{"id":23501,"date":"2025-06-11T17:17:38","date_gmt":"2025-06-11T10:17:38","guid":{"rendered":"https:\/\/vacif.com\/?p=23501"},"modified":"2025-08-08T15:38:03","modified_gmt":"2025-08-08T08:38:03","slug":"huong-dan-cau-hinh-mfa-cho-ssl-vpn-client-to-site-tren-sophos-firewall","status":"publish","type":"post","link":"https:\/\/vacif.com\/en\/huong-dan-cau-hinh-mfa-cho-ssl-vpn-client-to-site-tren-sophos-firewall\/","title":{"rendered":"H\u01b0\u1edbng D\u1eabn C\u1ea5u H\u00ecnh MFA Cho SSL VPN Client To Site Tr\u00ean Sophos Firewall"},"content":{"rendered":"\n

I – T\u1ed5ng quan:<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n

Trong m\u00f4i tr\u01b0\u1eddng m\u1ea1ng ng\u00e0y nay, b\u1ea3o m\u1eadt truy c\u1eadp t\u1eeb xa l\u00e0 y\u1ebfu t\u1ed1 c\u1ef1c k\u1ef3 quan tr\u1ecdng, \u0111\u1eb7c bi\u1ec7t khi ng\u00e0y c\u00e0ng nhi\u1ec1u ng\u01b0\u1eddi d\u00f9ng k\u1ebft n\u1ed1i v\u00e0o h\u1ec7 th\u1ed1ng n\u1ed9i b\u1ed9 th\u00f4ng qua VPN. Multi-Factor Authentication (MFA)<\/strong> \u2013 hay c\u00f2n g\u1ecdi l\u00e0 x\u00e1c th\u1ef1c \u0111a y\u1ebfu t\u1ed1 \u2013 l\u00e0 m\u1ed9t l\u1edbp b\u1ea3o m\u1eadt b\u1ed5 sung nh\u1eb1m b\u1ea3o v\u1ec7 t\u00e0i kho\u1ea3n ng\u01b0\u1eddi d\u00f9ng kh\u1ecfi b\u1ecb truy c\u1eadp tr\u00e1i ph\u00e9p, k\u1ec3 c\u1ea3 khi m\u1eadt kh\u1ea9u b\u1ecb l\u1ed9.<\/p>\n\n\n\n

SSL VPN Client-to-Site<\/strong> tr\u00ean Sophos Firewall cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng t\u1eeb xa k\u1ebft n\u1ed1i an to\u00e0n v\u00e0o m\u1ea1ng c\u00f4ng ty. Khi k\u1ebft h\u1ee3p v\u1edbi MFA, m\u1ed7i l\u1ea7n \u0111\u0103ng nh\u1eadp VPN s\u1ebd y\u00eau c\u1ea7u th\u00eam m\u1ed9t m\u00e3 OTP (One-Time Password) \u0111\u01b0\u1ee3c t\u1ea1o t\u1eeb \u1ee9ng d\u1ee5ng x\u00e1c th\u1ef1c nh\u01b0 Google Authenticator<\/strong>, Microsoft Authenticator<\/strong>. <\/strong>\u0110i\u1ec1u n\u00e0y gi\u00fap \u0111\u1ea3m b\u1ea3o r\u1eb1ng ch\u1ec9 nh\u1eefng ng\u01b0\u1eddi d\u00f9ng h\u1ee3p l\u1ec7 m\u1edbi c\u00f3 th\u1ec3 truy c\u1eadp h\u1ec7 th\u1ed1ng.<\/p>\n\n\n\n

B\u00e0i vi\u1ebft n\u00e0y s\u1ebd h\u01b0\u1edbng d\u1eabn b\u1ea1n t\u1eebng b\u01b0\u1edbc c\u1ea5u h\u00ecnh MFA cho SSL VPN Client-to-Site<\/strong> tr\u00ean Sophos Firewall, t\u1eeb vi\u1ec7c b\u1eadt OTP, ch\u1ec9 \u0111\u1ecbnh ng\u01b0\u1eddi d\u00f9ng, \u0111\u1ebfn vi\u1ec7c bu\u1ed9c x\u00e1c th\u1ef1c khi k\u1ebft n\u1ed1i VPN.<\/p>\n\n\n\n

