Feedback to Sophos Connect client

Some feedback from my technicians testing the Sophos Connect client. We are using it to connect to our office as well as to multiple customer sites, so using it multiple times a day.

  • "password with spaces" issue still unfixed (9 months old)
  • Constant DNS problems (with the old VPN client these happened only sporadically)
  • Opening the connection is slow
  • No bulk import of the old ovpn files, just one by one
  • GUI doesn't scale, unreadable on 4K

Anyone having similar issues?



This thread was automatically locked due to age.
  • Hey Oliver Regelmann,

    There is already an investigation going on under NCL-1319, NCL-1507, where the issue will be fixed in Sophos Connect 2.2 OR 2.3 - "password with spaces"

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services 



  • Sophos Connect is not a Partner tool in that sense. So if you are using this to connect to multiple users (and some of your requirements are exactly that) you should consider OpenVPN for this work. Sophos Connect is built to be used for a customer.

  • Sophos, you should release a fixed version of this software asap. 

    GUI doesn't scale, unreadable on 4K

    You can work around that issue with GPO. https://community.sophos.com/sophos-xg-firewall/f/discussions/126861/unhappy-with-lack-of-high-dpi-support-in-sophos-connect

    Be aware of other characters in passwords also not working, not only space. Just search the forums.

  • Yes, I know that. FOR NINE MONTHS now. And with support being canceled for the old, almost perfectly working client.

    BTW. What does "OR 2.3" mean? We'll have to wait even longer for a fix to this?

  • You mean, I sell Sophos Firewalls to my customers and then cannot use their own product to connect to them but instead a potentially unsupported third party tool? (I know it's technically the same as the old client but that's not the point).

  • You could potentially do this, but it is actually quite likely dangerous to do this kind of support scenario. There are multiple reasons to actually consider changing this work approach as a Partner.

    1. What happens if you are infected as a Partner? By connecting to the customer, you build a layer 2/3 connection to your customer, which grants you (in general) high privileges within the customer network. You can potentially cause a lot of harm by making this connection (see supply chain attack in a nutshell).

    2. VPN as remote access will likely go out of date for "how to work in the future". Potentially ZeroTrust and ZTNA products will take over in the near future for several reasons. And if the customer goes full ZT, there is no "VPN to the customer" anymore. 

    3. If your client gets exposed as a partner, you could potentially leak a lot of information/credentials for all your customers, as that data is likely saved on your client. This makes this kind of approach insecure as well.

    There are more points to it. I am not saying you should stop this. I am simply pointing out, there are other approaches for the future to consider working towards to rebuild security and partner business. 

    Doing VPN to all your customers could be a bad idea in the future anyway. No matter what product you are using. 

  • Very insightful comment with a more general view, thanks.

  • I always compare this kind of approach to the "property security company" business. As a company you have access to multiple customers. So actually you as a Partner should rebuild and make sure nothing can happen. For example, if I hire a company to watch my building at night, I am expecting they have mechanisms to protect my building even in case "they lose the key".

    In the past decades, I saw a lot of red flags in the business. From "Plain Text Databases with all credentials to all customers" to "We are building a site to site connection to ALL Customers".

    The point is always: If you can do this from a technical perspective, should you do it? 

    You can create a Microsoft Notes database and place all passwords and credentials of all customers there and share it with other colleagues. Nobody is stopping you in doing so. But is it a bad idea? Likely yes. 

    Consider that you, as a Security Partner, have only one shot, because the customer is placing his trust in you one time. If something happens, he will likely stop business with you, which can cause a lot of damage to the overall Partner business.

    As an attacker, such a partner PC, sitting in the home office, is something very valuable to attack. Because it potentially gives me access to a lot of customers with high privilege. So it saves me time and exposure by attacking customers 1 by 1.

  • The older SSLVPN Client could be configured with an HTTP proxy. It seems this option is lacking in the new Connect Client.

    Will it be included at some later point? Or does it use the system proxy from Windows? Couldn't get it to work, as a specific proxy is needed at the remote site to be able to reach the OpenVPN port of the XG.

  • Sophos Connect should use the system proxy for fetching the config. 

    You are talking about SSLVPN over a proxy? 
