
Sophos Connect Feature Request / Recommendation

I’ll start this by saying I’m a huge fan of Sophos, both in terms of the company and products, and mean any criticisms that I make in the most constructive of ways – I would go as far as to say that I’m a ‘Sophos Fan Boy’, and often this is why I allow the shortcomings to pass me by with the optimistic hope that the next maintenance release will see them gone.

I have been using Sophos Connect as my primary VPN solution since last summer, and whilst elements of it have really shown promise, there are elements that I still find incredibly frustrating and limiting.

I feel with some more development Sophos Connect could be one of the best client VPN products on the market and potentially make Sophos Connect reason alone to invest in an XG.

But as with almost all VPN products, Sophos Connect is clearly made by techies for techies (not for the average user – sales account manager, accountant, lawyer, teacher, student, etc.).

My criticisms:

Currently I find Sophos Connect fairly ideal for the smaller company, but due to the fact that every user must be manually created / added to Sophos Connect (as opposed to AD/LDAP group-based permissions) – this makes it tough to manage at any scale.

The way in which the import of credentials works is somewhat problematic. Whilst a GPO/RMM deployment option is simple to do, for machines with multiple users (such as shared office laptops for users to take home) this is a problem, as the GPO option of saving to C:\Program Files (x86)\Sophos\Connect\import sees the config deleted and imported into Sophos Connect – so it won’t load for other users – and if it’s pushed into this directory on every logon, it will wipe any saved credentials.

The config file is in plain text and this includes the shared key – big no-no – especially as a lot of companies will email users this config to self-import.

There is too much in the application GUI out of the box – this can be manually stripped back by hacking about with the connections.html file in C:\Program Files (x86)\Sophos\Connect\GUI and pushed out globally via GPO, but it’s not ideal – the average Joe just needs simple ‘click to connect’ / ‘click to disconnect’ – or in the case of auto-connect, nothing at all. Just an indication of status. None of the complicated stuff.

The Sophos client uses the IPsec protocol, which can often be blocked on certain public networks, and the Sophos SSL VPN client is geared towards techie users who can self-install from the portal – none of my users could do this, so anyone who says it’s not a techie solution has never worked with the average end user. If the Sophos Connect client could incorporate the SSL functionality too – this would be great.

Suggestions for improvement:

Firstly, above anything else, the next iteration of Sophos Connect MUST have the ability to link with AD/LDAP and add users via that route – this is non-negotiable, and for any company with more than a handful of users this is a must – until it does this, it can’t be considered enterprise ready.

In addition to this, when Sophos Connect does allow users to be added via AD grouping, it would also be good if user credentials auto-populated in Sophos Connect from the Windows Credential Manager, so a configuration could be created that instructed Sophos Connect to only use directly sourced AD creds, with no option for manual type-in.

The configuration file security aspect is a big one, but also a complicated one – and I don’t think Sophos Central is the answer here either. A great way would be to give admins a way to bake their own custom Sophos Connect MSI that can include public keys for all the firewalls it will be used with, with options to pre-configure the application interface so certain menu options can be hidden for non-technical users. It could also be an option to include a config file within the MSI itself, so for simple environments with only one base VPN config, the MSI can be pushed out via RMM/GPO and, assuming it was already set up with AD, it would just work! And any new configurations could be exported in either encrypted or unencrypted standards, but the encrypted ones would only work on installations of Sophos Connect that have the public keys baked in (and new public keys could be manually imported or pushed out via GPO to the imports folder) (this is perfection from a sysadmin’s perspective!) – this MSI generation could either be achieved using a new, more capable version of scadmin (a lot of techs would prefer to perform this locally – and whilst a lot of people at Sophos may like this idea but want to do it via Central, I would urge them not to).

The pushing out of configurations can still be done via RMM/GPO, but it would be hugely useful if there could be an option to make a config ‘global’, so once on a machine, any user logged in has that config in their Connect client.

There needs to be better 2FA support for Sophos Connect, with easy Duo, Google Authenticator, and even SMS options (as app-based auth is a hurdle too steep for some very non-technical users), and with a simple SMS API integration such as Clockwork SMS or Twilio and the ability to pull users’ mobile numbers from AD, this would be an easy solution to offer – and whilst not as secure or ideal as app/key-based 2FA, it’s better than nothing. So make it happen!

And a final thing, that would be incredible but technically a big ask, is if there could be a version of Sophos VPN that sat at the base layer of Windows, deployed at install time, and used key/device-based auth to auto-connect before logon and was always on. With so many people now running their infrastructure in the cloud, and with Sophos pushing their virtual XGs in AWS / Azure, having this functionality would allow for domain auth / logon without the need for using the Windows Server AOVPN/DirectAccess – having Sophos be the entry and exit point to the network, as well as the rest of the Sophos endpoint stack, would make for a perfect package for businesses that, for whatever reason, aren’t ready to go all the way over to the Azure AD/365 cloud and still need some traditional elements of AD/DS but with the benefits of it being in the cloud. And given that after the current COVID events have passed, attitudes towards home/remote working will be a lot different, this would really give Sophos the edge.

So in summary, I think Sophos Connect is good, but if the above could be considered by the development team, I think Sophos Connect could be up there as one of the best VPN products on the market. I wrote a lot more than I intended, but welcome any comments from other users of the XGs, such as myself, in case I’ve missed out any additions that you feel would be game changing.

  • Hey Benjamin,

    Thanks for sharing, and I have some good news for you. :) Not only are your items being considered, we have plans to address almost everything you mention, and many of them are well underway! 

    Sophos Connect started with a single and simple purpose. We needed a competent IPsec client that could support easy bulk deployment and provisioning, and we needed to do everything we could to deliver it without needing significant changes on XG. The relevant teams that would need to modify XG for us were highly focused on delivering XG v18, so we created the scadmin utility to expose features like auto-connect, split tunnel config, and others. XG limits such as the not-so-ideal VPN setup workflow, IP pool size limits, and the lack of support for setting user permissions by user group were untouched.

    Now that v18 is out of the way, you can expect some more meaningful XG-side improvements in v18.5 later this year. You won't need the scadmin utility any longer to fully configure the client, and we're planning to add group support to the IPsec configuration. In addition, we'll add the same support for SSL VPN on XG as well. There are some other changes as well, like improved scalability of SSL VPN and increasing the IPsec IP pool size limit, that we've accelerated due to the current increased demand for remote access, and these are either available in MR1 (SSL VPN) or already delivered via hotfix (IPsec limit).

    Also coming imminently is Sophos Connect 2.0 (early access expected this month). It won't change the client UI look and feel at all, but it will add support for SSL VPN and serve as a replacement for the current SSL VPN client. More importantly, it will allow you to push out a single policy to all users (in exactly the same way you do today for IPsec) that contains no key material at all. It will add the connection to users' clients, and when they hit connect and enter their credentials, it will auto-fetch the user-specific policy and certs securely for the user. It can also auto-update the policy in the same way, if needed in the future.

    Finally, we're planning to integrate Sophos Connect into Sophos Central, which will unlock some new capabilities. Even simpler deployment and policy updating, auto-client updates when necessary, multi-homing and failover, device identity enforcement, secure policy delivery, and more. 
