Hi XG Community!

We're pleased to announce the public Early Access Program release of Sophos Connect 1.1!
The VPN Client is now available from within the WebAdmin of your XG Firewall.

What's New in EAP Sophos Connect 1.1

Auto connect on changes to Network Connectivity

Sophos Connect will automatically determine if the user is connected to an inside or outside (guest) network. If the user is on the guest network, the VPN tunnel is automatically enabled with saved user credentials if available; otherwise the user is prompted for credentials or OTP.

Notifications and Error reporting

Display popup notifications and change the Sophos Connect app icon state (normal, warning or error) to alert the user when the tunnel is established, disabled or fails to connect.

Dead-peer-detection (DPD)

The DPD mechanism is used by Sophos Connect when there is unidirectional traffic. When Sophos Connect does not receive a response from the gateway for the configured DPD delay duration, it sends an R-U-THERE message to the gateway. If the gateway does not respond to these messages, then after the DPD timeout (currently configured to 200 seconds) it deletes the VPN tunnel and reinitiates to build a new VPN tunnel. This mechanism automatically rebuilds the tunnel after a gateway reboots while the VPN tunnel with Sophos Connect was active.

Upgraded to latest strongSwan

Upgrade to the current stable release (5.7.1) of strongSwan.

DNS Suffix option for auto-connect

Configure DNS suffix to determine if the Sophos Connect user is on the inside or guest network. Prior to this release the admin could configure a host IP address or a FQDN.

A feature is not working as expected? You have found a bug?

[Update] Sophos Connect EAP is now officially supported starting with v1.1 MR-1. Please contact Sophos Support if you experience any issues.

We have also created this new community group for Sophos Connect discussion.

Issues Resolved

  • NC-31831 [Remote Access] DPD delay and DPD timeout were not used
  • NC-37910 [Remote Access] Add handler to generate crash dump file on Windows
  • NC-38332 [Remote Access] Telemetry data can't be sent when telemetry host IP resolves to IPv6
  • NC-38440 [Remote Access] Generating a large number of error events instead of a single "No network error"
  • NC-38933 [Remote Access] [MAC Only] Tunnel All VPN tunnel is not getting terminated when network connectivity drops
  • NC-39042 [Remote Access] Monitor active SA statistics in the SC engine
  • NC-39373 [Remote Access] Conflict between Sophos Connect and Sophos SSL VPN Client
  • NC-39660 [Remote Access] Rekey time freezes to zero seconds when same username is used to establish tunnel from different SC endpoints
  • NC-40455 [Remote Access] Rename TAP-Windows Adapter V9 to Sophos TAP adapter
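
The DPD behaviour described above can be replayed as a small timeline model to see how long a client keeps a dead tunnel after a gateway reboot. This is an added example, not Sophos or strongSwan code; the 30-second delay, the function name and the event labels are assumptions, and only the 200-second timeout comes from the announcement.

```python
DPD_TIMEOUT = 200  # seconds; the value stated in the announcement
DPD_DELAY = 30     # seconds; assumed, the announcement gives no delay value


def simulate_dpd(reboots, duration, dpd_delay=DPD_DELAY, dpd_timeout=DPD_TIMEOUT):
    """Replay the client-side DPD logic one second at a time.

    reboots: (start, end) windows in which the gateway is down.
    Modelling assumptions: traffic is unidirectional, so R-U-THERE-ACKs are
    the only inbound packets; the timeout counts from the last packet
    received; a rebooted gateway has lost the SA and cannot answer probes
    for it until the client builds a new tunnel.
    """
    def gateway_down(t):
        return any(start <= t < end for start, end in reboots)

    events = []
    tunnel_up = True
    gateway_has_sa = True
    last_rx = 0       # last packet received from the gateway
    last_probe = 0    # last R-U-THERE sent, or tunnel (re)establishment
    for t in range(1, duration + 1):
        if gateway_down(t):
            gateway_has_sa = False
        if not tunnel_up:
            # Tunnel deleted: keep reinitiating until the gateway answers.
            if not gateway_down(t):
                tunnel_up = gateway_has_sa = True
                last_rx = last_probe = t
                events.append((t, "rebuilt"))
        elif t - last_rx >= dpd_timeout:
            tunnel_up = False
            events.append((t, "deleted"))
        elif t - last_probe >= dpd_delay:
            last_probe = t
            if gateway_has_sa and not gateway_down(t):
                last_rx = t
                events.append((t, "ack"))
            else:
                events.append((t, "no-ack"))
    return events


if __name__ == "__main__":
    # Constructed scenario: the gateway reboots between t=100 s and t=160 s.
    for t, what in simulate_dpd([(100, 160)], duration=400):
        print(f"{t:4d}s  {what}")
```

In this model a 60-second reboot still leaves the client on a dead tunnel until the timeout expires, because the stale SA is only deleted 200 seconds after the last answered probe.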
  • @rogermwl Sophos Connect admin is only available for download from the XG Web UI. The user does not have access to firewall UI.

  • That's kind of my point. There doesn't appear to be anything to stop a user downloading Sophos Connect Admin and adjusting the settings themselves.

  • Yes, Sophos Connect Admin is part of the EAP for Sophos Connect. For now the firewall admin will have to use this intermediate program to help configure some additional settings which are not available via Sophos Connect Client Policy configuration on the XG firewall. The plan is to release a Sophos Connect Client that is fully managed by Sophos Central, and at that point the firewall admin will no longer need to use Sophos Connect Admin. Also, the option to allow saving of the password is a choice the admin will make based on their compliance needs.

  • Because 17.5 is now prompting at login (as 'We strongly recommend that you upgrade the device' I might add) and is marked as GA, I assumed that it was no longer in Beta. It now seems that 17.5 is some sort of Early Access and not ready for release...

    In hoping to fix an issue with SSL VPN, I'm configuring Sophos Connect for a customer. Is the use of 'Sophos Connect Admin' just part of this EAP/Beta? I'd have hoped that Sophos Connect and its configuration file would be available in the User Portal like the SSL VPN. It seems like a user could take the configuration file and adjust settings such as 'Allow Password Saving'.

  • Lucar, there are over 20,000 users of the XG and not all of them are going to register themselves against these forums to receive the updates via email as noted here.

    My issue is that it automatically loaded an Early Access Program software on MY firewall without MY permission therefore reducing the level of MY support to that of this FORUM. That is unacceptable.

    The way to fix this is to make the Sophos Connect software updates have to be manually allowed with a notification being in the alerts section of the XG GUI Dashboard. That is far more suitable than "check the forums daily".