
Sophos Connect Losing Connections/Profiles

We've moved to Sophos Connect and have found that some of our users are losing their connections in the app.

For instance, as part of a software deployment, we will push Sophos Connect and the Provisioning File to the client with an automatic import. This Provisioning File will then import two SSL VPN gateways to the client. From here, they can connect and everything seems well.

However, without a known reason these will at times vanish from the Connect app. The user has to then manually import the connections via the provisioning file to get these back - again, they can then vanish without explanation.

This is especially problematic as the users will then have to come back on site for the policy to download, as the User Portal is not available to them over the WAN.

Whilst we could enable the User Portal on the WAN, it exposes the Firewall to abuse. So this is a step we want to avoid. Additionally, it wouldn't appear to be the cause as to why the user's Connect Gateway Connections are vanishing.

We are running SFOS 19.5.0 GA-Build197 and Sophos Connect 2.2.90.1104.

Can anyone advise?



  • We refused to open the User Portal up over the WAN because even with MFA, this isn't perfect; if someone's credentials are known to an attacker, and the victim had not yet set up MFA on the User Portal, then an attacker can log in to the User Portal with just User/Pass and set up MFA with their own OTP/device.

    If the User Portal availability on the WAN had the caveat that it's only available if the user already has MFA enabled/enrolled, we would be more comfortable allowing this.

  • Precisely the reason that we only allow it during certain time windows, and even for case #2, we sometimes just ask them to go to whatismyip.com and then make the ACL exception for that IP for the user portal. But again unfortunately, this all falls apart if your SSL VPN port is 443. You literally can't disable its access from the WAN and it's a huge vulnerability for Sophos XG / XGS.

  • Not really. With the gateways vanishing, they still need to import the .PRO file again. So we tell people to come on site so that they a) get the .PRO file and b) can connect to the Gateways to get the policies. We don't inform the user that A is possible when off-network because they'd still need to be local to get the policies. Otherwise it causes more confusion. As below, we refuse to open the User Portal on the WAN. For those problematic users, they're given OpenVPN Connect client. So far, no issues with that. It's especially odd because Sophos Connect seems to be a branded version of OpenVPN Connect. Uses OpenVPN technology. And yet their own product is broken. Sadly you can't automate configuration with OpenVPN Connect like you can with Sophos Connect, but seeing as that's bugged for a considerable portion of users, you could say that you can't do so with Sophos Connect either.

  • Hello Paul,

    Thank you for the extended feedback; the link I shared was related only to your comment, "so Sophos Connect is a MUST to even have a separate place for the OTP code to go."

    I will pass your feedback for the rest to PM.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
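The two controls discussed in the replies above (refusing User Portal logins from the WAN for accounts that have not yet enrolled MFA, so that a stolen password alone cannot be used to enrol an attacker's own OTP device, and the helpdesk workaround of a short-lived per-user IP exception) can be expressed as one access-decision function. The following Python is an added example written for this page; it is not Sophos code and does not model any real firewall's policy engine. The trusted network ranges, the one-hour exception window, the user records and the source addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed assumptions for this example: which ranges count as "on site",
# how long a temporary WAN exception stays valid, and the sample users below.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXCEPTION_WINDOW = timedelta(hours=1)

ALLOW_LAN = "lan: password (+ otp once enrolled)"
DENY_NOT_ENROLLED = "wan: denied, mfa not enrolled - enrolment only on site"
DENY_NO_EXCEPTION = "wan: denied, no active ip exception for this user"
ALLOW_WAN = "wan: password + otp"


@dataclass
class User:
    name: str
    mfa_enrolled: bool  # True once the user has registered an OTP token


@dataclass
class IpException:
    user: str
    source: object      # ipaddress.IPv4Address or IPv6Address
    expires: datetime


@dataclass
class PortalPolicy:
    """Decides whether a User Portal login attempt may proceed.

    On-site logins are always allowed, so the first MFA enrolment happens there.
    From the WAN the account must already have MFA enrolled (closing the window
    in which a password-only login could enrol an attacker's token) and the
    source IP must be covered by a time-boxed exception for that user.
    """
    exceptions: List[IpException] = field(default_factory=list)

    def add_exception(self, user: User, source_ip: str, now: datetime) -> None:
        # The workaround from the thread: allow one public IP for one user, briefly.
        self.exceptions.append(
            IpException(user.name, ip_address(source_ip), now + EXCEPTION_WINDOW))

    def evaluate(self, user: User, source_ip: str, now: datetime) -> Tuple[bool, str]:
        src = ip_address(source_ip)
        if any(src in net for net in TRUSTED_NETWORKS):
            return True, ALLOW_LAN
        if not user.mfa_enrolled:
            return False, DENY_NOT_ENROLLED
        active = any(e.user == user.name and e.source == src and e.expires > now
                     for e in self.exceptions)
        if not active:
            return False, DENY_NO_EXCEPTION
        return True, ALLOW_WAN


def run_scenarios() -> List[Tuple[str, bool, str]]:
    """Walk through the cases discussed in the thread with constructed data."""
    now = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    alice = User("alice", mfa_enrolled=False)   # new starter, never enrolled
    bob = User("bob", mfa_enrolled=True)        # enrolled while on site
    policy = PortalPolicy()
    results = []
    results.append(("alice on site", *policy.evaluate(alice, "10.1.2.3", now)))
    results.append(("alice from wan", *policy.evaluate(alice, "203.0.113.10", now)))
    results.append(("bob from wan, no exception",
                    *policy.evaluate(bob, "203.0.113.10", now)))
    policy.add_exception(bob, "203.0.113.10", now)
    results.append(("bob from wan, within window",
                    *policy.evaluate(bob, "203.0.113.10", now + timedelta(minutes=30))))
    results.append(("bob from wan, window expired",
                    *policy.evaluate(bob, "203.0.113.10", now + timedelta(hours=2))))
    results.append(("bob from wan, other ip",
                    *policy.evaluate(bob, "198.51.100.7", now)))
    return results


if __name__ == "__main__":
    for label, allowed, reason in run_scenarios():
        print(f"{label:30} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The ordering of the checks is the point: the enrolment check runs before the IP exception is consulted, so an operator cannot accidentally grant WAN access to an un-enrolled account by adding an exception for it, and an expired or wrong-IP exception still denies an enrolled user.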