Client Authentication Agent

Jon,

CAA uses a technology called "ping pong" in order that CAA continuosly ping XG IP (1.2.3.4 on port 9922). Once you get connected on VPN, all traffic will go through the tunnel so even 1.2.3.4 and so you are not connected anymore.

If you are using a split tunnel, where only certain traffic goes through the tunnel, then your 1.2.3.4 will still go to XG lan interface and you keep the CAA connected.

Most of the time, VPN are full tunnel (which makes sense, because all traffic goes through the tunnel and this is more secure).

Regards

Jon,

CAA uses a technology called "ping pong" in order that CAA continuosly ping XG IP (1.2.3.4 on port 9922). Once you get connected on VPN, all traffic will go through the tunnel so even 1.2.3.4 and so you are not connected anymore.

If you are using a split tunnel, where only certain traffic goes through the tunnel, then your 1.2.3.4 will still go to XG lan interface and you keep the CAA connected.

Most of the time, VPN are full tunnel (which makes sense, because all traffic goes through the tunnel and this is more secure).

Regards

Hi Luk

So in other words the sophos firewall is totally useless to me.

Requirements:

Monitor users

use vpn connections

According to you the two will not work together. That is a major problem

What is the solution? Have Sophos not thought of this scenario??

John,

this is not a bug or a issue. Disabling "use default gateway on the SSL Remote Access" is the key to keep the CAA running and contacting your XG.

This is routing issue and not a product issue.

Regards

Luk

Not using Sophos SSL VPN. I said at the start the pc is on the lan.

Vpn connections are to other companies from the pc on the lan

Jon,

if the other end is an XG you can ask them to disable "use gateway". If the other end is not an XG you need to ask for a split VPN. This is not an issue with your XG. It is a routing issue, because all traffic is sent through the tunnel (even the famous 1.2.3.4).

You can try to add a static route on your pc saying traffic that goes to 1.2.3.4, please sent to my XG internal IP.

Regards

Hi Luk

Would Clientless work?

Can't add the route in my laptop, use lots of different places for internet.

I understand what you are saying about routing but surely i am not the first person to have this issue

Jon,

the only way to get CAA is to create a route on your Computer.

You can use Clientless, but take note that the Username must be created on the XG (you cannot use external Authentication integration like CAA) and Clientless binds Username to IP.

Regards