This discussion has been locked.

Deploying SSL VPN clients to many users

I am deploying the SSL VPN client to around 60 users' computers. Here are the challenges I am faced with in this deployment:

  1. When you download VPN + config file from the user portal, that is only valid for a specific individual.
  2. If I downloaded the VPN software and deployed it to machines by GPO or something similar, how would you get the individual's config file into their c:\program files(86)\sophos\sophos ssl vpn\config folder? The only ways I can see to do this are to
    1. Reset every single user's password, log in as that user, get their configuration file, send the configuration file to each user, supply the user with a new password, then have the user reset their own password - what a nightmare that would be, so no way I'm doing that
    2. Ask every user to log in to the user portal, download the config, then tell me when they have it so I can log on to every computer and put the file into their config folder - that also sounds like a horrible option because that will take hours and hours and many phone calls/emails and frustrated users. I could ask the users to copy it into their own config folder locally, but as you already know you get those users who freak out about doing IT-related things and get confused and frustrated and refuse to do it.
  3. Users do not have rights on their local machines to install software, for security and company policy reasons.

How have you done a similar deployment in the past considering these challenges? 



  • Really looking for an answer on this.  If you need to deploy this software to a large group of off-premises users, so far I have run into the following issues:

    1. There is no 'unattended' or 'silent' install of the Sophos client.  This is pretty crucial in large, enterprise environments, where tools like PDQ Deploy or SCCM are used to push out deployed packages.

    2. NONE of the .exe's (client, client+VPN config, OR the config.exe) run without Administrative privileges.  In an enterprise environment, where the majority of users don't have these rights/permissions, they cannot "simply install..." any of the software on their machines. Makes it even more fun if your users are fully remote.


    If anyone has deployed this in an enterprise environment, I'd love to hear any tips or recommendations. 

  • Hey Richard,


    What happens when you try and deploy the exe via PDQ Deploy and use the silent switches?


    I use the ones below for most exes but haven't tried the SSL VPN.


    /install /passive /norestart /silent

  • I'm wondering if anyone was able to do silent installs with PDQ or other?  I'm testing today, no luck.... install just runs indefinitely.

    I've opened a case with Sophos on this also, we are a few weeks away from a firewall cut with XG450's and trying to figure out how to deploy this other than having every user hit the firewall interface (which by the way, requires Admin rights, which they don't have here).


    There has to be a way to do this that makes sense, or it wouldn't make sense, right?

    Currently attempting to use the .exe package to deploy via PDQ using a service account that has domain admin, so the install should work.  The next hurdle would be the profiles.


    Any ideas?

  • Did you end up figuring this out? In my org we use OpenVPN for other access and found that you can use the Sophos configuration file with OpenVPN and not have to install the Sophos client (which is just modified OpenVPN). There seems to be a lot more flexibility with OpenVPN to search with that for automation. Here was a link with some good info. I think the biggest thing for me is that each config is user specific, so it needs to be downloaded from the firewall? I wonder if I can just use PowerShell to generate the file for the logged-in user through GPO. I am also interested in finding out how to force laptops to log in to VPN as soon as they log into their machine from off-net. We want all traffic to pass through security services on the XG for mobile corp-owned laptops. I am also evaluating MS EMS E5 for similar functionality plus much more.
  • I did get this working in PDQ (remote push of the Sophos SSL VPN Client).

    Scroll to the post by "Alex Vincer" outlined in orange within the link below.

    https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/55226/enterprise-unattended-deployment-of-ssl-vpn-client-2-10/202435

    To get the TAP driver cert on machines, I followed the steps in that post, tested locally first, then used a GPO.  The cert has to be resident by machine under "Trusted Publishers" before the PDQ job will work; otherwise the prompt for the TAP driver raises a Windows security message and the job hangs indefinitely.

    Once I had the cert resident on the machine, I used these switches in the PDQ job, but change the value of the SELECT TAP piece to "0".

     /SELECT_SHORTCUTS=0 /SELECT_OPENVPN=1 /SELECT_SERVICE=1 /SELECT_TAP=1 /SELECT_OPENVPNGUI=0 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 /SELECT_PATH=1 /SELECT_OPENSSLDLLS=1 /SELECT_LZODLLS=1 /SELECT_PKCS11DLLS=1 /S

    - I'm now trying to figure out how to get the OVPN files from our XG450 firewall, and have been told by Sophos that the only way to get these is to have users sign into the portal.  If this truly is the case, I just went through this exercise for nothing... working on that today.
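The machine-context deployment the post above describes (publisher cert into Trusted Publishers, then the silent install with the quoted switches), plus the per-user config staging that the earlier reply wondered about doing with PowerShell through GPO, written up as one added example script; it is not the poster's script nor Sophos' tooling. The installer path, the TAP driver publisher .cer file, the file share holding one <username>.ovpn per user, and the naming of those files are placeholders/assumptions; the config folder path is the one quoted in the opening post and should be verified on a target machine.

```powershell
# Added example (not from the thread): run in machine context (PDQ service account or a
# GPO computer startup script), since standard users cannot write under Program Files.
param(
    [string]$InstallerPath = 'C:\Deploy\SophosSSLVPNClient.exe',     # placeholder
    [string]$TapCertPath   = 'C:\Deploy\tap-driver-publisher.cer',   # placeholder
    [string]$ConfigShare   = '\\fileserver\vpnconfigs$',             # placeholder: <user>.ovpn per user (assumption)
    [string]$ConfigDir     = 'C:\Program Files (x86)\Sophos\Sophos SSL VPN\config', # path as quoted in the thread; verify
    [int]$SelectTap        = 1   # the post says to change /SELECT_TAP to 0; default keeps the quoted value
)

$ErrorActionPreference = 'Stop'

# 1. Put the TAP driver publisher cert in the machine Trusted Publishers store, so the driver
#    install does not raise the Windows security prompt that hangs the PDQ job.
$tapCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($TapCertPath)
$present = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
           Where-Object { $_.Thumbprint -eq $tapCert.Thumbprint }
if (-not $present) {
    Import-Certificate -FilePath $TapCertPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
}

# 2. Refuse to run an installer whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)', not running it" }

# 3. Silent install with the switches quoted in the post (only SELECT_TAP is parameterised).
$switches = "/SELECT_SHORTCUTS=0 /SELECT_OPENVPN=1 /SELECT_SERVICE=1 /SELECT_TAP=$SelectTap " +
            "/SELECT_OPENVPNGUI=0 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 " +
            "/SELECT_PATH=1 /SELECT_OPENSSLDLLS=1 /SELECT_LZODLLS=1 /SELECT_PKCS11DLLS=1 /S"
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $switches -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# 4. Stage the user-specific .ovpn profile for each account that has a local profile on this
#    machine. Assumes an admin has already collected <samAccountName>.ovpn files onto the share.
New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    $src = Join-Path $ConfigShare ("{0}.ovpn" -f $_.Name)
    if (Test-Path $src) { Copy-Item -Path $src -Destination $ConfigDir -Force }
}
```

The script only stages profiles that have already been obtained; it does not remove the blocker the thread keeps hitting, that each .ovpn is user-specific and comes from the portal.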

  • Hi Derek,


    did you find a way to export the OVPN config files from XG?

    We are migrating from UTM to XG and have the same problem - how to roll out SSL VPN without logging all users in to the User Portal.