
Sophos Firewall (XGS / SFOS)

The RTA requires one outbound connection: OpenVPN over TCP/443 to connect.remotetesting.secureworks.com. On Sophos Firewall (SFOS), two independent policies can block this even when port 443 is otherwise permitted — TLS/SSL inspection and Application Control. Both must be configured.

Note

For the full background on why OpenVPN-over-443 is blocked by NGFWs, see the firewall troubleshooting overview and the troubleshooting index.


1. Create an FQDN Host

All subsequent rules reference a single named object for the RTA endpoint.

  1. Go to Hosts and services > FQDN host.
  2. Click Add.
  3. Set Name to rta-connect (or any descriptive label).
  4. Set FQDN to connect.remotetesting.secureworks.com.
  5. Click Save.

2. TLS/SSL Inspection Exclusion (Don't Decrypt)

SFOS performs SSL/TLS inspection via Rules and policies > SSL/TLS inspection rules. If inspection is active for outbound traffic, it will attempt to intercept the OpenVPN session on TCP/443 and terminate it with a reset.

Option A — Don't decrypt rule

  1. Go to Rules and policies > SSL/TLS inspection rules.
  2. Click Add rule and position it above any existing decrypt rules that cover outbound traffic.
  3. Configure:
     - Action: Don't decrypt
     - Destination host/network: select the rta-connect FQDN host created above
     - Destination port: HTTPS (443)
  4. Leave all other conditions at their defaults (any source zone/user/network).
  5. Click Save. The rule takes effect immediately.

Option B — Local TLS exclusion list

SFOS also maintains a global exclusion list that bypasses decryption regardless of rule order.

  1. Go to Rules and policies > SSL/TLS inspection rules.
  2. Click Exclusions (top-right of the page, or via the Local TLS exclusion list link depending on your SFOS version).
  3. Add connect.remotetesting.secureworks.com to the exclusion list.
  4. Click Save.

Tip

Option A gives you more control (scoped to the specific destination and port) and is easier to audit. Use Option B only if your SFOS version does not present a "Don't decrypt" action in the rule editor.


3. Application Control Exception

SFOS Synchronized App Control and the Application Filter may classify the OpenVPN flow as OpenVPN, Proxy and tunnel, or an unknown non-HTTPS application on port 443, and drop it if a blocking policy applies.

Check the existing firewall rule's App Control policy

  1. Go to Rules and policies > Firewall rules.
  2. Open the rule that handles outbound traffic from the RTA's network segment.
  3. Under Security features, check which Application filter policy is applied.
  4. If it is set to None, no app-control blocking is active — skip to section 4.

Add an application filter exception

If an Application filter policy is applied:

  1. Go to Protect > Application filter (some versions: Web > Application filter).
  2. Open the policy that is applied to the outbound firewall rule.
  3. Click Add exception (or locate the Exceptions tab).
  4. Set the destination to the rta-connect FQDN host and set the action to Allow.
  5. Click Save.

Alternatively, create a dedicated firewall rule (section 4) that covers only the RTA traffic and explicitly sets Application filter to None, placing it above the general outbound rule.


4. Firewall Rule and Verification

Firewall rule

If you do not already have an outbound rule covering the RTA's network segment, create one:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule > New firewall rule.
  3. Configure:
     - Rule name: RTA outbound VPN
     - Source zone: the zone containing the RTA (e.g., LAN)
     - Source networks: the RTA's subnet or host object
     - Destination zone: WAN
     - Destination networks: rta-connect (FQDN host)
     - Services: HTTPS (TCP/443)
     - Action: Accept
     - SSL/TLS inspection: set to None or ensure the "Don't decrypt" rule from section 2 applies
     - Application filter: set to None, or use the exception from section 3
  4. Click Save. Rules take effect immediately — no separate deploy step is required.

Verify connectivity

From a host on the same network segment as the RTA, confirm that TCP/443 is reachable:

nc -vz connect.remotetesting.secureworks.com 443

A successful connection prints something like:

Connection to connect.remotetesting.secureworks.com 443 port [tcp/https] succeeded!

Then check the RTA's own status (via the deployment portal or local console) to confirm the OpenVPN tunnel comes up and remains stable.

Warning

A successful TCP connection (nc) only confirms the port is reachable. The OpenVPN session layer also requires that inspection is not intercepting the traffic — watch the RTA console for tunnel-establishment output.

Check the Sophos Firewall log viewer

If connectivity still fails after applying the above:

  1. Go to Log viewer (Diagnostics section, or the top-right log icon).
  2. Filter for the source IP of the RTA and destination connect.remotetesting.secureworks.com.
  3. Look for SSL/TLS inspection or Application control drop entries — these point to whichever exclusion was not applied correctly.
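The script below is an added example (not part of this page, and not Secureworks or Sophos tooling) that performs the two verification steps above from a host on the RTA's segment: a TCP connect to the endpoint equivalent to `nc -vz`, and a triage of exported log-viewer lines that groups drops by the component that produced them and maps each to the section of this page that fixes it. The sample log lines are constructed for the example, and the field names it reads (log_component, status, src_ip, dst_ip, dst_domain) are assumptions about the SFOS key=value export format; adjust them to what your log viewer actually shows.

```python
"""Post-configuration checks for the RTA outbound path (added example).

  1. tcp_reachable(): the same probe as `nc -vz`, done from Python.
  2. triage_drops(): scan exported firewall log lines for SSL/TLS
     inspection or Application control drops involving the RTA.

SAMPLE_LOG is constructed for this example. The field names assumed here
(log_component, status, src_ip, dst_ip, dst_domain) follow the general
SFOS key=value syslog style but may differ between SFOS versions.
"""
import re
import socket
from typing import Dict, Iterable, List, Optional

RTA_ENDPOINT = "connect.remotetesting.secureworks.com"
RTA_PORT = 443

# key=value or key="quoted value" pairs, as found in key=value log exports
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample export: one allow, two drops for the RTA flow, one
# unrelated drop from another host.
SAMPLE_LOG = [
    'device="SFW" log_type="Firewall" log_component="Firewall Rule" status="Allow" '
    'src_ip=10.20.30.40 dst_ip=203.0.113.10 dst_domain="connect.remotetesting.secureworks.com" '
    'protocol="TCP" dst_port=443',
    'device="SFW" log_type="SSL" log_component="SSL/TLS Inspection" status="Deny" '
    'reason="non-TLS traffic on decrypt rule" src_ip=10.20.30.40 dst_ip=203.0.113.10 '
    'dst_domain="connect.remotetesting.secureworks.com" protocol="TCP" dst_port=443',
    'device="SFW" log_type="Firewall" log_component="Application Filter" status="Deny" '
    'application="OpenVPN" src_ip=10.20.30.40 dst_ip=203.0.113.10 '
    'dst_domain="connect.remotetesting.secureworks.com" protocol="TCP" dst_port=443',
    'device="SFW" log_type="Firewall" log_component="Application Filter" status="Deny" '
    'application="OpenVPN" src_ip=10.20.30.99 dst_ip=198.51.100.7 '
    'dst_domain="vpn.example.net" protocol="TCP" dst_port=443',
]


def tcp_reachable(host: str = RTA_ENDPOINT, port: int = RTA_PORT, timeout: float = 5.0) -> bool:
    """Return True if a TCP handshake to host:port completes (what `nc -vz` tests).

    This proves only that the port is open through the firewall; it says
    nothing about whether TLS inspection will later reset the OpenVPN session.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted values keep their spaces)."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in _KV.finditer(line)
    }


def triage_drops(lines: Iterable[str], src_ip: str, dst_fqdn: str = RTA_ENDPOINT,
                 dst_ip: Optional[str] = None) -> Dict[str, List[Dict[str, str]]]:
    """Group drop entries for the RTA flow by the component that dropped them.

    A line matches when its source IP is the RTA and its destination is the
    RTA endpoint, by FQDN field or (if supplied) by resolved destination IP.
    """
    findings: Dict[str, List[Dict[str, str]]] = {
        "SSL/TLS inspection": [], "Application control": [], "Other": []}
    for line in lines:
        rec = parse_kv(line)
        if rec.get("src_ip") != src_ip:
            continue
        dst_match = dst_fqdn in (rec.get("dst_domain"), rec.get("fqdn")) or (
            dst_ip is not None and rec.get("dst_ip") == dst_ip)
        if not dst_match:
            continue
        if rec.get("status", "").lower() not in ("deny", "drop", "reset"):
            continue
        comp = rec.get("log_component", "").lower()
        if "ssl" in comp or "tls" in comp:
            findings["SSL/TLS inspection"].append(rec)
        elif "application" in comp:
            findings["Application control"].append(rec)
        else:
            findings["Other"].append(rec)
    return findings


def summarize(findings: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Map each non-empty finding to the section of this page that addresses it."""
    hints = {
        "SSL/TLS inspection": "the Don't decrypt rule or exclusion (section 2) is not matching",
        "Application control": "the application filter exception (section 3) is not matching",
        "Other": "check the firewall rule itself (section 4)",
    }
    return [f"{comp}: {len(recs)} drop(s); {hints[comp]}"
            for comp, recs in findings.items() if recs]


if __name__ == "__main__":
    print("TCP/443 reachable:", tcp_reachable())
    for msg in summarize(triage_drops(SAMPLE_LOG, src_ip="10.20.30.40")):
        print(msg)
```

Run it with the RTA's source IP in place of the constructed 10.20.30.40 and feed it the lines exported from the log viewer filter in step 2; an SSL/TLS inspection drop with the OpenVPN flow still present after section 2 means the Don't decrypt rule sits below a decrypt rule that matched first.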