Set up 2FA for your VPN: Server instructions

Add two factor authentication to a VPN using Sophos UTM: Part one

Posted on 18 February 2019 by Beaming Support

When you add 2FA to a VPN login you add an extra dimension of security, meaning users may only log on after providing an additional piece of information to prove their identity, in this case a code from Google Authenticator.

This may be critical for your business to comply with industry regulations, or just a feature that gives you peace of mind about the security of your business data. Either way, if you’d like to enable 2FA for logging on to an SSL VPN, it’s a relatively easy task on the Sophos UTM.

Follow the steps below to prepare the UTM for two-factor authentication.

  1. Log in to the UTM and go to Remote Access -> SSL. Here you’ll need to create a profile for the VPN, so select ‘New Remote Access profile’. If you have integrated your UTM with Active Directory, you can drag ‘Active Directory Users’ into the ‘Users and groups’ field; otherwise you will need to create users manually and drag their names into the field.
  2. Next, drag the defined internal network, server or device name into the ‘Local networks’ field. Make sure that ‘Automatic firewall rules’ is ticked and save the profile.
  3. Next, go to Definitions and Users -> Authentication Services -> One-time Password. Here we will set up the rules for two-factor authentication. The changes under ‘Authentication Settings’ depend on your required setup. Presuming all users will need to authenticate, make sure the following are ticked for the least administration:
  • All users must use one-time passwords.
  • Auto-create OTP tokens for users
  • User Portal
  • SSL VPN Remote Access

This will enable all users to log in to their UTM portal and view the Google Authenticator barcode on login.

  4. To enable users to see the Remote Access tab for downloading the VPN Client, go to Management -> User Portal -> Advanced. Under ‘Disable Portal Items’, make sure that ‘Remote Access’ is not ticked.

Read the second part of this tutorial to find out how to set up 2FA for your VPN from the user end.
