
Alternate VPN clients

Hello.  We recently rolled out a couple of Sophos XG appliances to replace some SonicWalls.  Love the Sophos XG, but we're not overly happy about the VPN client options.  The SSL VPN client has been around for quite some time and, while efficient, it does not allow for a lot of the functionality of the SonicWall NetExtender (domain login scripts, etc.).  Although the NetExtender has been very problematic with Windows 10 upgrades as of late.

I see the Sophos Connect is there now with 17.5 and that is a good start, but it is EAP and we need to roll this out to over 20 remote users initially.  I tested the Sophos Connect and it does not seem to work with an AD back end even though the SSL VPN client does.  But we will likely wait to attempt to deploy Sophos Connect for 6 months or so until 18 is out.

That being said does anyone know of a VPN client that will work with Sophos XG firewalls that would provide the functionality we are looking for (Domain login scripts, etc) as well as AD backend authentication support?


Also should we be looking at clientless VPN?  Honestly, I was under the impression that IPSec VPN clients were going the way of the dodo.  

Thanks for any information


Dave



  • First of all, Clientless VPN is not a good alternative to provide VPN for your users. It demands a high CPU / RAM usage per user on XG/SG.


    Sophos Connect should use backend authentication. Most likely it will use the user, which is created on XG, but uses the credentials out of AD. 

    Domain login scripts could be done with GPOs etc. But not with the tool itself.

    https://community.sophos.com/kb/en-us/133280


    This is not in the EAP right now, but there are a couple of plans to implement them as well.


    As a (paid) alternative, there are a couple of clients on the market. TheGreenBow, NCP etc. You name it. Most likely they will work with XG, as IPsec is quite a standard nowadays.

  • I apologize for the delay in responding.  The flu got me!  Thanks very much for your response.  I really appreciate it.


    Unfortunately, I am still not having any luck getting AD authentication to work.  The Sophos Connect tab has an "allowed user" but no options for AD.  I will dig around a little on this.


    Thanks again

    Dave

  • Thank you... All is working well, except it seems like split tunneling is not working.  Once we connect to the VPN we can no longer access Internet resources on the remote computer.  Is there a specific location where this could be enabled?


    Thanks

    Dave

  • Did you configure something in SCadmin? 

    Because you can configure "Tunnel all" and SC will tunnel everything to XG. So literally you do not configure tunnel all. 

  • Hello... Thanks... I did not configure anything in SCadmin. Basically, I just configured Sophos Connect in the VPN section and assigned the static IP address pool to something outside of the IP subnet.  It connects in perfectly (super fast too) and I am able to access LAN resources, but all internet traffic from the remote is blocked.  I am certainly missing something.  Other than configuring the Sophos Connect in the VPN area, is there anything else that needs to be configured?  I will say, as per your recommendation, I configured STAS and it works great.  Users are automatically registered in the XG.  In the Sophos Connect settings I just added the users that are allowed to use the VPN.  It works well.

    I just can't figure out why split tunneling is not working.  Are there firewall rules that also need to be defined?

    Thanks for your help on this.

  • Hey Dave,


    Are you using AD Credentials and STAS?

    Did you allow the remote subnet in the STAS monitoring settings?

  • Thanks very much.  We are using AD authentication with STAS and have the monitoring subnet as the corporate subnet and not the remote subnet (assigned in the Sophos Connect settings).  The XG seems to be populating the users fine and we are able to login using AD users.  Are you saying that we need to add the remote subnet assigned to the remote users?  

    thx

    Dave

  • I sure am,


    I had the same issue where all internal resources were fine but nothing worked outside - I added my Remote Subnets to the STAS settings so it can authenticate the user and all worked again.

    Worth a try Dave.

  • Thanks for the info, sir.  Unfortunately, it did not work.  I added the remote subnet to the STAS monitoring settings and it still did not work.  This just seems like split tunneling is disabled and I cannot find where that is.

    I also noticed that (2) Ethernet adapters are configured.  See below.  One LAN is 10.0.2.15 and the other is 192.168.60.10 (this subnet is the one I have defined in the Sophos Connect settings on the XG).  I am not sure if it is normal to have 2 LAN adapters mapped out.

    See below (sorry kinda small).


  • I launched SCadmin and see that Tunnel All is set by default.  And it will not allow me to change it.  This looks to be the issue.  Tunnel all on the XG is definitely disabled.  I will continue to check things out.

  • So I bring in the tgb file into Sophos Connect Admin and the tunnel all option is enabled and does not allow me to click on it to disable it.  I then click Save at the bottom and to save it as a SCX file and then the network section opens up 0.0.0.0 in the network section and it allows me to turn tunnel all to off.  I save the file, exit Sophos connect Admin and load the SCX file and tunnel all is enabled again.  

    So something is definitely wrong with Sophos Admin.  Is there any way to change the default on the XG so Tunneling is disabled by default?  I look at the remote access policy and group assigned to these users and tunnel all is off.  

    Any thoughts on this?  Should I just force all traffic through the tunnel?  I am sure the remote users will not be happy about that and will be reloading the SSL VPN client.  I hate users.. lol

    Thanks again

    Dave

  • Hi Dave,

    This is going to be really "stoopid" but to "turn off" split tunneling, click the well hidden faded "Add New" button at the bottom right of the window and type a subnet like 192.168.1.0/24, once you press enter, it will turn off the full tunneling. It's a pretty naff design flaw there for usability.

    On the XG side, full tunnel is part of the config export because IPsec client VPNs are designed by default to be full tunnels, but the SCAdmin allows you to change the subnet splits :)

    Hope that helps!

    Emile
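One way to confirm on the client which tunnel mode actually took effect after editing the SCAdmin profile, as an added example that is not part of this thread or of Sophos Connect: parse the client's IPv4 route table and longest-prefix-match a few destinations to see whether Internet traffic leaves via the LAN adapter or the VPN adapter. The route lines below are constructed to resemble Windows `route print` output; the adapter addresses 10.0.2.15 and 192.168.60.10 come from the thread, the gateway and metric values are assumed.

```python
"""Decide whether a client's IPv4 route table reflects a split or full tunnel
by longest-prefix matching sample destinations (ties broken by metric)."""
import ipaddress

# Constructed sample: route table of a client whose profile carries only
# 192.168.1.0/24 through the VPN adapter (split tunnel).
SPLIT_ROUTES = """\
          0.0.0.0          0.0.0.0         10.0.2.2        10.0.2.15     25
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
      192.168.1.0    255.255.255.0         On-link     192.168.60.10     26
     192.168.60.0    255.255.255.0         On-link     192.168.60.10    281
"""

# Constructed sample: same client with "Tunnel all" in effect; the VPN
# adapter adds a second default route with a better (lower) metric.
FULL_ROUTES = SPLIT_ROUTES + \
    "          0.0.0.0          0.0.0.0         On-link     192.168.60.10      1\n"


def parse_routes(text):
    """Return (network, interface, metric) tuples from route print lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip headers and separators
            continue
        dest, mask, _gateway, iface, metric = parts
        routes.append((ipaddress.IPv4Network((dest, mask)), iface, int(metric)))
    return routes


def egress_interface(routes, destination):
    """Interface address that would carry traffic to `destination`:
    longest prefix wins, then lowest metric, as the Windows stack does."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def is_full_tunnel(routes, vpn_iface):
    """True when a public (TEST-NET) destination would leave via the VPN."""
    return egress_interface(routes, "203.0.113.5") == vpn_iface


if __name__ == "__main__":
    for name, text in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, "tunnel all:", is_full_tunnel(parse_routes(text), "192.168.60.10"))
```

Run against real `route print` output, a profile that still tunnels everything shows up immediately as a 0.0.0.0/0 route via the VPN pool address with the best metric.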
