Network Guys

Share your knowledge!

Aruba Mobility Controller with Sophos SG/XG hotspot Portal

Hello Guys,


today I will talk about how to configure a guest Wi-Fi with an Aruba Mobility Controller and the Sophos hotspot solution.

In this example I will use the Sophos SG hotspot solution. With Sophos XG, it’s basically the same.

Sophos SG

Create a new Interface

It’s recommended to use a dedicated interface for the guests. Whether you use a hardware interface or a VLAN interface is your choice. I use VLAN interfaces.

Create a firewall rule for the web access 

To avoid problems with VIP visitors, I recommend allowing any service to access the internet. I will come to the topic of proxy in a moment.

Masquerading rule

Without it, the packet still gets out to the internet, but the reply never comes back :D


Do not use your AD DHCP server (if you still have a server at all, thanks to Azure). Always keep guest solutions as far away as possible from your infrastructure. That’s why I use the DHCP server on the Sophos SG and also send DNS queries directly to Google DNS. Do not use the SG as the DNS server for guest solutions: most UTMs have a request route to their own domain, so a guest user could send DNS queries to your SG/XG and learn about your environment.

Hotspot portal

Here you have to select the new interface and activate the hotspot type of your choice. I prefer the voucher solution.

And finally the proxy

For the guests, only the transparent proxy comes into consideration. No guest user wants to enter a static proxy into the system first. You should also only activate URL filtering, because no one wants to import the proxy CA. Now you have to define the policy and that’s it for the UTM configuration.

Which web categories you allow via the policy is something you have to decide yourself.


Aruba Mobility Controller

My recommendation: configure everything at the Mobility Controller level and not on the individual controller.

Add a new VLAN interface

We only need a VLAN interface with the same VLAN ID as the guest interface on the Sophos SG. No IP configuration is required on the mobility controller.

Create the SSID

I recommend using the tunnel mode. This way I don’t have to maintain all VLANs at the access points. Instead, I let the traffic first break out at the Mobility Controller.


We need a simple open WLAN.
Because we are using the Sophos SG guest solution in this example, I won’t go into detail about the possible Aruba solutions.

Now we have to remember the name of the default role, because we have to edit it right away.

Edit the role

For simplicity, we could write an Any rule because the Sophos SG takes care of security. But for peace of mind, we restrict the traffic a bit.

Because it’s a bit hard to read, here’s the content: we only allow the client to talk to the Sophos SG on the guest interface, forbid the rest of the private IP address ranges, and then allow Any for internet access.
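
The rule order matters here, because the Sophos guest interface itself sits inside a private range. The following check is an added example, not part of the original post or the Aruba configuration: it models the three rules with first-match evaluation and audits them against expected verdicts. The address 10.99.0.1 for the Sophos guest interface and all test destinations are constructed assumptions.

```python
"""Model of the guest role described above, evaluated first-match like a session ACL."""
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): the Sophos SG guest interface is 10.99.0.1.
SOPHOS_GUEST_IF = ip_network("10.99.0.1/32")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# Rule order as described in the post: Sophos first, private ranges denied, rest permitted.
GUEST_ROLE = [
    ("allow-sophos-guest-if", [SOPHOS_GUEST_IF], "permit"),
    ("deny-private-ranges", RFC1918, "deny"),
    ("allow-internet", ANY, "permit"),
]


def evaluate(rules, dst):
    """Return (rule_name, action) of the first rule whose destination matches dst."""
    addr = ip_address(dst)
    for name, networks, action in rules:
        if any(addr in net for net in networks):
            return name, action
    return "implicit-deny", "deny"  # nothing matched


def audit(rules, must_permit, must_deny):
    """Return the destinations whose verdict differs from what is expected."""
    wrong = [d for d in must_permit if evaluate(rules, d)[1] != "permit"]
    wrong += [d for d in must_deny if evaluate(rules, d)[1] != "deny"]
    return wrong


# Constructed test destinations: portal/gateway, public DNS, DHCP broadcast,
# internal hosts and another guest client in the same subnet.
MUST_PERMIT = ["10.99.0.1", "8.8.8.8", "255.255.255.255"]
MUST_DENY = ["10.0.0.10", "172.16.5.20", "192.168.1.1", "10.99.0.50"]

if __name__ == "__main__":
    print("as described:", audit(GUEST_ROLE, MUST_PERMIT, MUST_DENY) or "ok")
    # Same rules with the deny moved to the top: the hotspot portal becomes unreachable.
    misordered = [GUEST_ROLE[1], GUEST_ROLE[0], GUEST_ROLE[2]]
    print("deny first:", audit(misordered, MUST_PERMIT, MUST_DENY))
```

An empty audit result means every destination got the expected verdict; with the deny rule first, the Sophos guest interface shows up as wrongly blocked.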




Have a nice day!

