
Attempts to download Sophos Connect client (IPsec and SSL VPN) from an XG135 User Portal result in a text file

Howdy!

I'm getting used to the operations of my new XG135 firewall. I'm configuring users for IPSEC VPN client access. I can create a user on the firewall. I then navigate to the firewall's User Portal and log in as the user. The User Portal displays a QR that I scan using the Sophos Authenticator on my phone. I then log in to the User Portal as the user this time with the 2FA code appended to the user's password. I land on the User Portal page shown below.

When I try to download either of the Windows or macOS clients, I don't get any kind of executable or installer. Instead, I get a text file called "info.txt" with the following content.

Requested file could not be provided. Make sure Pattern Updates are working correctly.
You can find it under 'Backup & Firmware' -> 'Pattern Updates'

I've checked my firewall's Pattern Updates and the Sophos Connect clients are there and have been updated recently as shown below.

The firewall has the latest firmware (SFOS 18.0.4 MR-4) and all the Pattern Updates look good (populated and have recent timestamps).

I am able to download the Sophos Connect clients while managing the firewall through Sophos Central. This is from the "VPN > IPsec (remote access)" page. When I do this I get a zip file containing the files

  • scadmin(legacy).msi
  • Sophos Connect_1.4_(IPsec).pkg
  • SophosConnect_2.0_(IPsec_and_SSLVPN).msi

I have used the Sophos Connect_1.4_(IPsec).pkg successfully to install on a Mac. Similarly, SophosConnect_2.0_(IPsec_and_SSLVPN).msi works fine for Windows.

Thanks for your attention to my problem. Let me know if you need more information. I look forward to getting this resolved.

Sincerely,

Chris



  • Hello Chris,

    Thank you for contacting the Sophos Community.

    This issue is being investigated under NC-70289

    As a workaround, you can share the Client with users if you download it from the XG itself.

    Configure >> VPN >> IPSec (Remote Access) >> Download Client

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for getting back to me. I'll be handing out Clients manually for now.

    Just to be sure... Does your reference to NC-70289 mean that Sophos is aware of the issue (has a bug report or internal support ticket) and that a fix will be out sometime? If so, I'm satisfied.

    Sincerely,

    Chris

  • Maybe I need to quickly recap the possibilities and the current limitation.


    Limitation/Bug: Sophos Connect config + Installer cannot be downloaded by the User (user portal). PS: This option is new. 

    How do administrators publish VPN (Sophos Connect):

    You can download the software (Sophos Connect installer) via Webadmin (port 4444). This file is an MSI installer for general install purposes. Most administrators publish this software via GPO or software deployment tools to managed clients. You can also give this MSI file to a user, if you want to install it locally (admin privileges needed).

    After Sophos Connect is installed on the client, the admin will build a config file for the user. For example, an SSLVPN config file:

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SConProvisioningFile.html?hl=sophos%2Cconnect%2Cprovisioning%2Cfile

    Generally speaking, a file which points Sophos Connect to the XG WAN IP.

    [
      {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
      }
    ]

    This file will be imported via GPO/Software Deployment or manually.
    Push it to the client into the folder "import" in Sophos Connect install directory.

    The user will see this config immediately: the user will use his own credentials to log in.
    The Connect client will do the rest and import its own, user based, config file.


    This process works fine.




    The (old) SSLVPN part also works fine.
    You can simply log in to the user portal and download your old SSLVPN Config + SSLVPN Installer. This is a "per user view".


    PS: This is not a critical bug, as this process is new and not many people are using this approach.

    __________________________________________________________________________________________________________________
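An added example, not part of the original posts and not Sophos code: a pre-deployment check for the provisioning file quoted in the post above, run before the file is pushed to clients. Key names and types are taken from that quoted template; the function name, the required-`gateway` rule and the two review warnings are assumptions of this example.

```python
import json

# Key names and value types come from the provisioning file quoted in the post above.
EXPECTED = {"gateway": str, "user_portal_port": int, "otp": bool,
            "auto_connect_host": str, "can_save_credentials": bool,
            "check_remote_availability": bool, "run_logon_script": bool}

# Constructed sample: the template exactly as posted, placeholders not yet filled in.
TEMPLATE = """[{"gateway": "<Enter your gateway hostname or IP address>",
  "user_portal_port": 443, "otp": false,
  "auto_connect_host": "<Enter internal hostname or IP address>",
  "can_save_credentials": true, "check_remote_availability": false,
  "run_logon_script": false}]"""

def lint_provisioning(text):
    """Return (level, message) findings; an empty list means nothing to flag."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(doc, list) or not doc:
        return [("error", "top level must be a non-empty JSON array")]
    out = []
    for i, entry in enumerate(doc):
        if not isinstance(entry, dict):
            out.append(("error", f"entry {i}: not a JSON object"))
            continue
        for key, value in entry.items():
            want = EXPECTED.get(key)
            if want is None:
                out.append(("warn", f"entry {i}: '{key}' is not in the quoted template"))
            # bool is a subclass of int in Python, so compare exact types
            elif type(value) is not want:
                out.append(("error", f"entry {i}: '{key}' must be {want.__name__}"))
            elif want is str and "<" in value:
                out.append(("error", f"entry {i}: '{key}' still holds a placeholder"))
        if "gateway" not in entry:  # assumption: a file without a gateway is useless
            out.append(("error", f"entry {i}: 'gateway' is missing"))
        port = entry.get("user_portal_port")
        if type(port) is int and not 1 <= port <= 65535:
            out.append(("error", f"entry {i}: port {port} is out of range"))
        # Review prompts chosen for this example, not vendor guidance.
        if entry.get("can_save_credentials") is True:
            out.append(("warn", f"entry {i}: client may store user credentials"))
        if entry.get("otp") is False:
            out.append(("warn", f"entry {i}: 'otp' is false; confirm against 2FA setup"))
    return out

if __name__ == "__main__":
    for level, msg in lint_provisioning(TEMPLATE):
        print(f"{level}: {msg}")
```

Run against the unmodified template, it reports the two unfilled placeholders as errors and the two settings worth a second look as warnings.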

  • I would like to mention two points here about SSLVPN client

    a. If you are using the old SSLVPN client, it's working as it is; there is no issue with it. Users can continue downloading the client and config from the user portal.

    b. If you are using the Sophos Connect client for SSLVPN, it's broken in the v18MR4 release and is being tracked as part of NC-70289.

    Still there are two alternative ways to provide client to end user which are captured in following article.

    https://support.sophos.com/support/s/article/KB-000041377?language=en_US

  • This is affecting SSL-VPN old for me and I've replicated this on multiple XGs running the latest firmware. You press download Client and Configuration and get no response; dev tools shows JavaScript errors.

  • Ok - Let's slow down.

     - Do you get a cred auth page, which asks for your creds and a captcha portal. Or does it not start in general? If you go to the user portal (manually), can you download the config for sslvpn for different OS (not Sophos connect)? 

     That is correct, but that is not what should matter in any kind of scenario. If you download the SSLVPN for other OS, it still should work. And this ovpn should be importable in the Sophos Connect. 

    Alok posted the Link to the KB, which indicates the issue and the limitation is only the New MR4 version, presented to the end user. 

    If Sophos Connect/SSLVPN would be broken, there would be more feedback in the community than this. This feature is perfectly working for every Sophos customer today. Only the new option to give the user their own download link is broken, which basically is not in use by many customers. (Most likely because a user does not have admin privileges on their Windows client.)

    __________________________________________________________________________________________________________________

  • No, the old ssl-vpn client cannot be downloaded under 18MR4, if that would work I would have no problem.

  • That seems to be an issue, not related to this one. If you try to download the old SSLVPN, what do you see in the user portal? 

    __________________________________________________________________________________________________________________

  • Yes, I do get a cred auth page, then the message with the missing SSL-VPN-Policy follows.

    And no, I can neither download the SSL VPN configuration nor the configuration for Sophos Connect from the user portal.
  • That seems to be an issue, not related to this one. If you try to download the old SSLVPN, what do you see in the user portal? 

    Nothing happens.

  • So you cannot download the SSLVPN Config, as the user portal does nothing, if you click on SSLVPN configuration for other OS? 

    Did you check this KB? https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/119348/sophos-xg-firewall-troubleshooting-0-byte-ssl-vpn-file

    It could be related to this issue, that you are not able to download this file, as the config file is broken. That's not related to this issue.

    I confirmed on multiple XG Firewalls that I can download the SSLVPN and this is not related / affected in any case.

    So your issues are not related to this particular issue. We are only tracking the download of Sophos Connect on the user portal as an issue. Your problems seem to be something else.

    __________________________________________________________________________________________________________________

  • Do you have a CA configured on the XG? SSL VPN cannot be downloaded if you don't have a CA configured.

  • I’ve not touched anything to do with the CA, do you need to change any of the default settings to get this to work? I didn’t see that listed in the configuration guide 

  • Yes, you have to first configure the certificate authority for the XG. It's unfortunately not part of the guide for VPN, but it's a prerequisite.

    When you click to download the SSL VPN client for a new user, it automatically generates a certificate for this user that is signed by the Sophos XG appliance CA. If you do not have the CA configured, it cannot create the user certificate and therefore you cannot download the SSL VPN client. Unfortunately it doesn't throw any error. It just doesn't work.

    But this is not anyhow related to the Sophos Connect case.

  • I had this issue yesterday with a brand new XG I installed for a customer.   The old SSL VPN client wouldn't download. Click > nothing. 

    I called support and after a long wait on hold I spoke with support who went through and textbooked my setup (hate it when they do that).  The very last thing he did was to fill out the information in System > Certificate Authorities > Default certificate.  After that was filled out I logged out/in to the user portal and my SSL VPN client started downloading.  

    I've never filled this certificate out that I recall.  It's always been pre-populated.  I'm not even sure where they got the city & state from, but they're accurate.  I went through several of our customers, even some that don't use VPN, and they all have the correct information in the default CA.  So having to fill it out yesterday manually was new for me.  

    The Connect client still gives the text file error and the Apple IOS IPsec VPN client configuration logs me out of the firewall when clicked.  

  • This issue can occur, if the data in MySophos is not correct or uses special characters. XG will fetch the data by wizard from mySophos. If there are special characters or other stuff in there, it can destroy the CA creation. Most likely in most setups, this works fine, sometimes there are corner cases, which shows this issue about the empty / corrupt CA. 

    __________________________________________________________________________________________________________________

  • Hi There!

    If I regenerate the built-in certificate, can it affect the RED devices?

  • As far as I know - No. RED uses its own certificate, not visible to the end user.

    __________________________________________________________________________________________________________________

  • Hi, same issue here

    The Connect client still gives the text file error and the Apple IOS IPsec VPN client configuration logs me out of the firewall when clicked.  

    When I try to download either of the Windows or macOS clients, I don't get any kind of executable or installer

    The problem is more than 30 days old and there is no solution with a firmware update.