Sophos WiFi Marketing for MSP Resellers
Key Takeaways: Sophos WiFi access points managed through Sophos Central give MSP resellers a security-integrated guest WiFi platform with built-in synchronized security. MyWiFi connects through Sophos Central's API and RADIUS authentication to add captive portal, data capture, and marketing automation. Sophos's "Synchronized Security" feature lets the firewall (XGS) and APs share threat intelligence — if a guest device is compromised, the AP automatically quarantines it. For MSPs already selling Sophos firewalls and endpoint protection, adding WiFi marketing is a natural extension with minimal new infrastructure. All MyWiFi features work at full parity on Sophos hardware.
Sophos is a security company with a strong MSP channel. If you sell Sophos XGS firewalls, Sophos Central endpoint protection, or Sophos MDR to your clients, you already have the vendor relationship and the management platform. Sophos WiFi APs are managed through the same Sophos Central console you use for everything else. Adding guest WiFi marketing to a Sophos-managed network is a configuration task, not a new product deployment.
The security angle is the pitch differentiator. When you tell a clinic owner or financial advisor "we added guest WiFi marketing to your network, and it is protected by the same Sophos security stack that protects your business network," that conversation goes differently than "we installed a separate AP for guest WiFi." The guest network lives inside the security perimeter, not alongside it.
This guide covers the Sophos WiFi integration with MyWiFi: Sophos Central configuration, XGS firewall guest policies, captive portal redirect, RADIUS, synchronized security, and the MSP business model for Sophos-based WiFi marketing.
Sophos architecture for WiFi marketing
Sophos WiFi operates in two modes, both relevant to WiFi marketing:
Sophos Central managed APs. Sophos APX and AP6 series access points are managed through Sophos Central, the same cloud console used for firewalls, endpoints, servers, and mobile devices. SSID configuration, captive portal settings, and AP management are handled in Sophos Central. This is the simpler architecture and works for venues without a Sophos firewall on-site.
Sophos XGS firewall managed APs. When a Sophos XGS firewall is present (which is common in MSP-managed networks), the firewall can manage the APs directly. This enables Synchronized Security — the APs and firewall share threat intelligence through the Sophos Security Heartbeat protocol. Guest traffic passes through the XGS for inspection, and compromised devices are automatically quarantined.
For WiFi marketing, either architecture supports the MyWiFi integration. The XGS-managed path provides stronger security (important for compliance-sensitive verticals), while the Sophos Central path is lighter-weight for venues that only have APs without a firewall.
Prerequisites
- Sophos Central account with partner/MSP access
- Sophos APs deployed and managed (APX 120, APX 320, APX 530, AP6 420, AP6 840, or any supported model)
- Sophos XGS firewall (optional but recommended for Synchronized Security)
- MyWiFi account with a location created for the venue
- VLAN infrastructure for guest network isolation
Step 1: Create the guest SSID in Sophos Central
Log into Sophos Central at central.sophos.com. Navigate to Wireless → SSIDs.
Click Add SSID and configure:
- SSID name: Your client's guest network name
- Security mode: Open (no encryption — captive portal handles authentication)
- VLAN: Assign to a dedicated guest VLAN to isolate guest traffic from the business network
- Band: 2.4 GHz + 5 GHz dual-band. Enable 6 GHz on AP6 series models for WiFi 6E support.
- Client isolation: Enable to prevent guest-to-guest communication
- Band steering: Enable to push capable devices to 5 GHz
Assign the SSID to APs. In Sophos Central, SSIDs can be assigned to specific APs or all APs at a site. For a retail store with one AP, assign to all. For a multi-floor office with distinct public and private areas, assign the guest SSID only to APs in public areas.
Step 2: Configure captive portal redirect
Under the SSID settings in Sophos Central, locate the Captive Portal configuration.
- Captive portal: Enable
- Type: External redirect (also called "Custom URL" in some Sophos Central versions)
- Redirect URL: Enter your MyWiFi portal URL
https://portal.mywifi.io/location/{location-id}
Or with your MSP's white-label domain:
https://wifi.yourmsp.com/location/{location-id}
Sophos Central redirects unauthenticated guests to this URL. After the guest completes login through MyWiFi (social, email, WhatsApp, etc.), MyWiFi authorizes the session and Sophos grants internet access.
If using XGS firewall management: The captive portal redirect is configured on the XGS under Wireless → SSIDs → Guest Network Settings. The configuration fields are the same — external portal URL, authentication method, and walled garden entries.
Step 3: Walled garden (pre-authentication access)
Add these domains to the captive portal's allowed list so guests can reach the login page and social providers before authenticating:
*.mywifi.io
*.mywifinetworks.com
*.facebook.com
*.google.com
*.googleapis.com
*.gstatic.com
*.apple.com
*.whatsapp.com
*.cloudfront.net
In Sophos Central, the walled garden is configured under the captive portal settings for the SSID. In the XGS firewall, it is configured under the wireless guest network's exception list.
Add your custom portal domain if applicable.
Step 4: RADIUS authentication
Configure RADIUS for authenticated guest sessions.
In Sophos Central or XGS:
- RADIUS server: Add MyWiFi's RADIUS server
  - IP address: From your MyWiFi dashboard (Location → Hardware Settings → RADIUS Configuration)
  - Port: 1812 (authentication)
  - Shared secret: From MyWiFi
- RADIUS accounting server:
  - IP address: Same
  - Port: 1813
  - Shared secret: Same
  - Enable accounting: Yes
RADIUS accounting tracks session start, duration, and data transfer. This feeds into MyWiFi's analytics dashboard for per-guest usage metrics.
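The accounting records described above travel as RADIUS Accounting-Request packets, authenticated with the shared secret. The sketch below is an added example, not MyWiFi or Sophos code: it builds and parses such a packet following RFC 2866, rejecting any packet whose Request Authenticator does not match. The secret, user name, session ID, and counters are constructed sample values.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865/2866; the integer-valued ones are 4 octets.
NAMES = {1: "User-Name", 40: "Acct-Status-Type", 42: "Acct-Input-Octets",
         43: "Acct-Output-Octets", 44: "Acct-Session-Id", 46: "Acct-Session-Time"}
INT_ATTRS = {40, 42, 43, 46}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """Encode and sign an Accounting-Request (code 4), as the NAS side does."""
    body = b""
    for attr_type, value in attrs:
        raw = struct.pack("!I", value) if attr_type in INT_ATTRS else value.encode()
        body += bytes([attr_type, len(raw) + 2]) + raw
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator, then decode the session attributes."""
    if len(packet) < 20 or packet[0] != 4:
        raise ValueError("not an Accounting-Request")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad authenticator: wrong secret or altered packet")
    record, pos = {}, 20
    while pos < len(packet):
        attr_len = packet[pos + 1] if pos + 1 < len(packet) else 0
        attr_type, raw = packet[pos], packet[pos + 2:pos + attr_len]
        is_int = attr_type in INT_ATTRS
        if attr_len < 2 or pos + attr_len > len(packet) or (is_int and len(raw) != 4):
            raise ValueError("malformed attribute")
        value = struct.unpack("!I", raw)[0] if is_int else raw.decode("utf-8", "replace")
        record[NAMES.get(attr_type, f"attr-{attr_type}")] = value
        pos += attr_len
    record["Acct-Status-Type"] = STATUS.get(record.get("Acct-Status-Type"), "unknown")
    return record

# Constructed sample: a Stop record for a 30-minute guest session.
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [(1, "guest@example.test"), (40, 2),
    (44, "sess-0001"), (46, 1800), (42, 1048576), (43, 7340032)], SECRET)
```

The authenticator is a keyed MD5 over the whole packet, so the integrity of every usage figure depends on the shared secret: use a long random value per location and keep the RADIUS path on a management network.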
Step 5: Synchronized Security (XGS firewall)
Synchronized Security is Sophos's signature feature and the reason Sophos deployments command a security premium over commodity AP vendors.
How it works:
- Every Sophos-managed device (AP, endpoint, firewall) maintains a "Security Heartbeat" connection to Sophos Central
- The firewall continuously evaluates the security posture of every device on the network, including guest devices
- If a guest device exhibits malicious behavior (command-and-control communication, malware download, exploitation attempt), the XGS firewall changes the device's heartbeat status from "Green" to "Red"
- The AP automatically quarantines the red-status device — it loses internet access and is isolated from other guests
- This happens automatically without admin intervention
For WiFi marketing, this means:
- Guest devices cannot attack the business network through the WiFi
- Compromised guest devices are contained before they affect other guests
- The venue's reputation is protected — a malware incident traced to their guest WiFi is a PR and legal liability
- Compliance teams (especially in healthcare and finance) can approve the guest WiFi deployment because the security controls are provable
Configuring Synchronized Security for the guest SSID:
In the XGS firewall under Wireless → SSID → Security:
- Enable Synchronized Security for the guest SSID
- Set the minimum heartbeat status to Green (or Yellow if you want a warning-only mode)
- Configure the quarantine action: restrict internet access, block all traffic, or redirect to a notification page
Combined with MyWiFi's guest WiFi security best practices, the Sophos + MyWiFi deployment provides the strongest security posture available for guest WiFi marketing.
Step 6: Guest network firewall policies
On the XGS firewall, create policies for the guest VLAN:
Allow policy (guest to internet):
- Source zone: Guest WiFi zone
- Destination zone: WAN
- Services: HTTP, HTTPS, DNS
- Web filtering: Apply a "Guest" web filter profile (block malware, phishing, explicit content)
- Application control: Block bandwidth-heavy apps (P2P, streaming during business hours if needed)
- IPS: Enable intrusion prevention with the recommended ruleset
- Action: Allow with NAT
Deny policy (guest to LAN):
- Source zone: Guest WiFi zone
- Destination zone: LAN, DMZ, or any internal zone
- Action: Drop
- Priority: Higher than the allow policy
This ensures complete isolation between the guest network and business infrastructure. The XGS enforces this at the firewall level, not just at the AP level.
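The deny rule's priority matters most when an allow rule is broader than intended. The audit below is an added example, not Sophos tooling: it walks an ordered rule table top down, first match wins, and reports any guest path to an internal zone or any service beyond HTTP, HTTPS, and DNS toward the WAN. The rule dictionary format and rule names are hypothetical, and the tables are constructed.

```python
INTERNAL_ZONES = {"LAN", "DMZ"}            # zones guests must never reach
GUEST_SERVICES = {"HTTP", "HTTPS", "DNS"}  # services named in the allow policy

def first_match(rules, src, dst):
    """Return the first rule, top down, whose zones cover src -> dst."""
    for rule in rules:
        if src in rule["src"] and (dst in rule["dst"] or "Any" in rule["dst"]):
            return rule
    return None

def audit_guest_policy(rules, guest="Guest WiFi"):
    """Report guest paths to internal zones and extra services toward WAN."""
    findings = []
    for zone in sorted(INTERNAL_ZONES):
        rule = first_match(rules, guest, zone)
        if rule is None:
            findings.append(f"{zone}: no explicit rule, outcome depends on the default")
        elif rule["action"] != "Drop":
            findings.append(f"{zone}: allowed by '{rule['name']}'")
    wan = first_match(rules, guest, "WAN")
    if wan is not None and wan["action"] == "Allow":
        extra = sorted(set(wan["services"]) - GUEST_SERVICES)
        if extra:
            findings.append(f"WAN: '{wan['name']}' also permits {', '.join(extra)}")
    return findings

# Constructed rule tables in a hypothetical export format (not a Sophos schema).
DENY = {"name": "guest-to-internal", "src": {"Guest WiFi"},
        "dst": {"LAN", "DMZ"}, "action": "Drop", "services": {"Any"}}
ALLOW = {"name": "guest-to-internet", "src": {"Guest WiFi"},
         "dst": {"WAN"}, "action": "Allow", "services": {"HTTP", "HTTPS", "DNS"}}
BROAD = dict(ALLOW, name="guest-any", dst={"Any"}, services={"Any"})

AS_DESCRIBED = [DENY, ALLOW]   # deny above allow, as in the step above
MISORDERED = [BROAD, DENY]     # broad allow placed above the deny
```

Running `audit_guest_policy(AS_DESCRIBED)` returns no findings, while `MISORDERED` reports both internal zones as reachable because the broad allow is matched before the deny.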
Bandwidth management: Apply a traffic shaping rule to the guest zone. Limit per-user bandwidth to 5-10 Mbps down / 2-5 Mbps up. Apply a total bandwidth cap for the guest zone to protect the WAN link for business operations.
Step 7: MSP multi-tenant management
Sophos Central's MSP mode is designed for managing multiple client tenants from a single console. Here is how it maps to WiFi marketing:
Sophos Central MSP dashboard:
- Your MSP account contains all client tenants
- Each tenant has its own APs, firewalls, and policies
- You manage all tenants from one console with role-based access control
MyWiFi MSP structure:
- Your reseller account contains all client locations
- Each location has its own portal, analytics, and automation
- Clients access their own white-label dashboard with your MSP branding
Onboarding workflow:
- Client already has Sophos APs and/or XGS firewall managed in your Sophos Central tenant
- Create a guest SSID (if one does not exist) following Steps 1-4 above
- Create a MyWiFi location for the client and configure the hardware integration
- Clone your portal template, customize branding for the client
- Create a sub-user account for the client in MyWiFi with access to their location
- Client's guest WiFi marketing is live
For MSPs already managing 30+ Sophos tenants, this is a repeatable 15-minute onboarding process per client.
Step 8: Reporting and client value delivery
Dual-layer reporting is the Sophos MSP advantage:
Network security reports (from Sophos Central / XGS):
- Threats blocked on the guest network
- Devices quarantined by Synchronized Security
- Web filter violations
- Bandwidth usage and top applications
Marketing reports (from MyWiFi):
- Guest count (new vs. returning)
- Login methods used
- Demographic breakdown
- Campaign engagement and conversions
- ROI attribution
Combine both in your QBR: "This quarter, your guest WiFi captured 1,850 guest profiles, drove $12,400 in trackable repeat visits, and the Sophos security stack blocked 47 threats and quarantined 3 compromised devices on the guest network." That is a report that justifies both the managed network fee and the WiFi marketing fee.
Sophos hardware recommendations
| Model | Use Case | WiFi Standard | MSP Positioning |
|---|---|---|---|
| APX 120 | Small venue (single room) | WiFi 5 | Budget |
| APX 320 | Standard SMB venue | WiFi 5 | Value |
| APX 530 | High-density indoor | WiFi 5 | Performance |
| AP6 420 | Standard indoor | WiFi 6 | Recommended |
| AP6 840 | High-density indoor | WiFi 6E | Premium |
| AP6 420E | Outdoor | WiFi 6 | Outdoor |
For new deployments, the AP6 420 is the standard recommendation. It supports WiFi 6, integrates with Synchronized Security, and is priced competitively for the MSP channel. Existing APX deployments work equally well with MyWiFi — there is no need to replace hardware to enable WiFi marketing.
Comparing Sophos to other MSP-focused options
| Feature | Sophos | Datto | FortiAP |
|---|---|---|---|
| Cloud management | Sophos Central | Datto Network Manager | FortiCloud / FortiGate |
| Synchronized Security | Yes (heartbeat) | No | Security Fabric |
| MSP multi-tenant | Native | Native | FortiCloud MSP mode |
| Firewall integration | XGS (tight) | None (separate) | FortiGate (tight) |
| Per-AP licensing | Central subscription | None | None (FortiGate license separate) |
| MyWiFi integration | Full parity | Full parity | Full parity |
The choice between Sophos and Datto often comes down to whether the MSP's security stack is Sophos or Fortinet. For MSPs without a strong security vendor preference, Datto's zero-licensing model is the lowest cost option. For the full hardware comparison, visit the hardware compatibility page.
FAQ
Do I need a Sophos XGS firewall, or can I use Sophos APs standalone?
Sophos APs work in two modes: managed by Sophos Central (standalone) or managed by an XGS firewall. For basic captive portal redirect and RADIUS authentication, Sophos Central management is sufficient. For Synchronized Security, web filtering on the guest network, and advanced firewall policies, the XGS is required.
How does Sophos Central pricing work for MSPs?
Sophos uses a subscription model per AP per year, managed through Sophos Central. MSPs purchase through Sophos distribution (Ingram Micro, TD SYNNEX, etc.) at MSP discount rates. The subscription includes cloud management, firmware updates, and support. Factor this per-AP cost into your WiFi marketing service fee.
Can I mix Sophos WiFi marketing with other hardware in the same MyWiFi account?
Yes. MyWiFi is hardware-agnostic. Your MSP account can contain locations using Sophos, Datto, UniFi, Meraki, or any other supported vendor. Each location is independently configured.
What happens if a guest device triggers Synchronized Security quarantine?
The guest's device loses internet access and is isolated from the network. The guest sees a "connection lost" or timeout in their browser. The quarantine event is logged in Sophos Central with the device details, threat type, and timestamp. The device can be manually released from quarantine or it is automatically released when the threat condition clears. From the guest's perspective, they would need to reconnect and re-authenticate.
Can I schedule different portals for different times of day?
Yes. MyWiFi supports portal scheduling. Configure a business-hours portal (branded for the venue, marketing-focused) and an after-hours portal (simplified, minimal data capture). The portal switch is managed in MyWiFi — the Sophos SSID configuration does not change. This is useful for venues like coworking spaces that have members during the day and event guests in the evening.
How does this compare to building a guest network on the Sophos XGS without MyWiFi?
The Sophos XGS has a basic built-in captive portal (hotspot feature) that supports click-through access and simple voucher-based authentication. It does not support social login, marketing automation, analytics dashboards, white-label branding, or data export. MyWiFi replaces the Sophos built-in portal with a full-featured marketing platform while preserving all of Sophos's security features (firewall policies, Synchronized Security, web filtering).
Next steps
- Audit your Sophos client portfolio — Identify clients with deployed APs and high foot traffic for the first WiFi marketing deployments
- Configure the first Sophos venue — Follow the steps above to set up the guest SSID, portal redirect, and RADIUS
- Explore all supported hardware — Visit the hardware compatibility page for 20+ vendor options
- Set your MSP pricing — Review MyWiFi pricing and the recurring revenue playbook for margin optimization
- Book a demo — Schedule a live demo to see the Sophos integration with WiFi marketing
Sophos + MyWiFi gives security-focused MSPs a differentiated WiFi marketing offering. The Synchronized Security pitch opens compliance-regulated verticals, the Sophos Central console keeps management in your existing workflow, and MyWiFi's marketing platform turns guest connections into client revenue. Every Sophos AP you manage is already WiFi marketing-ready — the revenue is there for the activating.