diff --git a/homer/configmaps.yaml b/homer/configmaps.yaml
index 8092510..2a95a40 100644
--- a/homer/configmaps.yaml
+++ b/homer/configmaps.yaml
@@ -95,6 +95,11 @@ data:
 keywords: "firewall xg admin"
 url: "https://firewall-admin.apps.undercloud.dev"
 #target: "_blank" # optional html a tag target attribute
+ - name: "SophosXG"
+ logo: "assets/logos/userportal.png"
+ subtitle: "VPN Portal"
+ tag: "firewall xg user userportal"
+ url: "https://firewall-vpn.apps.undercloud.dev"
 - name: "SophosXG"
 logo: "assets/logos/userportal.png"
 subtitle: "Userportal"
@@ -278,6 +283,12 @@ data:
 tag: "ldap"
 keywords: "ldap phpldapadmin"
 url: "https://phpldapadmin.apps.undercloud.dev"
+ - name: "LDAP"
+ logo: "assets/logos/phpldapadmin.png"
+ subtitle: "LDAP Account Manager"
+ tag: "ldap"
+ keywords: "ldap lam"
+ url: "https://lam.apps.undercloud.dev"
 - name: "LDAP-Password"
 logo: "assets/logos/phpldapadmin.png"
 subtitle: "self-service-password"
diff --git a/ingress-external-devices/firewall.yaml b/ingress-external-devices/firewall.yaml
index 99ed52c..8f9f3ae 100644
--- a/ingress-external-devices/firewall.yaml
+++ b/ingress-external-devices/firewall.yaml
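Review bot: In the first hunk of homer/configmaps.yaml the new "VPN Portal" entry puts its search words into `tag: "firewall xg user userportal"` and has no `keywords:` line, while the other entries visible in this diff keep a short `tag` (for example `tag: "ldap"`) and list search terms under `keywords`. As written, the whole string would presumably be rendered as the tag label, and a search for "vpn" would only match the subtitle. I would write a short `tag` matching the sibling firewall entries plus `keywords: "firewall xg vpn"`. The line may have been copied from the Userportal entry below, whose remaining lines are outside the hunk, so that entry is worth checking too.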
@@ -65,6 +65,65 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+ name: firewall-vpn
+ namespace: ingress-external
+spec:
+ ports:
+ - name: https
+ port: 4443
+ targetPort: 4443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: firewall-vpn
+ namespace: ingress-external
+subsets:
+- addresses:
+ - ip: 10.0.1.1 # Sophos XG IP
+ ports:
+ - port: 4443
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: firewall-vpn
+ namespace: ingress-external
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/upstream-vhost: "firewall.undercloud.local"
+ nginx.ingress.kubernetes.io/proxy-ssl-server-name: "true"
+ nginx.ingress.kubernetes.io/proxy-ssl-name: "firewall.undercloud.local"
+ nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
+
+ nginx.ingress.kubernetes.io/proxy-redirect-from: "https://firewall.undercloud.local:4443/"
+ nginx.ingress.kubernetes.io/proxy-redirect-to: "https://firewall-vpn.apps.undercloud.dev/"
+ nginx.ingress.kubernetes.io/proxy-cookie-domain: "firewall.undercloud.local firewall-vpn.apps.undercloud.dev"
+
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+spec:
+ tls:
+ - hosts: [firewall-vpn.apps.undercloud.dev]
+ secretName: firewall-vpn-tls
+ rules:
+ - host: firewall-vpn.apps.undercloud.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: firewall-vpn
+ port:
+ number: 4443
+---
+apiVersion: v1
+kind: Service
 metadata:
 name: firewall-userportal
 namespace: ingress-external
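Review bot: The new `firewall-vpn` Ingress sets `nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"`, so the TLS leg from the ingress controller to the appliance at 10.0.1.1:4443 accepts any certificate and the `proxy-ssl-name` value beside it is never checked. ingress-nginx documents `on`/`off` for both `proxy-ssl-verify` and `proxy-ssl-server-name`, so `"false"` and `"true"` may be ignored or rejected and SNI may not be sent at all; this is worth confirming against the rendered nginx configuration. I would write `nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"` and `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"`, and add `nginx.ingress.kubernetes.io/proxy-ssl-secret: "ingress-external/<ca-secret-name>"` (placeholder name) pointing at a secret that holds the CA which signs the appliance certificate. If verification has to stay off, a comment above the annotation saying why, such as `# upstream uses a self-signed appliance certificate; verification disabled until a CA bundle is provisioned`, would tell the next reviewer it was a deliberate choice.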