VPN & Remote Access for Melbourne Businesses

Traditional VPN (SSL or IPSec) creates an encrypted tunnel that places the remote device inside your network perimeter — the remote user has network-level access to resources based on the routing and firewall rules within your internal network. Zero Trust Network Access (ZTNA) takes a fundamentally different approach: rather than granting network access and then applying controls within it, ZTNA grants identity-based access to specific applications only. A user with ZTNA access to your accounting application can only reach that application — they cannot browse the network, scan for shares, or reach other systems even if they are on the same IP subnet. From a security perspective, ZTNA dramatically limits the damage a compromised account can do compared to traditional VPN. For Melbourne businesses with mixed access requirements, we often deploy SSL VPN for power users needing broad access and ZTNA for the majority of staff who need specific application access only.

VPN performance depends on several factors: the internet speeds at both ends of the tunnel, the processing capacity of your firewall (Sophos XGS handles VPN encryption in hardware, which maintains high throughput), and whether split tunnelling is configured correctly. With split tunnelling enabled, only traffic destined for your office network flows through the VPN — Microsoft 365, web browsing, and other cloud applications go directly to the internet at full speed. The primary performance limitation for most Melbourne remote workers is the upload speed of their home internet connection, which determines how quickly they can send files to the office. With a correctly configured Sophos XGS and split tunnelling, most users report that VPN performance is acceptable for all but the most bandwidth-intensive file operations.

For an existing Sophos XGS managed firewall deployment, configuring SSL VPN for your team typically takes 1-2 business days — configuring the VPN profile, creating user accounts and MFA enrolment, distributing the VPN client to staff devices, and testing connectivity for each access scenario. ZTNA deployment is a more involved project: defining application connectors, creating identity-based policies, integrating with your Entra ID for authentication, and configuring the Sophos ZTNA gateway. A full ZTNA deployment typically takes 1-2 weeks including testing. For organisations without a Sophos XGS firewall in place, firewall deployment is the prerequisite — which we can typically complete within 1 week for a standard Melbourne office.

Sophos SSL VPN supports Windows, macOS, iOS, and Android clients — covering all standard business devices. The Sophos VPN client is available from the Sophos XGS user portal and is straightforward to install. For ZTNA, the Sophos ZTNA client is similarly available on all major platforms, and the identity verification integrates with Microsoft Entra ID, meaning staff use their existing Microsoft 365 credentials plus MFA to authenticate. We can also configure device posture checks — ensuring that only devices with current operating system patches and endpoint protection connect to your network, regardless of who is authenticating.

Microsoft 365 is a cloud service that is accessed directly from the internet — it does not require a VPN connection to your office to function, and routing Microsoft 365 traffic through your office VPN actually degrades performance (the traffic goes from the user to your office to the internet to Microsoft's servers, rather than directly from the user to Microsoft). With split tunnelling configured correctly on your Sophos VPN, Microsoft 365 traffic bypasses the VPN tunnel and goes directly to Microsoft — giving you the performance of a direct connection. Only traffic to your on-premise office network (file servers, internal applications, printers) flows through the tunnel. This is the recommended configuration for any Melbourne business using Microsoft 365 with VPN.

VPN remote access via Sophos SSL VPN is included in the Sophos XGS managed firewall service — there is no separate per-user licence cost for SSL VPN on the XGS platform. If you are already on our managed firewall service, adding VPN for your remote workers is a configuration task rather than an additional product purchase. Sophos ZTNA is a separate subscription-based product priced per user per month — typically $8–$18 AUD per user/month at SMB volumes, depending on licensing tier. For a Melbourne business of 20 users deploying ZTNA, expect $160–$360/month in ZTNA licence costs plus CX IT Services management. We provide a pricing comparison of VPN versus ZTNA for your specific user count before you decide.

The Australian Cyber Security Centre's Essential Eight includes multi-factor authentication as a core control — and MFA enforced on VPN is a direct implementation of this requirement for remote access scenarios. Cyber insurers almost universally require MFA on all remote access methods as a policy condition; VPN without MFA is one of the most commonly cited reasons for claim denial following a network intrusion. CX IT Services configures MFA on all VPN and ZTNA deployments as a non-negotiable baseline. We provide documentation of your remote access architecture and MFA implementation for cyber insurance applications and Essential Eight assessments. ZTNA goes further by satisfying the "least privilege" principle that underpins more mature Essential Eight implementations.

Remote access connectivity issues are handled under our managed service support SLA. For business-hours faults, CX IT Services responds to VPN connectivity issues within 2 business hours for critical faults (all remote access down) and 4 business hours for individual user connectivity issues. Our engineers have remote visibility of the Sophos XGS configuration and active VPN sessions through Sophos Central — in most cases we can diagnose and resolve connectivity issues without requiring physical access to any device. After-hours support is available for complete remote access failures that prevent critical after-hours work. Common individual user issues (MFA token problems, client software issues) are resolved via phone or remote session during business hours.

Law firms and medical practices have particularly strong reasons to implement access controls on remote connectivity. For law firms, matter files and client data should only be accessible to authorised fee earners — ZTNA enables per-user access policies that restrict each solicitor or paralegal to the specific file systems and applications their role requires, rather than granting broad network access via VPN. For medical practices, remote access to patient records requires compliance with Privacy Act obligations around access control; ZTNA's granular, identity-based access model provides a more defensible control posture than traditional VPN. CX IT Services documents the remote access architecture and access control policies for law firms and medical practices in a format suitable for professional body compliance records.

If a VPN credential compromise is suspected or confirmed, CX IT Services can disable the affected user account in Sophos Central immediately — terminating any active session and preventing new connections within minutes of your call. Because we enforce MFA on all VPN sessions, a stolen password alone is insufficient to establish a connection — an attacker also needs access to the second factor, which significantly limits the window of exposure. For ZTNA deployments integrated with Microsoft Entra ID, the user account can be disabled at the identity provider level, simultaneously revoking access across VPN, Microsoft 365, and all connected applications. We review VPN access logs for the affected account to determine whether any unauthorised access occurred before the credential was disabled.