Hello guys,
we have a Sophos XGS 3300 cluster (19.0.1 MR-1-Build365) and are using Sophos Connect Client for our HO users. All users have an IPSEC and an SSL VPN profile in the connect client. In the future we want to use the provisioning file (see below):
[
  {
    "display_name": "XXX Initial setup",
    "gateway": "XX.XXX.XXX.XXX",
    "user_portal_port": 444,
    "otp": true,
    "2fa": 1,
    "auto_connect_host": "",
    "can_save_credentials": false,
    "check_remote_availability": false,
    "run_logon_script": false
  }
]
The import and the initial login for the SSL-profile is working but I have the following issues:
What am I doing wrong?
Hello there,
Thank you for contacting the Sophos Community.
I think your point number 2 is explained in our documentation:
" If you've configured the IPsec remote access settings, the provisioning file automatically imports the .scx configuration file into the Sophos Connect client for all users. It only imports the .ovpn configuration file for users you've assigned to an SSL VPN remote access policy."
The Display Name for SSL VPN is a known behavior, where currently it’ll only show the IP configured; the IPsec should show the name.
Regards,
Well, we only see one connection profile (SSL VPN) in the Connect client and not two (IPSec is missing). But both are configured for our users on the firewall?
"If you've configured the IPsec remote access settings, the provisioning file automatically imports the .scx configuration file into the Sophos Connect client for all users" => It does not import the .scx config.
display_name is definitely not mandatory. We have never used it (SSL only). It uses the gateway name. Either IP or FQDN.
Thank you for the follow-up.
Yes, correct, it should download both of the connections.
I was able to replicate but GES wasn’t able to. Just make sure that the appliance certificate is filled out and the users belong to both the SSL VPN and IPsec policies, and if so, create a case with Support and share the Case ID so we can follow up.
In the document I found on the Sophos website (/cfs-file/__key/communityserver-discussions-components-files/126/5710.Sophos-Connect-2.0-_2D00_-Provisioning-File-Instruction-Doc-_2800_1_2900_.pdf) the parameter is described as mandatory. I see now that it is not an official Sophos document.
Anyway, we have to roll out these connections to approx. 400/500 users. How can I give the connections a "REAL" name without touching each client manually? E.g.
Company_SSL-Profile
Company_IPSec-Profile
At the moment the SSL connection profile is imported with the hostname in the SSL VPN setting.
I created a ticket, 05947561
I think you would have to use an ugly approach like a dedicated CNAME in public DNS like initial-VPN-config.yourcompany.com pointing to your userportal.
Other approach: use something like initial-VPN.config and put something in the hosts file of the OS, pointing that fake FQDN to your userportal.
Thank you for the Case ID, I have added a note to highlight the issue.