Sophos Connect 2.2 is now GA

6 Jul 2022

Hello Everyone,

I'm pleased to announce Sophos Connect 2.2 has been released. this is primarily a security and quality update that addresses a number of issues in the libraries used by Sophos Connect, and addresses a number of issues in the client. The client is available for download, and has been distributed to SFOS firewalls via pattern updates.

Security Updates

NCL-1635 - Security fix for CVE-2022-0778
NCL-1585 - Security fix for CVE-2021-27406 in OpenVPN binary
NCL-1490 - Security fix for CVE-2021-3606 in OpenVPN
NCL-1667 - Security hygiene cleanup for CVE-2020-1967

Issues Resolved

NCL-1622 - Fix GCM Cipher parsing error
NCL-1399 - Fix rare issue with random SSL authentication failure
NCL-1616 - Fix connection issues with special characters in password
NCL-1372 - Fix connection issues with special characters in password
NCL-1319 - Fix provisioning issues with special characters in password
NCL-1256 - Fix provisioning issues with special characters in password
NCL-1261 - Fix SSL authentication with multiple spaces in username
NCL-569 - Fix provisioning issues with special characters in username

Download Links

The latest client can be downloaded from here: https://www.sophos.com/en-us/support/downloads/utm-downloads

Related Links

Deploying Sophos Connect via script or GPO: https://support.sophos.com/support/s/article/KB-000040793?language=en_US
Documentation on how to use provisioning: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNSConProvisioningFile/index.html

Parents

Cedric Menzi1 over 1 year ago

Will the Client update itself?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Joe Pruett over 1 year ago in reply to Cedric Menzi1

Maybe it does. I just went to update mine and see that it is already at 2.2 and looks to have installed on 6/29. I don't recall that I did that.

A bigger issue for me is that this client disconnects me every 1:25. The old SSLVPN client didn't have this issue using exactly the same firewall and login. I opened a ticket, but no response yet.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Avinash Aathreya over 1 year ago in reply to Joe Pruett

Hey Joe, can you help me with the Firewall version you're trying to connect to. Also the config file extension would help.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Breakingcustom over 1 year ago in reply to Joe Pruett

Joe, I have a customer having somewhat similar issues. 8 hours on the dot after they connect for the first time, they get disconnected. It will show they were logged off in the firewall, but I have the AD/SSO setting set for 10 hours and VPN timeouts to unlimited. Also, makes me wonder if this is a MFA timeout as well.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Joe Pruett over 1 year ago in reply to Avinash Aathreya

This only happens with the new vpn client. The old client is continuing to work just fine. We have 12 hour key lifetime on the ssl vpn. I have no idea where this 1:25 interval is coming from, but looking at the client log was very consistent.

Our firewall is running 19.0.0 GA-Build317
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
njabi over 1 year ago in reply to Breakingcustom

should be related to the rekey timeout on server's side! with v19 you are able to set rekey time interval vi GUI.
The issue here is 2FA if enabled for Remote Access VPNs via SC, since the Client tries to reconnect after rekey-timeout, the connection can't be hold because 2FA proposals are out of date and must be reentered by the user with current OTP ;-)
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

njabi over 1 year ago in reply to Breakingcustom

should be related to the rekey timeout on server's side! with v19 you are able to set rekey time interval vi GUI.
The issue here is 2FA if enabled for Remote Access VPNs via SC, since the Client tries to reconnect after rekey-timeout, the connection can't be hold because 2FA proposals are out of date and must be reentered by the user with current OTP ;-)
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

Joe Pruett over 1 year ago in reply to njabi

We already had the key lifetime set to 12 hours (43200 seconds). The old SSL VPN client doesn't have this problem, just the new Sophos Connect Client. openvpn client also is fine.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel