[ADS] Top Ads

[TUTORIAL] Sophos XG Firewall - Konfigurasi SSL VPN Client-to-Site Remote Access

Catatan ini akan menjelaskan langkah-langkah untuk mengkonfigurasi koneksi SSL VPN Client Remote Access di Sophos XG Firewall, dimasa pandemi Covid-19 ini sangat dibutuhkan oleh perusahaan yang diharuskan karyawannya bekerja dari rumah (Work From Home) dengan tujuan mengakses server atau aplikasi yang berada di kantor dari jarak jauh.

Berikut Topologi & Skenarionya


SSL VPN Remote Access Diagram - ITSTAFF.web.id

Location JAKARTA REMOTE USERS
Site Head Office Other Location
Device Name Sophos XG 210 Notebook/Handphone
Device FirmwareSFOS 17.5.15 MR-15
SFOS 18.5.4 MR4-Build418
-
Device IP 192.168.101.254 -
LAN Subnet 192.168.101.0/24 192.168.109.0/24
LAN Port Port6 -
WAN Bandwidth Dedicated 30 Mbps -
WAN IP 103.138.40.11 -
WAN Port Port1 -
SSL VPN Protocol TCP -
SSL Server Certificate CA_HLID -
SSL VPN Port 4443 -
JKTFA01 IP 192.168.101.231 -
JKTFS01 IP 192.168.101.241 -
PREQUISITES
Please note that for the first-time configuration of SSL VPN, it is required to edit the attributes of the default certificate of the Sophos Firewall to be able to make the SSL VPN configuration work. Follow the steps in Update Default CA to edit the default certificate.

Oke lah kalau begitu, tanpa basa-basi lagi, langsung saja mari kita mulai konfigurasi...

1. Konfigurasi SSL VPN Client-to-Site Remote Access

1.1. Login ke Sophos XG 210 Firewall, langkah pertama adalah menambahkan LAN Subnet Jakarta dan Remote User, klik SYSTEM Host and services IP hostAdd

  • Local LAN (Jakarta Subnet)
  • IP host Jakarta - ITSTAFF.web.id
  • Remote User (SSL VPN Subnet)
  • IP host SSL VPN - ITSTAFF.web.id
  • Save

1.2. Jika kalian sudah menghubungkan Sophos Firewall ke Active Directory server, kalian bisa SKIP 1.2 dan 1.2.1 atau ikuti panduan menambahkan Active Directory ke Sophos Firewall dan kalian bisa langsung login ke User Portal serta lanjut ke 1.3. SSL VPN Policy. Jika belum, kalian harus membuat Group SSL VPN, klik CONFIGURE Authentication Groups Add

  • Group name* : VPN IT Group
  • Group type* : Normal
  • Surping quota* : Unlimited Internet Access
  • Access time* : Allowed all the time
  • Network traffic : None
  • Traffic shaping : None
  • Remote access* : No policy applied
  • Clientless* : No policy applied
  • Quarantine digest* : Enable
  • MAC binding : Enable
  • L2TP* : Disable
  • PPTP* : Disable
  • Sophos Connect client* : Disable (default)
  • IPsec remote access* : Disable (default)
  • Login restriction *: Any node
  • Save

1.2.1. Selanjutnya adalah membuat User SSL VPN, klik CONFIGURE Authentication Users Add

  • Username *: it.staff
  • Name* : IT Staff
  • Password* : Passwd it.staff
  • User type* : Administrator
  • Email* : it.staff@thehoneylady.co.id
  • Group* : VPN IT Group
  • Yang lain biarkan Default, nanti akan mengikuti pengaturan Group yang telah dibuat pada point 1.2.
  • Save

1.3. Setelah itu, membuat SSL VPN Policy, klik CONFIGURE VPN SSL VPN (remote access) Add

  • Name *: IT SSL VPN
  • Policy members: VPN IT Group
  • Use as default gateway: OFF
  • Permitted network resource (IPv4): Local LAN
  • Disconnect idle clients: OFF
  • Save

1.4. Verifying the authentication services for Firewall and SSL VPN Authentication, click CONFIGURE Authentication Services 'Firewall authentication methods' and 'SSL VPN authentication methods'

  • Local: checked
  • Apply
Firewall Authentication Services - ITSTAFF.web.id
SSL VPN Authentication Services - ITSTAFF.web.id

