Hello Everyone,

I'm pleased to announce the release of Sophos Connect 2.1! This is primarily a security and maintenance update, but contains one significant enhancement for IPsec VPN provisioning. With this release, provisioning files will also allow import of IPsec policies.

Remote Access IPsec Policy provisioning
When provisioning users, the client and provisioning file may be pushed to users via standard automation procedures. When the client first attempts to connect, the user will be prompted to authenticate, and the client will first connect to the firewall over HTTPS and download the available VPN policy for SSL and IPsec connections for that user. If the user attempting to connect does not exist yet on the firewall, but is part of an AD user group with permission to connect over IPsec or SSL VPN, then the user will automatically be created at this point and granted VPN permissions. This enhancement removes the need to pre-create AD users on XG just to allow them to connect remotely via IPsec.

New Features

  • Remote Access IPsec policy provisioning 
  • Added new logs to indicate the policy download type when using a provisioning file.

Issues Resolved

  • Resolved RCE in Sophos Connect client for Windows (CVE-2021-25265)
  • Fixed Sophos Connect client crash due to connection file corruption.

Known Limitations

  • If you have previously customized the configuration for Sophos Connect using the scadmin utility, those settings are now available for IPsec connections in the firewall GUI.
    Update the settings in the firewall to match the settings used in scadmin before provisioning your clients, or the settings configured via scadmin may be overwritten by those coming from the firewall.
  • When both IPsec and SSL policies are found for a given user during provisioning, both policies will be downloaded, but only the SSL policy will offer the option to "Update policy". However, doing so will update both the IPsec and SSL policies.
  • If remote access IPsec networks are added or removed from the permitted networks list, in some cases, users may need to manually update the policy before changes will be applied.

  • I agree with NESCOM.

    Sophos XG doesn't even use the configured host name for the IPSEC Config to connect to.

    It uses the public IP.

    Also in SSL VPN the configured Hostname is not used by default like it was in Sophos UTM.

    Only when you set "Override Hostname" it uses a hostname instead of all IPs of all Interfaces for the configuration.

Children
  • Hey Bjorn, that is an XG-side limit, but the client does address this automatically if you use provisioning to apply the policy. The client will silently fetch a policy update with the new IP, if it ever changes, from whatever list of hostnames you specify in the provisioning file. If you're not using a provisioning file, you can set up a dynamic DNS hostname on the interface you're using for client connections, and that will automatically be used in the policy instead of the IP address. Nonetheless, more changes are planned on XG to improve differences like this between IPsec and SSL.
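The hostname-versus-IP point raised in the thread above is something worth checking before a provisioning file is pushed out: the client pulls its policy over HTTPS from whatever gateway entries the file lists, and a bare IP literal can neither be rotated through DNS nor matched by a certificate issued to a hostname. The following lint script is an added example, not Sophos code and not from the original post. It assumes the provisioning file is a JSON list of gateway entries with `gateway` and `user_portal_port` fields; treat those field names as an assumption to verify against the current Sophos Connect documentation. The sample file embedded in it is constructed for illustration.

```python
import ipaddress
import json

# Constructed sample provisioning file with three gateway entries.
# The JSON shape (a list of objects carrying "gateway" and
# "user_portal_port") is assumed; confirm the field names against
# the Sophos Connect documentation before relying on this check.
SAMPLE_PRO = """
[
  {"gateway": "203.0.113.10",    "user_portal_port": 443},
  {"gateway": "vpn.example.com", "user_portal_port": 443},
  {"gateway": "vpn.example.com", "user_portal_port": 70000}
]
"""


def is_ip_literal(host: str) -> bool:
    """True if the gateway is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_provisioning(text: str) -> list[str]:
    """Return a list of findings for a provisioning file; empty means clean.

    Checks performed:
      * the file parses as a non-empty JSON list of objects
      * each entry has a non-empty "gateway" and a port in 1..65535
      * gateways given as IP literals are flagged, because the policy is
        fetched over HTTPS from that name and a bare address cannot be
        rotated via DNS when the firewall's public IP changes
      * at least one DNS hostname is present so a policy refresh can
        follow an address change
    """
    findings: list[str] = []
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(entries, list) or not entries:
        return ["expected a non-empty JSON list of gateway entries"]

    hostnames = 0
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"entry {i}: not an object")
            continue
        gw = entry.get("gateway")
        if not isinstance(gw, str) or not gw:
            findings.append(f"entry {i}: missing or empty gateway")
            continue
        port = entry.get("user_portal_port", 443)
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"entry {i} ({gw}): invalid user_portal_port {port!r}")
        if is_ip_literal(gw):
            findings.append(f"entry {i}: gateway {gw} is an IP literal; prefer a DNS name")
        else:
            hostnames += 1
    if hostnames == 0:
        findings.append("no DNS hostname listed; policy refresh cannot follow an IP change")
    return findings


if __name__ == "__main__":
    for finding in lint_provisioning(SAMPLE_PRO):
        print("WARN:", finding)
```

Run it against a real `.pro` file by reading the file into `lint_provisioning`; an empty result means every gateway is a DNS name with a sane port, which is the configuration the reply above recommends so that the client can refresh its policy when the firewall's address changes.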