Add two factor authentication to a VPN using Sophos UTM: Part one
Posted on 18 February 2019 by Beaming Support
When you add 2FA to a VPN login you add an extra dimension of security, meaning users may only log on after providing an additional piece of information to prove their identity, in this case a code from Google Authenticator.
This may be critical for your business to comply with industry regulations, or just a feature that gives you peace of mind about the security of your business data. Either way, if you’d like to enable 2FA for logging on to an SSL VPN, it’s a relatively easy task on the Sophos UTM.
Follow the steps below to get the UTM ready for two-factor authentication.
- Log in to the UTM and go to Remote Access -> SSL. Here you’ll need to create a profile for the VPN, so select ‘New Remote Access profile’. If you have integrated your UTM with Active Directory, you can drag ‘Active Directory Users’ into the ‘Users and groups’ field; otherwise you will need to create users manually and drag their names into the field.
- Next, drag the defined internal network, server or device name into the ‘Local networks’ field. Make sure that ‘Automatic firewall rules’ is ticked and save the profile.
- Next, go to Definitions and Users -> Authentication Services -> One-time Password. Here we will set up the rules for two-factor authentication. The changes under ‘Authentication Settings’ depend on your required setup. Presuming all users will need to authenticate, make sure the following are ticked for the least administration:
  - All users must use one-time passwords
  - Auto-create OTP tokens for users
  - User Portal
  - SSL VPN Remote Access
  This will enable all users to log in to their UTM portal and view the Google Authenticator barcode on login.
- To enable users to see the Remote Access tab for downloading the VPN Client, go to Management -> User Portal -> Advanced. Under ‘Disable Portal Items’, make sure that ‘Remote Access’ is not ticked.
Read the second part of this tutorial to find out how to set up 2FA for your VPN from the user end.