SSL VPN client ready for deployment with tools like SCCM?

It’s useless to deploy instructions to every user on how to log in to the User Portal (which we don’t want to use), and so on. So, how do we export all configurations, and so on, so we can create a package ready for SCCM deployment?

Also, this is bad because every time a new user joins the company we need to export the user certificate. But at least, how do we automate the initial process? Where can we export all user certs...


  • Hi Jura,

    Greeting.

    The User Portal of XG is a browser-based application providing, among other things, personalized email and remote access services to authorized users. This is necessary for the User to import or access various information which is personalized for the User as a security feature.

    From the information you provided, I think you want to export the SSL Configuration File in a package for all the Users? Correct me if I am wrong.

    You cannot export the configurations for all the Users in a package, as each User that connects on SSL VPN has to authenticate with his unique SSL Config File, which provides him a unique authenticated identity to access your local resources hosted through VPN. This is a security feature and needs individual attention.

    Thanks

    Sachin Gurung

  • Due to how Sophos implements OpenVPN, you're going to be forced to either export out of, or import into, Sophos.

    • I'm not sure if Sophos requires all SSL VPN users to have Sophos user accounts, but if not, the latter step could be skipped and all that would be required to give the user are the four normal openvpn files: CA cert, user cert, user key, and client config (or a p12 and client config). Since the CA cert and client config remain unchanged from user to user, the only custom files would be the client cert and key.

    • Provided one has the three openssl commands (csr, sign, p12 export) at the ready (a command or shell script could automate all three), from start to finish, each [import/export] takes the same amount of time (a few minutes). The only way I could see the process being streamlined is if the option is ticked for same common name usage, which should be used extremely carefully and only in very specific environments due to the massive security risk it poses. If a Sophos user account is required for anyone accessing OpenVPN, it would be less of a headache for you to simply provide them access to the user portal.
      • I personally dislike the lack of customization in the Sophos openssl.cnf (as well as the reliance on obsolete methods in OpenVPN, such as ns cert type and net30 usage), so I always generate my certs on my PC, then import the p12s into Sophos.  Generating the SSL certs off of Sophos provides the ability to specify SAN and EKU values, and if one does choose to generate certs off of Sophos, one must ensure under the SAN profile that user certs have email.1 listed first, and it must be the user's Sophos user email (this ensures RFC822 is specified under SAN, and without this, it will be impossible for the user to authenticate) and hosts must list their primary DNS name with DNS.1 being the first value (I've had issues with Sophos if this isn't specified as the first value under SAN, especially with the WebAdmin/host cert).  EKU can also be set for server and client auth, and if these are set, and one has a warranty, tech support must be consulted for permission to remove "remote-cert-tls server" from the default openvpn config, adding instead "remote-cert-ku f8" (For an explanation: https://www.v13.gr/blog/?p=386)

      Another option may be an IPsec/HTML5 VPN.
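As an added example (not code from the thread or from Sophos), the three-step csr/sign/p12 workflow described above, wrapped in shell functions with the SAN and EKU layout the poster calls for: `email.1` listed first under SAN and EKU limited to client auth. It assumes a throwaway local CA created here (the firewall would also need to trust that CA), and `vpn-ca`, `alice`, `example.com` and the p12 password `CHANGE_ME` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's or Sophos' own code.
# Assumptions: local offline CA in $CA_DIR (constructed), p12 password is a placeholder.
set -eu

CA_DIR="${CA_DIR:-./vpn-ca}"

# make_ca: one-off offline CA used to sign client certs off-box.
make_ca() {
  mkdir -p "$CA_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "/CN=Example VPN CA" 2>/dev/null
}

# make_client_cert USER EMAIL: csr, sign, p12 export (the three openssl steps).
# email.1 is the first SAN entry so the RFC822 name is present; EKU is clientAuth only.
make_client_cert() {
  user="$1"; email="$2"; out="$CA_DIR/$user"
  cat > "$out.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt
[alt]
email.1 = $email
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
    -subj "/CN=$user/emailAddress=$email" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days 365 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$out.key" -in "$out.crt" -certfile "$CA_DIR/ca.crt" \
    -name "$user" -passout pass:CHANGE_ME -out "$out.p12"
}

# san_first CERT: first SAN entry, to confirm the email landed first before import.
san_first() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# verify_client CERT: chain and EKU check, fails if the cert is not usable for client auth.
verify_client() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -purpose sslclient "$1" >/dev/null
}
```

Run `make_ca` once, then `make_client_cert <user> <email>` per joiner; the resulting `.p12` plus the shared client config is what the user needs.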