Hello Everyone,

I'm pleased to announce the release of Sophos Connect 2.1! This is primarily a security and maintenance update, but contains one significant enhancement for IPsec VPN provisioning. With this release, provisioning files will also allow import of IPsec policies.

Remote Access IPsec Policy provisioning
When provisioning users, the client and provisioning file may be pushed to users via standard automation procedures. When the client first attempts to connect, the user will be prompted to authenticate; the client will then connect to the firewall over HTTPS and download the available VPN policy for SSL and IPsec connections for that user. If the user attempting to connect does not exist yet on the firewall but is part of an AD user group with permission to connect over IPsec or SSL VPN, the user will automatically be created at this point and granted VPN permissions. This enhancement removes the need to pre-create AD users on XG just to allow them to connect remotely via IPsec.

New Features

  • Remote Access IPsec policy provisioning
  • Added new log entries indicating the policy download type when a provisioning file is used.

Issues Resolved

  • Resolved RCE in Sophos Connect client for Windows (CVE-2021-25265)
  • Fixed Sophos Connect client crash due to connection file corruption.

Known Limitations

  • If you have previously customized configuration for Sophos Connect using the scadmin utility, those settings are now available for IPsec connections in the firewall GUI.
    Update the settings in the firewall to match the settings used in scadmin before provisioning your clients, or the settings configured via scadmin may be overwritten by those coming from the firewall.
  • When both IPsec and SSL policies are found for a given user during provisioning, both policies will be downloaded, but only the SSL policy will offer the option to "Update policy". However, doing so will update both the IPsec and SSL policies.
  • If remote access IPsec networks are added or removed from the permitted networks list, in some cases, users may need to manually update the policy before changes will be applied.
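The first Known Limitation above asks administrators to reconcile settings configured via scadmin with those on the firewall before provisioning, because the firewall's settings win on download. The following is an added example of the kind of pre-provisioning drift report an administrator could run; it is not Sophos Connect or XG code, and the setting names, nesting and the two JSON documents are constructed placeholders, not the real scadmin or provisioning-file format.

```python
import json

# Sentinel for "this key exists on one side only" (string so results are easy to compare).
ABSENT = "<absent>"


def flatten(settings, prefix=""):
    """Flatten nested dicts into dotted keys so differences are readable (e.g. 'ipsec.mtu')."""
    flat = {}
    for key, value in settings.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, dotted))
        else:
            flat[dotted] = value
    return flat


def policy_drift(local, remote):
    """Return sorted (key, local_value, remote_value) tuples for every setting that
    provisioning from the firewall would change on the client.

    ABSENT marks a key that only exists on one side: a key only in `local` would be
    lost, a key only in `remote` would be newly imposed."""
    local_flat, remote_flat = flatten(local), flatten(remote)
    drift = []
    for key in sorted(set(local_flat) | set(remote_flat)):
        lv = local_flat.get(key, ABSENT)
        rv = remote_flat.get(key, ABSENT)
        if lv != rv:
            drift.append((key, lv, rv))
    return drift


def safe_to_provision(local, remote):
    """True only when the firewall policy would not alter anything already on the client."""
    return not policy_drift(local, remote)


def drift_report(local, remote):
    """Human-readable lines, one per drifted key, for an operator to review."""
    return [f"{key}: client={lv!r} -> firewall={rv!r}" for key, lv, rv in policy_drift(local, remote)]


# Constructed sample: what the client currently has (as if exported from scadmin) ...
LOCAL_SETTINGS = json.loads("""{
  "display_name": "Corp VPN",
  "gateway": "vpn.example.com",
  "ipsec": {"dpd": true, "mtu": 1400},
  "ssl": {"port": 8443}
}""")

# ... and what the firewall would push via provisioning. Hypothetical keys only.
REMOTE_SETTINGS = json.loads("""{
  "display_name": "Corp VPN",
  "gateway": "203.0.113.10",
  "ipsec": {"dpd": true},
  "ssl": {"port": 8443},
  "auto_connect": false
}""")

if __name__ == "__main__":
    # Expected: gateway changes, ipsec.mtu would be lost, auto_connect would be imposed.
    for line in drift_report(LOCAL_SETTINGS, REMOTE_SETTINGS):
        print(line)
    print("safe to provision:", safe_to_provision(LOCAL_SETTINGS, REMOTE_SETTINGS))
```

Run against the real exports once you know their format; the point is to surface, before rollout, every value the firewall would overwrite (including keys that exist only on the client, which simply disappear) so they can be aligned in the firewall GUI first.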

  • Software design is not done very well.
        • For SSL-VPN you can set "Override hostname" on XG, but not for IPsec (which is fundamental!)
        • If you use provisioning file for SSL as from Version 2.0 you have now no option to select if it's for SSLVPN and/or IPsec (always valid for both)
        • As from above, an existing working IPsec configuration will now be overwritten and may not be working anymore (e.g. as the gateway is set incorrectly from XG)! ATTENTION: This means no backward compatibility!
        • IPsec VPN cannot be used directly on XG interfaces, e.g. if you run DMZ or public WLAN and want to get from there to the internal network; that is not possible by design.
        • GUI does not consider Windows fonts settings for applications e.g. scaling. On 4K Displays it's almost impossible to read content (not accessible).

  • Hey Nescom, thanks for your feedback. I'm not sure what you mean by

    "As from above, an existing working IPsec configuration will now be overwritten and may not be working anymore (e.g. as the gateway is set incorrectly from XG)! ATTENTION: This means no backward compatibility!"

    This client is fully backwards compatible with config created for older XG versions. If you have more details on this problem, please feel free to PM me about it. We will gladly look into it.

    As for the rest, there are still some limits on XG that will be updated in future firewall updates, and the scaling issue is known, and will be addressed in future also. 

  • We have opened a case for this critical behavior as we ran into this issue (03752858).
    I know it's by design and support usually does not care about bad design. Anyway, if the intention was backward compatibility, I'm sorry to tell you it failed.

  • Known Limitations
    "When both IPsec and SSL policies are found for a given user during provisioning, both policies will be downloaded"
    What you did not mention: even existing legacy configuration will then be overwritten! No way to disable IPsec provisioning anymore.

  • Ok, I think I understand what you're describing. I can see it being possible for problems to occur if there is a difference between the policy that the client already has installed and the policy as it's defined in XG. If they don't match, or define different access levels or settings, then when the policy gets updated by provisioning, it would take the new settings from XG. I will add a cautionary note in the release post about this, and I'll talk to our dev team about it. Thanks again for reporting.
