Sophos XG Remote VPN Feedback

Hello all,

I would like to express my displeasure here, which I hope will be heard as feedback, regarding the remote VPN functionality in the XG. I noticed the following issues during the migration from the SG/UTM to the XG, and they are making it hard for us to find a successor option for VPN:

  • IPsec is out of the question because it is limited to IKEv1, and here in Germany connections via Dual-Stack Lite are widespread. With IKEv1, unfortunately, no connection is possible from behind DS-Lite to an IPv4 endpoint. Not to mention that IKEv1 is simply no longer state of the art.
  • No IKEv2 support for remote VPN connections. It is a shame that this long-desired feature has been ignored by Sophos for many years.
  • In the XG, we as admins no longer have the option of downloading the SSL VPN profiles for users, which was still possible in the SG. Here, the route via the user portal is mandatory, which requires the users' login data. Unfortunately, it happens from time to time that users delete their profile, and our service desk has to help out via TeamViewer and install the new profile. However, the service desk cannot get to the profile without the password or without resetting the user's password. Making the user portal accessible from the WAN is not desired by our IT security officer. Firewall vendors, including Sophos itself, have often been found to have security flaws, so there is not much confidence that they are foolproof. Of course, this only concerns companies that do not want to rely on a publicly accessible user portal.
  • Sophos Connect does not allow certain settings that were possible with the SSL VPN client, e.g. saving the login data including the password.
  • ZTNA as a better alternative is out of the question because of the Azure AD requirement. The company policy, which is set by top management, refuses to outsource things to the cloud in almost all cases. Therefore, we are not allowed to run a hybrid AD in this case.

Currently, we have not found a satisfactory VPN solution using Sophos's own products. Perhaps there are other possibilities that I have not considered. I would be grateful for any suggestions.

Best regards,
Lukas


