Sophos Connect: Syncing AD User Groups

Disclaimer: This information is posted as-is and the content should be referenced at your own risk


Hey everyone,

We're planning to add support for user groups in Sophos Connect config on XG later this year, but since the current state of the world means more people are working from home, there's been a lot more demand for this feature, sooner. As a result, one of our more inventive professional services team put together a simple tool, to run on an AD workstation or server, and sync a chosen AD user group with XG and Sophos Connect permissions. The attached archive and PDF instructions can be used to automatically create new users on XG as they are added to a chosen group, and ensure they have permissions to connect with the Sophos Connect IPsec client. This is not a Sophos supported tool, so if you have issues or questions, please post them here.

Hopefully this helps ease your management efforts in the coming weeks!

Instructions: community.sophos.com/.../VPNSync-Usage-guide.pdf 

VPN sync utility: 8267.vpnsync.zip

Note: This zip file contains an un-signed exe. It is not an official Sophos product, but a tool created by the Sophos community (albeit a member who works for Sophos).

vpnsync.exe SHA-256 HASH: 5F40A81AC4132DC02473DAA280EF1CEB002AB835356541B77225F7BDC3FB50F9

vpnsync.zip SHA-256 HASH: 3E320BFD328391C1BF0B18D6DC38CA146FCE03629A957F62CE01FEA875C2F2BE

You can verify these hashes before running the exe at 
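Checking the published digests before running anything is the one step in this post that is easy to get wrong by eye. The script below is an added example (not code from the post or from the vpnsync tool): it hashes the archive and the extracted exe in chunks, compares against the SHA-256 values published above, and reports per file. The directory argument and the file names `vpnsync.zip` / `vpnsync.exe` inside it are assumptions about how the archive was unpacked.

```python
# Added example: verify the SHA-256 of the downloaded archive and the
# extracted exe against the values published in the post before running it.
import hashlib
import hmac
import sys
from pathlib import Path

# Digests as published in the post above (file names assumed to be the
# archive and the exe it contains).
EXPECTED = {
    "vpnsync.zip": "3E320BFD328391C1BF0B18D6DC38CA146FCE03629A957F62CE01FEA875C2F2BE",
    "vpnsync.exe": "5F40A81AC4132DC02473DAA280EF1CEB002AB835356541B77225F7BDC3FB50F9",
}


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large downloads fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(expected_hex: str, actual_hex: str) -> bool:
    """Case-insensitive comparison of two hex digests (published hashes are
    often upper-case while hashlib emits lower-case)."""
    return hmac.compare_digest(expected_hex.lower(), actual_hex.lower())


def verify_download(directory) -> dict:
    """Check every file named in EXPECTED under `directory`.

    Returns {filename: True (match) / False (mismatch) / None (file absent)}.
    """
    results = {}
    for name, digest in EXPECTED.items():
        p = Path(directory) / name
        results[name] = digest_matches(digest, sha256_file(p)) if p.is_file() else None
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, ok in verify_download(target).items():
        status = "OK" if ok else ("MISSING" if ok is None else "MISMATCH")
        print(f"{name}: {status}")
```

Run it from the folder the zip was extracted into (or pass that folder as the first argument); a MISMATCH on either file means the download should not be run.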

  • Thank you for this tool.

    I would really love to see updates, as the AD Sync and Group limitation is still one of the biggest problems when deploying XG firewall in mid/large scale deployments.

    I wrote a little tutorial based on the VPNSync-Usage-guide.pdf

    https://www.show-run.ch/sophos/sophos-connect-vpn-client-ad-group-sync/

    One issue I found so far is that the tool does not "update" existing users with the "Sophos Connect VPN" flag. It only "add"s new users.
    It's worth mentioning here that if you are using SSLVPN in conjunction with Sophos Connect, deleting a user will also delete his x509 certificate and break his existing SSLVPN config.

    It would be great to see an update function in further releases of this tool.

    Also, in the long term, LDAPS support, since Microsoft is planning to remove LDAP soon.

  • In reply to Samuel Heinrich:

    Thanks Samuel, just at a quick glance, it looks like you've put some work into the guide. Thanks for sharing it!

As a note to everyone, the attached tool has been updated, with one new function. It now supports user creation using either the sAMAccountName or the UPN, so if you're planning on using RADIUS based MFA, it will make your life a little easier. Details on configuring are in the example config file in the zip file.

    Looking forward

This tool is purely a temporary measure till we add group support natively in Sophos Connect on XG. We're also planning to release an update to the Sophos Connect client soon, to allow it to support SSL VPN connections on Windows. This will also solve the problem with group support for Sophos Connect, in another way. The biggest problem with SSL VPN today is the difficulty of deploying it. Sophos Connect will solve that by allowing admins to create a provisioning file that simply points the client to the address and port of the user portal. Then, when the user hits connect, it will log in to the user portal and fetch their VPN connection policy. So you can bulk deploy SSL VPN and its policy, and it will auto-update the policy if something changes, like the encryption settings. I hope to go into early access with that very soon, so stay tuned.

  • In reply to AlanT:

    Hi Alan,

    Thanks a lot for this, useful tool. You state the updated version has the sAMAccountName etc. option but I can't see it on the download link above. Is there another download somewhere?

    Thanks,

    Tom

  • In reply to Tom Beech:

    Sorry Tom, looks like I messed up the included default yml file. I'll update it shortly, but just add this section after the apiurl: section.

    userformat:
        #By default vpnsync will use the upn (user@domain) for the XG username. However, if you plan on using RADIUS based MFA, un-comment the line "type: name".
        #type: upn
        type: name
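To make the effect of that userformat: setting concrete, and to show the "add only, never update" gap Samuel raised earlier in the thread, here is an added example in Python (not code from vpnsync, from Sophos, or from the PDF guide). It parses the posted userformat: fragment with a minimal reader (no PyYAML dependency), maps each AD group member to the XG username the chosen type would produce, and then splits the result into users to create, existing users that still need the Sophos Connect flag, and users already in order. The AD members and the XG user list are constructed sample data; real runs would pull them from LDAP and the XG API.

```python
# Added example: plan an idempotent AD-group -> XG user sync.
# Not code from vpnsync; sample AD and XG data below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    """The two AD attributes the userformat: setting chooses between."""
    sam_account_name: str      # sAMAccountName, e.g. "user1"
    user_principal_name: str   # userPrincipalName, e.g. "user1@abc.com"


@dataclass
class XgUser:
    """Minimal view of an XG user record (constructed for this example)."""
    username: str
    sophos_connect: bool = False   # "allowed to use Sophos Connect" flag


# The fragment posted above, minus the long comment line.
USERFORMAT_SNIPPET = """\
userformat:
    #type: upn
    type: name
"""


def parse_userformat(text: str) -> str:
    """Return the active 'type:' under userformat: from a YAML-like fragment.

    Only handles this two-key fragment: '#' lines are comments and are
    ignored, exactly as YAML would. Falls back to "upn", the default the
    post describes.
    """
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "userformat:":
            in_block = True
            continue
        if in_block and line.startswith("type:"):
            return line.split(":", 1)[1].strip()
    return "upn"


def xg_username(user: AdUser, userformat: str) -> str:
    """Map an AD user to the XG username for the given userformat type."""
    if userformat == "upn":
        # The UPN suffix is whatever AD assigned to the account; it need not
        # equal the domain's DNS name, so user@abc.com and user@abc.local can
        # both appear in one group with type: upn.
        return user.user_principal_name.lower()
    if userformat == "name":
        return user.sam_account_name.lower()
    raise ValueError(f"unknown userformat type: {userformat!r}")


def plan_sync(group_members, xg_users, userformat="upn"):
    """Return (create, update, unchanged) lists of XG usernames.

    create    - in the AD group but not yet present on XG
    update    - present on XG but without the Sophos Connect flag
    unchanged - present with the flag already set
    Members no longer in the group are deliberately left alone: deleting an
    XG user also removes their SSL VPN certificate, as noted in the thread.
    """
    existing = {u.username.lower(): u for u in xg_users}
    create, update, unchanged = [], [], []
    for member in group_members:
        name = xg_username(member, userformat)
        xg = existing.get(name)
        if xg is None:
            create.append(name)
        elif not xg.sophos_connect:
            update.append(name)
        else:
            unchanged.append(name)
    return create, update, unchanged


# Constructed sample data: three group members, two already on XG.
GROUP = [
    AdUser("user1", "user1@abc.com"),
    AdUser("user2", "user2@abc.com"),
    AdUser("user3", "user3@abc.local"),   # different UPN suffix on purpose
]
XG = [XgUser("user1@abc.com", True), XgUser("user2@abc.com", False)]


if __name__ == "__main__":
    fmt = parse_userformat(USERFORMAT_SNIPPET)
    create, update, unchanged = plan_sync(GROUP, XG, fmt)
    print(f"userformat={fmt}\ncreate={create}\nupdate={update}\nunchanged={unchanged}")
```

With the posted fragment the active type is name, so every member maps to a bare sAMAccountName and none of the UPN-style records already on XG match; switching the fragment back to upn makes the existing two records line up and leaves only the update and create lists to act on.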

  • Kudos!!

One thing that jumped out at me in the PDF: LDAP access over 389. Would you be able to add an option for secure LDAP access on 636?

    Thanks,

  • In reply to john_kenny:

I had the same concern with the script, but it is a temporary solution.

    1. We are adding group support in XG later this year (possibly even in an upcoming MR)
    2. Sophos Connect 2.0 for Windows will go into EAP in a matter of days, which will support SSL VPN and
      • SSL already supports user groups
      • SC 2.0 solves bulk deployment for SSL VPN client and policies
      • SC 2.0 improves performance of SSL VPN over current SSL client
    3. Recommended concurrent tunnel maximums for SSL VPN will be raised in a coming update to XG

    In short, we have a bunch of items rushing to release, which will largely remove the need for this script. It may still be useful as a tool to pre-fetch user objects or to create user accounts in a given name format, but group support for Sophos Connect will be solved within XG fairly soon. 

  • In reply to AlanT:

Will the EAP be public, or private by invite or signup? If it's the latter, put me on the list pls or send me the required invite code?

    Thanks, I look forward to all EAP's!!

  • In reply to john_kenny:

    Hello John,

    Here is the link for SC 2.0 EAP: https://community.sophos.com/products/xg-firewall/sfos-eap/sophos-connect-eap/

    Please provide feedback when you install SC 2.0.

    Regards,

    Ramesh

  • Hello;

    I'm new to Sophos and trying to use VPNSync for the purpose of allowing AD users that are specifically included in an AD security group to use the "Sophos Connect Client". The VPNSync zip file was extracted and I updated the vpnsync.yml file with the appropriate information, then created a batch file so that I can schedule it in the Task Manager.

    The vpnsync.log did not show any error and it was able to see all the AD users in that specified AD security group. However, I do not see all of them in the Sophos XG Web Access on Authentication --> Users.

    In addition, it did not automatically add these users to VPN --> Sophos Connect Client as Allowed Users.

    The Sophos XG Firewall Version Configured: VMware SFOS 17.5.11 MR-11

    It was working at first on the XG Firewall Evaluation.

    What am I missing?

    I've got VPNSync working and have installed the Connect 2.0 client. I'm still having an issue with getting the Connect client to run my logon script. Is there anything I can do to test/fix this? I can work with manually setting up users (but thanks for the script making that part of life easier) but my users not having the logon script running kind of sucks. Also it's making it hard to move off of my aging SonicWall.

    Anything I can do to test, I'll give it a try.

    Thanks,

  • In reply to cromwell uy:

    I'm not sure if it'll help you but I found that rebooting the Sophos device helped me when my users were not showing up. I'm not sure if there is a manual way to "refresh" that list. I gave up and did the ol' I.T. fix of doing a reboot. After that I started seeing my users. From time to time it stops showing them in there and I come back later to the firewall after getting distracted by other issues to see them in there.

  • In reply to IPA IT Department:

    Hello,

    If you are running SC 2.0 with an SSL VPN connection, then in the provisioning file you have to set "run_logon_script": yes

    Import the provisioning file again so this flag is set. Now after you connect with VPN, SC will query the logon server for the logon script for the user who connected. If there is one provided then SC will run that on the end user computer. You can open the log scvpn.log (found in the install folder: c:\program files (x86)\sophos\connect) and in there you will see the log entries regarding success/errors during this process.

    Please let us know what you find.

    Regards,
    Ramesh

  • In reply to IPA IT Department:

    Thank you for your response and it is working now. I do like the AD VPNSYNC and it is really helpful, especially when all users are getting registered in a gigantic batch and working from home.

    Another issue that I experienced is that when VPNSYNC ran, I see 1 or 2 AD accounts for each user.

    Active Directory server root is DC=abc,DC=local

    VPNSYNC Results:

    Example 1: user1@abc.local and user1@abc.com

    • Enabled Sophos Connect for username: user1@abc.local
    • Disabled Sophos Connect for username: user1@abc.com
      • Connection: VPN connects successfully
    • Disabled Sophos Connect for username: user1@abc.local
    • Enabled Sophos Connect for username: user1@abc.com
      • Connection: VPN connection failed

    Example 2: user2@abc.com (user2@abc.local will not get synced or will not show up in Sophos Users)

    • Enabled Sophos Connect for username: user2@abc.com
      • Connection: VPN connection failed

    My issue is with Example "2". Since VPNSYNC cannot find the user2@abc.local account for user2, the user cannot connect to the Sophos VPN.

    Do you know how to fix this?

  • Awesome idea, but I get this:

    C:\Users\rsmith\Downloads\8267.vpnsync>vpnsync.exe
    initializing gathering connecting via ldap.
    Traceback (most recent call last):
    File "vpnsync.py", line 76, in <module>
    TypeError: unsupported operand type(s) for +: 'INVALID_CREDENTIALS' and 'str'

    I even changed the admin password thinking a lot of special characters might mess things up but that didn't fix things...

    Help! I need this ASAP!

  • In reply to AlanT:

    Hi, got a question about the RADIUS based MFA. We are using the Sophos Connect client 2.0 version and just used the sync tool to import our AD users!

    Import works perfectly; the only thing is we cannot connect the Sophos Connect client with our Microsoft Authenticator app.

    Settings used in the sync script are like this:

    userformat:
    #By default vpnsync will use the upn (user@domain) for the XG username. However, if you plan on using RADIUS based MFA, un-comment the line "type: name".
    #type: upn
    type: name

    but when the users are imported the usernames are still filled with the UPN!

    When we try to connect the Sophos Connect client with MFA I get the MFA message from the authenticator app but after a few seconds I get an authentication failed message.

    In the firewall you see the error: failed to login to VPN through RADIUS authentication mechanism because of access not allowed

    When we try to sign in to the user portal with MFA everything works fine!

    Hope you know what is going wrong?

    Greetings