Sophos Connect: Syncing AD User Groups

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Hey everyone,

We're planning to add support for user groups in Sophos Connect config on XG later this year, but since the current state of the world means more people are working from home, there's been a lot more demand for this feature, sooner. As a result, one of our more inventive professional services team put together a simple tool , to run on an AD workstation or server, and sync a chosen AD user group with XG and Sophos Connect permissions. The attached archive and pdf instructions can be used to automatically create new users on XG as they are added to a chosen group, and ensure they have permissions to connect with the Sophos Connect IPsec client. This is not a Sophos supported tool, so if you have issues or questions, please post them here. 

 Hopefully this helps ease your management efforts in the coming weeks!


VPN sync utility:


Note: This zip file contains an un-signed exe. It is not an official Sophos product, but a tool created by the Sophos community (albeit a member who works for Sophos).

vpnsync.exe SHA-256 HASH: 5F40A81AC4132DC02473DAA280EF1CEB002AB835356541B77225F7BDC3FB50F9 SHA-256 HASH: 3E320BFD328391C1BF0B18D6DC38CA146FCE03629A957F62CE01FEA875C2F2BE

You can verify these hashes before running the exe at 

  • Hello Alan,

    the tool generates an error if there is a comma in the AD object name. If the comma is removed, the sync works. The vpnssync log shows the following error "2020-06-18 14: 42: 18.285000, problem in outter except, fatal." Do you have a solution to this problem? Thanks.



  • In reply to SimA:

    The tool also doesn't account for any kind of other special characters.  Ours failed on ( ) and [ ]

    We removed those from the names of the accounts involved and it works great now.


  • In reply to AlanT:

    Hi Alan,


    We tried to use your tool for importing the, 100+,  AD users needed for Radius authentication. We changed the configuration File to not use UPN but still the tool imports the UPN ??

    Any idea why ? Maybe you can provide the correct configuration file ?


    Hope te hear from you soon.



    Hans Schenkelaars

  • In reply to Lars86:

    what does the vpnsync.log show when it runs? I just noticed that there is a typo in the example yml. It should have type: name commented out by default, and if nothing is defined for userformat, it should use upn.

  • In reply to AlanT:

    Results of the log:
    2020-07-22 20:09:15.242000,checking user: mfa-test,mfa-test@domain
    2020-07-22 20:09:16.102000,check returned<?xml version="1.0" encoding="UTF-8"?>
    2020-07-22 20:09:16.102000,check returned<Response APIVersion="1800.1" IPS_CAT_VER="1">
    2020-07-22 20:09:16.102000,check returned <Login>
    2020-07-22 20:09:16.102000,check returned <status>Authentication Successful</status>
    2020-07-22 20:09:16.102000,check returned </Login>
    2020-07-22 20:09:16.102000,check returned <User transactionid="">
    2020-07-22 20:09:16.117000,check returned <Status>No. of records Zero.</Status>
    2020-07-22 20:09:16.117000,calling setuser for. mfa-test,mfa-test@domain
    2020-07-22 20:09:17.849000,set returned<?xml version="1.0" encoding="UTF-8"?>
    2020-07-22 20:09:17.849000,set returned<Response APIVersion="1800.1" IPS_CAT_VER="1">
    2020-07-22 20:09:17.849000,set returned <Login>
    2020-07-22 20:09:17.849000,set returned <status>Authentication Successful</status>
    2020-07-22 20:09:17.849000,set returned </Login>
    2020-07-22 20:09:17.849000,set returned <User transactionid="">
    2020-07-22 20:09:17.849000,set returned <Status code="200">Configuration applied successfully.</Status>
    2020-07-22 20:09:17.849000,successfully created user. mfa-test,mfa-test@domain

    and this is the format of the usersetting in de vpnsync.yml file:

    #By default vpnsync will use the upn (user@domain) for the XG username. Hower, if you plan on using RADIUS based MFA, un-comment the line "type: name".
    #type: upn
    type: name

    Result is that the users are added with upn in the username field on the firewall and we cannot login with Radius / MFA...

  • I'm getting the following error trying to run the sync utility:


    2020-07-31 12:31:36.165000,verbose mymember output.CN=LastName\, FirstName,OU=Teachers,OU=Primary School,DC=school,DC=org

    2020-07-31 12:31:36.165000,problem in outter except, fatal.


    In Active Directory, for some reason the DN is showing the CN as "LastName\, FirstName" where i believe the comma is causing issues with this utility.  However, if I am importing users based on their UPN, why is it importing based on DN?


    I have type: upn uncommented.