Automated post-connection logon script

Hi folks,

 

I'm new to using the VPNs on the Sophos XG appliance, and I've been comparing the SSL VPN and the Sophos Connect clients. One thing I've managed to achieve with the SSL is automating a 'logon script' once the VPN connection is made. Has anyone managed to get this working with the Sophos Connect client?

 

I've enabled the 'Run logon script' in the Sophos Connect Admin for the connection profile, but sadly it doesn't appear to do anything (at least, it doesn't run the logon script I've assigned to my test user within AD on the Profile tab of the user). I'm not sure if there is some way of specifying a particular script too - I've had a look at the .scx profile file but the only reference to scripts is "run_logon_script": true; (or false, presumably). For the SSL VPN it's quite straightforward as all you need is a <ssl connection name>_up.bat in the config folder and it runs automatically, so I was hoping there would be something similar for Sophos Connect.

 

If anyone has managed to get this to work, any pointers would be greatly appreciated!

 

Sam

  • Hi  

    Using the Sophos Connect Admin, you should be able to configure the Sophos Connect Client with the Auto-Connect Tunnel option. This will cause Sophos Connect to attempt to connect automatically after users have logged into the OS. Please refer to the KBA "Sophos XG Firewall: Sophos Connect Client", in particular the "[Optional] Sophos Connect admin tool installation and configuration" part.

  • In reply to Jaydeep:

    Hi Jaydeep,

    Many thanks for your reply!

    That bit works fine, but I'd like to start a script file after the tunnel has been connected.  I've used the Sophos Connect admin tool to configure the .scx file for the VPN connection, but the bit I'd like to use, 'Run logon script' doesn't appear to actually run the Active Directory logon script (at least, I haven't managed to get it to successfully do anything):

    I was hoping that there may have been a method to specify a logon script to run, instead of the admin tool using the Active Directory logon script, but I'd settle for the AD script if needs be.

    I've managed to get this working fine for the SSL VPN Client, but not the Sophos Connect client - I'm trying to evaluate the two to determine which would be best to use organization-wide (there are pros and cons to both at the moment), and a post-connection logon script would be very useful.

    Many thanks,

    Sam

  • In reply to Sam Kirk:

    Thanks for explaining.

    I now understand what exactly you're trying to achieve. I need to check more details with someone who has more hands-on experience with Logon script in Sophos Connect Client.

  • Same problem here!

    You can find the log here: c:\program files (x86)\sophos\connect\scvpn.log

    2019-10-18 12:54:32PM [2824] dbg RunLogonScript thread started
    2019-10-18 12:54:32PM [8444] dbg VPN state changed to connected
    2019-10-18 12:54:32PM [2824] dbg Executing logon script: 'login.bat'

    but it does nothing at all... 
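
As an added example (not part of the original thread, and not Sophos code): a Python parser for the scvpn.log lines quoted above that reports, for each connect event, which logon script the client logged an attempt to run. The line layout is inferred from those three lines, and the 5-second pairing window and the function names are assumptions.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Line layout inferred from the three lines quoted above; an assumption for other lines.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}[AP]M) "
    r"\[(?P<tid>\d+)\] (?P<level>\w+) (?P<msg>.*)$"
)
SCRIPT_RE = re.compile(r"^Executing logon script: '(?P<path>.*)'$")
CONNECTED = "VPN state changed to connected"

# Constructed sample: the three quoted lines plus a second connect with no script line.
SAMPLE_LOG = """\
2019-10-18 12:54:32PM [2824] dbg RunLogonScript thread started
2019-10-18 12:54:32PM [8444] dbg VPN state changed to connected
2019-10-18 12:54:32PM [2824] dbg Executing logon script: 'login.bat'
2019-10-18 03:10:05PM [8444] dbg VPN state changed to connected
"""

def parse(text):
    """Yield (timestamp, thread id, message) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %I:%M:%S%p")
            yield ts, int(m["tid"]), m["msg"].strip()

def logon_script_report(text, window_seconds=5):
    """For each 'connected' event, report the script the client tried to run, if any."""
    events = list(parse(text))
    window = timedelta(seconds=window_seconds)
    report = []
    for ts, _tid, msg in events:
        if msg != CONNECTED:
            continue
        script = None
        # The script thread logs on its own, so look on both sides of the event.
        for ts2, _tid2, msg2 in events:
            m = SCRIPT_RE.match(msg2)
            if m and abs(ts2 - ts) <= window:
                script = m["path"]
                break
        report.append({"connected_at": ts, "script": script,
                       "absolute": ntpath.isabs(script) if script else None})
    return report

if __name__ == "__main__":
    print(logon_script_report(SAMPLE_LOG))
```

The "Executing logon script" line records only that the client attempted the launch; the quoted lines carry no exit status, so a script listed in the report is not proof that it ran.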

  • In reply to Jah:

    An answer from Sophos on this subject would be helpful, or at least some documentation on what the logon script option actually does, e.g. which script on AD is it trying to run? An option to be able to run your own scripts after the VPN connection has connected would be even more useful.

    Sophos can you provide some clarification on this subject please?

  • Hi Sam Kirk,

    Sorry for the inconvenience, I think this issue is related to the known ID (NC-51227), and I will follow up to get more information regarding the ETA for the version where this issue is fixed. 

    Thanks,

  • Hi Sam Kirk,

    The tentative ETA for this internal ID NC-51227 is later this year, in April.

    Thanks,

  • In reply to H_Patel:

    Hello Sam,

    There was a patch delivered to Support to fix this issue some time back. I hope you have got that patch. It will be in the general release in Sophos Connect 2.0.

    Regards,

    Ramesh