
Multi-Factor Authentication (2FA/MFA) for Sophos XG Firewall VPN

MFA for Sophos Firewall VPN (SSL, IPsec, PPTP) on Sophos XG and XGS Firewall Appliances

November 7, 2022 By Rublon Authors

Last updated on July 8, 2025

MFA for Sophos XG Firewall VPN is a multi-layered approach to user authentication that adds an extra authentication step. After entering their password, a user must accept a Mobile Push authentication request sent to their phone or click an Email Link sent to their email address. If the user fails to perform the secondary authentication method, they are denied access. Thanks to Sophos Firewall MFA, a hacker who has a user’s password still cannot access the user’s account.

Overview of Sophos XG Firewall VPN MFA

Rublon Multi-Factor Authentication for Sophos Firewall VPN allows you to add an extra layer of security to your Sophos XG VPN and Sophos XGS VPN logins. Rublon integrates with Sophos Firewall using the Rublon Authentication Proxy.

This document explains how to enable Rublon Multi-Factor Authentication (MFA) by creating an authentication server in the Sophos web admin console, pointing it to the Rublon Authentication Proxy, and assigning it to one or more Sophos Firewall services. With this configuration, you can enable MFA for one or more of the following services:

  • MFA for Sophos SSL VPN
  • MFA for Sophos IPsec VPN
  • MFA for Sophos PPTP VPN
  • MFA for Sophos Firewall User Portal
  • MFA for Sophos Firewall web admin console

Supported Authentication Methods

| Authentication Method | Supported | Comments |
|---|---|---|
| Mobile Push | ✔ | N/A |
| WebAuthn/U2F Security Key | – | N/A |
| Passcode | ✔ | N/A |
| SMS Passcode | – | N/A |
| SMS Link | ✔ | N/A |
| Phone Call | ✔ | N/A |
| QR Code | – | N/A |
| Email Link | ✔ | N/A |
| YubiKey OTP Security Key | ✔ | N/A |

Before You Start

Before configuring Rublon MFA for Sophos Firewall VPN:

  1. Ensure you have prepared all required components.
  2. Create an application in the Rublon Admin Console.
  3. Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory, OpenLDAP, or FreeRADIUS.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already.

3. Sophos Firewall – Ensure you have correctly configured your Sophos Firewall, especially that user logins work properly before deploying MFA for Sophos XG or Sophos XGS.

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application. 

3. Enter a name for your application (e.g., Sophos XG Firewall VPN) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy and save the values of the System Token and Secret Key. You are going to need these values later.

Install Rublon Authenticator

For increased security of Multi-Factor Authentication (MFA), end-users may install the Rublon Authenticator mobile app. If you are the person configuring MFA for Sophos Firewall, we highly recommend you install the Rublon Authenticator mobile app, too, so that you can test MFA for Sophos via Mobile Push.

Download the Rublon Authenticator for:

  • Android
  • iOS
  • HarmonyOS

Configuring MFA for Sophos XG Firewall VPN

This section describes how to configure MFA for Sophos SSL VPN, Sophos PPTP VPN, Sophos IPsec VPN, Sophos Firewall User Portal, and Sophos Firewall web admin console on Sophos XG and Sophos XGS Firewall Appliances.

Configuring Sophos XG Firewall MFA consists of the following two parts:

  1. Add Rublon Authentication Proxy as RADIUS server
  2. Use Rublon Authentication Proxy as authentication method in selected Sophos services

MFA for Sophos XG Firewall VPN Configuration Part 1: Adding Rublon Authentication Proxy as RADIUS server

1. In the Sophos Firewall web admin console, go to Authentication → Servers and click Add to add a new server.

Image showing Authentication → Servers in the Sophos Firewall web admin console

2. Fill in the form. Refer to the following image and table.

Image showing adding external server in the Sophos web admin console

  • Server type – Select RADIUS server.
  • Server name – Enter a name for your server, e.g., Rublon Authentication Proxy.
  • Server IP – Enter the IP address of your Rublon Authentication Proxy.
  • Authentication Port – Enter the port number of your Rublon Authentication Proxy (1812 by default).
  • Time-out – Change to at least 60.
  • Enable accounting – Check. Rublon Authentication Proxy does not support accounting. However, Sophos Firewall requires this option to work correctly.
  • Accounting Port – Enter the RADIUS accounting port number (1813 by default).
  • Shared secret – Enter the RADIUS_SECRET you set in the Rublon Auth Proxy’s config file.
  • Domain Name – Enter your domain name (Optional).
  • Group name attribute – Enter the alias for the configured group name, which is displayed to the user, e.g., Rublon.

3. Click Save to save the changes you made.

4. Click Test connection and provide your user credentials to test your configuration. If your configuration is correct, you should receive a Mobile Push or an Email Link from Rublon. If you have not been prompted for MFA by Rublon, double-check your configuration.

MFA for Sophos XG Firewall VPN Configuration Part 2: Using Rublon Authentication Proxy in selected Sophos services

Sophos Firewall allows you to easily assign a new authentication method to the different services it offers, including VPNs. This way, you can assign the newly-created Rublon Authentication Proxy server to whichever part of Sophos Firewall you want.

1. Go to Authentication → Services.

2. Select the newly-created Rublon Authentication Proxy authentication server as the authentication method for each service you want to be protected with MFA.

After selecting the authentication sources for each service, confirm your choices by clicking the Apply button under each service. Note that you must click Apply under every service you change. There is no single button that saves changes to all services.

Firewall authentication methods

Image showing Firewall authentication methods

Source of user authentication for logging into the firewall. We recommend you set it to a local user base only during the testing phase so that you have a fallback method of access to Sophos Firewall should Rublon login be impossible, e.g., due to a configuration mistake.

User portal authentication methods

Image showing User portal authentication methods

Source of user authentication for users logging in to the User Portal. Users can log in to the User Portal to download the VPN client and a VPN profile configuration. We recommend you select Rublon Authentication Proxy so that users must complete MFA before accessing the portal.

VPN (IPsec/dial-in/L2TP/PPTP) authentication methods

Image showing VPN (IPsec/dial-in/L2TP/PPTP) authentication methods

Source of user authentication for most VPN types. Select Rublon Authentication Proxy so that users must complete MFA when connecting via IPsec, dial-in, L2TP, or PPTP VPN.

Administrator authentication methods

Image showing Administrator authentication methods

Source of user authentication for Sophos Firewall web admin console. This setting only applies to administrators. We recommend you select Local only for the testing phase unless you have access to the Super Administrator account.

SSL VPN authentication methods

Image showing SSL VPN authentication methods

Source of user authentication for SSL VPN service. We recommend you select Rublon Authentication Proxy so that users must complete MFA when connecting via SSL VPN.

Testing MFA for Sophos Firewall

After configuring MFA for Sophos XG Firewall, test your setup by connecting to a selected VPN, User Portal, or web admin console. In all the following examples, Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

Testing MFA for Sophos User Portal

To test MFA for Sophos Firewall User Portal:

1. Open the Sophos User Portal by opening https://<Sophos Device IP Address> in your web browser.

2. Enter your Username and Password and enter the CAPTCHA code.

Image showing the Sophos User Portal login page

3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push received when logging in to the Sophos XG Firewall User Portal

4. You will gain access to the User Portal.

Testing MFA for Sophos Firewall SSL VPN

To test MFA for Sophos Firewall SSL VPN, use the dedicated Sophos Connect client. You can download Sophos Connect from the Sophos User Portal (under the VPN tab).

1. To import the VPN profile into your Sophos Connect client, click Import connection, and select your .ovpn VPN profile file.

2. After importing your VPN profile, select it and click Connect.

3. Enter your username and password and click Sign in.

Image showing the Sophos Connect client login page when connecting to the Sophos Firewall SSL VPN

4. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push received when logging in to the Sophos XG Firewall SSL VPN

5. You will connect to the VPN.

Testing MFA for Sophos Firewall IPsec VPN

To test MFA for Sophos Firewall IPsec VPN, use the dedicated Sophos Connect client. You can download Sophos Connect from the Sophos User Portal (under the VPN tab).

1. To import the VPN profile into your Sophos Connect client, click Import connection, and select your .scx VPN profile file.

2. After importing your VPN profile, select it and click Connect.

3. Enter your username and password and click Sign in.

Image showing the Sophos Connect client login page when connecting to the Sophos Firewall IPsec VPN

4. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push received when logging in to the Sophos XG Firewall IPsec VPN

5. You will connect to the VPN.

Testing MFA for Sophos Firewall PPTP VPN

To test MFA for Sophos Firewall PPTP VPN, use the Windows VPN client or any other client that supports PPTP. Note that you have to select the PAP protocol in the settings of the VPN profile if you are using the Windows VPN client.

How to Add and Configure a Sophos Firewall PPTP VPN connection in Windows VPN

1. Go to Settings → Network & Internet → VPN → Add a VPN Connection and fill in the form. Refer to the following image and table.

Image showing how to add a VPN connection in Windows VPN

  • Connection name – Set a name for your VPN connection, e.g., Sophos PPTP VPN.
  • Server name or address – Enter the IP address or hostname of your Sophos server.
  • VPN Type – Set to PPTP.
  • Type of sign-in info – Set to User name and password.
  • User name (optional) – We recommend you enter your user name.
  • Password (optional) – We recommend you enter your password.
  • Remember my sign-in info – Optional. Check to save your user credentials.

If you do not specify the optional User name and Password when adding a new connection, you will be asked to provide the credentials every time you connect to the VPN.

2. Click Save to save your new VPN connection profile.

3. Edit the VPN connection and specify the authentication protocol.

Go to Control Panel → Network and Sharing Center and select Change adapter settings from the menu on the left.

4. Right-click the newly created VPN profile and select Properties.

5. A new window with properties for this connection will open.

6. Go to the Security tab and change Authentication to Allow these protocols. Then, check Unencrypted password (PAP).

Image showing how to set PAP in the properties of the Sophos PPTP VPN connection

7. Click OK to save and confirm the changes.

Connecting to Sophos Firewall PPTP VPN

1. Select your VPN connection and click Connect.

Image showing how to connect to the Sophos PPTP VPN

2. If you have not set your user name and password while adding your VPN connection, a window will appear for you to provide your credentials. Provide your user name and password and click OK.

Image showing a Windows Security prompt asking the user to provide their login credentials

3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push received when logging in to the Sophos XG Firewall PPTP VPN

4. You will connect to the VPN.

Testing MFA for Sophos web admin console

If you enabled Rublon Multi-Factor Authentication for web admin console logins, you can test that feature in the following way:

1. Open the Sophos web admin console by opening https://<Sophos Device IP Address>:4444 in your web browser.

2. Enter your Username and Password and enter the CAPTCHA code.

Image showing the Sophos Firewall web admin console login page

3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing a Mobile Push received when logging in to the Sophos XG Firewall web admin console

4. You will gain access to the web admin console.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator option is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
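To show what validating the Message-Authenticator attribute involves, the following added example (not code from Rublon or Sophos) implements the check as defined in RFC 2869: HMAC-MD5 over the whole packet, keyed with the RADIUS shared secret, with the attribute's value zeroed during calculation. The shared secret, user name, and function names are constructed for illustration.

```python
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type


def _attributes(packet):
    """Yield (type, value_offset, value_length) for each attribute in a RADIUS packet."""
    pos = 20  # code(1) + id(1) + length(2) + authenticator(16)
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, attr_len - 2
        pos += attr_len


def build_access_request(secret, identifier, username):
    """Build an Access-Request carrying User-Name and a valid Message-Authenticator."""
    name = username.encode()
    attrs = bytes([1, 2 + len(name)]) + name
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # placeholder zeros
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), "md5").digest()
    return bytes(packet)


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """Return True only if the packet carries a correct Message-Authenticator.

    For replies, pass the Request Authenticator of the matching Access-Request.
    A packet without the attribute is rejected, i.e. validation is enforced.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    work = bytearray(packet)
    if request_authenticator is not None:
        work[4:20] = request_authenticator
    try:
        found = [(off, n) for t, off, n in _attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or found[0][1] != 16:
        return False
    off = found[0][0]
    received = bytes(work[off:off + 16])
    work[off:off + 16] = bytes(16)
    return hmac.compare_digest(received, hmac.new(secret, bytes(work), "md5").digest())
```

A peer that enforces this check drops any packet for which the function returns False, including packets that omit the attribute entirely.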

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations

MFA for Sophos UTM

MFA for Sophos VPN

Filed Under: Documentation
