Sophos Connect - Some questions

Hello,

I am currently doing some tests with Sophos Connect on SFOS 18.0.5 MR-5-Build586.

(Detailed versions are Sophos Connect Service: 2.1.20.0309; StrongSWan-Service 5.8.0; OpenVPN 2.5.0.0)

I was able to do an IPSec connection and login successfully. I have a couple of questions regarding this.

1) Is it correct that you need to redistribute the scx file each time you make changes on the firewall? The old config no longer seems to work and there seems to be no dynamic pushing of the network from the firewall ... (like with SSL-VPN)

2) I noticed that I see sometimes the routes on the windows cli (route print) when connected with IPSec and sometimes not. This looks strange to me.

3) How do I use the old SSL-VPN connection with the Sophos Connect client? There seems to be no downloadable config file and/or client? I'd like to be able to use both clients for example if I am behind a firewall that blocks IPSec.

4) Is it possible to dynamically push out central configurations without GPOs? For us it will not be very practical to do this. We'd rather like to push everything from the client.

5) One of the main criticisms of my colleagues was that we were not able to do a general rollout as all the (SSL-VPN) clients had individual configurations inside. Any thoughts on how to streamline the rollout of the client and configs (multiple locations, SSL-VPN, frequent changes)?


Regards,
BeEf



  • 1. Yes, currently there is no way to push the config (and changes) to the clients. Therefore I would recommend staying open in the configuration (for example the networks) and including as much as you are going to need. You can later block networks via firewalling.

    2. This is not known to me. The IPsec works with SAs and Strongswan should publish the routes to the kernel. 

    3. You can simply use a .pro file and it will take care of the SSLVPN config. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/VPNSConProvisioningFile.html

    4. Depending on the use case. Most customers use GPO or their own solution (SCCM, Matrix42 etc.).

    5. See answer 3. 

  • Thanks. That clarifies some things but not everything. I have some questions regarding the article at the link:

    1. Based on the IPsec remote access settings and SSL VPN policies you configure on Sophos Firewall, the provisioning file automatically imports the configuration files as follows:
      • IPsec remote access settings: Imports the .scx file for all users.
      • SSL VPN remote access policies: Imports the .ovpn file only for users specified in the remote access policies.
      • IPsec remote access and SSL VPN remote access policies: Imports both .scx and .ovpn files for users specified in SSL VPN remote access policies if you've also configured the IPsec remote access settings.
    2. To prevent users from seeing a certificate error (allow unsigned certificate) when the file is imported, you must create a new appliance certificate. Use the new certificate for the web admin console of Sophos Firewall. To do this, go to: Administration > Admin and user settings > Admin console and end-user interaction > Certificate. You must then push the default CA to users. The easiest way to do this is with Active Directory GPO.

    1) Point 1. IPsec remote access and SSL VPN remote access policies: How does the client distinguish between using an IPsec and an SSL VPN connection? In case it is SSL VPN, are the networks still pushed to the clients as was the case with the old client?

    2) How does Sophos Connect get the configuration from the appliance? From the user portal or admin portal? Without authentication? This is the same certificate which you can use for access to the web/user interface without getting a certificate error, right? Using a sub CA from the AD domain CA will also work for domain members. Is this correct?

  • You should use a .pro file for the SSL VPN and a .scx file for IPsec. Then call both "SSLVPN" and "IPsec". So the user can decide which protocol he wants to use.

    Sophos Connect will connect to the user portal and download the specific file for this user. It simply replaces the process of each and every user connecting to the user portal themselves.
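An added pre-rollout check that is not from this thread or from Sophos: before distributing a .pro file, read the gateway it points at and confirm that the user portal certificate chains to a CA the client already trusts, which is the condition the linked article gives for avoiding the certificate warning on import. It assumes the .pro file is JSON with the keys `gateway` and `user_portal_port` (taken from the Sophos Connect docs as I read them; verify against the linked page) and that it runs on a domain-joined client after the CA has been pushed by GPO.

```powershell
# Added check, not Sophos code: validate a Sophos Connect .pro provisioning file and
# confirm the user portal certificate it points at chains to a trusted CA on this machine.
# Assumed .pro keys (JSON): "gateway" and "user_portal_port"; check them against the docs.
param(
    [string]$ProFile = ".\sslvpn.pro"   # hypothetical path to the distributed .pro file
)

$cfg = Get-Content -Raw -Path $ProFile | ConvertFrom-Json
foreach ($key in 'gateway', 'user_portal_port') {
    if (-not $cfg.PSObject.Properties[$key]) { throw "Missing key '$key' in $ProFile" }
}
$gateway = [string]$cfg.gateway
$port    = [int]$cfg.user_portal_port

# Open a TLS session to the user portal. The callback accepts any certificate here only
# so we can fetch it and evaluate the chain ourselves below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($gateway, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($gateway)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Build the chain against the local trust store: this is what Sophos Connect will see on import.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

[pscustomobject]@{
    Gateway  = "${gateway}:$port"
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    Trusted  = $trusted
    Problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
if (-not $trusted) {
    Write-Warning "Users importing $ProFile will get a certificate warning; push the issuing CA via GPO first."
}
```

Run it once per location's .pro file on a representative domain member; a `Trusted` value of `False` with `UntrustedRoot` or `PartialChain` in `Problems` means the CA (or sub CA) has not reached that machine yet.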