Attempts to download Sophos Connect client (IPsec and SSL VPN) from an XG135 User Portal result in a text file

Howdy!

I'm getting used to the operations of my new XG135 firewall. I'm configuring users for IPSEC VPN client access. I can create a user on the firewall. I then navigate to the firewall's User Portal and log in as the user. The User Portal displays a QR that I scan using the Sophos Authenticator on my phone. I then log in to the User Portal as the user this time with the 2FA code appended to the user's password. I land on the User Portal page shown below.

When I try to download either of the Windows or macOS clients, I don't get any kind of executable or installer. Instead, I get a text file called "info.txt" with the following content.

Requested file could not be provided. Make sure Pattern Updates are working correctly.
You can find it under 'Backup & Firmware' -> 'Pattern Updates'

I've checked my firewall's Pattern Updates and the Sophos Connect clients are there and have been updated recently as shown below.

The firewall has the latest firmware (SFOS 18.0.4 MR-4) and all the Pattern Updates look good (populated and have recent timestamps).

I am able to download the Sophos Connect clients while managing the firewall through Sophos Central. This is from the "VPN > IPsec (remote access)" page. When I do this I get a zip file containing the files

  • scadmin(legacy).msi
  • Sophos Connect_1.4_(IPsec).pkg
  • SophosConnect_2.0_(IPsec_and_SSLVPN).msi

I have used the Sophos Connect_1.4_(IPsec).pkg successfully to install on a Mac. Similarly, SophosConnect_2.0_(IPsec_and_SSLVPN).msi works fine for Windows.

Thanks for your attention to my problem. Let me know if you need more information. I look forward to getting this resolved.

Sincerely,

Chris



Edited TAGs
[edited by: emmosophos at 1:14 AM (GMT -8) on 11 Mar 2021]
  • I can't find any item like 'Sophos Connect' in the VPN menu. SFOS 18.0.4 MR-4

    and the link 'Konfiguration für andere Betriebssysteme' in the user Portal will not work. 

    I can't see any advantage.

  • Sophos Connect is an endpoint client solution, which can work with SSLVPN and IPsec VPN.

    You can configure IPsec (remote access) and SSLVPN (Remote access) on XG. It will communicate with Sophos Connect. 

    The release notes show how to configure this option: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-connect-2-0-is-now-ga

    You need a configuration file, which points the Sophos Connect to XG. SC will connect to the XG, get the sslvpn config file and the ipsec config file. 


  • The download results in a file which contains: 'Requested file could not be provided. Make sure Pattern Updates are working correctly.
    You can find it under 'Backup & Firmware' -> 'Pattern Updates''

    - the Pattern Updates are working

    no progress

  • This is still under investigation for the User Portal. 


  • Are we close to a solution 20 days after the problem was reported? I'd say this is a critical bug, given I've tested on a number of firewalls, all on the latest version, and all have the same issue. How does a critical bug like this even make it into production?

  • Sophos has been paid, we can ship the firewalls to customers with this bug. The customer bought because of the SSL VPN. And we cannot invoice the customer. Of course we won't be offering any more XG's at the moment.

  • Still, I do not understand the point of using SSLVPN compared to Sophos Connect.
    Why would you publish to a new customer an old version of a product?


  • I don't care whether I can use Sophos connect or SSL VPN for the customer, I need something that works and neither of them works.

  • Are you for real? Neither work! Regardless! ‘Old version’ it might be just that, but it’s still supported by Sophos, and for users who just need a basic SSL-VPN client there is no reason not to. If you’re saying it’s redundant compared to Connect, then why is it still included with XG? Instead of asking condescending questions, try fixing the product in the first place. All it leaves is a sour taste if Sophos’ response to a critical bug is ‘well if you used this other version, you’d have a workaround’

  • Maybe I need to quickly recap the possibilities and the current limitation.


    Limitation/Bug: Sophos Connect config + Installer cannot be downloaded by the User (user portal). PS: This option is new. 

    How do administrators publish VPN (Sophos Connect):

    You can download the software (Sophos Connect installer) via Webadmin (port 4444). This file is an MSI installer for general install purposes. Most administrators publish this software via GPO or software deployment tools to managed clients. You can also give this MSI file to a user, if you want to install it locally (admin privileges needed).

    After Sophos Connect is installed on the client, the admin will build a config file for the user. For example, an SSLVPN config file:

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SConProvisioningFile.html?hl=sophos%2Cconnect%2Cprovisioning%2Cfile

    Generally speaking a file, which points the Sophos Connect to the XG WAN IP. 

    [
      {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
      }
    ]

    This file will be imported via GPO/Software Deployment or manually.
    Push it to the client into the folder "import" in Sophos Connect install directory.

    The user will see this config immediately: The user will use his own credentials to log in.
    The Connect client will do the rest and import its own, user based, config file.


    This process works fine.




    The (old) SSLVPN part also works fine.
    You can simply log in to the user portal and download your old SSLVPN Config + SSLVPN Installer. This is a "per user view".


    PS: This is not a critical bug, as this process is new and not many people are using this approach.

    __________________________________________________________________________________________________________________
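A pre-deployment check for the provisioning file described in the post above, as an added example that is not part of the thread or Sophos's own tooling: it catches template placeholders left in place and settings that weaken the 2FA login the original poster set up. It assumes `otp` controls whether the client asks for a one-time code and `can_save_credentials` whether the client may store the password; `lint_provisioning`, `portal_requires_otp` and the sample hostname are hypothetical names chosen here.

```python
import json

# Constructed sample: the template from the post, with one entry filled in and
# one left untouched. vpn.example.test is a placeholder, not a value from the thread.
SAMPLE_PRO = """[
  {"gateway": "vpn.example.test", "user_portal_port": 443, "otp": false,
   "auto_connect_host": "", "can_save_credentials": true,
   "check_remote_availability": false, "run_logon_script": false},
  {"gateway": "<Enter your gateway hostname or IP address>",
   "user_portal_port": 443, "otp": true,
   "auto_connect_host": "<Enter internal hostname or IP address>",
   "can_save_credentials": false,
   "check_remote_availability": false, "run_logon_script": false}
]"""

# Keys the check relies on, with the JSON types the template uses.
REQUIRED = {"gateway": str, "user_portal_port": int,
            "otp": bool, "can_save_credentials": bool}

def lint_provisioning(text, portal_requires_otp=True):
    """Return (entry_index, message) findings; an empty list means clean."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(-1, f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(entries, list):
        return [(-1, "top level must be a JSON array of connection objects")]
    findings = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append((i, "entry is not a JSON object"))
            continue
        for key, typ in REQUIRED.items():
            # Exact type match: bool is a subclass of int in Python.
            if type(entry.get(key)) is not typ:
                findings.append((i, f"{key}: missing or not {typ.__name__}"))
        for key in ("gateway", "auto_connect_host"):
            if str(entry.get(key, "")).startswith("<"):
                findings.append((i, f"{key}: template placeholder not replaced"))
        if portal_requires_otp and entry.get("otp") is False:
            findings.append((i, "otp: false although portal logins use 2FA"))
        if entry.get("can_save_credentials") is True:
            findings.append((i, "can_save_credentials: true, password may be stored"))
    return findings

if __name__ == "__main__":
    for index, message in lint_provisioning(SAMPLE_PRO):
        print(f"entry {index}: {message}")
```

Running it over the file before it is pushed to the "import" folder by GPO keeps an unedited template or a relaxed credential setting from reaching every managed client at once.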