SSL VPN: configure listening interface(s)
Ability to bind SSL VPN to a single interface.
Currently, when SSLVPN is enabled, it listens on all interfaces regardless of what is set in Local ACLs.
We need the ability to bind this to a single interface. If we use port 443 for SSL VPN, as many want to, it limits our ability to run WAF/DNAT for web servers on separate interfaces on 443.
The whole point of SSL VPN is that you can run it on 443 and the port won't get blocked by 'guest' networks etc. The current implementation is useless for anybody publishing websites.
Ewald Schlindwein commented
It's a shame for an enterprise firewall manufacturer not to implement this important feature and to claim that this FW will be the next generation to the highly reputed UTM. How to explain this to your customers?
VPN will not work in many places unless 443. It is critical to have WAF and VPN both use 443.
It seems crazy: if we have separate IPs for WAF and VPN, we can't use 443 on both.
There should be an option to choose which services (ports) on which WAN interface to listen, as on UTM. Then it will be easy to assign SSL VPN 443 on the desired WAN port.
I have 3 external IPs and with UTM it is easy to manage all.
With XG I can use them only for active/passive failover, or load balancing.
But in general it is useless to have more than one public IP with these limitations.
Listen on interface is a must, but is also not available in XG 18-GA.
UTM beats XG all the way except home licensing.
Rick-Rainer Ludwig commented
There is another feature with the same functionality set to 'Already Possible', but it is not: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/16593775-assign-the-built-in-services-vpns-admin-etc-to
The functionality to set the user portal and SSL VPN to single IP addresses is crucial and under discussion for 3 years!?
Giovanni P. commented
I just started with Sophos. This feature is so important! Without this feature, the entire product is useless. I hope you will fix that soon. This is more of a bug report than a feature request!
Are there any plans for this? We work on a client site where outgoing traffic is filtered and really need to be able to use 443 for SSLVPN.
At the moment we can't because we run WAF on just one of our 16 IP addresses.
Not just interface - also IP, as someone normally ends up with multiple IPs on one interface.
Please, we need this feature very urgently! :(
What?? I surely hope this will be resolved soon! I have 16 external IP addresses and I need just 1 for SSL VPN! Now after a couple of hours it turns out WAF is not possible when using SSL VPN. I actually wonder who does NOT use SSL VPN :(
We NEED this! Customizable list of interfaces that listen and the order they are put into the configuration file! Right now we have a random list of ALL interfaces in the config file, or ONE host name/IP. Useless.
Nino Renzi commented
Like many ideas, Sophos is not listening; the original post was on Jun 26th 2018.
We have WAF rules listening on 443. Many of our employees travel abroad and need to be able to connect to our VPN over 443, since hotels and countries block most non-standard ports. Was a UTM admin for years, switched to XG with the reassurance from Sophos Engineers that XG is capable of doing everything UTM can and more... Feeling misled ;(
Bradley Amm commented
This would be good. Just noticed I can't set up VPN on one IP and a WAF rule on another.
That's really a "must have". Could you please provide the ability to bind the service to one specific IP?
Really, it works that way? And I almost called our ISP to get me some more static IP addresses... Well, I guess not then. Shame on you, Sophos. Why have all the nice features from UTM been dropped on XG?
Heinrich Krebs commented
We have a customer here requesting a feature for XG SSL VPN Site-to-Site to assign traffic to a specific WAN interface. For your assistance, please. Thank you.