
VPN Active Directory Authentication.

Hello All,

 

Not sure if what I want to do is possible. I have a SG650 Firewall, firmware 9.3411-3.

I would like to create a VPN from home into my work network. I want to authenticate using my Active Directory credentials, as if I were logging into any computer at work using my Active Directory credentials.

In other words, we have a bunch of computers at work, and I can log into any one of them using my Active Directory credentials and my personal profile will load up.

How can I simulate this using a VPN connection at home?

 

**I am NOT trying to VPN in and then use RDP to control my work computer.

 

Sorry for my lack of knowledge.

 



  • For your work profile to load at home, your home computer needs to be part of your work Active Directory. Then, your computer needs to connect to Active Directory using the Computer account, so that it has a channel to authenticate your User Account. For the computer account to authenticate, it requires the VPN client to launch during Windows startup. The Sophos SSL VPN client does not support this configuration, so you are out of luck. Cisco VPN Clients with ASA Firewalls can do this, but I think you have to have a Cisco Firewall to be licensed for the Cisco VPN client (ask Cisco). I note that UTM has a Remote Access section for Cisco VPN Client, but the help refers to cell phone implementations, so they have probably not tested the Cisco VPN Windows client in your desired configuration. If you have all of this, you can certainly test it. There is another post in this forum which mentions Microsoft Direct Access, which is a new Server 2016 feature, and seems designed for a request like yours, but it is also probably not compatible with UTM.

    All of the above assumes that what you want to do is a good idea. Any VPN configuration raises the question, "How does the internal network know that your remote client is free of malware?" The answer is that it does not know, and probably cannot know, since the universe of malware is large and constantly growing. (Especially since your home defenses are probably not as good as the ones that UTM provides for work.) Rather than hoping or assuming that a home PC is safe, it is better to assume that the home PC is infected and then configure the VPN tunnel so that no significant attack vector is provided through the VPN tunnel. Consequently, I recommend configuring a VPN tunnel that only allows RDP in, with drive and USB mapping disabled by policy. Maybe DNS inbound as well. Then add a rule to allow printer traffic out, if needed. File transfer should be minimized, but should be implemented with email or a file sharing service rather than VPN. Finally, configure a default rule to ensure that all other ports are blocked, since malware will find an open port if you give it the chance.

    To use UTM SSL VPN with Active Directory, you need to start by joining your UTM to Active Directory and configuring an Active Directory authentication server. This requires SMB1 to be supported on your domain controllers, which has suddenly become controversial. As an alternative, I have achieved good results using LDAP servers configured to Active Directory domains. Realize that LDAP can be frustrating because the syntax is not intuitive and the Microsoft documentation is hard to locate.

    Next, you should turn on OTP (one-time password) for your remote access session. PCI DSS requires it and widespread password-guessing attacks confirm its necessity.

    UTM offers one VPN security feature that I have not found elsewhere. The SSL VPN has certificates and code that must be preinstalled on the client device. You can control access to this code by not making it available on the User Portal, but instead requiring users to bring their laptops to IT or requiring users to use an IT-issued laptop. This helps to ensure that the connection is coming from a PC that IT has approved at some point in time, rather than coming from a random device anywhere in the world that may be trying to attack your network.

     
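The tunnel policy recommended in the reply above (RDP in, DNS in, printer traffic out, everything else blocked) modelled as a small first-match rule evaluator with a lint that flags allow rules granting VPN clients anything beyond the intended ports. This is an added example, not Sophos UTM configuration and not code from the thread; the address ranges, rule names and sample flows are constructed assumptions.

```python
"""Default-deny remote-access tunnel policy with a rule lint.

Added example; not Sophos UTM configuration and not code from the thread.
Networks, rule names and sample flows below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str     # source IP of the connection attempt
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    proto: str
    dports: FrozenSet[int]
    action: str  # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src_net)
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and flow.proto == self.proto
                and flow.dport in self.dports)


# Constructed address plan (assumption, not from the thread).
VPN_POOL = "10.242.2.0/24"        # addresses handed to remote SSL VPN clients
WORKSTATIONS = "192.168.10.0/24"  # office PCs that users RDP into
DNS_SERVERS = "192.168.1.0/28"    # internal resolvers

# First match wins; anything unmatched falls through to the default deny.
POLICY: List[Rule] = [
    Rule("rdp-in", VPN_POOL, WORKSTATIONS, "tcp", frozenset({3389}), "allow"),
    Rule("dns-in", VPN_POOL, DNS_SERVERS, "udp", frozenset({53}), "allow"),
    # Office PC sending a print job back to a printer beside the remote client.
    Rule("print-out", WORKSTATIONS, VPN_POOL, "tcp", frozenset({9100, 631}), "allow"),
]

# The only ports a remote client should ever reach directly through the tunnel.
EXPECTED_FROM_VPN = frozenset({3389, 53})


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (rule name, action) for the first matching rule, else the default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", "deny"


def find_risky_rules(policy: List[Rule]) -> List[str]:
    """Names of allow rules that let VPN clients reach ports outside EXPECTED_FROM_VPN."""
    vpn = ip_network(VPN_POOL)
    risky = []
    for rule in policy:
        if rule.action != "allow" or not ip_network(rule.src_net).overlaps(vpn):
            continue
        if rule.dports - EXPECTED_FROM_VPN:
            risky.append(rule.name)
    return risky


# Constructed sample traffic: what a remote session and an infected home PC might try.
SAMPLE_FLOWS = [
    Flow("10.242.2.17", "192.168.10.25", "tcp", 3389),   # RDP to a workstation: allowed
    Flow("10.242.2.17", "192.168.1.5", "udp", 53),       # DNS lookup: allowed
    Flow("10.242.2.17", "192.168.10.25", "tcp", 445),    # SMB from the home PC: blocked
    Flow("10.242.2.17", "192.168.20.8", "tcp", 9100),    # direct print from home: blocked
    Flow("192.168.10.25", "10.242.2.17", "tcp", 9100),   # office PC printing back: allowed
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    """Evaluate each flow and return (flow, rule name, action) triples."""
    return [(f, *evaluate(f, policy)) for f in flows]


if __name__ == "__main__":
    for flow, name, action in audit():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {action:5} ({name})")
    # A hypothetical extra rule opening SMB from the VPN pool is what the lint catches.
    widened = POLICY + [Rule("smb-in", VPN_POOL, WORKSTATIONS, "tcp", frozenset({445}), "allow")]
    print("risky rules:", find_risky_rules(widened))
```

The lint is the part worth keeping around: a default-deny policy stays safe only until someone adds a convenience rule, and checking every allow rule sourced from the VPN pool against a short expected-port set catches that drift before it reaches the firewall.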

  • Great comments, Doug - it pays to be a belt-and-suspenders kinda guy in IT security!

    "To use UTM SSL VPN with Active Directory, you need to start by joining your UTM to Active Directory and configuring an Active Directory authentication server."

    Joining is only necessary if you want to use AD-SSO with Web Filtering.

    SMBv1 - If you have applied the patches released in March, there should be no problem with activating SMBv1.

    "The SSL VPN has certificates and code that must be preinstalled on the client device.   You can control access to this code by not making it available on the User Portal, but instead requiring users to bring their laptops to IT or requiring users to use an IT-issued laptop."

    That's a good first step, but it's possible to install the generic OpenVPN client on a computer and copy the contents of the config directory from a company computer to the corresponding directory on the other computer.  The CEO of the company should declare doing so a resume generating event.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA