
Deploy Sophos SSL VPN Client

Is there a way to deploy the SSL VPN Client to Windows 7 computers?

Thanks


This thread was automatically locked due to age.
  • Download the installer file (.exe) from the user portal or webadmin and install it on the win7 computer.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • And make sure the client is run with admin rights.

    Barry
  • And how do I set up a client for non-privileged users? Without admin rights.
    All competitors can do it, just Astaro cannot.
  • Sure, it can. You only have to do the installation with admin privileges. It installs a service which then handles the parts that require admin level.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Why don't you use your AD to install the client via Group Policies?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Be aware that the config for the SSL VPN (config & cert) is per user.
  • So, to deploy: install the VPN with a generic account, so the adapter appears in Windows.
    Then delete the files in C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config and
    give users full access to C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config.

    Now users can download only the config file and install it with no errors.
  • I finally figured out how to deploy the Sophos VPN Client used with XG firewalls to computers ahead of time, while still allowing users to log into the Client Portal, download their configuration, and paste it into the config folder without requiring membership in the local Administrators group.

    1) Extract the Publisher Certificate from the client executable with 7-Zip:
        a. Log into the Sophos Client Portal and click "SSL VPN > Download Client and Configuration for Windows"
        b. In the File Explorer location where you downloaded the file, right-click the executable and extract all contents to a folder
        c. Navigate into that folder, then open the "driver" folder and double click the "tap0901.cat" file
        d. Click "View Signature", then "View Certificate", then the "Details" tab, then "Copy to File...", Next, Next, click "Browse..." to choose a filename and location to save the certificate file.
        e. Close all windows.
    2) Add that certificate to the Trusted Publishers on all of the relevant domain-joined PCs using Group Policy
        a. In your policy, drill down to "Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers"
        b. Right click that "Trusted Publishers" folder and click "Import...", click Next, browse to the certificate that you extracted in step 1, click Next and Finish.
        c. Wait 24 hours for all of the computers in the scope of this policy to receive the certificate when Group Policy checks in on their PC
    3) Use PDQ Deploy to perform the following two steps:
        a. Install the client and configuration that you downloaded in step 1 with the /S parameter
        b. Run an icacls command to change the permissions of the config folder to allow members of the local Users group to Modify:
        icacls "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config" /grant Users:(OI)(CI)M /T
    4) Then, when users are ready, they log into the Sophos Client Portal with their AD credentials, click “SSL VPN > Download Configuration for Other OSs”, copy the file, navigate to the config folder in step 3.b, delete the old config file, paste in the one they just downloaded, then empty the trash.
    5) Connect to the VPN with their AD credentials. It works!
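
An added post-deployment check for the procedure in the last post (not part of the original post and not Sophos tooling): run on a target PC, it confirms that the certificate exported in step 1.d is in the machine's Trusted Publishers store and that the icacls grant in step 3.b left the config folder writable only by the expected principals. The certificate path is a placeholder assumption; the folder path is the one from the post.

```powershell
param(
    # Assumed location of the certificate exported in step 1.d (placeholder path).
    [string]$PublisherCer = 'C:\Deploy\sophos-publisher.cer',
    [string]$ConfigDir = 'C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config'
)
$Rights  = [System.Security.AccessControl.FileSystemRights]
$SidType = [System.Security.Principal.SecurityIdentifier]

# Principals expected to hold write access after step 3.b, by well-known SID.
$ExpectedWriters = @{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users (granted in step 3.b)'
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' = 'TrustedInstaller'
}

# 1. Is the exported publisher certificate in the machine Trusted Publishers store?
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PublisherCer
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cer.Thumbprint }
if ($trusted) { Write-Output "OK: publisher certificate $($cer.Thumbprint) is trusted" }
else { Write-Warning "Publisher certificate not in Trusted Publishers (GPO not applied yet?)" }

# 2. Who can write to the config folder? SIDs keep the check locale-independent.
$usersCanModify = $false
$acl = Get-Acl -LiteralPath $ConfigDir
foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Value
    if ($sid -eq 'S-1-5-32-545' -and
        ($ace.FileSystemRights -band $Rights::Modify) -eq $Rights::Modify) {
        $usersCanModify = $true
    }
    # Flag any other principal (Everyone, Authenticated Users, ...) that can write.
    $canWrite = ($ace.FileSystemRights -band $Rights::WriteData) -ne 0
    if ($canWrite -and -not $ExpectedWriters.ContainsKey($sid)) {
        Write-Warning "Unexpected write access: $sid ($($ace.FileSystemRights))"
    }
}
if ($usersCanModify) { Write-Output "OK: Users have Modify on $ConfigDir" }
else { Write-Warning "Users lack Modify on $ConfigDir; step 4 will fail for them" }

# 3. List what is in the folder and who owns it, so a configuration left over
#    from the packaging account is noticed before users add their own.
Get-ChildItem -LiteralPath $ConfigDir -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        Write-Output ("{0}  owner={1}  modified={2}" -f $_.FullName,
            (Get-Acl -LiteralPath $_.FullName).Owner, $_.LastWriteTime)
    }
```

Because step 3.b makes this folder writable by every local user, the file listing is worth re-running periodically to see which account last placed or changed a configuration there.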