
Alternate VPN clients

Hello.  We recently rolled out a couple of Sophos XG appliances to replace some SonicWalls.  We love the Sophos XG but were not overly happy about the VPN client options.  The SSL VPN client has been around for quite some time and while efficient it does not allow for a lot of the functionality of the SonicWall NetExtender (domain login scripts, etc.).  Although the NetExtender has been very problematic with Windows 10 upgrades as of late.

I see the Sophos Connect is there now with 17.5 and that is a good start, but it is EAP and we need to roll this out to over 20 remote users initially.  I tested the Sophos Connect and it does not seem to work with an AD back end even though the SSL VPN client does.  But we will likely wait to attempt to deploy Sophos Connect for 6 months or so until 18 is out.

That being said, does anyone know of a VPN client that will work with Sophos XG firewalls that would provide the functionality we are looking for (domain login scripts, etc.) as well as AD back-end authentication support?

Also, should we be looking at clientless VPN?  Honestly, I was under the impression that IPsec VPN clients were going the way of the dodo.

Thanks for any information.

Dave

  • First of all, Clientless VPN is not a good alternative to provide VPN for your users. It demands a high CPU / RAM usage per user on XG/SG.

    Sophos Connect should use backend authentication. Most likely it will use the user, which is created on XG, but uses the credentials out of AD.

    Domain login scripts could be done with GPOs etc. But not with the tool itself.

    https://community.sophos.com/kb/en-us/133280

    This is not in the EAP right now, but there are a couple of plans to implement them as well.

    As a (paid) alternative, there are a couple of clients on the market. TheGreenBow, NCP etc. You name it. Most likely they will work with XG as IPsec is quite a standard nowadays.

  • Hey Dave,

    I have around 20 VPN users also and the SSL VPN was a PITA as each needed to be downloaded as the end user.

    I went the Sophos Connect path with v17.5 and used PDQ Deploy to fire it out to all my VPN users. A second task to put the config file on the user's desktop made it easy for them to import the connection, and they use their AD credentials to log in. You just need to make them understand it's the username@domain-name format.

    The SC 1.1 came out 2 weeks ago and so far it's solid, and again the update pushed via PDQ fine.

  • I apologize for the delay in responding.  The flu got me!  Thanks very much for your response.  I really appreciate it.

    Unfortunately, I am still not having any luck getting AD authentication to work.  The Sophos Connect tab has an "allowed user" but no options for AD.  I will dig around a little on this.

    Thanks again,

    Dave

  • The user in XG should be a copy of your AD user. But you cannot use groups (right now).

    So you have to "sync" all users into XG. To sync them, those users have to initially authenticate themselves with XG.

    STAS helps a lot to get all users into XG in the first place. Also possible is an initial login via the user portal.

  • Thank you!!... It works perfecto!!  STAS worked perfectly with AD.  Love it.  Looking forward to groups, but this is perfect.

    However, one question.  I noticed that it gives an address of 10.0.2.x which is not in our subnet.  I did add a range of IPs in the client section that are on our subnet, so I assumed it would assign it from that.  However, it still assigns 10.0.2.x.  Does that sound right?  Once I set this up, is it necessary to set up firewall rules (assuming I can NOT use our subnet?)

    Thanks again.  Love the client.

    Dave

  • The point is, you cannot "extend" your LAN network to VPN. And there should not be a "real" use case for this.

    It seems like, if you try to use a LAN network IP address, XG falls back to this 10.x IP subnet. Never tried this.

  • Thank you... All is working well except it seems like split tunneling is not working.  Once we connect to the VPN we can no longer access Internet resources on the remote computer.  Is there a specific location where this could be enabled?

    Thanks,

    Dave

  • Did you configure something in SCadmin?

    Because you can configure "Tunnel all" and SC will tunnel everything to XG. So literally you do not configure tunnel all.
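One way to tell from the remote Windows PC whether the connection is actually running in "Tunnel all" mode or as a split tunnel is to look at the IPv4 route table: a full tunnel puts a default route (0.0.0.0/0) on the VPN adapter, a split tunnel only adds routes for the LAN prefixes. The script below is an added example written for this thread, not code from Sophos or from any poster; it assumes the VPN adapter's name or description contains the string given in -AdapterPattern ("Sophos" is a guess), and the LAN prefix 192.168.50.0/24 is a constructed sample that you replace with your own.

```powershell
# Added example (not from the thread): classify the active VPN as full or split
# tunnel by inspecting the IPv4 route table. Run in an elevated or normal
# PowerShell session on the remote PC while the VPN is connected.
function Test-VpnSplitTunnel {
    [CmdletBinding()]
    param(
        # Assumption: the Sophos Connect adapter name/description contains this text.
        [string]$AdapterPattern = 'Sophos',
        # Constructed sample LAN prefix; replace with the LAN behind your XG.
        [string[]]$LanPrefixes = @('192.168.50.0/24')
    )

    $vpnAdapters = Get-NetAdapter |
        Where-Object { $_.Name -like "*$AdapterPattern*" -or $_.InterfaceDescription -like "*$AdapterPattern*" }
    if (-not $vpnAdapters) {
        Write-Warning "No adapter matching '$AdapterPattern' found; is the VPN connected?"
        return
    }
    $vpnIfIndex = @($vpnAdapters.ifIndex)

    # Default routes, lowest metric first: the first entry carries Internet traffic.
    $defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Sort-Object RouteMetric, InterfaceMetric

    # A default route bound to the VPN interface means "Tunnel all".
    $defaultViaVpn = $defaults | Where-Object { $vpnIfIndex -contains $_.ifIndex }

    # LAN-only routes on the VPN interface are what a split tunnel installs.
    $lanRoutesViaVpn = foreach ($prefix in $LanPrefixes) {
        Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
            Where-Object { $vpnIfIndex -contains $_.ifIndex }
    }

    $mode = if ($defaultViaVpn) { 'Full tunnel (Tunnel all)' }
            elseif ($lanRoutesViaVpn) { 'Split tunnel' }
            else { 'No VPN routes found' }

    [pscustomobject]@{
        VpnAdapter         = ($vpnAdapters.Name -join ', ')
        DefaultRouteViaVpn = [bool]$defaultViaVpn
        LanRoutesViaVpn    = @($lanRoutesViaVpn).Count
        Mode               = $mode
        DefaultRoutes      = $defaults | Select-Object DestinationPrefix, NextHop, ifIndex, RouteMetric
    }
}

# Usage: adjust the adapter pattern and LAN prefix to your environment.
Test-VpnSplitTunnel -AdapterPattern 'Sophos' -LanPrefixes '192.168.50.0/24' | Format-List
```

If the report says "Full tunnel", the remote PC's Internet traffic is leaving through the XG rather than the local connection, so it is subject to the XG's zone-based firewall rules; in that case a rule permitting traffic from the VPN zone to WAN is the thing to check before looking at the client. If it says "Split tunnel", the client side is fine and the Internet problem lies elsewhere (local DNS, for example).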

  • Hello... Thanks... I did not configure anything in SCadmin. Basically, I just configured Sophos Connect in the VPN section and assigned the static IP address pool to something outside of the IP subnet.  It connects in perfectly (super fast too) and I am able to access LAN resources, but all Internet traffic from the remote is blocked.  I am certainly missing something.  Other than configuring the Sophos Connect in the VPN area, is there anything else that needs to be configured?  I will say, as per your recommendation, I configured STAS and it works great.  Users are automatically registered in the XG.  In the Sophos Connect settings I just added the users that are allowed to use the VPN.  It works well.

    I just can't figure out why split tunneling is not working.  Are there firewall rules that also need to be defined?

    Thanks for your help on this.

  • Hey Dave,

    Are you using AD credentials and STAS?

    Did you allow the remote subnet in the STAS monitoring settings?