Problem with SSL VPN client and O365 in Windows 10

Hi There,

Putting this here to save someone else some time in the future. We recently moved our users to a new O365 tenant. In this new tenant we had enabled MFA. After we did that, I started having an issue with Outlook not working if I restarted Outlook after I had used the Sophos SSL (OpenVPN) client to connect. I would have to open Outlook first to get authenticated, then start up the VPN. I don't have the exact message any more, but basically Outlook popped up a "Can't connect" message (and "Please enter your password" in the lower right of Outlook) when I had started the VPN client before starting Outlook.

After doing some googling and looking at other firewall vendors' forums (who also use an OpenVPN-based SSL client), it appears that you have to set the gateway IP under the Sophos SSL Adapter, or whatever yours is called, in the network adapter listing. Without doing this, the Sophos adapter's connectivity status will show "Unknown" (instead of "Internet Access"). Setting the gateway address under the TCP/IPv4 properties of the Sophos adapter remedies that. I just used the gateway address that netstat -rn showed me as the default route.

If I was using split tunneling this would not be an issue (I'm assuming), but I tunnel all traffic through the SSL VPN client.

So I think it's a combination of Outlook's / MFA authentication process, the Windows 10 network location service, and the OpenVPN client running in fully tunneled mode.

I hope this helps someone in the future. If anyone else has any other ideas, please chime in.

Thanks,

-Scott

  • When you tunnel all traffic, there should be a gateway on the adapter automatically, otherwise it wouldn't know how to route the traffic (unless it creates a 0.0.0.0/0 route when you connect, but that seems odd). Have you checked the logs to see if it somehow failed to apply some configuration when you connect? This shouldn't be the normal behavior. I'd expect there to be a gateway on the SSL VPN interface.

  • I am having the same issue. It started a few weeks ago when a user was unable to autosave in Word because OneDrive was having an issue authenticating. Off the SSL VPN everything works as designed. With the VPN enabled, apps that use O365 to authenticate start having issues. Outlook and OneDrive are the two we have the most issues with. I have noticed that there are similar issues with our AWS OpenVPN as well.

    We have all traffic routed over the VPN.

    Any ideas besides manually adding a default gateway to the VPN adapter?

  • We are in the same boat. The workaround of adding a gateway is not a solution for effective management and deployment of our VPN. Our network engineer created a ticket with Sophos support but they are not able to provide a solution. Mostly they are giving us the runaround by getting logs and more logs and more logs, and then silence.

  • Yes, it seems like the configuration is not adding a gateway to the SSL adapter if you're not doing split tunnel. We ended up deploying a PowerShell script (see below) to our VPN users to set the default gateway on all of the local VPN adapters. It was a pain but it ended up working.

        # Add a default route on the Sophos SSL VPN adapter (run from an elevated PowerShell).
        $VPNGateway = "X.X.X.X"      # VPN-side gateway, e.g. the default route shown by 'netstat -rn' while connected
        $DestPrefix = "0.0.0.0/0"    # default route
        # Look the adapter up by its driver description so the script works regardless of the connection name
        $AliasName  = (Get-NetAdapter -InterfaceDescription 'Sophos SSL VPN Adapter').Name

        New-NetRoute -InterfaceAlias $AliasName -NextHop $VPNGateway -DestinationPrefix $DestPrefix

    It would be nice if the configuration for the client added this when you applied it, but it does not.

  • First of all, thank you for the post. I've been meaning to create one but never got around to it. I have previously logged a ticket with Sophos support which ended with them advising that the issue is with Microsoft/Office 365 given everything else seems to be working.

    The following routes are added by the VPN connection, which should have achieved the same effect as the route below; however, Office 365 authentication intermittently doesn't work.

    route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.81.234.5

    route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.81.234.5

    Adding the following route solves the issue with authenticating to Office 365.

    route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.81.234.5
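
    The two posts above (the PowerShell script and the route.exe commands) both boil down to the same procedure: find the VPN adapter, and add a 0.0.0.0/0 route through the VPN gateway so that Windows sees a default gateway on that interface. The two /1 routes that full-tunnel OpenVPN installs are more specific than /0, so the extra route does not change where traffic goes; it only gives the adapter a default gateway. The script below is an added example, not code from the thread or from Sophos. It assumes the adapter's description is 'Sophos SSL VPN Adapter' (as in the thread) and, rather than hard-coding the gateway, reads it from the 0.0.0.0/1 route the client already installed, so the same script works across servers and re-connects. It must be run elevated after the tunnel is up.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example (not from the thread): add a default route on the SSL VPN adapter
    # using the gateway already present in the client's 0.0.0.0/1 route.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the driver description used by the Sophos SSL VPN client.
        [string]$InterfaceDescription = 'Sophos SSL VPN Adapter'
    )

    # Only act on a connected adapter; when the tunnel is down there is nothing to fix.
    $adapter = Get-NetAdapter -InterfaceDescription $InterfaceDescription -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Up' | Select-Object -First 1
    if (-not $adapter) {
        throw "No connected adapter matching '$InterfaceDescription'. Is the VPN up?"
    }
    $ifIndex = $adapter.InterfaceIndex

    # Full-tunnel OpenVPN pushes 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway instead of a
    # true default route. Take the next hop from the first of them instead of hard-coding it.
    $halfRoute = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/1' `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $halfRoute) {
        throw "No 0.0.0.0/1 route on '$($adapter.Name)'; the client is not in full-tunnel mode or its routes were not applied."
    }
    $gateway = $halfRoute.NextHop

    # Idempotent: do nothing if a default route already exists on this interface.
    $existing = Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Default route already present on '$($adapter.Name)' via $($existing.NextHop)"
    }
    elseif ($PSCmdlet.ShouldProcess("$($adapter.Name) (ifIndex $ifIndex)", "Add 0.0.0.0/0 via $gateway")) {
        # ActiveStore only: the route lives as long as the tunnel and is not persisted to a
        # gateway address that may differ on the next connection.
        New-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -NextHop $gateway `
            -PolicyStore ActiveStore | Out-Null
    }

    # Show what the network location service now thinks of this interface.
    Get-NetConnectionProfile -InterfaceIndex $ifIndex |
        Select-Object Name, InterfaceAlias, IPv4Connectivity, NetworkCategory
    ```

    Run it with -WhatIf first to see which adapter and gateway it would use; with -Verbose it reports when the route is already present. Because the route is added to the active store only, it disappears with the tunnel and has to be re-run on each connect (for example from a scheduled task triggered on the adapter coming up), which is the trade-off for not persisting a stale gateway.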

  • In reply to Wimar Aswan:

    This works indeed, however it is a workaround and no real solution. Any news on this?

  • In reply to Geert-Jan van Moorsel:

    Here's a thread going back to last year in the OpenVPN forums for more info:

    https://forums.openvpn.net/viewtopic.php?t=27321

  • In reply to Geert-Jan van Moorsel:

    I've basically swapped over to using Sophos Connect. While it is not perfect, I find it better than the SSL VPN and it doesn't have this issue.

  • We had the exact same issue. 

    Adding the route manually resolves it but is indeed an ugly workaround.

  • In reply to Olivier Rombaut:

    I faced the same issue. To resolve this you have to log in once at office.outlook.com to sync the credential, then it will work.

    Thank you.

  • This solved my issue, THANK YOU VERY MUCH FOR THAT, but why the heck is the adapter not doing this by default? I feel like there should be a field in the SSL VPN (remote access) section or the VPN settings section to set the default gateway if the option to use that is checked. Or just do it automatically, as implied! If there are any Sophos engineers looking at this thread, PLEASE EXPLAIN! Manually setting this is not reasonable for all clients.

  • In reply to Paul Schwegler:

    I've created a feature request to allow exceptions for Office 365 traffic when using a full-tunnel VPN, as recommended by Microsoft.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/40494022-full-tunnel-vpn-exceptions-e-g-for-office-365-tra

  • In reply to Wimar Aswan:

    We managed to overcome this problem by using the latest OpenVPN client downloaded directly from their website:

    https://openvpn.net/community-downloads/