Point-To-Site VPN
Project Details
During the third week of March 2020, in the hasty wake of the Covid-19 pandemic, our organization had the urgent need to enable a percentage of its staff to work from home. Our ERP and most other resources are hosted on-premise. Therefore we needed to establish a secure remote connection to our local network.
After a research sprint within the team, we all agreed to go with Sophos, hence the need to install Sophos appliances at our core branches in Nigeria. The initial devices were XG135 series units deployed with firewall and VPN services; after about 2 years, some of these devices were upgraded to the XGS2100 series.
Firewall config:
The firewall configuration has 4 rules, each with its own application and web filtering defined. A general allow list and a general block list are referenced in all 4 rules, so they apply to every connected device. Users' devices are assigned to these rules (by MAC address) based on their job requirements, subject to the required approval.
VPN Config:
The VPN was first configured as a point-to-site VPN, accessed through the Sophos client with a unique config.ovpn file generated for each user. The VPN endpoint is a public IP address (configured on one of the WAN ports) provided by an ISP. A locally hosted virtual server running Windows Server 2019 serves as the call server. The Sophos device is configured to allow inbound RDP requests only to the call server, and only when the request originates from an IP address within the VPN tunnel's IP range.
Users have their profiles provisioned on the call server using a CAL license to allow multiple simultaneous connections. Users' workloads are all provisioned on their profiles with access to all required LAN resources for their job functions.
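As an added example (not part of the project's own configuration), a small Python check that mirrors the RDP rule described above and audits connection records against it, so a stray RDP attempt that bypasses the VPN would be flagged. The VPN pool, the call server address and the key=value log line format are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example; not the project's real addressing.
VPN_POOL = ipaddress.ip_network("10.81.234.0/24")    # assumed address pool handed to VPN clients
CALL_SERVER = ipaddress.ip_address("192.168.10.50")  # assumed LAN address of the call server
RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def rdp_allowed(flow: Flow) -> bool:
    """The page's rule: inbound RDP is accepted only when the destination is the
    call server AND the source address lies inside the VPN tunnel range.
    Non-RDP traffic is outside this rule's scope and is reported as allowed."""
    if flow.proto != "tcp" or flow.dport != RDP_PORT:
        return True
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return dst == CALL_SERVER and src in VPN_POOL


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src=... dst=... dport=... proto=...' record."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("proto", "tcp"))


def audit(lines):
    """Return the flows that violate the RDP rule (what the firewall should have dropped)."""
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if not rdp_allowed(f)]


# Constructed sample records (not a real Sophos log format).
SAMPLE_LOG = [
    "src=10.81.234.7 dst=192.168.10.50 dport=3389 proto=tcp",   # VPN client -> call server: allowed
    "src=203.0.113.8 dst=192.168.10.50 dport=3389 proto=tcp",   # source outside the VPN pool: violation
    "src=10.81.234.7 dst=192.168.10.51 dport=3389 proto=tcp",   # RDP to a host other than the call server: violation
    "src=10.81.234.9 dst=192.168.10.50 dport=445 proto=tcp",    # not RDP: not covered by this rule
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print("RDP rule violation:", violation)
```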
Later in 2022, we took advantage of the VPN license to configure a site-to-site VPN between core branches in Nigeria, using the IPsec protocol. Now we can securely map local drives across branches and also initiate RDP connections between these branches.