** L\u01b0u \u00fd khi c\u1ea5u h\u00ecnh x\u00e1c th\u1ef1c 2 l\u1edbp (MFA) cho ng\u01b0\u1eddi d\u00f9ng SSL VPN Sophos<\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
    \n
  • N\u1ebfu ng\u01b0\u1eddi d\u00f9ng \u0111\u00e3 c\u00f3 s\u1eb5n file c\u1ea5u h\u00ecnh VPN (file .ovpn ho\u1eb7c file import v\u00e0o Sophos Connect)<\/strong> t\u1eeb tr\u01b0\u1edbc, qu\u1ea3n tr\u1ecb vi\u00ean v\u1eabn c\u00f3 th\u1ec3 th\u00eam x\u00e1c th\u1ef1c MFA<\/strong> m\u00e0 kh\u00f4ng c\u1ea7n t\u1ea1o l\u1ea1i file m\u1edbi<\/strong>.<\/li>\n\n\n\n
  • Qu\u1ea3n tr\u1ecb vi\u00ean ch\u1ec9 c\u1ea7n:\n
      \n
    • B\u1eadt OTP (2FA)<\/strong> tr\u00ean t\u01b0\u1eddng l\u1eeda Sophos.<\/li>\n\n\n\n
    • Y\u00eau c\u1ea7u ng\u01b0\u1eddi d\u00f9ng \u0111\u0103ng nh\u1eadp v\u00e0o VPN Portal<\/strong> (https:\/\/<ip-firewall>:445) m\u1ed9t l\u1ea7n<\/strong> \u0111\u1ec3 qu\u00e9t m\u00e3 QR v\u00e0 k\u00edch ho\u1ea1t m\u00e3 OTP<\/strong> b\u1eb1ng \u1ee9ng d\u1ee5ng nh\u01b0 Google Authenticator, Microsoft Authenticator.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • Sau khi k\u00edch ho\u1ea1t OTP, khi k\u1ebft n\u1ed1i VPN:\n
        \n
      • User v\u1eabn d\u00f9ng file VPN c\u0169 \u0111\u00e3 import tr\u01b0\u1edbc \u0111\u00f3<\/strong>.<\/li>\n\n\n\n
      • Nh\u01b0ng khi \u0111\u0103ng nh\u1eadp, user ph\u1ea3i nh\u1eadp: m\u1eadt kh\u1ea9u + m\u00e3 OTP<\/strong> (G\u1ed9p m\u1eadt kh\u1ea9u + m\u00e3 OTP li\u1ec1n nhau, kh\u00f4ng c\u00f3 kho\u1ea3ng tr\u1eafng) t\u1eeb \u1ee9ng d\u1ee5ng Google Authenticator ho\u1eb7c Microsoft Authenticator .<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

        Nh\u01b0 v\u1eady, kh\u00f4ng c\u1ea7n ph\u1ea3i g\u1eedi l\u1ea1i file VPN<\/strong> cho ng\u01b0\u1eddi d\u00f9ng, ch\u1ec9 c\u1ea7n \u0111\u1ea3m b\u1ea3o h\u1ecd \u0111\u00e3 k\u00edch ho\u1ea1t OTP qua portal.<\/p>\n\n\n\n

        II – H\u01b0\u1edbng d\u1eabn c\u1ea5u h\u00ecnh:<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n

        2.1 – B\u1eadt t\u00ednh n\u0103ng Multi-factor Authentication<\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
          <\/ol>\n\n\n\n
            \n
          • V\u00e0o Authentication > Multi-factor Authentication<\/strong><\/li>\n<\/ul>\n\n\n
            \n
            \"\"<\/figure>\n<\/div>\n\n\n
              \n
            • One-time password<\/strong>:\n
                \n
              • Ch\u1ecdn Specific users and groups n\u1ebfu ch\u1ec9 mu\u1ed1n b\u1eadt 2FA cho m\u1ed9t s\u1ed1 user ho\u1eb7c group c\u1ee5 th\u1ec3.<\/li>\n\n\n\n
              • Ch\u1ecdn All users n\u1ebfu mu\u1ed1n b\u1eadt 2FA cho t\u1ea5t c\u1ea3 ng\u01b0\u1eddi d\u00f9ng<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
              • OTP required for these users and groups<\/strong>:\n
                  \n
                • Khi ch\u1ecdn Specific users and groups, ch\u1ec9 \u0111\u1ecbnh user\/group c\u1ea7n d\u00f9ng 2FA t\u1ea1i \u0111\u00e2y.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                • Generate OTP token with next sign-in<\/strong>:\n
                    \n
                  • Ch\u1ecdn Enable<\/strong> \u0111\u1ec3 h\u1ec7 th\u1ed1ng t\u1ef1 \u0111\u1ed9ng t\u1ea1o token OTP v\u00e0 y\u00eau c\u1ea7u ng\u01b0\u1eddi d\u00f9ng \u0111\u0103ng nh\u1eadp \u0111\u1ec3 qu\u00e9t m\u00e3 QR l\u1ea7n \u0111\u1ea7u.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                  • Require MFA for<\/strong>:\n
                      \n
                    • T\u00edch ch\u1ecdn SSL VPN remote access<\/strong> \u0111\u1ec3 b\u1eaft bu\u1ed9c ng\u01b0\u1eddi d\u00f9ng ph\u1ea3i x\u00e1c th\u1ef1c OTP khi s\u1eed d\u1ee5ng SSL VPN.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                    • Nh\u1ea5n Apply<\/strong> \u0111\u1ec3 l\u01b0u v\u00e0 \u00e1p d\u1ee5ng c\u00e1c thay \u0111\u1ed5i.<\/li>\n<\/ul>\n\n\n
                      \n
                      \"\"<\/figure>\n<\/div>\n\n\n

