
How to make IPsec Remote Access VPN dial in when the user account doesn't exist/isn't synced in XG?

Hi All,
Our client has a question about the difference in behavior between SSLVPN, L2TP and IPsec VPN.
The client uses AD authentication for user accounts.

When the user account doesn't exist/isn't synced in XG, the user can use L2TP VPN to dial in to XG directly.
After dialing in with L2TP, the user account shows up in XG.

But the user can't dial in to XG with IPsec remote access VPN when the account doesn't show up in XG.
The user needs to log in to XG with his AD account first (so that the account shows up in XG),
then the user can dial in to XG with IPsec VPN.
The behavior of IPsec VPN is similar to SSLVPN:
users need to log in to the user portal first to get their configuration for SSLVPN.

Is there a way to let AD users dial in to XG with IPsec VPN directly, like with L2TP?

Firmware version 18.0.5 MR5


This thread was automatically locked due to age.

  • FormerMember (in reply to Shunze Lee)

    As mentioned, if the user has access to IPsec (remote access), then the provisioning file will automatically import the .scx configuration file into the Sophos Connect client. The AD user will be authenticated and his profile will also be created automatically without signing in to any other authentication method.

    Try to follow the steps below and let me know if you have any queries.

    ==> Create a provision file with .pro extension

    [
      {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": <User_Portal Port>,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
      }
    ]

    ==> You can find the user portal port under Administration > Admin & user settings > Admin console and end-user interaction

    ==> Import the .pro file into the Sophos Connect client and connect. It will automatically import the IPsec remote access (.scx) configuration file into the Sophos Connect client on the user's machine.

    Refer to the link below for more information on the "Sophos Connect provisioning file".

    Sophos Connect provisioning file
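    Since a provisioning file with a typo or a placeholder left in it will silently fail to import, here is a small Python helper that renders a .pro file from the fields shown above and checks one before it is handed to users. This is an added example, not code from this thread or from Sophos: the field list is taken from the template above, but the type rules, the port range check and the hostname/IP check are this example's own assumptions, and the gateway, port and internal host values are constructed for the demonstration.

```python
import ipaddress
import json
import re

# Fields taken from the provisioning file template in the reply above, mapped to the
# JSON type each one holds there. The mapping and every rule below are this
# example's own assumptions, not a specification published by Sophos.
EXPECTED_FIELDS = {
    "gateway": str,
    "user_portal_port": int,
    "otp": bool,
    "auto_connect_host": str,
    "can_save_credentials": bool,
    "check_remote_availability": bool,
    "run_logon_script": bool,
}

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_host_or_ip(value):
    """True if value is a literal IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def build_profile(gateway, user_portal_port, auto_connect_host, otp=False,
                  can_save_credentials=True, check_remote_availability=False,
                  run_logon_script=False):
    """Render one gateway entry as .pro file text (a JSON array holding one object)."""
    entry = {
        "gateway": gateway,
        "user_portal_port": user_portal_port,
        "otp": otp,
        "auto_connect_host": auto_connect_host,
        "can_save_credentials": can_save_credentials,
        "check_remote_availability": check_remote_availability,
        "run_logon_script": run_logon_script,
    }
    return json.dumps([entry], indent=2)


def validate_profile(text):
    """Return a list of problems found in .pro file text; an empty list means it passed."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # The template's unquoted <...> placeholder for the port is not valid JSON until replaced.
        return [f"not valid JSON (unreplaced placeholder?): {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, list) or not data:
        return ["top level must be a non-empty JSON array"]

    problems = []
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be a JSON object")
            continue
        for key, typ in EXPECTED_FIELDS.items():
            if key not in entry:
                problems.append(f"entry {i}: missing '{key}'")
                continue
            value = entry[key]
            # bool is a subclass of int in Python, so `true` must not pass as a port number.
            if typ is int:
                if isinstance(value, bool) or not isinstance(value, int):
                    problems.append(f"entry {i}: '{key}' must be an integer")
                elif not 1 <= value <= 65535:
                    problems.append(f"entry {i}: '{key}' {value} is not a valid TCP port")
            elif not isinstance(value, typ):
                problems.append(f"entry {i}: '{key}' must be {typ.__name__}")
        # Quoted placeholders parse as strings, so catch those explicitly.
        for key in ("gateway", "auto_connect_host"):
            value = entry.get(key)
            if isinstance(value, str):
                if value.startswith("<") and value.endswith(">"):
                    problems.append(f"entry {i}: '{key}' still holds the template placeholder")
                elif not is_host_or_ip(value):
                    problems.append(f"entry {i}: '{key}' is neither an IP address nor a hostname")
    return problems


# Constructed sample values for demonstration only (documentation address range).
SAMPLE_PROFILE = build_profile("vpn.example.com", 443, "192.0.2.10")

if __name__ == "__main__":
    print(SAMPLE_PROFILE)
    print("problems:", validate_profile(SAMPLE_PROFILE))
```

    Run it once on the file you intend to distribute; an empty problem list means the JSON parses, every field from the template is present with the right type, the port is in range, and neither host field still carries a placeholder.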

  • Hi,

    Can you tell me the difference between gateway and auto_connect_host in the .pro config?

    What IP should I input?

    Shunze

  • FormerMember (in reply to Shunze Lee)

    Gateway: Public IP or hostname of the Sophos Firewall

    auto_connect_host: Enter a hostname or IP address within the local network. It helps the Sophos Connect client monitor automatic connections.

  • So the "auto_connect_host" can be the LAN IP address of XG firewall?

  • FormerMember (in reply to Shunze Lee)

    You can either use the firewall LAN IP address or the IP address of any internal (always-on) server.

  • Hi,

    It works.

    But the client doesn't allow User Portal access from the WAN.

    So the client still uses L2TP first, then IPsec VPN.

    Anyway, thanks for the help.