Strategy for RDP to server behind firewall?

Good morning all! I have a Sophos XG behind which is a server which I’d like to access via RDP. I have DNAT setup to forward the port to the server, but I don’t want to leave it turned on all the time. I could turn on remote HTTPS to the FW, and turn the DNAT rule on and off as needed. Any other reasonably secure strategies?

Thanks!

Set up VPN with two-factor authentication.

It’s never a good idea to leave RDP open to the public internet. Set up remote ssl VPN access instead.

RDP open is a ransomware invitation to the general public… Even whitelisting doesn’t work.

VPN to firewall, then RDP to host.

Don’t turn on HTTPS configuration over WAN.

I’ve set it up according to the guide. However, when I log into the User Portal, I can download the client, but not the config file. Nothing happens when I click on the SSL VPN Configuration - Download for Windows…

I’m guessing I set up something incorrectly for the user?

Got a good answer from Sophos. There’s a video which is more accurate than their guide:

https://support.sophos.com/support/s/article/KB-000035542?language=en_US

VPN, and also a scheduled service to turn RDP on and off on the server.

This.

Setting up either IPsec or SSL VPN with MFA on the XG is easy; use Sophos Connect to establish the connection.

Thanks! I’m doing so now. 1st time, so noob question. When specifying the lease range in the SSL VPN Settings tab, should the lease range be in the same subnet as my LAN server?

How do you set up MFA on the VPN?

No. VPN clients need their own range, and a rule to allow the RDP traffic to the server.
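The two suggestions above (a scheduled service that switches RDP on and off, and a rule that only allows RDP traffic from the VPN client range) can also be enforced on the server itself as defence in depth. The following PowerShell is an added example, not code from the thread or from Sophos: it assumes the XG SSL VPN lease range is 10.81.234.0/24 and a weekday 08:00–18:00 access window, both of which must be changed to match your setup, and it must be run elevated on the server.

```powershell
# Added example (not from the thread): limit RDP on the server to the VPN client range
# and keep it switched off outside a maintenance window. Run elevated on the server.
# ASSUMPTION: the SSL VPN lease range configured on the XG is 10.81.234.0/24 and the
# window is 08:00-18:00 on weekdays; adjust both values to your environment.
$VpnClientRange = '10.81.234.0/24'
$RuleName       = 'RDP from VPN clients only'
$TsKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Disable the built-in "Remote Desktop" rule group so RDP is not reachable from any
#    other address, then add one narrow inbound rule limited to the VPN range.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $VpnClientRange -Action Allow -Enabled False | Out-Null
}

# 2. Two scheduled tasks: one enables the rule and the RDP listener at the start of the
#    window, the other disables both at the end. fDenyTSConnections=1 turns the listener off.
$enable  = "Set-ItemProperty -Path '$TsKey' -Name fDenyTSConnections -Value 0; " +
           "Enable-NetFirewallRule -DisplayName '$RuleName'"
$disable = "Set-ItemProperty -Path '$TsKey' -Name fDenyTSConnections -Value 1; " +
           "Disable-NetFirewallRule -DisplayName '$RuleName'"
$days = 'Monday','Tuesday','Wednesday','Thursday','Friday'

foreach ($t in @(
    @{ Name = 'RDP-Window-Open';  Cmd = $enable;  At = '08:00' },
    @{ Name = 'RDP-Window-Close'; Cmd = $disable; At = '18:00' }
)) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$($t.Cmd)`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $days -At $t.At
    Register-ScheduledTask -TaskName $t.Name -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

# 3. Start in the closed state; the 08:00 task opens the window.
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayName $RuleName
```

The XG firewall rule allowing the VPN zone to reach the server on 3389 is still required; this only ensures the host refuses RDP from anything other than VPN clients, and refuses it entirely outside the window.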

Authentication > Multifactor authentication

Thanks! I saw that as I followed the Sophos Guide. I’ve set it up according to the guide. However, when I log into the User Portal, I can download the client, but not the config file. Nothing happens when I click on the SSL VPN Configuration - Download for Windows…

I’m guessing I set up something incorrectly for the user?

Saw this once. There it was that I had to config the default device certificate before I could download any user config. Maybe that’s the problem?

When logoff/logon doesn’t fix that, indeed.

Yup… that was it. Thanks!