                      2.2 – K\u00edch ho\u1ea1t m\u00e3 OTP qua VPN Portal<\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
                        \n
                      • Truy c\u1eadp v\u00e0o VPN Portal<\/strong> b\u1eb1ng \u0111\u1ecba ch\u1ec9 IP ho\u1eb7c domain public c\u1ee7a Sophos Firewall, v\u00ed d\u1ee5:
                        https:\/\/<\u0111\u1ecba-ch\u1ec9-WAN>:445<\/li>\n\n\n\n
                      • \u0110\u0103ng nh\u1eadp b\u1eb1ng t\u00e0i kho\u1ea3n ng\u01b0\u1eddi d\u00f9ng<\/strong> \u0111\u00e3 \u0111\u01b0\u1ee3c b\u1eadt MFA\/2FA \u1edf b\u01b0\u1edbc tr\u01b0\u1edbc.<\/li>\n<\/ul>\n\n\n
                        \n
                        \"\"<\/figure>\n<\/div>\n\n\n
                          \n
                        • Sau khi \u0111\u0103ng nh\u1eadp, h\u1ec7 th\u1ed1ng s\u1ebd hi\u1ec3n th\u1ecb m\u1ed9t m\u00e3 QR<\/strong> \u0111\u1ec3 thi\u1ebft l\u1eadp m\u00e3 OTP.<\/li>\n<\/ul>\n\n\n
                          \n
                          \"\"<\/figure>\n<\/div>\n\n\n
                            \n
                          • M\u1edf \u1ee9ng d\u1ee5ng x\u00e1c th\u1ef1c tr\u00ean \u0111i\u1ec7n tho\u1ea1i nh\u01b0 Google Authenticator<\/strong>, Microsoft Authenticator<\/strong>.<\/li>\n\n\n\n
                          • Qu\u00e9t m\u00e3 QR hi\u1ec7n ra tr\u00ean VPN Portal \u0111\u1ec3 th\u00eam t\u00e0i kho\u1ea3n v\u00e0o \u1ee9ng d\u1ee5ng.<\/li>\n<\/ul>\n\n\n
                            \n
                            \"\"<\/figure>\n<\/div>\n\n\n
                              \n
                            • \u1ee8ng d\u1ee5ng s\u1ebd t\u1ea1o ra m\u1ed9t Token Code (m\u00e3 OTP)<\/strong> \u2013 b\u1ea1n s\u1ebd d\u00f9ng m\u00e3 n\u00e0y k\u00e8m v\u1edbi m\u1eadt kh\u1ea9u khi \u0111\u0103ng nh\u1eadp VPN ho\u1eb7c User Portal sau n\u00e0y.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

                              Trong m\u00f4i tr\u01b0\u1eddng m\u1ea1ng ng\u00e0y nay, b\u1ea3o m\u1eadt truy c\u1eadp t\u1eeb xa l\u00e0 y\u1ebfu t\u1ed1 c\u1ef1c k\u1ef3 quan tr\u1ecdng, \u0111\u1eb7c bi\u1ec7t khi ng\u00e0y c\u00e0ng nhi\u1ec1u ng\u01b0\u1eddi d\u00f9ng k\u1ebft n\u1ed1i v\u00e0o h\u1ec7 th\u1ed1ng n\u1ed9i b\u1ed9 th\u00f4ng qua VPN. Multi-Factor Authentication (MFA) \u2013 hay c\u00f2n g\u1ecdi l\u00e0 x\u00e1c th\u1ef1c \u0111a y\u1ebfu t\u1ed1 \u2013 l\u00e0 m\u1ed9t l\u1edbp b\u1ea3o […]<\/p>\n","protected":false},"author":2,"featured_media":23137,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[617,70,618],"tags":[334],"class_list":["post-23501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-study-thuc-te","category-firewall","category-huong-dan","tag-sophos-firewall","entry","has-media"],"_links":{"self":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/23501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/comments?post=23501"}],"version-history":[{"count":1,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/23501\/revisions"}],"predecessor-version":[{"id":25591,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/23501\/revisions\/25591"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media\/23137"}],"wp:attachment":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media?parent=23501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/categories?post=23501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/tags?post=23501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}