Alternate VPN clients

Hello. We recently rolled out a couple Sophos XG appliances to replace some SonicWalls. Love the Sophos XG but were not overly happy about the VPN client options. The SSL VPN client has been around for quite some time and while efficient it does not allow for a lot of the functionality of the SonicWall Netextender (Domain Login scripts, etc). Although the Netextender has been very problematic with Windows 10 upgrades as of late.

I see the Sophos Connect is there now with 17.5 and that is a good start but it is EAP and we need to roll this out to over 20 remote users initially. I tested the Sophos Connect and it does not seem to work with AD back end even though the SSLVPN client does. But we will likely wait to attempt to deploy Sophos Connect for 6 months or so until 18 is out.

That being said does anyone know of a VPN client that will work with Sophos XG firewalls that would provide the functionality we are looking for (Domain login scripts, etc) as well as AD backend authentication support?


Also should we be looking at clientless VPN?  Honestly, I was under the impression that IPSec VPN clients were going the way of the dodo.  

Thanks for any information


Dave



  • First of all, Clientless VPN is not a good alternative to provide VPN for your users. It demands a high CPU / RAM usage per user on XG/SG.


    Sophos Connect should use backend authentication. Most likely it will use the user, which is created on XG, but uses the credentials out of AD. 

    Domain Login script could be done with GPOs etc. But not with the tool itself.

    https://community.sophos.com/kb/en-us/133280

    This is not in the EAP, right now, but there are couple of plans to implement them as well.


    As a (paid) alternative, there are a couple of clients on the market. TheGreenBow, NCP etc. You name it. Most likely they will work with XG as IPsec is quite a standard nowadays.

  • I apologize for the delay in responding.  The flu got me!  Thanks very much for your response.  I really appreciate it.


    Unfortunately, I am still not having any luck getting AD authentication to work.  The Sophos Connect tab has an "allowed user" but no options for AD.  I will dig around a little on this.


    Thanks again

    Dave

  • The User in XG should be a copy of your AD User. But you cannot use groups (right now). 

    So you have to "sync" all users into XG. To sync them, those users have to initially authenticate themselves with XG.

    STAS helps a lot to get all users into XG in the first place. Also possible is an initial login via user portal.

  • Thank you!!...It works perfecto!!  STAS worked perfectly with AD.  Love it.  Looking forward to groups but this is perfect.


    However, one question. I noticed that it gives an address of 10.0.2.x which is not in our subnet. I did add a range of IPs in the client section that are on our subnet so I assumed it would assign it from that. However, it still assigns 10.0.2.x. Does that sound right? Once I set this up is it necessary to setup firewall rules (assuming I can NOT use our subnet?)


    Thanks again.  Love the client.

    Dave

  • The point is, you cannot "extend" your LAN Network to VPN. And there should not be a "real" use case for this. 

    Seems like, if you try to use a LAN Network IP address, XG falls back to this 10. IP subnet. Never tried this.

  • Thank you...All is working well Except it seems like split tunneling is not working.  Once we connect to the VPN we can no longer access Internet resources on the remote computer.  Is there a specific location where this could be enabled?  


    Thanks

    Dave

  • Did you configure something in SCadmin? 

    Because you can configure "Tunnel all" and SC will tunnel everything to XG. So literally you do not configure tunnel all. 

  • Hello...Thanks..I did not configure anything in SCadmin. Basically, just configured Sophos Connect in the VPN section and assigned the static IP address pool to something outside of the IP subnet.  It connects in perfectly (super fast too) and I am able to access LAN resources but all internet traffic from the remote is blocked.  I am certainly missing something.  Other than configuring the Sophos Connect in the VPN area is there anything else that needs to be configured?  I will say as per your recommendation I configured STAS and it works great.  Users are automatically registered in the XG.  In the Sophos Connect settings I just added the users that are allowed to use the VPN.  It works well. 

    I just can't figure out why split tunneling is not working.  Are there firewall rules that also need to be defined?

    Thanks for your help on this.

  • Hey Dave,


    Are you using AD Credentials and STAS?

    Did you allow the remote subnet in the STAS monitoring settings?

  • Thanks very much.  We are using AD authentication with STAS and have the monitoring subnet as the corporate subnet and not the remote subnet (assigned in the Sophos Connect settings).  The XG seems to be populating the users fine and we are able to login using AD users.  Are you saying that we need to add the remote subnet assigned to the remote users?  

    thx

    Dave

  • I sure am,


    I had the same issue where all internal resources were fine but nothing worked outside - I added my Remote Subnets to the STAS settings so it can authenticate the user and all worked again.

    Worth a try Dave.
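Two addressing checks come up in this thread: the remote-access pool must not overlap the LAN (XG otherwise falls back to the 10.0.2.x range), and the subnet the clients actually receive must be inside the STAS monitoring subnets, or the user is never identified and internet traffic is dropped. The following Python helper is an added example, not Sophos code, that runs those checks on constructed sample values (the corporate LAN is not stated in the thread, so 10.10.0.0/16 is assumed):

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample values: the thread names the 192.168.60.x pool and the
# 10.0.2.x fallback; the corporate LAN 10.10.0.0/16 is an assumption.
LAN_SUBNETS = ["10.10.0.0/16"]
VPN_POOL = "192.168.60.0/24"
STAS_MONITOR_SUBNETS = ["10.10.0.0/16"]   # STAS settings before the remote subnet was added


def check_vpn_addressing(lan_subnets: Iterable[str], vpn_pool: str,
                         stas_monitor_subnets: Iterable[str],
                         assigned_ip: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the layout is consistent."""
    findings: List[Tuple[str, str]] = []
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    lans = [ipaddress.ip_network(s, strict=False) for s in lan_subnets]
    monitored = [ipaddress.ip_network(s, strict=False) for s in stas_monitor_subnets]
    client = ipaddress.ip_address(assigned_ip)

    # The VPN pool has to be a separate network; it cannot "extend" the LAN.
    for lan in lans:
        if pool.overlaps(lan):
            findings.append(("POOL_OVERLAPS_LAN",
                             f"pool {pool} overlaps LAN {lan}; choose a pool outside the LAN"))

    # A client outside the configured pool indicates XG fell back to its default range.
    if client not in pool:
        findings.append(("CLIENT_OUTSIDE_POOL",
                         f"client {client} is not in pool {pool}; check the Sophos Connect IP range"))

    # STAS only maps a login to an IP it is told to monitor.
    if not any(client in net for net in monitored):
        findings.append(("CLIENT_NOT_MONITORED",
                         f"client {client} is not in any STAS monitoring subnet; add the remote subnet"))
    return findings


if __name__ == "__main__":
    for code, msg in check_vpn_addressing(LAN_SUBNETS, VPN_POOL, STAS_MONITOR_SUBNETS, "192.168.60.10"):
        print(f"{code}: {msg}")
```

Re-running with the remote pool added to the STAS monitoring list returns no findings, which is the state Dave reached after the fix.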

  • Thanks for the info sir. Unfortunately, it did not work. I added the remote subnet to the STAS monitoring settings and it still did not work. This just seems like split tunneling is disabled and I cannot find where that is.

    I also noticed that (2) ethernet adapters are configured.  See below.  One LAN is 10.0.2.15 and the other is 192.168.60.10 (This subnet is the one I have defined in the Sophos Connect settings on the XG).  I am not sure if it is normal to have 2 lan adapters mapped out.

    See below (sorry kinda small).


  • I launched SCadmin and see that Tunnel All is set by default.  And it will not allow me to change it.  This looks to be the issue.  Tunnel all on the XG is definitely disabled.  I will continue to check things out.

  • So I bring in the tgb file into Sophos Connect Admin and the tunnel all option is enabled and does not allow me to click on it to disable it.  I then click Save at the bottom and to save it as a SCX file and then the network section opens up 0.0.0.0 in the network section and it allows me to turn tunnel all to off.  I save the file, exit Sophos connect Admin and load the SCX file and tunnel all is enabled again.  

    So something is definitely wrong with Sophos Admin.  Is there any way to change the default on the XG so Tunneling is disabled by default?  I look at the remote access policy and group assigned to these users and tunnel all is off.  

    Any thoughts on this? Should I just force all traffic through the tunnel? I am sure the remote users will not be happy about that and will be reloading the SSLVPN client. I hate users..lol

    Thanks again

    Dave

  • Hi Dave,

    This is going to be really "stoopid" but to "turn off" split tunneling, click the well hidden faded "Add New" button at the bottom right of the window and type a subnet like 192.168.1.0/24, once you press enter, it will turn off the full tunneling. It's a pretty naff design flaw there for usability.

    On the XG side, full tunnel is part of the config exportation because IPSEC client VPNs are designed by default to be full tunnels but the SCAdmin allows you to change the subnet splits :)

    Hope that helps!

    Emile

  • Ahh..THANK YOU!!..That seemed to solve the split tunnel issue. I can now get to the internet while connected.


    However, DNS does not seem to be working for me where I can access Internet server names. When connected I cannot access internal servers by name. I checked the DNS servers assigned and they look to be IPv6 addresses and not the IPv4 that I have assigned in the XG.

    Any ideas?

    Again, Thanks so much

    Dave

  • Can you please update to MR1? 

    https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sophos-connect-1-1-mr1-released

    NC-41387 [Remote Access] DNS server is not assigned to the Sophos TAP adapter after tunnel is established on Windows

  • THANK YOU...I am good to go now.  It works perfecto!