Using Sophos Connect VPN Client

Hey everyone,

I wanted to highlight one of the features listed in XG v17.5 - Sophos Connect. Sophos Connect is a new IPsec VPN client, included with XG v17.5. This is a preview release, where we decided to make the client available now, before we've made all of the XG improvements we are planning. The client, as it stands now, is a cross-platform (Windows and Mac) IPsec client with a simple user interface and a compelling set of features that are finished and available for use now. We didn't want to sit on that while waiting for the rest of our plans to be completed, so we decided to get that out to you sooner, even though the total admin user experience still needs a few significant improvements.

In XG, you'll notice that the Cisco VPN tab under VPN has been renamed Sophos Connect, and now offers a download for the new IPsec clients and admin utility. While you can create a split tunnel remote access policy on the IPsec tab, this doesn't yet offer a client IP range, so clients will connect and communicate over the tunnel using whatever IP they are using locally, on the network they're in. While this might work in some cases, it runs into problems as soon as your users are connected from a subnet that conflicts with a network being accessed over the tunnel. Having visited a hotel or two that gave out addresses in massive 10.0.0.0/8 subnet ranges, the possibility of a conflict using that configuration is pretty significant. Meanwhile, the feature originally built to work with the now-antiquated Cisco IPsec VPN client solves this, and does offer a client IP range, but doesn't allow you to configure a split tunnel. Since the Cisco client is pretty outdated now, we decided to re-purpose that feature for now, and use it as the preferred method for configuring Sophos Connect.

This makes for a more robust configuration, but the policy generated by that feature only offers a full tunnel. While that may be enough in some cases, most of you are looking for a VPN client that allows split tunneling. The tunnel will support split tunneling, but the UI doesn't yet offer that capability. We could slap in the feature, but we also want to move to a more modern method of pushing policy from the firewall when the tunnel connects, rather than leaving all of that up to the config file. So for now, we've taken a shortcut (this is an early access release after all :) ) and provided a simple policy editor utility. This also let us expose some of the other great features Sophos Connect offers, like the ability to send Security Heartbeats over the tunnel, or an auto-connect when remote capability.

Ultimately, we will resolve these limits in XG directly, but for the time being, Sophos Connect Admin will let you customize your policies then deploy them to your users. It's a temporary solution needed to let you use these features until we can add them into the firewall itself, and one of the big reasons this client will remain as a long-term early access release after 17.5 goes to GA.

The client is free, and will remain free in the future, and is available to download from within XG today. The client is now available for early access, so we look forward to your testing and feedback. At the end of the XG EAP, the client code should also be considered at a GA quality at that time, but because of the limits I mentioned earlier, we'll continue to offer it as a longer-term EAP release, until some time mid next year.

The download is in the firewall now, under VPN > Sophos Connect client. Also, if you've just updated to v17.5, be sure the firewall has downloaded the client, under Backup & Firmware > Pattern updates, before you try to grab a copy. The package you'll get from the firewall will contain three programs: Sophos Connect for Windows, Sophos Connect for Mac, and Sophos Connect Admin, which is only available for Windows.

You can find instructions on installing and troubleshooting the client here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html

Looking forward to your feedback, and happy testing!
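
The address conflict described in the post above, as an added example (Python, not part of the original post and not Sophos code): the first function reports which tunnel-side networks overlap a client's local subnet, and the second picks a client IP range that overlaps none of a given set of networks. The network lists and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: networks reachable behind the firewall.
TUNNEL_NETWORKS = ["10.20.0.0/16", "192.168.50.0/24"]


def find_conflicts(client_iface, tunnel_networks):
    """Return the tunnel networks that overlap the client's local subnet.

    client_iface is the local address with its prefix, e.g. "10.44.3.17/8".
    Without a client IP range this address is also the source address used
    over the tunnel, so any overlap makes routing ambiguous.
    """
    local = ipaddress.ip_interface(client_iface).network
    return [str(net) for net in map(ipaddress.ip_network, tunnel_networks)
            if net.overlaps(local)]


def pick_client_pool(supernet, prefixlen, avoid):
    """Return the first subnet of `supernet` with the given prefix length
    that overlaps none of the networks in `avoid`, or None if none is free."""
    taken = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for cand in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed client addresses: hotel /8, home LAN, LAN equal to an office net.
    for iface in ("10.44.3.17/8", "192.168.1.23/24", "192.168.50.9/24"):
        hits = find_conflicts(iface, TUNNEL_NETWORKS)
        print(iface, "->", hits or "no conflict")
    # Client LANs seen in the field (constructed) plus the office networks.
    seen_lans = ["10.0.0.0/8", "192.168.0.0/24", "192.168.1.0/24"]
    print(pick_client_pool("172.16.0.0/12", 24, TUNNEL_NETWORKS + seen_lans))
```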

  • In testing I noticed logging in via the Connect client does not use the one-time password. In fact it allows connection without it. Is this by design? We certainly require MFA on all external>internal connections, VPN especially.

  • Any plans for a "status" type bubble when mousing-over the Connect client systray icon and right-click functionality? Anything potentially user-facing needs to be friendly but streamlined.

  • In reply to Big_Buck:

    Big_Buck
    Like some told before, GUI are like jokes, if you have to explain it, it's because it is no good at all.

    The thread is getting a bit longer now, so maybe it's a good time to remind everyone that this is early access to a set of features well before the admin experience is finished - much more so than we usually give. Even after v17.5 goes GA, Sophos Connect will remain in early access. The stability should be considered production safe at the end of the 17.5 beta, but again, the total user experience is not finished. We've gone to some lengths to improve some of the core problems we have with remote access tools today, namely around bulk deployment and management, and have been able to add some additional features to the client via the scadmin utility, but until v18 gives the rest of the firewall side improvements, and removes the need for the admin middleware, this will remain in early access. Until then, consider VPN management UX problems on the firewall already on the known issues list.

  • In reply to ken9000:

    Hey Ken,

    XG supports use of MFA, either using the freely included OATH-TOTP based OTP feature on XG itself, or by integrating with an external MFA solution using RADIUS. This usually requires appending the MFA token to the password, but using the scadmin tool, you can set a flag that offers users a separate field to enter the MFA token. If that's enabled, then users can enter their password and token separately, and we'll append the token to the password field automatically when sending the authentication request.

    The feature can't know whether you've configured the firewall to use MFA at all, so the field is offered, if you enable the option, whether your back end auth service expects a token or not. Not sure if that answers your question, but let me know if not.

    For the hover status, yes there's more we want to add to the tray icon. For now though, the only status shown is the icon itself. It'll show a green light when connected, and a red light when a connection attempt fails. Also, we'll put notifications into the Windows notification tray for any events.

  • In reply to AlanT:

    Appreciate the updates! I'll poke around the admin tool. I like the idea of having a separate prompt for the token versus appending the password. Less chance for users to get confused. It doesn't take much!

  • In reply to AlanT:

    Hi Alan,

    I'm not sure what part of my comment you are referring to.

    I am asking when is the Sophos Connect/Cisco VPN configuration on the XG side going to be possible to assign to groups and not direct to users?

    It's bad enough that the SSL VPN still uses the local Firewall Group membership and not dynamic AD backend but to limit the Sophos Connect VPN this way when there looks to be a big driver to get people onto it, that just seems highly irregular and bad feature examination.

    Remember in the v17 post I said there are things that make for a "death by a thousand cuts", this is another one of those cuts where the feature is good, but the minutiae details are poorly implemented.

    Please can you let me know if the assignment to groups is on the feature roadmap for v17.6 or v18 please?

    Emile

  • In reply to EmileBelcourt:

    EmileBelcourt
    Please can you let me know if the assignment to groups is on the feature roadmap for v17.6 or v18 please?

    Sorry I wasn't clear. Yes, that's targeted for v18.

  • Just been playing around with this feature and in general I like it. I do however find two things that I might have overlooked or am otherwise not able to find the answer:

    1. The connection to the VPN connects to the DDNS configured name (DDNS through Sophos) and I cannot find a way to override the DNS-name or IP-address to connect to. Is this possible?
    2. I cannot find a way to determine which IPSec policies should be used; once connected in the client I can see which policies are applied, but how or where can I determine that another policy should be used, it doesn't seem to be the "DefaultRemoteAccess" policy as there are other settings than are shown in the Sophos VPN client. How/where can the IPSec policy to be used be configured?

  • In reply to apijnappels:

    Hi Ajin,

    You can use the connect admin application to override the target and save the new config. Not sure about changing policies, they are confusing as well and seem to be some default integration.

    Emile

  • In reply to EmileBelcourt:

    Thanks, didn't notice that it was possible to change the hostname from the admin tool. I had already looked at it and saw that it was there, but it's not quite obvious that the setting is configurable.

  • In reply to apijnappels:

    Hi Apijnappels,

    No problem, it's not very obvious and I glossed over it the first time I looked as well!

    Emile

  • Sophos Connect client is not working using the self-signed certificate on iOS

    Every time I try to connect using the VPN profile I have installed, I get an error saying "server certificate identity is incorrect".

  • In reply to waghelak:

    For iOS, the hostname of the certificate which is used for the VPN on the appliance needs to match the hostname iOS uses to connect.

    Just create a new self-signed certificate with a matching hostname and it should work.

  • In reply to Bjoern Ebner:

    Hello

    I am confused about what you mean. So say my iOS self-signed certificate is called IPSEC, how do I match it to the hostname iOS uses?

    Thanks

  • In reply to waghelak:

    Hi all,

    Self-signed certs with Connect are broken right now. I have raised a case, which is now a Jira bug track.

    I have made a thread in the EAP subforum with notes and will update it when I hear more on the fix.

    Emile