Enterprise unattended deployment of SSL VPN Client 2.10


I want to roll out the Sophos SSL VPN Client 2.10 to all Windows 7 computers as an unattended installation. I have the following questions:
- What are the command line parameters for the setup.exe?
- What are the command line parameters for the uninstall.exe?
- How can I add two VPN server configurations (UTMs)?

Any help is much appreciated.
  • Not sure about the first two questions, but your last question is simple. The config folder under the installation folder of the VPN client holds all the configs; every .ovpn file (and they can be in subfolders) will be selectable as an entry to VPN into.
  • In reply to apijnappels:

    It's a bit tricky because of the unsigned tap driver that disturbs a silent install. So you have to extract the cert from the setup.exe (there is a howto to find by Google - I don't remember how I did that) and import it prior to installation. Here is our AutoIt script to install:

    ; Stop running OpenVPN processes so the (un)installer can replace files
    ShellExecuteWait("taskkill.exe", "/im openvpn* /f", "", "", @SW_HIDE)
    ; Remove a previous installation if present (path quoted because it contains spaces)
    If FileExists("c:\services\astaro ssl vpn\uninstall.exe") Then
        RunWait('"c:\services\astaro ssl vpn\uninstall.exe" /S')
    EndIf
    ; Import the extracted certificate into Trusted Publishers before the install
    RunWait(@ComSpec & ' /c certutil -addstore TrustedPublisher "' & @ScriptDir & '\openvpnastarocert_der.cer"', @SystemDir, @SW_HIDE)
    ; astaro_vpn_client_2_3.exe is a renamed setup.exe
    RunWait("astaro_vpn_client_2_3.exe /S /D=c:\services\Astaro SSL VPN")
    RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenVPN-GUI", "silent_connection", "REG_SZ", "0")

    After that you can copy the userconfig folder to the install directory.

    I hope that points you in the right direction.

  • Hi,

    thanks for the help.
    I also found out that I must kill the processes to (un)install.
    Installation with switch /S works fine.

    When users have their own config (certificate), how can they put it there under ..\config\? Rights?

  • I finally figured out how to deploy the Sophos VPN Client used with XG firewalls to computers ahead of time, while still allowing users to log into the Client Portal, download their configuration, and paste it into the config folder without requiring membership in the local Administrators group.

    1) Extract the Publisher Certificate from the client executable with 7-Zip:
        a. Log into the Sophos Client Portal and click "SSL VPN > Download Client and Configuration for Windows"
        b. In the File Explorer location that you downloaded the file, right click the executable and extract all contents to a folder
        c. Navigate into that folder, then open the "driver" folder and double click the "tap0901.cat" file
        d. Click "View Signature", then "View Certificate", then the "Details" tab, then "Copy to File...", Next, Next, click "Browse..." to choose a filename and location to save the certificate file.
        e. Close all windows.
    2) Add that certificate to the Trusted Publishers on all of the relevant domain-joined PCs using Group Policy
        a. In your policy, drill down to "Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers"
        b. Right click that "Trusted Publishers" folder and click "Import...", click Next, browse to the certificate that you extracted in step 1, click Next and Finish.
        c. Wait 24 hours for all of the computers in the scope of this policy to receive the certificate when Group Policy checks in on their PC
    3) Use PDQ Deploy to perform the following two steps:
        a. Install the client and configuration that you downloaded in step 1 with the /S parameter
        b. Run an icacls command to change the permissions of the config folder to allow members of the local Users group to Modify:
        icacls "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config" /grant Users:(OI)(CI)M /T
    4) Then, when users are ready, they log into the Sophos Client Portal with their AD credentials, click “SSL VPN > Download Configuration for Other OSs”, copy the file, navigate to the config folder in step 3.b, delete the old config file, paste in the one they just downloaded, then empty the trash.
    5) Connect to the VPN with their AD credentials. It works!
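
The deployment half of the procedure above (steps 3.a and 3.b), as an added PowerShell example that is not part of the original post: it confirms the publisher certificate from step 2 has arrived, installs silently, applies the grant, and reads the ACLs back so that only the config folder ends up user-writable. The installer and certificate paths are placeholders, and the `BUILTIN\Users` name assumes an English-language Windows, as in the icacls command above.

```powershell
# Added example; run elevated. $Installer and $PublisherCer are placeholder paths (assumptions).
param(
    [string]$Installer    = 'C:\Deploy\sslvpn-client-setup.exe',  # placeholder: setup from step 1
    [string]$PublisherCer = 'C:\Deploy\tap-publisher.cer',        # placeholder: file saved in step 1.d
    [string]$InstallDir   = 'C:\Program Files (x86)\Sophos\Sophos SSL VPN Client'
)
$ErrorActionPreference = 'Stop'
$ConfigDir = Join-Path $InstallDir 'config'

# 1. The certificate from step 2 must already be in Trusted Publishers,
#    because the TAP driver otherwise disturbs the silent install.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PublisherCer
$trusted  = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if (-not $trusted) { throw "Publisher certificate $($expected.Thumbprint) is not in Trusted Publishers yet." }

# 2. Stop running client processes, then install silently (step 3.a).
Get-Process openvpn* -ErrorAction SilentlyContinue | Stop-Process -Force
$p = Start-Process -FilePath $Installer -ArgumentList '/S' -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Installer exited with code $($p.ExitCode)." }

# 3. Grant local Users Modify on the config folder only (step 3.b).
& icacls.exe $ConfigDir /grant 'Users:(OI)(CI)M' /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE." }

# 4. Read the ACLs back: combine all Allow entries for BUILTIN\Users on a path.
function Get-UsersRights([string]$Path) {
    $rights = 0
    foreach ($ace in (Get-Acl $Path).Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and $ace.AccessControlType -eq 'Allow') {
            $rights = $rights -bor [int]$ace.FileSystemRights
        }
    }
    return $rights
}
$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
$write  = [int][System.Security.AccessControl.FileSystemRights]::Write

# Users need Modify on config, and must not be able to write next to the program binaries.
if (((Get-UsersRights $ConfigDir) -band $modify) -ne $modify) { throw "Users lack Modify on $ConfigDir." }
if (((Get-UsersRights $InstallDir) -band $write) -ne 0) {
    throw "Users can write to $InstallDir; only the config folder should be writable."
}
Write-Output "Deployed: Users may modify $ConfigDir only."
```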