Sophos Connect vs DNS

So I finished all the instructions as posted on page https://community.sophos.com/kb/en-us/133109

Downloaded the client and exported the configuration. Set up the client and finally made a connection.

So far so good. Can ping hosts on the internal network by IP address, however I can't seem to reach hosts by their name.

I did enter the IP of the DNS server but somehow hosts aren't being resolved.

 

Any thoughts or pointers on this?

 

Thnx, Peter-Paul

  • In reply to rmk_2018:

    It populated in the pattern updates and the 1.3.65.0614 client shows good initial results on win10 for TAP metric, Connection-specific DNS Suffix from the scx config, and internal dns lookups.  Thanks

  • Hello Peter-Paul,

     

    What is the Sophos Connect Client version you are running? On the About page it will show you the version. We just released Sophos Connect 1.3 today. 

     

    Sophos Connect 1.3 is released and it is now available via your firewall via pattern update. You can go to System->Backup & Firmware->Pattern Updates and click Pattern update now to get it downloaded in case it is not there already.

    Please do let us know how this new version works for you after a week of usage. Looking for feedback from customers for this new release.

     

    If you upgrade to this version and still run into problems, please PM me the TSR and I can help take a look at it.

     

    Ramesh

  • In reply to rmk_2018:

    I've just tried the latest version of Sophos Connect and DNS is still not working. We have to use host@domain.com, instead of just host, to access any of our resources. Pinging works, just not DNS resolution.

    The Sophos Connect config page needs a field to enter the domain name like SSL VPN.

  • In reply to Nathan Kuhl:

    Nathan Kuhl

    The Sophos Connect config page needs a field to enter the domain name like SSL VPN.

     

    Install the latest scadmin.msi which provides a new "set client dns suffix" option that will add a specified domain into the tgb/scx file.  Import the new scx file into the client and confirm overwrite of any existing connection: https://community.sophos.com/kb/en-us/133109#Sophos%20Connect%20admin%20tool%20installation%20and%20configuration

  • In reply to momentum:

    Hi momentum, we're 95% macOS on our campus. Sophos Connect is available for macOS and can not execute MSI files. Is there a similar fix for macOS?

  • In reply to Nathan Kuhl:

    Nathan Kuhl

    Is there a similar fix for macOS?

     

    Find a Windows computer to run scadmin.msi to generate the new scx file for usage on the macOS clients, or add this line into an existing scx file with a text editor between the first set of {}'s:

        "domain_suffix":    "mydomain.com",

  • In reply to rmk_2018:

    Hi Ramesh,

    Great to learn that there's a fix available. For now I've moved to Sophos UTM so not able to test the solution.
    Thank you however for contacting me about this.

    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Hello Peter-Paul,

    Thank you for the update. Just to let you know Sophos Connect is now supported on UTM also. You will also have a good experience with Sophos Connect on UTM so if possible please do give it a try.

    Ramesh

  • In reply to rmk_2018:

    I'm willing to try / test Sophos Connect with my UTM.

    Please give me some pointers: how do I set up and where can I download the installables from within UTM?

     

    Grtz, Peter-Paul

  • In reply to LuCar Toni:

    Thnx! Just downloaded and installed Sophos Connect 1.3

    Now I need to set up UTM:

    1. setup the VPN

    2. export the connection for the client.

     

    I've done this on the XG FW but can't seem to find the settings in UTM. Any help will be appreciated so I can continue my testing.

     

    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Hello Peter-Paul,

     

    Setting up UTM policy for Sophos Connect is very easy. Here are the steps.

    1) Go to Remote Access->IPsec page

    2) Add a New IPsec Remote Access …. 

        In this new policy you can define the networks (split or tunnel all), and the Remote Access users allowed to connect to this policy and the auth type. Based on the auth type you configure the next step #3.

    3) On the Advanced tab, configure Local X509 Certificate or Preshared Key Settings (depending on your required configuration)

    4) Now go to Remote Access->Advanced, where you configure the DNS server and Domain Name.

     

    After you configure the four steps above, log in to the user portal as the user, download the configuration and import it into Sophos Connect. Enable the connection and it works.

     

    Please let me know how it goes. Hope to hear back from you on how it went.

     

    Thank you,

    Ramesh

     

    PS: When connecting to UTM, there is ONLY one function for which you will have to use Sophos Connect Admin and that is to enable auto-connect. If you do not require auto-connect then you are good to go with the UTM policy configuration. Also note that on the UTM, you MUST configure IPsec Policy and NOT Cisco VPN Client.

  • We have a similar problem with some of our laptops. 

    Looking at the Connect Client status (GUI), this shows the correct IPv4 addresses for DNS.

    Checking the details in a DOS / PS terminal shows 3 default IPv6 addresses for DNS.

    I have Sophserve ticket 9015034 open for this.

    "A number of our laptops (a mixture of new build and some that used to have SSL VPN) with the Sophos Connect Client V1.3 are not having the DNS settings for the TAP adapter set correctly.

    I have noticed that the DNS is being set to use 3 default IPv6 addresses and that the TAP adapter is being labelled as Sophos TAP adapter #2.
    I'll upload some screenshots which will assist.
     
    Comparing the Connect client status (GUI), that shows the correct IPv4 address for DNS, but those details aren't shown when displaying details of the network adaptor in a DOS or PS terminal.
    Have uploaded pics showing good & bad DNS. The good DNS was on one user's Win 7 laptop, the bad DNS was on her new Win 10 laptop. The other screenshots show TAP adapter #2 (adapter #1 isn't present on the system - even showing hidden adapters) and the IPv6 DNS"
     
  • In reply to David Bradbury:

    Hello David,

     

    Please generate a technical support report from the client after the connection is established on the problem laptop. Then PM me the report and I will take a look at this issue. Also, are you terminating to XG firewall or the UTM?

     

    The TAP adapter used by Sophos Connect is "Sophos TAP adapter" and that is correct. This is to differentiate it from the TAP adapter used by SSL VPN.

     

    Thank you,
    Ramesh
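
The checks discussed in this thread (DNS servers actually bound to the TAP adapter, the connection-specific DNS suffix, and short-name versus fully qualified lookups) can be gathered in one pass on a Windows client while the tunnel is up. This is an added example, not part of any post above and not Sophos code; the host name `fileserver`, the suffix `mydomain.com`, and the assumption that the adapter's interface description begins with "Sophos TAP adapter" are placeholders to adjust.

```powershell
# Added diagnostic example. Run in PowerShell while the Sophos Connect tunnel is connected.
$ShortName      = 'fileserver'      # placeholder: an internal host that should resolve
$ExpectedSuffix = 'mydomain.com'    # placeholder: the suffix set via "domain_suffix" in the scx file

# Locate the TAP adapter(s), including hidden ones (covers "Sophos TAP adapter #2").
# Assumption: the interface description starts with "Sophos TAP adapter".
$adapters = Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -like 'Sophos TAP adapter*' }
if (-not $adapters) { throw 'No Sophos TAP adapter found on this machine.' }

$report = foreach ($a in $adapters) {
    # DNS servers per address family, as the OS sees them (not what the client GUI displays).
    $v4 = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 `
            -ErrorAction SilentlyContinue).ServerAddresses
    $v6 = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv6 `
            -ErrorAction SilentlyContinue).ServerAddresses
    $suffix = (Get-DnsClient -InterfaceIndex $a.ifIndex `
            -ErrorAction SilentlyContinue).ConnectionSpecificSuffix
    $metric = (Get-NetIPInterface -InterfaceIndex $a.ifIndex -AddressFamily IPv4 `
            -ErrorAction SilentlyContinue).InterfaceMetric

    $verdict = if (-not $v4) { 'No IPv4 DNS server bound to adapter' }
               elseif ($suffix -ne $ExpectedSuffix) { 'DNS suffix missing or different' }
               else { 'OK' }

    [pscustomobject]@{
        Adapter = $a.InterfaceDescription
        Status  = $a.Status
        Metric  = $metric
        DnsIPv4 = $v4 -join ', '
        DnsIPv6 = $v6 -join ', '
        Suffix  = $suffix
        Verdict = $verdict
    }
}
$report | Format-List

# Compare short-name and fully qualified lookups; the short name depends on the suffix.
foreach ($name in $ShortName, "$ShortName.$ExpectedSuffix") {
    $r = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    $answer = if ($r) { $r.IPAddress -join ', ' } else { 'NOT RESOLVED' }
    '{0,-32} {1}' -f $name, $answer
}
```

If the fully qualified name resolves and the short name does not, the suffix is the gap; if neither resolves and `DnsIPv4` is empty, the adapter never received the DNS servers from the connection.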