Clientless Access VPN - BUG


I have an internal website that my external workers have been accessing via the portal (VPN > Clientless Access). As of yesterday my remote workers can't access pages correctly. I've restarted Sophos XG and the Server. I've noticed in the Log Viewer the following...

Log Comp: SSL VPN


Username: My Username

Message: Use "My Username" was allowed access of the HTTP resource http://images/logo.jpg

Is this correct? Does the IP address of the internal server need to be prefixed? Eg.

The portal website sometimes displays the page poorly or not at all and I can see the following source code...

The URL for this blank white page is  = https://myexternalip/userportal/CRSSL/http/ClientLogin.aspx

The source code for that page is...

"<!--#set var="TITLE" value="SSLVPN User Portal Error:"

--><!--#include virtual="include/top.html" -->

<!--#if expr="$REDIRECT_ERROR_NOTES" -->
<!--#include virtual="include/spacer.html" -->
<!--#echo encoding="none" var="REDIRECT_ERROR_NOTES" -->
<!--#endif -->"

Please can you help or throw any suggestions my way? Many thanks

EDIT: The first page kind of works. There's no neat formatting or styling. However I can see text. The URL displays the following...


When I click any link, a white page appears and the URL changes to https://externalip/userportal/CRSSL/pagename.aspx

It's not prefixing the URL and therefore nothing is displaying correctly. Please can others check this to see if it's just me :)

Many thanks

  • In reply to lferrara:

    I have the case #7060376 opened too on 2017/3/1.

  • In reply to ShunzeLee:

    I have the case #6562394 opened on 28 sept 20216........ starting to lose faith 

  • In reply to lferrara:

    These are my known issues still open:


    Please share yours


    It would be helpful to be able to see all the known issues...

  • In reply to lferrara:

    WoW! Thank you!

  • In reply to MassimoForni:

    Also my support told me there are 2 more issues under review which have not yet been published.

  • In reply to MassimoForni:

    Hey y'all,

    I spent sometime yesterday speaking to several people at Sophos.  At the end of the call I find out that Sophos does not an answer to the issues with both:

    HTML5 and Clientless VPN

    So now we get to tell our client, OOPS, sorry the manufacturer offers some features that can not be utilized.  As a company that is new to Sophos we are greatly concerned committing to their product line.  Not to mention their support took a little to long for our comfort to response and reach out to a critical issue.

    Not sure if this is a bad sign for their management, Dev team, or both.

  • Hi All,

    This is a known issue. Here, the access to HTTP/s bookmarks to web servers, which contains JavaScript based dynamically generated URLs, is not possible. 

    The workaround to this issue is to use a full tunnel configuration with SSL VPN instead of clientless VPN access.

    Thank You

  • In reply to sachingurung:

    Hello, this is not entirely true, you have a bug in css and js valuation even if is not dynamically generated.

  • In reply to sachingurung:

    This work around is not ideal for clients that need to browse different websites and use apps connecting to local resources.  That was the reason to create the Clientless VPN option.


    Dedicate more resources Sophos!!!!

  • In reply to lferrara:

    I have this problem, is different from other reported issues. The configuration is the same as PhilHalford1 .
    Two error on two different target
    These errors are bugs?

  • Hi All,

    I want to update about the issues related to Clientless VPN access, there are two reported NC-ID associated to this issue.

    1. NC-13570 - This is resolved in v16.05 MR-5. The bookmarks didn't resolve properly which was caused due to "Restrict Web Applications". When it is ON, it will only allow URLs which have same domain as given in URL of bookmark. It won't allow sub domains which are used in that website. To allow this sub domains, user has to mention "Referred Domains" while creating bookmark. There was an issue in the match condition which is not fixed.
    2. NC-10370 - This issue is a known behavior and the NC-ID is closed. When the URLs are generated dynamically at client side(Web Browser), then the code is not possible to rewrite. If you feel that this is not technically correct then let us know why and I would also request you to push your support case and ask for answers from the development team.


  • In reply to sachingurung:

    I just checked out the known issues list.  Its unfortunate that little-to-no energy is being spent on this.  its a feature I was excited to use, it fills in a nice feature gap for our business.


    unfortunately, I have tried 3 different web-based bookmarks and one is rdp.  None of them work.


    I don't have time to sort out if they are rewriting urls, etc...I just know that they don't work.  one of them is simply a link to google for testing purposes.  it loads everything except the google logo.  


    but trying to use these to access internal resources such as our intranet, web interfaces for networking equipment, or web interface for an internally-hosted app all fail miserably.


    I have opened a case, but haven't heard from anyone yet to start working on it.

  • I've been away for a while, I've come back to see other people experiencing the same issue.

    There are suggestions stating that this now works? I'll give it ago. I have another company buying the product and they sure could do with bookmarks working.