1.5. Verifying the allowed zones for SSL VPN, click SYSTEM Administration Device access

  • ZONE LAN (SSL VPN & User Portal): checked
  • ZONE WAN (SSL VPN & User Portal): checked
  • ZONE VPN (User Portal): checked
  • Save

Devices Access Sophos XG - ITSTAFF.web.id

1.6. Configuring advanced SSL VPN settings, click CONFIGURE VPN Show VPN settings

Show VPN Settins - ITSTAFF.web.id

  • Protocol *: TCP UDP
  • SSL server certificate *: CA_HLID
  • Override hostname :
  • Port* : 4443
  • IPv4 lease range* : 192.168.101.11 - 192.168.101.200
  • Subnet mask* : /24 (255.255.255.0)
  • IPv6 lease (IPv6/prefix)* : Default
  • Lease mode* : IPv4 only
  • IPv4 DNS : 192.168.101.251 - 192.168.101.252
  • Domain name : thehoneylady
  • Disconnect dead peer after* : 180 Seconds (default)
  • Disconnect idle peer after* : 60 Minutes (default)

  • Encryptografic algorithm : AES-256-CBC
  • Authentication algorithm : SHA2 256
  • Key size : 2048 bit
  • Key lifetime : 28800 Seconds

  • Compress SSL VPN traffic : checked
  • Apply

1.7. Terakhir adalah membuat dua Firewall Rules SSL VPN Remote Access traffic, klik PROTECT Firewall (v17) / Rules and policies (v18) + Add firewall ruleUser/network rule

    1.7.1. Group VPN to LAN
  • Rule name *: VPN_LAN_REMOTE
  • Action: Accept
  • Log firewall traffic checked
  • Rule position: Top
  • Rule group: VPN to LAN
  • Source
    • Source zones * ⇒ Add new item: VPN
    • Source networks and devices * ⇒ Add new item: 109.168.192_SSL_VPN_JKT
    • During scheduled time: All the time
  • Destination and services
    • Destination zones * ⇒ Add new item: LAN
    • Destination networks * ⇒ Add new item: 101.168.192_JKT
    • Services *: Any
  • Identity (v17): Match known users: checked
  • Show captive portal to unknown users: unchecked
  • User or groups: VPN IT Group
  • Web malware and content scanning (v17) / Security features (v18)
    • Web policy : None
    • Scan FTP for malware checked
    • Unchecked All
  • Advanced (v17) / Other security features (v18)
    • App control : None
    • IPS : None
    • Shape traffic : None
    • Scan email content : None
  • Save

    1.7.2. Group LAN to VPN
  • Rule name *: LAN_VPN_REMOTE
  • Action: Accept
  • Log firewall traffic checked
  • Rule position: Top
  • Rule group: LAN to VPN
  • Source
    • Source zones * ⇒ Add new item: LAN
    • Source networks and devices * ⇒ Add new item: 101.168.192_JKT
    • During scheduled time: All the time
  • Destination and services
    • Destination zones * ⇒ Add new item: VPN
    • Destination networks * ⇒ Add new item: 109.168.192_SSL_VPN_JKT
    • Services *: Any
  • Identity (v17): Match known users unchecked
  • Web malware and content scanning (v17) / Security features (v18)
    • Web policy: None
    • Scan FTP for malware checked
    • Unchecked All
  • Advanced (v17) / Other security features (v18)
    • App control: None
    • IPS: None
    • Shape traffic: None
    • Scan email content: None
  • Save

Berikut posisi atau penempatan Firewall Rules yang saya terapkan pada perangkat Sophos XG210 Firewall.

  • LAN to VPN
    • LAN_VPN_REMOTE (1.7.2)
  • WAN to LAN
  • LAN to WAN
  • LAN to LAN
  • VPN to LAN
    • VPN_LAN_REMOTE (1.7.1)

Selesai, itu saja yang saya lakukan untuk membuat koneksi SSL VPN Remote Access di Sophos XG210 Firewall, konfigurasi di atas bisa juga diterapkan pada Sophos XG Firewall Series dengan firmware v17, v18. Semoga catatan ini bisa berguna untuk saya dan kalian yang membacanya.


[ADS] Bottom Ads

© 2020 - . All Rights Reserved.