18. I hope these notes are useful to me and to whoever reads them.
