Hi XG Community!
We're pleased to announce the public Early Access Program release of Sophos Connect 1.1! The VPN Client is now available from within the WebAdmin of your XG Firewall.
Sophos Connect will automatically determine if the user is connected to an inside or outside (guest) network. If on the guest network, then the VPN tunnel is automatically enabled with saved user credentials if available, or else it prompts the user for credentials or OTP.
Displays popup notifications and changes the Sophos Connect icon app state (normal, warning or error) to alert the user when the tunnel is established, disabled or fails to connect.
The DPD mechanism is used by Sophos Connect when there is unidirectional traffic. When Sophos Connect does not receive a response from the gateway for the configured dpd delay duration, it will send an R-U-There message to the gateway. If the gateway does not respond to these messages, then after the dpd timeout (currently configured to 200 seconds) it will delete the VPN tunnel and reinitiate a new VPN tunnel. This mechanism automatically rebuilds the tunnel after a gateway reboots while the VPN tunnel with Sophos Connect was active.
Upgrade to the current stable release (5.7.1) of strongSwan.
Configure a DNS suffix to determine if the Sophos Connect user is on the inside or guest network. Prior to this release the admin could configure a host IP address or an FQDN.
[Update] Sophos Connect EAP is now officially supported starting with v1.1 MR-1. Please contact Sophos Support if you experience any issues.
We have also created this new community group for Sophos Connect discussion.
Much better way to VPN and allow us to push via GPO / PDQ - gets a tick from me :-)
Is the One Time Password functionality present in this release?
@ken9000 yes OTP functionality is supported. You enter the password followed by OTP (no space or comma between the two)
What version of XG is needed before you can access this?
isaacvv You need V17.5
The download from the 17.5 firmware is showing Sophos Connect Version 220.127.116.116. Where can we get 1.1?
The Sophos Connect Client has great possibility, but the Client is not setting the DNS server values. Logs were sent to VIP Support, but they pointed me back here.
The client is not getting the DNS settings as specified on the XG interface; here's part of the log, showing DNS is failing to be set. It is the DNS in the XG GUI settings for the Connect Client:
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Adding DNS server 192.168.117.11 to the TAP adapter
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> 192.168.117.11 not in servers list, doing add
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Add DNS server 192.168.117.11 to adapter: failure - IP not enabled on adapter
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> adding DNS server failed
2019-01-07 11:50:57AM 15[CFG] <BurnsIPSEC|1> handling INTERNAL_IP4_DNS attribute failed
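As an added example (not from the post above or from Sophos), here is a small Python parser for the charon log format quoted above that pairs the adapter failure with the INTERNAL_IP4_DNS error, so the same DNS-provisioning problem can be spotted across many client logs. The sample log is the excerpt from the post; the function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the charon log excerpt quoted in the post above.
SAMPLE_LOG = """\
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Adding DNS server 192.168.117.11 to the TAP adapter
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> 192.168.117.11 not in servers list, doing add
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Add DNS server 192.168.117.11 to adapter: failure - IP not enabled on adapter
2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> adding DNS server failed
2019-01-07 11:50:57AM 15[CFG] <BurnsIPSEC|1> handling INTERNAL_IP4_DNS attribute failed
"""

# Line layout as seen in the excerpt: timestamp, thread[group], <conn|ike_sa_id>, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[AP]M) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> (?P<msg>.*)$"
)

@dataclass
class LogEvent:
    ts: str
    thread: int
    group: str
    conn: str
    ike_id: int
    msg: str

def parse_charon_log(text):
    """Parse log lines into LogEvent records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LogEvent(m["ts"], int(m["thread"]), m["group"],
                                   m["conn"], int(m["ike_id"]), m["msg"]))
    return events

def dns_push_failures(events):
    """Return one record per IKE SA whose pushed DNS server could not be applied to the adapter."""
    failures, pending = [], {}
    for ev in events:
        key = (ev.conn, ev.ike_id)
        m = re.match(r"Add DNS server (\S+) to adapter: failure - (.*)", ev.msg)
        if m:                       # remember the adapter-level reason for this SA
            pending[key] = (m.group(1), m.group(2))
        elif ev.group == "CFG" and ev.msg == "handling INTERNAL_IP4_DNS attribute failed":
            server, reason = pending.pop(key, (None, "unknown"))
            failures.append({"ts": ev.ts, "conn": ev.conn, "ike_id": ev.ike_id,
                             "dns_server": server, "reason": reason})
    return failures
```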
Not liking that this EAP was released through Pattern Updates, so any bugs that I raise are technically not supported by Sophos Support. EAPs should be manual opt-in, not automatic opt-in. The Pattern Version should be like RED and AP firmware, where you have to manually interact with the GUI to update it, and the EAP versions should clearly say "BETA" on them. I am going to raise my cases nonetheless, as well as raise the automatic update to an EAP as a bug.
I am currently raising a case that DNS is not being provisioned when connecting in either split or full tunnel. This is synonymous with JohnRutkowski's issue.
As a workaround, you can manually configure the DNS settings on the interface but it is not ideal.
EmileBelcourt There is a patch released to fix this DNS server issue for the TAP adapter. You can download that from XG running SFOS v17.5. Thank you
Hello rmk_95128, can you let me know the pattern update and client version please as my lab has just been loaded and has v18.104.22.1684 installed?
Just received it about 45 minutes ago:
Sophos Connect Clients
15:37:40, Jan 08 2019
Really wish the pattern update number matched the Connect client version. On top of that, I really think pattern updates involving the Sophos Connect Client should be manual updates so they pop up in the alerts section of the dashboard. I will never know Sophos Connect has been updated unless you just said so and I wasn't super vigilant about current/new versions. There is no information on the GUI to say that the pattern has been changed, and because the update number does not match the actual client number, I cannot tell otherwise that my client and the one on the XG are the same. AlanT, just a suggestion here to help issues like this in the future (hopefully before v18).
Can confirm that Sophos Connect Client v1.1.12 fixed the missing deployment of DNS.
EmileBelcourt I would suggest activating the email notification for this release blog.
Even on XG Dashboard, our customers could miss this information.
Partners and customers who want to be "up2date" should always keep an eye on this Release blog; we are releasing all patch notes for all products here. :)
Lucar, there are over 20,000 users of the XG and not all of them are going to register themselves on these forums to receive the updates via email as noted here.
My issue is that it automatically loaded an Early Access Program software on MY firewall without MY permission therefore reducing the level of MY support to that of this FORUM. That is unacceptable.
The way to fix this is to make the Sophos Connect software updates have to be manually allowed with a notification being in the alerts section of the XG GUI Dashboard. That is far more suitable than "check the forums daily".
Because 17.5 is now prompting at login (as 'We strongly recommend that you upgrade the device' I might add) and is marked as GA, I assumed that it was no longer in Beta. It now seems that 17.5 is some sort of Early Access and not ready for release...
In hoping to fix an issue with SSL VPN, I'm configuring Sophos Connect for a customer. Is the use of 'Sophos Connect Admin' just part of this EAP/Beta? I'd have hoped that Sophos Connect and its configuration file would be available in the User Portal like the SSL VPN. It seems like a user could take the configuration file and adjust settings such as 'Allow Password Saving'.