Sophos Connect 1.1 Public EAP Released!

Hi XG Community!

We're pleased to announce the public Early Access Program release of Sophos Connect 1.1!
The VPN Client is now available from within the WebAdmin of your XG Firewall.

What's New in EAP Sophos Connect 1.1

Auto connect on changes to Network Connectivity

Sophos Connect will automatically determine if the user is connected to an inside or outside (guest) network. If on the guest network, then the VPN tunnel is automatically enabled with saved user credentials if available or else prompt the user for credentials or OTP.

Notifications and Error reporting

Display popup notifications and change the Sophos Connect ICON app state (normal, warning or error) to alert the user when the tunnel is established, disabled or fails to connect.

Dead-peer-detection (DPD)

DPD mechanism is used by Sophos Connect when there is unidirectional traffic. When Sophos Connect does not receive response from the gateway for configured dpd delay duration, it will send a R-U-There message to the gateway. If the gateway does not respond to these messages then after dpd timeout (currently configured to 200 seconds), it will delete the VPN tunnel and reinitiate to build a new VPN tunnel. This mechanism automatically rebuilds the tunnel after a gateway reboots while the VPN tunnel with Sophos Connect was active.

Upgraded to latest strongSwan

Upgrade to the current stable release (5.7.1) of strongSwan.

DNS Suffix option for auto-connect

Configure DNS suffix to determine if the Sophos Connect user is on the inside or guest network. Prior to this release the admin could configure a host IP address or a FQDN.

A feature is not working as expected? You have found a bug?

[Update] Sophos Connect EAP is now officially supported starting with v1.1 MR-1. Please contact Sophos Support if you experience any issues.

We have also created this new community group for Sophos Connect discussion.

Issues Resolved

  • NC-31831 [Remote Access] DPD delay and DPD timeout were not used
  • NC-37910 [Remote Access] Add handler to generate crash dump file on Windows
  • NC-38332 [Remote Access] Telemetry data can't be sent when telemetry host IP resolves to IPv6
  • NC-38440 [Remote Access] Generating a large number of error events instead of a single "No network error"
  • NC-38933 [Remote Access] [MAC Only] Tunnel All VPN tunnel is not getting terminated when network connectivity drops
  • NC-39042 [Remote Access] Monitor active SA statistics in the SC engine
  • NC-39373 [Remote Access] Conflict between Sophos Connect and Sophos SSL VPN Client
  • NC-39660 [Remote Access] Rekey time freezes to zero seconds when same username is used to establish tunnel from different SC endpoints
  • NC-40455 [Remote Access] Rename TAP-Windows Adapter V9 to Sophos TAP adapter
  • Much better way to VPN and allow us to push via GPO / PDQ - gets a tick from me :-)

  • Is the One Time Password functionality present in this release?

  • @ken9000 yes OTP functionality is supported. You enter the password followed by OTP (no space or comma between the two)

  • What version of XG is needed before you can access this?

  • The downlaod from the 17.5 firmware is showing Sophos Connect Version Where can we get 1.1?

    The Sophos Connect Client has great possibility, but the Client is not setting the DNS server values, logs were sent to VIP SUpport, but they pointed me back here.

    The client is not getting the DNS settings as specified on the XG interface, here's part of the log. Showing DNS is failign to be set, it is the DNS in the XG GUI settings for the Connect Client

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Adding DNS server to the TAP adapter

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> not in servers list, doing add

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Add DNS server to adapter: failure - IP not enabled on adapter

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> adding DNS server failed

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Adding DNS server to the TAP adapter

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> not in servers list, doing add

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> Add DNS server to adapter: failure - IP not enabled on adapter

    2019-01-07 11:50:57AM 15[IKE] <BurnsIPSEC|1> adding DNS server failed

    2019-01-07 11:50:57AM 15[CFG] <BurnsIPSEC|1> handling INTERNAL_IP4_DNS attribute failed

  • Not liking that this EAP was released through Pattern Updates so any bugs that I raise are technically not supported by Sophos Support. EAPs should be manual opt in not automatic opt in. The Pattern Version should be like RED and AP firmware where you have to manually interact with the GUI to updated it and the EAP versions should clearly say "BETA" on them. I am going to raise my cases nonetheless as well as raise the automatic update to an EAP as a bug.

    I am currently raising a case that DNS is not being provisioned when connecting in either split or full tunnnel. This is synonymous with issue.

  • As a workaround, you can manually configure the DNS settings on the interface but it is not ideal.

  •  There is a patch released to fix this DNS server issue for the TAP adapter. You can download that from XG running SFOS v17.5. Thank you

  • Hello , can you let me know the pattern update and client version please as my lab has just been loaded and has v1.1.11.1214 installed?

  • Just received it about 45 minutes ago:

    Sophos Connect Clients



    15:37:40, Jan 08 2019


    Really wish the pattern update number matched the connect client version. On top of that, I really think pattern updates involved with the Sophos Connect Client should be manual updates so they pop up in the alerts section of the dashboard. I will never know Sophos Connect has been updated unless you just said and I wasn't super vigilant about current/new versions. There is no information on the GUI to say that the pattern has been changed and because the update number does not match the actual client number, I cannot tell otherwise that my client and the one on the XG are the same. , just a suggestion here to help issues like this in the future (hopefully before v18).

  • Can confirm that Sophos Connect Client v1.1.12 fixed the missing deployment of DNS.

  •  I would suggest to activate the notification in this release blog via Email.

    Even on XG Dashboard, our customers could miss this information.

    Partners and Customer, which want to be "up2date" should always keep an eye on this Release blog, we are releasing all patch notes for all products here. :)

  • Lucar, there are over 20,000 users of the XG and not all of them are going to register themselves against these forums to receives the updates via email as noted here.

    My issue is that it automatically loaded an Early Access Program software on MY firewall without MY permission therefore reducing the level of MY support to that of this FORUM. That is unacceptable.

    The way to fix this is to make the Sophos Connect software updates have to be manually allowed with a notification being in the alerts section of the XG GUI Dashboard. That is far more suitable than "check the forums daily".

  • Because 17.5 is now prompting at login (as 'We strongly recommend that you upgrade the device' I might add) and is marked as GA, I assumed that it was no longer in Beta. It now seems that 17.5 is some sort of Early Access and not ready for release...

    In hoping to fix an issue with SSL VPN, I'm configuring Sophos Connect for a customer. Is the use of 'Sophos Connect Admin' just part of this EAP/Beta? I'd have hoped that Sophos Connect and it's configuration file would be available in the User Portal like the SSL VPN. It seems like a user could take the configuration file and adjust settings such as 'Allow Password Saving'.