SSL Client automated install over SCOM

Is SSL VPN client any way connected with user x.509 certificate?

Can we deploy and install one SSL Client over SCOM or other automated client install sw or user MUST connect with it’s account to WebPortal?
  • I asked this exact same question about 3 years ago. Didn't get a good answer then, I don't think there is a good answer yet. Kinda curious since they focus on selling this product to businesses. SCCM seems like something that should be defacto at this point. Anyway...

    Here is a script I created (install.bat).
    -Copy it to a shared folder someplace on your network, or on the SCCM server. Users need read access.
    -Download your own client install "setup.exe" from your UTM.
    -Adjust the batch file "" and "".

    It does the following.
    1. Remove Cisco VPN (only for a specific version we had, you can remove this portion)
    2. Remove any previous Sophos VPN installs
    3. Install Sophos VPN
    4. Copy VPN shortcut to "all users" profile
    5. Remove the config file of the "setup.exe" you downloaded (This makes your install generic, vs copying your profile to everyones PC).
    6. Change the "Config" folder permissions so everyone can install their own config files
    7. Kill Sophos VPN "Stoplight" icon
    8. Install the "OpenVPNGUi.exe" directly from "Open VPN client". (I did this because the stoplight gui started crashing on users. This one is solid)
    9. Reboot.

    Hope this helps!
    SophosVPN.zip
  • Thanks. 
    Too bad there is no clean VPN install for Clients. I don't see the reason why user need certificate if they are authenticated with Username and password. They are not authenticated with certificate so it's really stupid that you cannot install one client to all users and just write in IP address or DNS name for connection (or add it during install through GUI or switch in silent install).
  • I think you could run everybody on the same SSL token. Just remove that portion of the code and give it a shot. I'm a purist...OpenVPN (which is what this is based on) recommends separate SSL certs for each device.
  • So, basically install default and run

    REM Remove the config for the users who created "setup.exe"
    rmdir "%ProgramFiles(x86)%\Sophos\Sophos SSL VPN Client\config\" /S /Q

    REM Change permissions on the config folder so that users can install their on certificate
    cacls "%ProgramFiles(x86)%\Sophos\Sophos SSL VPN Client\config" /t /e /g Everyone:f >nul
  • In reply to Idriel:

    For me it was necessary to do the setup /S within the batch file. It requires a privately signed VPN driver. Which is why I pushed out the certmgr.exe command along with it. It applies the certificate before it installs the driver. Which then means it doesn't have to ask if it's trusted. You could do this with group policy as well.

    We have been running with this script for about 2 years now with no issues. You can definitely try and break it apart though if you would like.

    In SCCM I create a Package (not an application), that pushes out the batch command with admin rights. (see attached screenshots)


    "\\installs\SophosVPN\certmgr.exe" -add "\\installs\SophosVPN\sophos.cer" -c -s -r localMachine TrustedPublisher >nul
    "\\installs\SophosVPN\setup.exe" /S

    Big SmileoUntilLoop2
    tasklist /FI "IMAGENAME eq setup.exe" 2>NUL | find /I /N "setup.exe" >NUL
    if "%ERRORLEVEL%"=="0" GOTO DoUntilLoop2

    REM Copy a shortcut over because it usually doesn't copy itself
    xcopy "\\installs\SophosVPN\Sophos" "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Sophos\" /y /e >nul

    REM Remove the config for the users who created "setup.exe"
    rmdir "%ProgramFiles(x86)%\Sophos\Sophos SSL VPN Client\config\" /S /Q

    REM Change permissions on the config folder so that users can install their own certificate
    cacls "%ProgramFiles(x86)%\Sophos\Sophos SSL VPN Client\config" /t /e /g Everyone:f >nul

  • I am looking, why can't we then just install OpenVPN and configure it somehow for Sophos SSL VPN?
  • I do believe I tried that. I can't remember what specifically didn't work. It might work now though. It may have been the fact that the config file didn't install to the right directory from the UTM. If you are using a generic Certificate/config, it might work. Give it a shot and let me know. Smile
  • Thank you. 

    I'll go with default install for now. 
    I saw that under User Portal there is installation for all mobile phones also. : )
  • I finally figured out how to deploy the Sophos VPN Client used with XG firewalls to computers ahead of time, while still allowing users to log into the Client Portal, download their configuration, and paste it into the config folder without requiring membership in the local Administrators group.

    1) Extract the Publisher Certificate from the client executable with 7-Zip:
        a. Log into the Sophos Client Portal and click "SSL VPN > Download Client and Configuration for Windows"
        b. In the File Explorer location that you downloaded the file, right click the executable and extract all contents to a folder
        c. Navigate into that folder, then open the "driver" folder and double click the "tap0901.cat" file
        d. Click "View Signature", then "View Certificate", then the "Details" tab, then "Copy to File...", Next, Next, click "Browse..." to choose a filename and location to save the certificate file.
        e. Close all windows.
    2) Add that certificate to the Trusted Publishers on all of the relevant domain-joined PCs using Group Policy
        a. In your policy, drill down to "Computer Configuration" > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers"
        b. Right click that "Trusted Publishers" folder and click "Import...", click Next, browse to the certificate that you extracted in step 1, click Next and Finish.
        c. Wait 24 hours for all of the computers in the scope of this policy to receive the certificate when Group Policy checks in on their PC
    3) Use PDQ Deploy to perform the following two steps:
        a. Install the client and configuration that you downloaded in step 1 with the /S parameter
        b. Run an icacls command to change the permissions of the config folder to allow members of the local Users group to Modify:
        icacls "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config" /grant Users:(OI)(CI)M /T
    4) Then, when users are ready, they log into the Sophos Client Portal with their AD credentials, click “SSL VPN > Download Configuration for Other OSs”, copy the file, navigate to the config folder in step 3.b, delete the old config file, paste in the one they just downloaded, then empty the trash.
    5) Connect to the VPN with their AD credentials. It works!