
AD password change in XG VPN client

Hi

We are getting lots of negative feedback after deploying Sophos XG firewalls in place of Cisco ASAs, as the VPN client doesn't seem to support AD password change prompts when using a RADIUS backend for auth.

Is there any way in which AD password expiries can be passed through to a remote worker over the VPN from an XG, or are there any plans to bring this in as a feature?

This is getting to the point where we won't be able to sell them, as the amount of remote working now due to Covid is causing daily support issues for our customers with AD passwords expiring. Some are even now continuing to use Cisco ASAs just to use the AnyConnect client to reset an AD user password.

Surely if Cisco have been able to provide this feature for years, why can't this work on the XG?

(Any other ideas to get around this problem much appreciated.)

Thanks
Dan



Edited TAGs
[edited by: emmosophos at 5:12 PM (GMT -7) on 23 Sep 2022]
  • You mean the "Build VPN before login" feature (aka the msgina hack)? This is a "feature" which uses a binary in Windows to be able to build up the VPN before the login mask has actually logged in the user. 

    This is actually not supported: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11195724-ssl-vpn-client-that-logs-on-before-windows 

    The user should be able to change their password while connected, as the Windows protocol takes care of this process. 

    But if the password expires and he needs to change this password, the VPN client does not have the capabilities to change this. Therefore the old password is likely not usable, and he cannot change this password - correct? 

    Maybe you need to think about a new strategy to change the passwords before they expire. There are multiple roads to go: https://newsignature.com/articles/password-expiration-nightmare-vpn-users-solved/ etc. 

    Azure AD has another approach to this issue. 

  • Hi.

    So no, not necessarily the MSGINA VPN before login option, but simply that AnyConnect will warn you of a password change due and then allow you to change it from within the client at the point you connect. It's a simple and very effective solution that Cisco have supported for a long time on the ASA.

    Cisco AnyConnect - Allow Domain Password Change via LDAP | PeteNetLive

    Yes, there are workarounds or other technologies, but this adds unnecessary complication to what should be as simple as:

    user logs in to workstation with cached creds, user launches AnyConnect, AnyConnect warns of password change required,

    user changes password and completes VPN connection, user locks and unlocks workstation, everything now in sync.

    Currently we have the issue that a user will attempt multiple times to connect to Sophos VPN, and this eventually causes account lockout due to an expired password that they aren't aware of; then a call to IT is required to resolve the issue.

    Yes, you could use something like AzureAD password writeback, but this requires AD Connect and ideally MFA on all cloud accounts to prevent hackers using breached AzureAD accounts to penetrate the on-premise network (I appreciate MFA is best practice anyway). Or use Identity Manager as you suggested. Again, it's added complexity for something that should be simple, and for small businesses they aren't going to accept that we not only have the cost to replace the firewall but now the added cost of everything else just to get back a feature that they have always had with AnyConnect out of the box at no extra cost.

    It's just frustrating that a simple feature can't be added in to the VPN client solution to prevent the need for all the "workarounds".
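One concrete form of the "change passwords before they expire" strategy suggested in the earlier reply, aimed at the lockout scenario described above (users retrying the VPN with a password they do not know has expired): an added PowerShell example, not from this thread or from Sophos, that reports AD accounts whose password expires within a window or has already expired, so IT can contact those users before the VPN client starts failing. It assumes the RSAT ActiveDirectory module is installed and that DaysAhead and SearchBase are adjusted to your environment.

```powershell
# Added example, not from this thread: list AD users whose password expires
# within the next $DaysAhead days (or has already expired).
# Requires the ActiveDirectory module from RSAT; run as an account that can
# read user attributes. $DaysAhead and $SearchBase are assumed defaults.
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param(
        [int]$DaysAhead = 14,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now   = Get-Date
    $limit = $now.AddDays($DaysAhead)

    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute that
    # honours fine-grained password policies, unlike a manual
    # pwdLastSet + MaxPasswordAge calculation.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -SearchBase $SearchBase `
               -Properties msDS-UserPasswordExpiryTimeComputed, mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 / null / Int64.MaxValue all mean "no expiry", skip those accounts
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -le $limit) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Mail           = $_.mail
                Expires        = $expires
                DaysLeft       = [math]::Floor(($expires - $now).TotalDays)
                AlreadyExpired = ($expires -lt $now)
            }
        }
    } | Sort-Object Expires
}

# Usage: accounts expiring in the next two weeks, already-expired ones first.
Get-ExpiringPasswords -DaysAhead 14 | Format-Table -AutoSize
```

The AlreadyExpired column is the one to act on first: those are exactly the users who will hit the repeated-failure lockout from the VPN client until someone resets or changes the password for them.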

  • Actually that is not easy to perform at all. It's not as simple as you might think, because this would actually require you to allow changing something from XG via LDAP. And Sophos is not doing this at all with any product. We never change anything on the AD. There are a couple of reasons behind this approach. 

    So this sounds "simple" in the first approach to "Simply push something to AD", but there is a huge impact on this.