Sophos Connect 2.0 - Early Access Program

Hey Everyone,

I'm excited to announce that Sophos Connect 2.0 for Windows is now available in early access!

Download link

Sophos Connect 2.0 for Windows EAP Download


Major new features

The main focus of this release is adding support for SSL VPN, while making it possible to bulk-deploy SSL VPN as easily as you can Sophos Connect v1.

  1. SSL VPN support for Windows
  2. Bulk Deployment of SSL VPN config via new provisioning file
  3. The same convenience features you expect in Sophos Connect for IPsec
    • OTP prompt support
    • Improved DUO MFA support (when connecting to XGv18)
    • Auto-Connect
    • Logon script execution on connect
    • Remote gateway availability probing
  4. Automatic re-fetch of the latest user policy when the SSL VPN policy is updated on the firewall (when the provisioning file is used for deployment)
  5. Manual re-fetch of the latest policy
  6. Automatic failover to next firewall WAN link when one link fails
  7. File extension association for policy files - Import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email


Provisioning File

The key to a number of these features is the new provisioning file format. It allows a single file to be distributed to all users, exactly as you can for IPsec today. Currently this file must be created by hand, but that is very easy: take an example from the supplied documentation and change the values you want.

The provisioning file works by pointing the client to the XG user portal address and port. When the provisioning file is pushed to a client, the user sees the connection listed just like any other, and when they click Connect they are prompted for credentials, just like any other connection. The client then logs in to the XG user portal with the supplied credentials, fetches the latest SSL VPN policy for that user, and connects the VPN using the same credentials. This is all invisible to the user and only adds a few seconds to the connection time. Later, if the connection fails, the client automatically fetches an updated VPN profile from the user portal, in case any of the policy settings have changed.

Bulk deployment works seamlessly when the user portal is reachable from wherever clients connect. If you are concerned about exposing the user portal to the internet on the default port, consider moving it to a less commonly used port; that lowers its exposure to drive-by port 443 scans. You can of course expose the user portal only to internal networks, though this will limit the effectiveness of bulk deployment.
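As an added, defender-side example that is not part of Sophos's announcement or of the Sophos Connect product: a small Python audit an administrator could run over a provisioning file before bulk-distributing it. The real provisioning file format lives in the linked documentation and is not reproduced on this page, so the JSON keys `display_name`, `gateway` and `user_portal_port` are assumptions for this example. The checks follow the post's own guidance: the file must point at a user portal address and port, and a portal left on the default port 443 is more exposed to drive-by scans. The optional `probe_user_portal` performs the same kind of availability check the client does, but with TLS certificate validation, so a portal certificate that does not validate is caught before users are told to trust it.

```python
import json
import socket
import ssl
from ipaddress import ip_address
from typing import List

# Constructed sample provisioning files. These are NOT the real Sophos Connect
# format; the keys "display_name", "gateway" and "user_portal_port" are
# assumptions made only for this example.
SAMPLE_DEFAULT_PORT = """
[
  {"display_name": "HQ SSL VPN", "gateway": "vpn.example.test", "user_portal_port": 443}
]
"""

SAMPLE_NONDEFAULT_PORT = """
[
  {"display_name": "HQ SSL VPN", "gateway": "vpn.example.test", "user_portal_port": 8443}
]
"""


def _valid_host(host: str) -> bool:
    """Accept a bare hostname or an IP literal; reject URLs, paths and host:port."""
    if not host or "://" in host or "/" in host or ":" in host:
        try:
            ip_address(host)  # an IPv6 literal legitimately contains ':'
            return True
        except ValueError:
            return False
    labels = host.split(".")
    return all(label and label.strip("-") == label for label in labels)


def audit_provisioning(text: str) -> List[str]:
    """Return a list of findings (ERROR/WARN strings); an empty list means clean."""
    findings: List[str] = []
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"ERROR: provisioning file is not valid JSON: {exc}"]
    if not isinstance(entries, list) or not entries:
        return ["ERROR: expected a non-empty JSON array of connections"]
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"ERROR: entry {index} is not an object")
            continue
        label = entry.get("display_name") or f"entry {index}"
        host = entry.get("gateway")
        port = entry.get("user_portal_port")
        if not isinstance(host, str) or not _valid_host(host):
            findings.append(f"ERROR: {label}: gateway must be a hostname or IP address")
        # bool is a subclass of int in Python, so reject true/false explicitly
        if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
            findings.append(f"ERROR: {label}: user_portal_port must be an integer 1-65535")
        elif port == 443:
            findings.append(
                f"WARN: {label}: user portal on default port 443; "
                "the post recommends a less common port to reduce drive-by scan exposure"
            )
    return findings


def probe_user_portal(host: str, port: int, timeout: float = 5.0) -> bool:
    """Pre-rollout reachability check: TCP connect plus a validated TLS handshake.

    Returns False for unreachable hosts AND for certificates that do not validate,
    which is worth fixing before users are asked to trust the portal. This makes a
    real network call and is not exercised by the constructed samples above."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is an OSError subclass, so this covers both
        return False


if __name__ == "__main__":
    for name, sample in (("default port", SAMPLE_DEFAULT_PORT),
                         ("non-default port", SAMPLE_NONDEFAULT_PORT)):
        print(name, "->", audit_provisioning(sample) or ["OK"])
```

Run it against a provisioning file before pushing the file to endpoints; treat any ERROR as a blocker and decide on the WARN according to whether the portal is internet-exposed or internal-only, as discussed above.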
 

Provisioning file documentation


Known Issues

  • If MFA is enabled for both the user portal and SSL VPN, users may receive two prompts for a token or DUO Push on first connection, or when the policy is updated
  • If the user logon limit is set to 1 on XG, the login to the user portal followed immediately by the VPN connection may happen quickly enough that XG counts the VPN connection attempt as a second concurrent login and blocks it. Set the logon limit to at least 2 to avoid this issue.
Comments

  • Works great, no issues found so far.

    The provisioning process of SSL VPN configurations is straightforward.

    Also updating configurations works without any troubles.

    SSLVPN works in conjunction with IPSEC VPN.  If you label them accordingly, users can choose between SSL and IPSEC

    You can even add 3rd party .ovpn files, for example from UTM firewalls, which is pretty handy for partners, since you have to uninstall/deactivate the legacy SSL VPN client during the installation of Sophos Connect 2.0.

    I'm very happy with this solution. This is the right direction; it's even more convenient than GPO rollout.

  • Thanks Samuel, I should add that UTM9 ovpn files are expected to work, but not yet fully tested and supported. Third party ovpn files might work, but it will be much more likely that they won't work.

  • Are there any plans in the near future to release a macOS version with the SSL VPN features, or just version 2.0?

    Actually I'm waiting for an end-user-friendly VPN client which could be easily used on Windows and macOS systems.

    A macOS client with the new enhancements and at least IPsec would be really helpful.

  • I guess that bulk deployment of SSL VPN in SG9 doesn't work. Or yes? Thank you.

  • I can't install it on a Windows 7 x64.

    The OpenVPN service doesn't start.

  • Yes, a Mac version is planned, but I don't have a timeline for it yet.

    It won't work with UTM9 today. We are considering it, but not with this release.

    Please start a thread in the EAP forum where this can be discussed in more depth. Event log errors would be a good starting point to investigate.

  • Seems the new Captcha is interfering with the SSL VPN configuration, hopefully there will be a way to disable the Captcha so we can use this new client.

  • I can confirm. SSL VPN provisioning does not work after captchas were enforced.

    What a bummer. Please fix ASAP or provide a solution to disable captchas.

  • I'm sorry for any issues this has caused. The captcha change was an unfortunate necessity that could not wait for Sophos Connect to update and account for it prior to release. We are working on a fix though, so please stay tuned.

  • Any update on this? ETA / timeline?

  • When will there be a possibility to disable the captcha in order to use the Connect 2.0 client with SSL VPN again? Any update?

  • The following bugs still exist:

    Case #9783398 - Sophos Connect client creates a network connection without "Register this connection in DNS" option selected

    Case #9783103 - Authentication fails if username or password contains German umlauts (ä, ö, ü)

    Case #9783355 - IKE SA lifetime does not match the setting in UTM9

    Any chance that the issues will be fixed?

  • Any news on Connect 2.0? The auto provisioning was nice and now this is all moot with the captcha. Any ETA on an updated build that supports captcha? Updated build to run on Mac? I know Sophos has a large Mac presence internally... how is Sophos deploying SSL VPN connections to their Mac endpoints?

  • This is still not working due to CAPTCHA.

    Any updates???