Mirket Help Center
  • Mirket Help Center
    • End User License Agreement
    • Privacy Policy
    • Mirket On Premise
      • Mirket Installation
        • Mirket MFA Installation Requirements
        • Mirket Installation Steps
      • Mirket Admin Panel
        • Dashboard
        • Admin Accounts Configuration
        • User Management
          • Local Users Configuration
          • Local Group Configuration
          • Ldap Users
          • LDAP Group Configuration
        • Rules
          • Radius Rules
            • Radius Clients
            • Radius Rules
            • Authorization Profiles
          • RDP Rules
          • OWA Rules
          • API Rules
            • API Docs
        • Providers
          • Approve / Deny
          • Mirket OTP
          • TOTP
          • SMS Providers
          • Pauth
          • Pauth or Approve/Deny
          • Bypass
        • Logging
          • Radius Logging
          • RDP Logging
          • OWA Logging
          • API Logging
        • Reports
        • Settings
          • General Settings
          • Syslog Settings
          • Notification Settings
          • License
        • Mirket Upgrade Process
      • Mirket Agents
        • Mirket RDP Agent
        • Mirket OWA Agent
      • Mirket MFA App
      • Integrations
        • Array Networks SSL VPN Integration
        • Barracuda CloudGen Firewall Integration
        • Citrix Integration
        • Cisco ASA Integration
        • Cisco ISE RADIUS Integration
        • Checkpoint SSL VPN Integration
        • CyberArk Integration
        • Dell SonicWall Network Security Appliance Integration
        • Fortigate MFA for admin accounts
        • Fortigate SSL VPN Integration
        • F5 integration
        • Ivanti Pulse Secure Connect Integration
        • Palo Alto MFA for admin accounts
        • Palo Alto SSL VPN Integration
        • Sophos SSL VPN Integration
        • Watchguard SSL VPN Integration
        • Ubuntu Server 22.0.4 SSH connections
        • XLOG Integration
        • VMware Horizon 8 RADIUS Integration
      • Knowledge Base
        • User not found on logs even user exist
        • Global Protect authentication happened two time while using RADIUS
        • User is not withdrawn from LDAP.
        • Fortigate SSL VPN timeout
        • Provider not found error
        • How to install SSL certificate to Mirket
        • Can a Palo Alto be set up to forward client IP addresses to Mirket?
        • SMS not sent to the phone number
      • Release Notes
        • Mirket Version 4.1.2
        • Mirket Version 4.0.6
        • Mirket Version 4.0.0
        • Mirket Version 3.9.2
    • Mirket SAAS Platform
      • Mirket Gateways Installation Requirements
      • Mirket Portal
        • Dashboard
        • Administration
        • Users
          • LDAP Users
          • Local Users
        • Groups
        • External Sources
        • Authentication
          • Radius Rules
          • Proxy Rules
          • OWA Rules
          • ADFS
            • ADFS Management
            • ADFS Agent
          • Custom API
          • OS Logon
            • OS Logon Management
            • OS Logon Agent
        • User Portal
          • User Portal Management
          • User Portal Login Page
          • User Portal Dashboard
        • Connector
          • Radius Gateways
          • LDAP Gateways
          • Proxy Gateways
        • SMS Providers
        • Settings
          • General Settings
          • Syslog
          • Attribute Profiles
      • Monitor
        • Audit Logs
        • Radius Logs
        • Proxy Logs
        • OWA Logs
        • User Portal
        • ADFS Logs
        • OS Logon Logs
      • Mirket Mobile App
      • Integrations
        • Array Networks SSL VPN Integration
        • Barracuda CloudGen Firewall Integration
        • Citrix Integration
        • Cisco ASA Integration
        • Cisco ISE RADIUS Integration
        • Checkpoint SSL VPN Integration
        • CyberArk Integration
        • Dell SonicWall Network Security Appliance Integration
        • Fortigate MFA for admin accounts
        • Fortigate SSL VPN Integration
        • F5 integration
        • Ivanti Pulse Secure Connect Integration
        • Palo Alto MFA for admin accounts
        • Palo Alto SSL VPN Integration
        • Sophos SSL VPN Integration
        • Watchguard SSL VPN Integration
        • Ubuntu Server 22.0.4 SSH connections
        • XLOG Integration
        • VMware Horizon 8 RADIUS Integration
      • Knowledge Base
      • Release Notes
Powered by GitBook
On this page
  • General Overview
  • Preparation Steps
  • Configuring Sophos Firewall
  • Identify Remote SSL VPN Range and a Local Subnet
  • SSL VPN Group Configuration
  • SSL VPN Policy Configuration
  • SSL VPN Users Configuration
  • RADIUS Server Configuration
  • Authentication Services Configuration
  • Verify Device Access Settings
  • Verify SSL VPN Settings
  • Create a Firewall Rule
  • Configure Mirket
  • Add a Sophos as Resource in Mirket with NPS
  • User and Group configuration on Mirket
  • Create an Authorization Profile on Mirket
  • Add a Radius Rules to Mirket
  • Test the Integration
  1. Mirket Help Center
  2. Mirket On Premise
  3. Integrations

