Built into Apple's iPhone is a Cisco IPSec VPN client. Beginning with version 7.400, the ASG/UTM supports Cisco IPSec VPN clients, so an iPhone can connect to it. Going further, Sophos has created an easy installation wizard for iPhone users. Please follow the steps below to set up an iPhone to UTM IPSec connection.
Server side configuration, on the UTM
1 Configure the iPhone user's account
- Go to Definition & Users > Users & Groups > Users and click 'New User...'
- Enter all necessary user information in the 'Create New User' dialog box
- Click Save
2 Configure the Cisco VPN client connection on the UTM
- Go to Remote Access > Cisco VPN Client and click the toggle switch
- Set all necessary configurations:
  - Interface: The interface that should be listening for connections. This is usually the external interface.
  - Server Certificate: The certificate that the client verifies before connection. Usually left as default.
  - Pool Network: The network range that will be assigned to clients upon log in. Usually left as default.
  - Local Networks: The local networks that should be reachable through the VPN tunnel.
  - Users and Groups: The groups that use Cisco VPN clients (iPhones). Add the users that you created in the first step.
  - Automatic Firewall Rules: (Optional) enable this if you would like to automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled.
3 Apply iPhone settings
- Go to Remote Access > Cisco VPN Client > iOS devices and click the toggle switch
- (Optional) Set a connection name. Usually this is left as default
- (Optional) Set an override hostname (if the UTM's hostname is not publicly resolvable)
- (Optional) Click 'establish VPN connection on demand' to automatically initiate a VPN connection whenever the location matches one of the hostnames or domains listed in the box
- (Optional) Set a matching domain or host
- (Optional) Deactivate the checkbox 'establish only when DNS lookup fails'.
4 Configure the End User Portal for access
- Go to Management > User Portal > Global and click the toggle switch
- In the 'Allowed Networks' list, add the networks that should have access to the portal. This is usually set to "any"
- Choose which users you would like to allow. You can choose to allow all configured users, or only allow specific users.
- Click apply
- (Optional) Click the 'advanced' tab and alter any necessary settings.
Client Side configuration, on the iPhone
- Open Safari on the iPhone
- Navigate to the end user portal (by default, this is the UTM's hostname on port 443, https://utm.domain.com for instance)
- Log in with the username and password for the iPhone user
- Click on 'Remote Access'
- Under the heading 'iPhone VPN Configuration' enter any password and click 'install'
- A wizard will appear on screen. Click 'install' and accept any warnings about verification.
- When the wizard asks for a password, enter the password that you chose when downloading the package.
- When the wizard finishes, to connect, go to Settings and slide the VPN connection toggle switch to 'on'
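The two things that most often break the client-side steps are an override hostname (step 3) that is not publicly resolvable and a User Portal certificate that does not name the host, which is exactly what the wizard's verification warning is about. The following pre-flight script is an added example, not Sophos code: it assumes openssl and dig on the admin workstation and the User Portal on TCP 443, and `utm.example.com` is only a placeholder for your own hostname.

```shell
#!/bin/sh
# Pre-flight checks for the iOS -> UTM Cisco IPSec setup (added example, not
# Sophos code). Assumes openssl and dig are installed and the User Portal
# listens on TCP 443; the UTM hostname is passed as the first argument.
# Print the dNSName entries of the subjectAltName line that
# "openssl x509 -ext subjectAltName" prints, one per line, lower-cased.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z'
}
# name_covered HOST SAN_LINE: prints "yes" when HOST is named, honouring a
# single leftmost-label wildcard (*.example.com covers vpn.example.com but
# neither example.com nor a.b.example.com); prints nothing otherwise.
name_covered() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san_names "$2" | while IFS= read -r name; do
        case "$name" in
            "$host") echo yes; break ;;
            \*.*)
                suffix=${name#\*}            # ".example.com"
                label=${host%"$suffix"}      # part of HOST before the suffix
                case "$label" in
                    ""|*.*|"$host") ;;       # empty, multi-label, or suffix absent
                    *) echo yes; break ;;
                esac ;;
        esac
    done
}
# The override hostname must resolve from the Internet, not just the LAN:
# run this from outside and expect the UTM's public address here.
check_dns() {
    dig +short "$1" A
}
# Fetch the User Portal certificate, print its SHA-256 fingerprint so the
# iPhone's verification warning can be compared against it, and say whether
# the certificate names the host at all.
check_portal_cert() {
    cert=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -ext subjectAltName -fingerprint -sha256) || true
    printf '%s\n' "$cert"
    san=$(printf '%s\n' "$cert" | grep 'DNS:') || true
    if [ "$(name_covered "$1" "$san")" = yes ]; then
        echo "OK: certificate names $1"
    else
        echo "WARN: certificate does not name $1, so iOS will flag it as unverified"
    fi
}
# Usage: sh preflight.sh utm.example.com   (placeholder hostname)
if [ $# -gt 0 ]; then check_dns "$1"; check_portal_cert "$1"; fi
```

The fingerprint printed by the script is what to compare against the certificate the iPhone shows in its warning; the UTM's default self-signed certificate will always trigger that warning, so checking the fingerprint is how you tell the expected case from a genuinely different certificate.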