I'm getting used to the operations of my new XG135 firewall. I'm configuring users for IPSEC VPN client access. I can create a user on the firewall. I then navigate to the firewall's User Portal and log in as the user. The User Portal displays a QR that I scan using the Sophos Authenticator on my phone. I then log in to the User Portal as the user this time with the 2FA code appended to the user's password. I land on the User Portal page shown below.
When I try to download either of the Windows or macOS clients, I don't get any kind of executable or installer. Instead, I get a text file called "info.txt" with the following content.
Requested file could not be provided. Make sure Pattern Updates are working correctly.
You can find it under 'Backup & Firmware' -> 'Pattern Updates'
I've checked my firewall's Pattern Updates and the Sophos Connect clients are there and have been updated recently as shown below.
The firewall has the latest firmware (SFOS 18.0.4 MR-4) and all the Pattern Updates look good (populated and have recent timestamps).
I am able to download the Sophos Connect clients while managing the firewall through Sophos Central. This is from the "VPN > IPsec (remote access)" page. When I do this I get a zip file containing the files
I have used the Sophos Connect_1.4_(IPsec).pkg successfully to install on a Mac. Similarly, SophosConnect_2.0_(IPsec_and_SSLVPN).msi works fine for Windows.
Thanks for your attention to my problem. Let me know if you need more information. I look forward to getting this resolved.
Yes, we are aware of the issue and are working on the fix.
Thank you for contacting the Sophos Community.
This issue is being investigated under NC-70289
As a workaround, you can share the Client with users if you download it from the XG itself.
Configure >> VPN >> IPSec (Remote Access) >> Download Client
Thanks for getting back to me. I'll be handing out Clients manually for now.
Just to be sure... Does your reference to NC-70289 mean that Sophos is aware of the issue (has a bug report or internal support ticket) and that a fix will be out sometime? If so, I'm satisfied.
So you cannot download the SSLVPN Config, as the user portal does nothing, if you click on SSLVPN configuration for other OS?
Did you check this KB? https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/119348/sophos-xg-firewall-troubleshooting-0-byte-ssl-vpn-file
It could be related to this issue, that you are not able to download this file, as the config file is broken. That's not related to this issue.
I confirmed on multiple XG Firewalls that I can download the SSLVPN and this is not related / affected in any case.
So your issues are not related to this particular issue. We are only tracking the download of Sophos Connect on the user portal as an issue. Your problems seem to be something else.
Do you have a CA configured on the XG? SSL VPN cannot be downloaded if you don't have a CA configured.
I’ve not touched anything to do with the CA, do you need to change any of the default settings to get this to work? I didn’t see that listed in the configuration guide
Yes, you have to first configure the certificate authority for the XG. It's unfortunately not part of the guide for VPN, but it's a prerequisite.
When you click to download the SSL VPN client for a new user, it automatically generates a certificate for this user that is signed by the Sophos XG appliance CA. If you do not have the CA configured, it cannot create the user certificate and therefore you cannot download the SSL VPN client. Unfortunately it doesn't throw any error. It just doesn't work.
But this is not anyhow related to the Sophos Connect case.
I had this issue yesterday with a brand new XG I installed for a customer. The old SSL VPN client wouldn't download. Click > nothing.
I called support and after a long wait on hold I spoke with support who went through and textbooked my setup (hate it when they do that). The very last thing he did was to fill out the information in System > Certificate Authorities > Default certificate. After that was filled out I logged out/in to the user portal and my SSL VPN client started downloading.
I've never filled this certificate out that I recall. It's always been pre-populated. I'm not even sure where they got the city & state from, but they're accurate. I went through several of our customers, even some that don't use VPN, and they all have the correct information in the default CA. So having to fill it out yesterday manually was new for me.
The Connect client still gives the text file error and the Apple iOS IPsec VPN client configuration logs me out of the firewall when clicked.
This issue can occur if the data in MySophos is not correct or uses special characters. XG will fetch the data by wizard from MySophos. If there are special characters or other stuff in there, it can destroy the CA creation. Most likely in most setups this works fine; sometimes there are corner cases which show this issue with the empty / corrupt CA.
If I regenerate the built-in certificate, can it affect the RED devices?
As far as I know, no. RED uses its own certificate, not visible to the end user.
Hi, same issue here
When I try to download either of the Windows or macOS clients, I don't get any kind of executable or installer
The problem is more than 30 days old and there is no solution with a firmware update.
Did you check for this issue? https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/119348/sophos-xg-firewall-troubleshooting-0-byte-ssl-vpn-file
I checked the issue but it does not work. I don't use certificates on IPsec or SSL VPN.
I filled in the CA, but still no download of the client, and I get logged out if I download the IPsec iOS config file.
Sophos Connect Client is broken.
Apple iOS IPsec VPN is broken.
SSL VPN Client should work. If this is not working: Check https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/119348/sophos-xg-firewall-troubleshooting-0-byte-ssl-vpn-file all options. (Check the certificate, check for special characters etc.)
Ok, I hope it will be fixed. It is broken over 30 days after it was reported!
Sophos Connect Client is not needed, as this is a new option and most admins use the Webadmin anyway instead of the user configuration part. Sophos Connect works perfectly with the option presented in the XG webadmin. Apple iOS is a corner use case as most customer use MDM solutions to push this configuration anyway.
I know, we bought an XG with licenses over 2500€ and the firmware doesn't work 100%.
The old UTM worked.
They can’t even give us a progress update or eta fix which is the best part!
I still do not understand the use case, which we are talking about.
Could you please give me the use case, why you want to download the config in the user portal instead of simply use the webadmin and push this to the clients?
Why do you want to use this feature in the first place? It does not make sense to me, to advise the user to login to the user portal, if you can install the software remotely, install the config remotely.
PS: UTM does not include this feature. There is no Sophos Connect integration.
I still think we are not talking about the same thing. And I am not able to understand where the misunderstanding is.
On the UTM the user can download their own IPsec config file; this doesn't work on the XG.
The user should install it themselves.
On the XG there is the feature but it is broken, you told us.
Please fix it instead of telling me that our solution is not your first way.
The XG never had an IPsec config in the first place. The VPN config for IPsec for iOS is a different format.
PS: UTM had only the NCP Client config. See: The IPsec VPN section contains the old NCP based executable endpoint computer software, configuration file, and certificate (if selected) for the remote access endpoint computer.
This feature for the end user to download a config + Client is new.
I am still pointing to a better solution compared to this user approach. As an administrator, my primary goal would be to distribute and maintain the software in a centralized approach. I talked to a couple of customers in the last days and nobody was using this (non-working) approach. Hence nobody really noticed a bug in the first place.
From a security perspective: I would highly encourage you to remove admin privileges from the users in the first place. But that's another story.
PS: The Apple iOS Download Link should be fixed in MR5. https://community.sophos.com/sophos-xg-firewall/b/blog/posts/xg-firewall-v18-mr5-is-now-available