We are migrating from Sonicwall's NetExtender remote access program to "hopefully" Sophos Connect. There's a fair amount of back story to this question, but the primary goal of my post is to see if someone can shed some light on why we are seeing a different behavior with the IPSEC VPN connection and the SSL VPN Connection.
Internally we have a basic Windows RemoteApp setup for delivering our ERP solution to our end users. We have SSO working while in the office, so that if a user opens the RemoteApp from their computer, the first "login" screen they are presented with is the login to the ERP product. I know that this requires delegated credentials and it's setup and working if they're in the office. As we are currently setup, 'in the office' still requires the end users to transit across a Sophos Central managed SDWAN because both the AD servers and the RemoteApp server are hosted offsite.
Historically if these same users connect to the Sonicwall firewall (also in our hosting location) with the NetExtender program they are able to "immediately" launch the ERP product once connected and the experience is the same as when they are in the office.
As part of our migration to the hosting service we tried using their SSLVPN solution (VMWare) and the user would receive a prompt to login to the server indicating that the delegated credentials were not working. When we initially began testing the Sophos SSLVPN I had the desired success connecting to the ERP solution while remote. But recently the Sophos Connect client began prompting the user to login to the server (before the ERP login).
This first happened while running Sophos virtual firewall running 19 GA release, and while trying to fix it on that version I added a DNS/AD access rule to the same firewall rule that granted users access to the ERP application and it seemed to work for a time. This was still during our testing phase. There was another rule already existing that granted the same access but it seemed like adding the DNS/AD server to the same rule fixed it.
A few weeks ago we 'replaced' the 19 GA firewall with an MR1 release (not an upgrade, a replace). I began noticing the issue again in our testing, but when I tried to connect to the GA firewall it too had the issue. Since the GA release now had the issue, I assumed it was client side and all other testing has been against the MR1 firewall.
I tried several different one-off rules that turned off Heartbeat requirements as well as granting access to the full network in a single rule but was unable to resolve the issue on the MR1 firewall. Admittedly during these test I was connecting, trying to open the ERP solution immediately, getting the prompt and deeming it a failure. (This becomes relevant later)
I next started trying to see if the same issue was present with the IPSEC VPN client (still using the same local Sophos Connect install). I have had success with the IPSec client IF I wait a few minutes (I've tested down to 5 minutes so far) after connecting before launching the ERP program. If I connect and immediately try opening the ERP program I still receive the Server logon prompt. I assume that in part this has to do with Heartbeat authentication and I'm okay if the answer is wait a few minutes for the heartbeats to finish.
I took the "delay" approach back to the SSLVPN connection and that does not seem to "fix" the issue, even if I wait 10 minutes after connecting.
My primary question is why the different experience between the SSLVPN connection and the IPSEC connection. The rules on the firewall are the same, the local client install is the same, the "location of connection" is the same.
Firewall Information: SFV4C6 (SFOS 19.0.1 MR-1-Build365)
Clients: Windows 10
Sophos Connect Client: 2.2.75
This thread was automatically locked due to age.