Sophos SSL VPN Integration

General Overview

This guide explains the instructions on configuring Mirket multi-factor authentication for Sophos Firewall SSL VPN client. Prior configuration and deployment of Sophos Firewall are required before setting up MFA with Mirket.

Sophos Firewall offers various MFA configuration modes. In this integration, we've configured RADIUS authentication with Mirket.

This integration was tested using Sophos Firewall SFVUNL (SFOS 18.0.5 MR-5-Build586).

Preparation Steps

Before proceeding with these procedures, ensure the following:

  • You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).

  • End-users can access the Sophos Firewall SSL VPN client.

Configuring Sophos Firewall

Ensure your Sophos Firewall WAN, LAN, and DNS configurations are complete before proceeding with Sophos configuration. Also, confirm the installation and Internet connection of the Mirket (RADIUS server).

Identify Remote SSL VPN Range and a Local Subnet

  • Access the Sophos web UI. Then go to System > Hosts and services > IP host and click on Add.

  • Enter an IP hostname in the Name field. In this instance, we input the IP hostname as "Remote SSL VPN range".

  • Choose the IPv4 option in the IP version field.

  • Choose the Network option in the Type field.

  • Input the IP address utilized by the SSL VPN client to connect from the WAN in the IP address field.

  • Then click on Save to confirm settings.

  • Go to System > Hosts and services > IP host and click on Add.

  • Enter an IP hostname in the Name field. In this instance, we input the IP hostname as "Local subnet".

  • Choose the IPv4 option in the IP version field.

  • Choose the Network option in the Type field.

  • Input the IP address that remote clients can access in the IP Address field.

  • Then click on Save to confirm settings.

SSL VPN Group Configuration

  • Go to Configure > Authentication > Groups and click on Add.

  • Enter a group name in the Name field. In this instance, we input the group name as "Remote SSL VPN group".

  • Choose the "Normal" option from the Group type dropdown list.

  • Choose the "Unlimited Internet Access" option from the Surfing quota dropdown list.

  • Keep the remaining settings as default values.

  • Then click on Save to confirm settings.

SSL VPN Policy Configuration

  • Go to Configure > VPN > SSL VPN (remote access) and click on Add.

  • Enter a policy name in the Name field. In this instance, we input the policy name as "SSL VPN policy".

  • Under the Identity section, click on "Add new item" to add the group that you created previously in the Policy Members field. In this instance, we add the Remote SSL VPN group.

  • Under the Tunnel access section, click on "Add new item" to add the IP host that you created previously in the Permitted network resources (IPv4) field. In this instance, we add the Local subnet IP host.

  • Click on Apply to confirm settings.

SSL VPN Users Configuration

  • Go to Configure > Authentication > Users and click on Add.

  • Enter a username and name for this user account in the Username and the Name fields.

  • Choose the "User" option in the User Type field.

  • Enter a password for this user account in the Password field and re-enter it in the second Password field.

  • Enter the email address to associate with this user account into the Email field.

  • Choose the "Remote SSL VPN group" option from the Group dropdown list.

  • Choose the "SSL VPN policy" option from the Remote access dropdown list.

  • Keep the remaining settings as default values.

  • Then click on Save to confirm settings.

RADIUS Server Configuration

  • Go to Configure > Authentication > Servers and click on Add.

  • Choose the "RADIUS server" option from the Server type dropdown list.

  • Enter a RADIUS server name in the Server Name field. In this instance, we input the server name as "MirketRADIUS".

  • Input the host IP address of the machine where the Mirket is installed into the Server IP field.

  • Input 1812 for communication with the Mirket (Radius Server) in the Authentication port field. Also, you can use different ports to communicate.

  • Input 3 in the Time-out field.

  • Enter "radius" in the Group name attribute field.

  • Then click on Save to confirm settings.

Authentication Services Configuration

  • Go to Configure > Authentication > Services and click on Add.

  • Choose the "Set authentication method for SSL VPN" option in the SSL VPN authentication methods section.

  • Choose the RADIUS server that you configured previously. In this instance, we choose the server as "MirketRADIUS".

