I am deploying the SSL VPN client to around 60 users computers. Here are the challenges i am faced with this deployment: When you download VPN + config file from user portal, that is only valid for a specific individual. If i downloaded the VPN software and deployed it to machines by GPO or something similar, how would you get the individuals config file into their c:\program files(86)\sophos\sophos ssl vpn\config folder? The only ways i can see to do this is to Reset every single users password, log in as that user, get their configuration file, send the configuration file to each user, supply the user with a new password, then have the user reset their own password - what a nightmare that would be so no way i'm doing that Ask every user to log in to the user portal, download the config, then tell me when they have it so i can log on to every computer and put the file into their config folder - that also sounds like a horrible option because that will take hours and hours and many phone calls/emails and frustrated users. I could ask the users to copy it into their own config folder locally but as you already know you get those users who freak out about doing IT related things and get confused and frustrated and refuse to do it. Users do not have rights on their local machines to install software for security and company policy reasons. How have you done a similar deployment in the past considering these challenges?

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deploying SSL VPN clients to many users

I am deploying the SSL VPN client to around 60 users computers. Here are the challenges i am faced with this deployment:

When you download VPN + config file from user portal, that is only valid for a specific individual.
If i downloaded the VPN software and deployed it to machines by GPO or something similar, how would you get the individuals config file into their c:\program files(86)\sophos\sophos ssl vpn\config folder? The only ways i can see to do this is to
1. Reset every single users password, log in as that user, get their configuration file, send the configuration file to each user, supply the user with a new password, then have the user reset their own password - what a nightmare that would be so no way i'm doing that
2. Ask every user to log in to the user portal, download the config, then tell me when they have it so i can log on to every computer and put the file into their config folder - that also sounds like a horrible option because that will take hours and hours and many phone calls/emails and frustrated users. I could ask the users to copy it into their own config folder locally but as you already know you get those users who freak out about doing IT related things and get confused and frustrated and refuse to do it.
Users do not have rights on their local machines to install software for security and company policy reasons.

How have you done a similar deployment in the past considering these challenges?

This thread was automatically locked due to age.

Parents

0 Richard Arends over 7 years ago

Really looking for an answer on this. If You need to deploy this software to a large group of off-premises users, so far I have run into the following issues:

1. There is no 'unattended' or 'silent' install of the Sophos client. This is pretty crucial in large, enterprise environments, where tools like PDQ Deploy or SCCM are used to push out deployed packages.

2. NONE of the .exe's (client, client+VPN config, OR the config.exe) run without Administrative privileges. In an enterprise environment, where the majority of users don't have these rights/permissions, they cannot "simply install..." any of the software on their machines. Makes it even more fun if your users are fully remote.

If anyone has deployed this in an enterprise environment, I'd love to hear any tips or recommendations.
Cancel
Vote Up 0 Vote Down

Cancel
0 M8ey over 7 years ago in reply to Richard Arends

Hey Richard,

What happens when you try and deploy the exe via PDQ Deploy and use the silent switches?

I use the ones below for most exe's but haven't tried the SSL VPN

/install /passive /norestart /silent
Cancel
Vote Up 0 Vote Down

Cancel
0 Derek Nadeau over 7 years ago in reply to M8ey

I'm wondering if anyone was able to do silent installs with PDQ or other? I'm testing today, no luck.... install just runs indefinitely.

I've opened a case with Sophos on this also, we are a few weeks away from a firewall cut with XG450's and trying to figure out how to deploy this other than having every user hit the firewall interface (which by the way, requires Admin rights, which they don't have here).

There has to be a way to this that makes sense, or it wouldn't make sense, right?

Currently attempting to use the .exe package to deploy via PDQ using a service account that has domain admin, so the install should work. The next hurdle would be the profiles.

Any ideas?
Cancel
Vote Up 0 Vote Down

Cancel
0 Brian Fisk1 over 6 years ago in reply to Derek Nadeau

Did you end up figuring this out? In my .org we use openvpn for other access and found that you can use the sophos configuration file with openvpn and not have to install the sophos client (which is just modified openvpn). There seems to be a lot more flexibility with openvpn to search with that for automation. Here was a link with some good info. I think the biggest thing for me is that each config is user specific so it needs to be downloaded from the firewall? I wonder if I can just use power shell to generate the file for logged in user through GPO. I am also interested in finding out how to force laptops to login to Vpn as soon as they log into their machine from off-net. We want all traffic to pass through security services on the XG for mobile Corp owned laptops. I am also evaluating MS EMS E5 for similar functionality plus much more.
Cancel
Vote Up 0 Vote Down

Cancel
0 Derek Nadeau over 6 years ago in reply to Brian Fisk1

I did get this working in PDQ (remote push of the Sophos SSL VPN Client)

Scroll to the post by "Alex Vincer" outlined in orange within the link below....

https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/55226/enterprise-unattended-deployment-of-ssl-vpn-client-2-10/202435

To get the tap driver cert on machines, I followed the steps in that post, tested local first, then used a GPO. The cert has to be resident by machine under "Trusted Publishers" before the PDQ job will work, otherwise the prompt for the TAP driver prompts a windows security message and the job hangs indefinitely.

Once I had the cert resident on the machine, I used these switches in the PDQ job, but change the value of SELECT TAP piece to "0".

/SELECT_SHORTCUTS=0 /SELECT_OPENVPN=1 /SELECT_SERVICE=1 /SELECT_TAP=1 /SELECT_OPENVPNGUI=0 /SELECT_ASSOCIATIONS=1 /SELECT_OPENSSL_UTILITIES=0 /SELECT_EASYRSA=0 /SELECT_PATH=1 /SELECT_OPENSSLDLLS=1 /SELECT_LZODLLS=1 /SELECT_PKCS11DLLS=1 /S

- I'm now trying to figure out how to get the OVPN files from our XG450 firewall, and have been told by Sophos that the only way to get these is to have users sign into the portal. If this truly is the case, I just went through this exercise for nothing... working on that today.
Cancel
Vote Up 0 Vote Down

Cancel
0 DomeP over 6 years ago in reply to Derek Nadeau

Hi Derek,

did you find a way to export the OVPN config files from XG?

We are migrating from UTM to XG and have the same problem - how to roll out SSL VPN without loggin in all users into the User Portal.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DomeP over 6 years ago in reply to Derek Nadeau

Hi Derek,

did you find a way to export the OVPN config files from XG?

We are migrating from UTM to XG and have the same problem - how to roll out SSL VPN without loggin in all users into the User Portal.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data