In case you are using split-tunnel with your Sophos UTM and an Access Point behind a RED, you need to configure some additional parameters. The Access Point always wants to connect to the WLAN Controller address 220.127.116.11 so you need to add this host to the split-network area:
after this the RED will reboot and the access point will try to connect to the controller address. You can see blocked packets in the firewall live log:
to allow the communication between the UTM WLAN controller address and the branch office, you need to add this network under the wireless protection / global settings:
after this configuration changes, you will see a new access point in the WebAdmin and can allow the joining. The access point will download the new firmware and restart itself. Keep in mind that you need to add the AP to your existing WLAN group to provision the configured SSIDs.