
How can IPsec remote access VPN users dial in when the user account doesn't exist / isn't synced in XG?

Hi All,
Our client has a question about the different behaviour of SSL VPN, L2TP and IPsec VPN.
The client uses AD authentication for user accounts.

When the user account doesn't exist / isn't synced in XG, the user can use L2TP VPN to dial in to XG directly.
After dialing in with L2TP, the user account shows up in XG.

But the user can't dial in to XG with IPsec remote access VPN when the account doesn't show in XG.
The user needs to log in to XG with their AD account first (so the account shows up in XG),
then the user can dial in to XG with IPsec VPN.
The behaviour of IPsec VPN is similar to SSL VPN:
the user needs to log in to the user portal first to get their configuration in order to use SSL VPN.

Is there a way to let AD users dial in to XG with IPsec VPN directly, like L2TP?

Firmware version 18.0.5 MR5



  • FormerMember
    +1 FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    You can use the provisioning file (.pro) and import it into the Sophos Connect client. This will provision IPsec and SSL VPN connections with Sophos Firewall. If the user/group has access to IPsec (remote access), then the provisioning file automatically imports the .scx configuration file into the Sophos Connect client.

    Click here for more information on the Sophos Connect provisioning file.

  • Hi, the issue is described in the following document.

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/VPNSophosConnectAuth.html

    IPsec remote access VPN uses the Sophos Connect client. If a remote user, for example, an AD user, wants to sign in to the Sophos Connect client for the first time, they must first sign in to another authentication client, such as the user portal.

    The client needs their users to be able to sign in to Sophos Connect directly, without signing in to another authentication client first.

    Any suggestion?

  • FormerMember
    0 FormerMember in reply to Shunze Lee

    As mentioned, if the user has access to IPsec (remote access), then the provisioning file will automatically import the .scx configuration file into the Sophos Connect client. The AD user will be authenticated and their profile will also be created automatically, without signing in to any other authentication method.

    Try to follow the steps below and let me know if you've any queries.

    ==> Create a provisioning file with the .pro extension:

    [
      {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": <User_Portal Port>,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
      }
    ]

    ==> You can find the user portal port under Administration > Admin & user settings > Admin console and end-user interaction.

    ==> Import the .pro file into the Sophos Connect client and connect. It'll automatically import the IPsec remote access (.scx) configuration file into the Sophos Connect client on the user's end machine.

    Refer to the below link to get more information on "Sophos Connect provisioning file".

    Sophos Connect provisioning file
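As an added example (not part of this thread and not Sophos's own tooling), a small Python helper that writes a .pro file with exactly the keys shown in the steps above and checks one before it is handed to users: it catches the mistakes that keep a profile from importing, such as template placeholders left in, a value of the wrong JSON type, an out-of-range port, or a gateway / auto_connect_host that is not a hostname or IP literal. The `build_pro` and `validate_pro` names are mine, and the check is purely syntactic; it does not know which host each key is meant to point at.

```python
import ipaddress
import json
import re

# Keys from the .pro template in this thread, with the JSON type each must carry.
PRO_SCHEMA = {"gateway": str, "user_portal_port": int, "otp": bool,
              "auto_connect_host": str, "can_save_credentials": bool,
              "check_remote_availability": bool, "run_logon_script": bool}
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def is_host_or_ip(value):
    """True if value is an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def build_pro(gateway, user_portal_port, auto_connect_host, save_credentials=False):
    """Return the text of a one-profile .pro file using the thread's keys (hypothetical helper)."""
    profile = {"gateway": gateway, "user_portal_port": user_portal_port, "otp": False,
               "auto_connect_host": auto_connect_host,
               "can_save_credentials": save_credentials,
               "check_remote_availability": False, "run_logon_script": False}
    return json.dumps([profile], indent=2)


def validate_pro(text):
    """Return the list of problems found in .pro text; an empty list means it passed."""
    try:
        data = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON (placeholders left in?): {exc}"]
    if not isinstance(data, list) or not data or not all(isinstance(p, dict) for p in data):
        return ["top level must be a non-empty JSON array of profile objects"]
    problems = []
    for i, entry in enumerate(data):
        for key, typ in PRO_SCHEMA.items():
            if key not in entry:
                problems.append(f"profile {i}: missing key {key}")
            elif type(entry[key]) is not typ:  # exact type: bool is a subclass of int
                problems.append(f"profile {i}: {key} must be {typ.__name__}")
        port = entry.get("user_portal_port")
        if type(port) is int and not 1 <= port <= 65535:
            problems.append(f"profile {i}: user_portal_port out of range")
        for key in ("gateway", "auto_connect_host"):
            if isinstance(entry.get(key), str) and not is_host_or_ip(entry[key]):
                problems.append(f"profile {i}: {key} is not a hostname or IP address")
    return problems
```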

  • Hi,

    Can you tell me the difference between gateway and auto_connect_host in the .pro config?

    What IP should I input?

    Shunze
