Create an SSL VPN tunnel using Sophos UTM9 to allow encrypted Windows Remote desktop connections. Topology consists of a Windows Active Directory, Sophos UTM, internal and external clients. Users want to be able to connect to internal desktop clients from external networks.
The main steps to this case were:
- Allow a user to authenticate logins to the ADUC using LDAP
- Configuring VPN SSL logins
- Configuring the End-User Portal
- Installing VPN Client
- Finishing up with RDP configuration
Step 1: LDAP connectivity
We need to know a few things:
- The domain name
- Credentials of a user that can add computers to the domain
- The OU of the userbase (usually just ‘users’)
To set up the LDAP connection, we need to add an authentication server within Authentication Services. With backend set as Active directory, we can set the Bind DN (the user that adds computers to the domain) and the Base DN (the Base points to where the users are located).
The Bind DN would specify the user, and the format would be “CN=Administrator,CN=Users,DC=DOMAIN,DC=local”. The Administrator user can be replaced with any other user with the privilege to add computers to the ADUC.
The password is needed to test connectivity; if the connection fails, there is something wrong with the privileges set for the Bind DN user.
To get users for the specific Organizational unit, OU must be specified as the following (with SBSUsers being the example): “OU=SBSUsers,OU=Users,OU=MyBusiness,DC=DOMAIN,DC=local”. This specifies users to be searched within the SBSUsers folder in the Active directory console.
Adding this connection allows Sophos to authenticate users against AD.
Step 2: SSL authentication for VPN
We need to allow a certain set of users to be allowed to connect to the Sophos UTM with SSL. Create a new profile with AD Users specified to access the Local internal network. Under settings, specify the public IP in the Override hostname portion with an obscure port. Chances are, the standard port is already occupied by other services in the network. By changing this, we are allowing connections to the IP without conflicting with an already used port.
Step 3: End user portal access
Sophos creates dynamic installers according to whoever logs in. Therefore we need to allow users to login to the user portal to retrieve their dedicated installer.
In the User portal page under the Management section, we need to enable End-User Portal, and also allowing any IPv4 network. Allow all users and under the Advanced tab, the hostname must be set to the same public IP we discovered before, and specify a port that is not in use.
Combined with the LDAP authentication, users can now log into the user portal with their AD credentials.
Step 4: Install VPN Client
As much as I like to use the built in VPN client in Windows, PPTP doesn’t allow for authentication against Active Directory – at least in the Sophos environment. Furthermore, OSX 10.12 Sierra completely removes the PPTP functionality due to security reasons. The VPN client is less daunting in terms of first time setup, but does introduce some annoyances such as requesting for the password everytime we connect.
We need to access the user portal using https://ip-address:portnumber
From there, users can access the “remote access” section and download the installer that includes the VPN Server address. Users can’t adjust this which is why Sophos includes a secondary download to update the keys and configuration.
Step 5: Configure RDP
Since the Sophos VPN client refuses to remember credentials and forces you right-click and press connect, then enter in your password, we’ll eliminate the need to type the password in again when user remotes into the internal desktop. Within Remote Desktop Connection, there is a checkbox that allows you to save credentials. A windows credential login box pops up and you should enter in the username and password of the internal AD user after clicking “use a different account”, along with checking the “remember me” check box. Connecting should sign you in immediately.
Although port forwarding allows for simpler setup, the VPN allows us to remote into the internal network and connect to any RDP enabled desktop with a single Public IP, but specifying internal computers.
The only drawbacks when it comes to scalability is that we need to specify static addresses either through the desktop network properties or create an IP reservation within the UTM if that is where the DHCP server resides.