Multi-Factor (MFA) and Two-Factor Authentication (2FA) for Sophos UTM

November 7, 2022 By Rublon Authors

Last updated on February 6, 2025

Overview

Multi-Factor Authentication (MFA) for Sophos UTM is an additional layer of security that requires users to authenticate with two separate factors to access Sophos UTM. The first factor requires the user to enter their Active Directory/RADIUS username and password. After the first layer of authentication has been completed, the user must pass the second factor of authentication using an available option such as Mobile Push or Email Link. After both authentication factors have been completed, the user can access Sophos UTM. Enabling Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) for Sophos UTM helps to prevent malicious actors from entering the user’s account even if they know their login credentials.

Supported Authentication Methods

Authentication Method        Supported   Comments
Mobile Push                  ✔           N/A
WebAuthn/U2F Security Key    –           N/A
Passcode                     ✔           N/A
SMS Passcode                 –           N/A
SMS Link                     ✔           N/A
Phone Call                   ✔           N/A
QR Code                      –           N/A
Email Link                   ✔           N/A
YubiKey OTP Security Key     ✔           N/A

Before you start

You need to install and configure the Rublon Authentication Proxy before configuring Sophos UTM VPN to work with it. Read Rublon Authentication Proxy and follow the steps in the Installation and Configuration sections. You can configure the proxy to work either as a RADIUS or an LDAP proxy. Afterwards, follow the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is, an external Identity Provider (IdP) such as RADIUS, OpenLDAP, or Microsoft Active Directory.

Configuration

Follow the steps in this section to enable Rublon 2FA for your Sophos UTM VPN.

Add the Rublon Authentication Proxy server

1. Log in to the Sophos UTM WebAdmin interface.

2. Go to Definitions & Users → Authentication Services → Servers.

3. Click New Authentication Server.

4. Fill in the form and click Save to add your new authentication server.

  • If your Rublon Authentication Proxy setup works as an LDAP Proxy, choose Active Directory or LDAP as the backend, depending on which type of server the proxy is proxying requests to:
    • In Bind DN, enter the Distinguished Name (DN) of the user to bind the server with. (See: How do I find the Bind DN for the Active Directory user (access_user_dn in Rublon Auth Proxy config)?)
    • In Password, enter the password of the bind user. 
    • In Base DN, enter the Base DN of your domain. It must be given as the full distinguished name (FDN) in LDAP notation, using commas as delimiters.
  • If your Rublon Authentication Proxy setup works as a RADIUS Proxy, choose RADIUS as the backend.
    • In Shared secret, enter the RADIUS Secret of your Rublon Authentication Proxy.
  • Regardless of the backend, do the following:
    • Click the green + (plus) button and enter a label for and the IP of your Rublon Authentication Proxy server.
    • In Port, enter the port of your Rublon Authentication Proxy (1812 by default).
    • We recommend setting the Timeout to 180 seconds, although 60 seconds should be sufficient in most cases.

5. Click Save to save the new authentication server.

Configure the Sophos UTM Users and/or Groups

You can either add users manually or let Sophos UTM add users for you using the groups’ dynamic membership feature.

Add Users Manually

To add users manually:

1. Go to Definitions & Users → Users & Groups → Users.

2. Add or edit users who are to have access to the VPN. Set Authentication to Remote.

Configure a group

To configure a group that will add users dynamically, after successful logins to their corresponding backends:

  1. Add a new group, set its group type to Backend membership, and Backend to the same value that was set during the Add the Rublon Authentication Proxy server step.
  2. Go to Definitions & Users → Users & Groups → Groups.

Add Remote Access SSL Profile

A remote access profile is used to allow specific users and/or groups to connect to the VPN. 

1. Go to Remote Access → SSL → Profiles.

2. Click New Remote Access Profile.

3. Fill in the form and click Save to add the new remote access profile. Refer to the following table. In our example we use the previously added “Radius Users” group, so that all users in that group can access the VPN.

Profile name        Enter a name for your profile, e.g. Rublon.
Users and Groups    Click the folder icon. Drag and drop the previously created group from the panel on the left to the Users and Groups section of the Add Remote Access Profile form.
Local Networks      Specify which local networks are reachable for the selected SSL clients through the SSL VPN tunnel.

Log in to Sophos UTM User Portal with Rublon MFA

Sophos UTM User Portal is a place where users can download their VPN configuration files. It shares the same authentication flow as the VPN logins, which makes it a convenient place for testing the authentication process.

1. Go to the Sophos UTM user login page.

2. Provide your username and password.

3. You will receive an automatic push notification on your phone.

4. Tap APPROVE.

5. You will be successfully logged in to the Sophos UTM User Portal.

How to skip MFA for some of the users

There are a few ways to skip MFA for chosen users:

  1. Set the users’ status to Bypass in the Rublon Admin Console. (You can also create a new group, add users to the group, and then set the group’s Status to Bypass.)
  2. Create two separate authentication servers in the Definitions & Users → Authentication Services → Servers tab: one for MFA, and the other for non-MFA authentication. However, this will only work with Active Directory (or LDAP) paired with the Rublon Authentication Proxy working as an LDAP proxy. 

The first way is straightforward. The second way is described in more detail below.

Creating two separate servers

Sophos UTM selects authentication servers by their position in the list: the lower the position number, the higher the priority. This works much like an Access Control List (ACL):

  • If the server successfully logs in the user, the process stops and the next server is not called
  • If the server fails to authenticate the user, another server is called
  • If all the servers fail to authenticate, then the user is denied access

You need to separate the users at the LDAP tree level so that an LDAP search returns a narrowed-down list. You can achieve this by adding an Organizational Unit (OU) in your Active Directory and moving the non-MFA users there. This lets Sophos distinguish the users who should be challenged for MFA from those who shouldn’t. Sophos doesn’t offer a verbose LDAP search configuration, so changing the base DN is the only option available.

In this example, we use “dc=rublon,dc=com” as the base DN and the “ou=non-mfa” organizational unit for the non-MFA users.

Add two authentication servers: one pointing to your Active Directory (or LDAP server) with the base DN set to “ou=non-mfa,dc=rublon,dc=com” at position 1, and the other pointing to the Rublon Authentication Proxy with the base DN set to “dc=rublon,dc=com” at position 2.

With this configuration, Sophos first looks for the user in the actual AD using the “ou=non-mfa,dc=rublon,dc=com” base DN. If the user is found, they are authenticated against that server. If the user is not found, Sophos proceeds to the Rublon Authentication Proxy server, which has the wider base DN and starts the MFA process.

Note that you could also do it the other way around, i.e. put the Rublon Authentication Proxy server at position 1 with an example base DN of “ou=rublon_users,dc=rublon,dc=com”. You would then move all the MFA users into an organizational unit named “rublon_users” in your AD instead.
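As an added illustration (not Rublon’s or Sophos’s code), the following Python models the position-ordered server walk and the base DN containment that the split above relies on, and flags a server whose base DN is shadowed by a wider one positioned earlier. The server names, user DNs and the password-free matching are constructed assumptions.

```python
# Added example: simulates Sophos UTM walking its authentication servers in position
# order and picking the first whose LDAP base DN contains the user. Passwords are
# ignored; only "user found under base DN" decides. DN parsing is deliberately
# simple (no escaped commas), which suffices for the OU layout described above.

def parse_dn(dn):
    """Split a DN into lower-cased RDNs, most specific first."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def in_subtree(user_dn, base_dn):
    """True if user_dn lies at or below base_dn (LDAP subtree scope)."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base

# Constructed server list mirroring the page: narrower non-MFA base DN first,
# wider MFA base DN (the Rublon Authentication Proxy) second.
SERVERS = [
    {"position": 1, "name": "AD direct", "base_dn": "ou=non-mfa,dc=rublon,dc=com", "mfa": False},
    {"position": 2, "name": "Rublon Auth Proxy", "base_dn": "dc=rublon,dc=com", "mfa": True},
]

def select_server(user_dn, servers=SERVERS):
    """Return the first server (by position) whose base DN contains the user, or None."""
    for srv in sorted(servers, key=lambda s: s["position"]):
        if in_subtree(user_dn, srv["base_dn"]):
            return srv
    return None  # every server failed: Sophos denies access

def shadowed_servers(servers):
    """Config check: a server whose base DN sits inside an earlier server's base DN
    can never be reached, because the earlier, wider server always matches first."""
    ordered = sorted(servers, key=lambda s: s["position"])
    shadowed = []
    for i, later in enumerate(ordered):
        if any(in_subtree(later["base_dn"], earlier["base_dn"]) for earlier in ordered[:i]):
            shadowed.append(later["name"])
    return shadowed

if __name__ == "__main__":
    for dn in ("CN=Bob,OU=non-mfa,DC=rublon,DC=com", "cn=alice,ou=staff,dc=rublon,dc=com",
               "cn=eve,dc=other,dc=com"):
        srv = select_server(dn)
        print(dn, "->", "DENIED" if srv is None else f"{srv['name']} (MFA={srv['mfa']})")
    # Swapping the two positions makes the non-MFA server unreachable:
    swapped = [dict(s, position=3 - s["position"]) for s in SERVERS]
    print("shadowed after swap:", shadowed_servers(swapped))
```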

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
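To show what enforcing that attribute means, here is an added Python example (not the Rublon Authentication Proxy’s code) that builds an Access-Request carrying a Message-Authenticator and validates one the way a RADIUS peer must: HMAC-MD5 over the packet with the attribute value zeroed, rejecting packets that lack it. Only Access-Request is covered; the shared secret and attributes are constructed.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869), 16-byte HMAC-MD5
ACCESS_REQUEST = 1

def build_access_request(secret, identifier, attrs, request_authenticator=None):
    """Build an Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet)
    computed with the attribute value zeroed, then written in place."""
    ra = request_authenticator or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Return True only if the packet is well-formed, carries a Message-Authenticator,
    and that HMAC verifies. A missing attribute is a failure, which is what the
    force_message_authenticator=true behaviour described above requires."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos, value_at = 20, None
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # truncated or malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            value_at = pos + 2
        pos += attr_len
    if value_at is None:
        return False
    zeroed = packet[:value_at] + b"\x00" * 16 + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[value_at:value_at + 16])
```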

If you encounter any issues with your Rublon integration, please contact Rublon Support.
