I wanted to highlight one of the features listed in XG v17.5 - Sophos Connect. Sophos Connect is a new IPsec VPN client, included with XG v17.5. This is a preview release, where we decided to make the client available now, before we've made all of the XG improvements we are planning. The client, as it stands now, is a cross platform (Windows and Mac) IPsec client with a simple user interface, and a compelling set of features, that are finished, and available for use now. We didn't want to sit on that while waiting for the rest of our plans to be completed, so we decided to get that out to you sooner, even though the total admin user experience still needs a few significant improvements.
In XG, you'll notice that the Cisco VPN tab under VPN, has been re-named Sophos Connect, and now offers a download for the new IPsec clients and admin utility. While you can create a split tunnel remote access policy on the IPsec tab, this doesn't yet offer a client IP range. So clients will connect and communicate over the tunnel, using whatever IP they are using locally, on the network they're in. While this might work in some cases, it runs into problems, as soon as your users are connected from a subnet that conflicts with a network being accessed over the tunnel. Having visited a hotel or two that gave out addresses in massive 10.0.0.0/8 subnet ranges, the possibility of a conflict using that configuration is pretty significant. Meanwhile, the feature originally built to work with the now-antiquated Cisco IPsec VPN client solves this, and does offer a client IP range, but doesn't allow you to configure a split tunnel. Since the Cisco client is pretty outdated now, we decided to re-purpose that feature for now, and use it as the preferred method for configuring Sophos Connect.
This makes for a more robust configuration, but the policy generated by that feature, only offers a full-tunnel. While that may be enough in some cases, most of you are looking for a VPN client that allows split tunneling. The tunnel will support split tunneling, but the UI doesn't yet offer that capability. We could slap in the feature, but we also want to move to a more modern method of pushing policy from the firewall when the tunnel connects, rather than leaving all of that up to the config file. So for now, we've taken a short-cut, (this is an early access release after all :) ) and provided a simple policy editor utility. This also let us expose some of the other great features Sophos Connect offers, like the ability to send Security Heartbeats over the tunnel, or an auto-connect when remote capability.
Ultimately, we will resolve these limits in XG directly, but for the time being, Sophos Connect Admin will let you customize your policies then deploy them to your users. It's a temporary solution needed to let you use these features, until we can add them into the firewall itself, and one of the big reasons this client will remain as a long term early access release, after 17.5 goes to GA.
The client is free, and will remain free in the future, and is available to download from within XG today. The client is now available for early access, so we look forward to your testing and feedback. At the end of the XG EAP, the client code should also be considered at a GA quality at that time, but because of the limits I mentioned earlier, we'll continue to offer it as a longer term EAP release, until some time mid next year.
The download is in the firewall now, under VPN > Sophos Connect client. Also, if you've just updated to v17.5, be sure the firewall has downloaded the client, under Backup & Firmware > Pattern updates, before you try to grab a copy. The package you'll get from the firewall will contain three programs: Sophos Connect for Windows, Sophos Connect for Mac, and Sophos Connect Admin, which is only available for Windows.
You can find instructions on installing and troubleshooting the client here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html
Looking forward to your feedback, and happy testing!
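The subnet-conflict problem the post describes (a split-tunnel policy that keeps the client's local IP, versus a policy with a client IP pool) can be checked before rolling a profile out. The following is an added example, not code from the post or from Sophos; the corporate networks, the hotel subnet and the pool are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: networks the split-tunnel policy sends over the tunnel.
CORP_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "172.16.10.0/24")]


def tunnel_conflicts(local_cidr: str, corp: Iterable = CORP_NETWORKS) -> List[str]:
    """Return the corporate networks that overlap the subnet the client got locally.

    With an IPsec-tab policy the client keeps its local address over the tunnel,
    so any overlap here is the situation the post warns about (e.g. a hotel
    handing out addresses from 10.0.0.0/8 while the office also lives in 10/8).
    """
    local = ipaddress.ip_network(local_cidr, strict=False)  # accept host/prefix form
    return [str(n) for n in corp if n.overlaps(local)]


def pool_is_usable(pool_cidr: str, local_cidr: str, corp: Iterable = CORP_NETWORKS) -> bool:
    """A client IP pool (Sophos Connect tab policy) must be disjoint from the
    corporate networks and from the subnet the client is currently sitting in."""
    pool = ipaddress.ip_network(pool_cidr)
    local = ipaddress.ip_network(local_cidr, strict=False)
    return not pool.overlaps(local) and not any(pool.overlaps(n) for n in corp)


def recommend(local_cidr: str, pool_cidr: str, corp: Iterable = CORP_NETWORKS) -> str:
    """Say which of the two policy styles is safe for a client at this location."""
    conflicts = tunnel_conflicts(local_cidr, corp)
    if not conflicts:
        return "local-ip split tunnel is safe"
    if pool_is_usable(pool_cidr, local_cidr, corp):
        return f"use client IP pool {pool_cidr}; local subnet overlaps {', '.join(conflicts)}"
    return "neither: choose a different client IP pool"


if __name__ == "__main__":
    # Constructed client locations: a hotel LAN in 10/8 and a home LAN in 192.168.1/24.
    for where in ("10.5.6.7/8", "192.168.1.20/24"):
        print(where, "->", recommend(where, "172.31.0.0/24"))
```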
In reply to EmileBelcourt:
Did you get any update on this?
In my testing one issue I have come up with is that if the XG becomes unavailable (for whatever reason), the client will disconnect and allow non-tunneled traffic to the internet, which is probably ok. My issue is that once the XG became available again the client did not auto-reconnect to it.
Also what does the DNS Suffix/Monitoring Host in the Sophos Connect Admin do?
In reply to GaryBrown:
When XG becomes unavailable, the client will only have unidirectional traffic (transmit but no receive) since the gateway is down. At this point the Client will start Dead Peer Detection (DPD) and if there is no response for this request the client will ultimately timeout sending the DPD request. After this timeout, it will try one more renegotiate attempt and if it fails then it will give up trying. At this point the user has to manually enable the connection.
DNS Suffix/Monitoring Host will help the client determine whether it is connected on the corp network or outside the corp network. This is done when Auto-Connect is enabled for the connection.
It is currently still missing 2 very important requirements.
1 - MSGina support. Corporate clients need simplistic logon features and the ability to execute logon scripts.
2 - Multiple IP range support. Corporate clients can have multiple address ranges behind their Sophos firewall. The VPN client needs to incorporate that.
The client may be free, but it is still years behind others.
Thankfully the GreenBow client still ticks all the boxes.
Can someone summarize the advantage of this over SSL VPN (OpenVPN)?
Is it more secure? Faster? More stable?
In reply to l0rdraiden:
Most likely you should compare Remote SSL VPN against Remote IPsec.
In the short run, IPsec "should" be faster than SSL VPN and should be more performance optimized.
Some cons are: IPsec could be blocked in certain locations, while SSLVPN (443) is more likely to be open.
In reply to Younger Joseph:
Younger Joseph, the architecture of a typical VPN client requires a back-end service that can run unattended, and a front-end user interface to control it. Each runs as a separate process and must be able to communicate. Using websockets versus something else doesn't cause bloat. It's just an architecture choice on how they communicate, and adds some development efficiency. For example, the same client can be built for Windows and Mac with an absolute minimum of redundant effort.
l0rdraiden Sophos Connect isn't yet meant to be an SSL VPN replacement. It offers better support for bulk deployment, a more user-friendly user experience, and will eventually fully replace SSL VPN, but for now, we had a large demand for an IPsec client, and we needed one that we could offer at the right price point ($0). Right now, Sophos Connect and XG have a number of limits, so it might not be the right choice in every case, but right now, unless you specifically need SSL VPN, Sophos Connect might be the better choice.
GavinDaniels MS-GINA support is a legacy need, and we won't add it - but the ability to sync group policies and run AD login scripts on connect can be added without gina support, and it's on the backlog. As for multiple IP range support (aka split tunnel support), Sophos Connect fully supports that. The Sophos Connect tab in XG doesn't, but the scadmin utility will let you configure split tunnel support, as well as other features for your VPN profiles, before distributing them to your users. You can alternately use IPsec remote access policies with Sophos Connect, which do support split tunnel definition in the firewall, but do not support a client IP pool definition. As a result, they are less reliable than policies created on the Sophos Connect tab and edited with scadmin. I understand that process is less intuitive, and that's one of the key reasons we have continued to brand Sophos Connect as an EAP release. The client itself is GA quality and fully supported, but the overall management process is not finished yet.
In reply to AlanT:
Why do you want to discontinue SSL VPN? What is the reason behind it?
We definitely don't want to discontinue SSL VPN - but admins shouldn't have to choose between SSL or IPsec. Sophos Connect will eventually support both protocols and even help select between them, automatically, depending on what will work best in any given situation.