pfSense and Sophos Mobile Control Security

Leo
We had a Certificate Server TMG, which was causing lots of issues, so it's been taken down and replaced with pfSense. The TMG server was also responsible for authenticating mobile phones; for that the Sophos Mobile Control application was used.

Now as TMG is out of the picture, how can we configure pfSense to pass the authentication process through Sophos Mobile Control?

btan, Exec Consultant
Distinguished Expert 2018

You may instead consider the TMG replacement using Sophos UTM; otherwise it seems like pfsense is going to be doing some sort of NAC or captive portal for the Sophos backend. But I see the key is that the replacement has to be a reverse proxy, which TMG is also assuming too. This effort with pfsense will likely need support from Sophos, but likely they are going to be passive and recommend against such integration that is not stated by them.

Guide for sophos utm as replacement instead

Why don't you try with ESA proxy, which is fully compatible with Mobile Control...?
Leo, Snr Network Eng


If I had a choice I would have chosen Sophos UTM, but pfSense is already in place and has replaced TMG, and I have been asked to get Sophos Mobile Security to work through pfSense. @btan is right that TMG, and now pfSense, is doing the role of reverse proxy, and support from Sophos is not helpful; they have no idea about any product outside Sophos.
btan, Exec Consultant
Distinguished Expert 2018
In fact, we would already expect such a "response" from the Sophos team: they are not pfsense staff and will not be savvy in advising on any integration efforts, unlike TMG. Maybe it is more appropriate to consult the pfsense forum, if not done so concurrently already.

In short, I think the focus for such integration will need to be configuring EAP, with pfSense fronting not only as RP but also as RADIUS, to interface with the existing "NAC" type of server to further verify against Enterprise AD. For example, EAP-RADIUS should allow authenticating against a Windows NPS server, which performs a hash (based on the submitted credential) look-up directly on AD.

This is common on networks for Wi-Fi, where most mobile devices will connect wirelessly. These devices may use PEAP-EAP-MSCHAPv2 instead, and NPS must do EAP-MSCHAPv2 directly for the TLS tunnel. So I am thinking Sophos plays the part of the "NPS" role to interface with pfSense. I did not delve further since there is limited pfSense or Sophos Mobile Security open expertise shared.

Ref -
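The answer above sketches pfSense acting as a RADIUS client in front of an NPS-style server. The following is an added worked example, not code from the thread, from pfSense or from Sophos: it models the plain RADIUS Access-Request / Access-Accept round trip from RFC 2865 (PAP, which is simpler than the PEAP-EAP-MSCHAPv2 tunnel mentioned in the post) with both sides in one script. The NAS side hides the password under the shared secret and the request authenticator; the server side recovers it, checks it against a constructed in-memory user table standing in for AD, and signs its reply with the Response Authenticator; the NAS side refuses any reply whose Identifier or Response Authenticator does not verify. The user names, passwords, shared secret and NAS identifier are all constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# constructed sample data standing in for the shared secret and the directory
SECRET = b"constructed-shared-secret"
USER_DB = {"alice": b"correct horse battery", "bob": b"s3cret"}


def _attr(atype, value):
    """Encode one Type/Length/Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode a TLV attribute list, rejecting malformed lengths instead of looping."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding (MD5 is what the protocol mandates)."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: the chain feeds on the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username, password, secret, nas_id, ident):
    """NAS side (pfSense role): fresh random Request Authenticator per request."""
    request_auth = secrets.token_bytes(16)
    attrs = [_attr(ATTR_USER_NAME, username.encode()),
             _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(packet, secret, user_db):
    """Server side (NPS role): recover the password, check the directory, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], pw)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, [])


def client_verify_reply(request, reply, secret):
    """NAS side: return the reply code only if Identifier and Response Authenticator verify, else None."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def demo():
    """One full exchange each for a good login, a bad password, and a reply signed with the wrong secret."""
    good = build_access_request("alice", "correct horse battery", SECRET, "pfsense-gw", 7)
    bad = build_access_request("alice", "wrong", SECRET, "pfsense-gw", 8)
    return (client_verify_reply(good, server_handle(good, SECRET, USER_DB), SECRET),
            client_verify_reply(bad, server_handle(bad, SECRET, USER_DB), SECRET),
            client_verify_reply(good, server_handle(good, b"other-secret", USER_DB), SECRET))


if __name__ == "__main__":
    print(demo())  # (2, 3, None): Access-Accept, Access-Reject, unverifiable reply dropped
```

The third case in `demo()` is the check worth carrying over to a real deployment: a reply that does not verify against the shared secret is discarded rather than treated as a reject, which is how a NAS avoids acting on a spoofed or mis-keyed server response.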