  • Then click on Apply to confirm settings.

Verify Device Access Settings

  • Go to System > Administration > Device access.

  • Make sure LAN, WAN, and WiFi checkboxes are checked in the SSL VPN section and LAN, DMZ, VPN, and WiFi checkboxes are checked in the User Portal section.

Verify SSL VPN Settings

  • Go to Configure > VPN. Then click on Show VPN Settings.

  • Check that the IPv4 Lease Range dropdown list under the SSL VPN tab displays the correct value.

  • Modify the other settings if required.

Create a Firewall Rule

  • Go to Protect > Rules and policies. Then select the Firewall rules tab and click on Add firewall rule > New firewall rule.

  • Enter a rule name in the Rule name field. In this instance, we input the rule name as "Remote SSL VPN access rule".

  • Choose the Accept option from the Action dropdown list.

  • Choose the "Top" option from the Rule position dropdown list.

  • Choose the None option from the Rule group dropdown list.

  • Click on "Add new item" to add the VPN option in the Source zones field.

  • Click on "Add new item" to add the IP host that you configured previously in the Source networks and devices field. In this instance, we add the "Remote SSL VPN range" IP host.

  • Click on "Add new item" to add the LAN option in the Destination zones field.

  • Click on "Add new item" to add the other IP host that you configured previously in the Destination networks field. In this instance, we add the "Local Subnet" IP host.

  • Check the "Match known users" checkbox.

  • Click on "Add new item" to add the group that you configured previously in the Users or groups field. In this instance, we add the "Remote SSL VPN group".

  • Keep the remaining settings as default values.

  • Then click on Save to confirm settings.

Configure Mirket

To enable Mirket to receive authentication requests from Sophos Firewall, follow these steps:

  • Define Sophos as a RADIUS client resource within Mirket.

  • Create an authentication policy for the Sophos RADIUS client resource or include it in an existing authentication policy.

  • Attach the Sophos resource to the Mirket Radius.

Add a Sophos as Resource in Mirket with NPS

Before starting, ensure that you have installed NPS (Network Policy Server) from Server Manager. Once installed, open the Network Policy Server. To add a Radius Client to the NPS, follow these steps:

  • Click on the 'Radius Clients and Server' folder and select the 'Configure Radius Clients' option.

  • Hover over the 'Radius Clients' option, right-click using the mouse, and select New.

  • In the window that appears, assign a name to your Radius Client in the Friendly Name section.

  • Enter the IP address of your firewall in the Address (IP or DNS) section.

  • Select either the 'Manual' or 'Generate' option to enter your secret key in the Secret Key section.

  • Click OK to confirm settings.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user group in Mirket.

If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.

If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.

Create an Authorization Profile on Mirket

After authentication, in scenarios requiring authorization (Example: Sending group name to the Radius client in SSL VPN), you can complete the process by creating an authorization profile in Mirket and selecting the created profile in Radius rules.

The following steps should be followed to create an authorization profile:

  • Select Authorization Profiles.

  • Click on Add New.

  • Enter an authorization profile name in the Name field.

  • Select the attribute type as "FilterId" from the Attribute Type dropdown list.

  • Enter the group to be granted authorization in the Value field. Please ensure that value is the same as the group name you specify in Sophos.

  • Click on Save to confirm settings.

Add a Radius Rules to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).

First, you should follow these steps:

  • Select Rules > Radius Rules.

  • Click on Add New.

  • Enter a rule name in the Name field.

  • Enter the rule description in the Description field.

  • Select the group to which the rule applies from the Group dropdown list.

  • Select the provider to which the rule applies from the Provider dropdown list.

  • Select the authorization profile to which the rule applies from the Authorization dropdown list.

  • Click on Save to confirm settings.

Test the Integration

To validate the integration between Mirket MFA and your Sophos Firewall SSL VPN, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

  • Install the Sophos SSL VPN client that you downloaded on your computer. After the installation, click on the traffic light icon in the taskbar.

  • Enter your Mirket username in the Username field.

  • Input your password in the Password field.

  • Click on OK.

  • Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

Related Topics

PreviousPalo Alto SSL VPN IntegrationNextWatchguard SSL VPN Integration

Last updated 1 month ago

Input a shared secret key to communicate with the RADIUS server (Mirket Radius) in the Shared Secret field. In Mirket use this same secret key when .

configuring a RADIUS client resource
Create a Local Group to add users manually.
Add local Mirket users manually.
Create a LDAP group to include LDAP users.
Sync users from an external user database.
Radius Clients
Radius Rules
Local Group Configuration
Local Users Configuration
LDAP Group Configuration
LDAP Users