Hello Everyone,

I'm pleased to announce the release of Sophos Connect 2.1! This is primarily a security and maintenance update, but contains one significant enhancement for IPsec VPN provisioning. With this release, provisioning files will also allow import of IPsec policies.

Remote Access IPsec Policy provisioning
When provisioning users, the client and provisioning file may be pushed to users via standard automation procedures. When the client first attempts to connect, the user will be prompted to authenticate, and the client will first connect to the firewall over HTTPS and download the available VPN policy for SSL and IPsec connections for that user. If the user attempting to connect does not yet exist on the firewall, but is part of an AD user group with permission to connect over IPsec or SSL VPN, then the user will automatically be created at this point and granted VPN permissions. This enhancement removes the need to pre-create AD users on XG just to allow them to connect remotely via IPsec.

New Features

  • Remote Access IPsec policy provisioning 
  • Add new logs to indicate the policy download type using a provisioning file.

Issues Resolved

  • Resolved RCE in Sophos Connect client for Windows (CVE-2021-25265)
  • Fixed Sophos Connect client crash due to connection file corruption.

Known Limitations

  • If you have previously customized configuration for Sophos Connect using the scadmin utility, those settings are now available for IPsec connections in the firewall GUI.
    Update the settings in the firewall to match the settings used in scadmin before provisioning your clients, or the settings configured via scadmin may be overwritten by those coming from the firewall.
  • When both IPsec and SSL policies are found for a given user during provisioning, both policies will be downloaded, but only the SSL policy will offer the option to "Update policy". However, doing so will update both the IPsec and SSL policies.
  • If remote access IPsec networks are added or removed from the permitted networks list, in some cases, users may need to manually update the policy before changes will be applied.

  • If the XG is connected behind a NAT Router only the internal IP of the WAN interface is provided to the IPSEC config. This makes autoprovisioning useless.

    You still have to download the config file and edit it with Sophos Connect Admin Tool.

    In XG there should be an override Hostname function.
