
Sophos VPN Client - disable autoconnect when in local network

Hi all,

I'm struggling with setting up Sophos VPN Client on users' Windows computers.

The behaviour I expect is for it to connect automatically when the user connects to any network except the internal LAN/WIFI.

So if a user turns on the laptop at home and connects to his/her home WIFI, Sophos Client should connect to the VPN immediately. But when the user comes to the office and connects to the LAN network, Sophos Client should stop connecting. I edited the ovpn config file and added the auto_connect parameter as the LAN VLAN network address (192.168.3.1), but it didn't help - after connecting to the office's wifi, Sophos Client is connecting to VPN.

Next thing I tried was to block SSL VPN in firewall administration and it helped, but now Sophos Client is continuously trying to connect, fails, tries again, fails, and so on.

How to set it up so it just stops trying to connect when in LAN, and after network change (going back to home), connects VPN immediately?



  • Exactly. Although it's connecting without a problem and I didn't change anything with the .pro file, auto-connect function isn't working.

  • Are you saying that now the .pro file is connecting properly but auto connect is a problem? That is, if the connection is broken, it doesn't try to reconnect if it is on WAN?

  • Should I create another thread concerning proper setup for the .pro file, or will someone help in this thread? I wrote earlier that the .pro file isn't working - doesn't matter if the user is in LAN or on a hotspot. Now I can't even make this connection connect automatically, even if it is checked in Sophos Client to auto-connect.

  • I'm thinking about auto_connect_host param - for now I set it to LAN VLAN interface address, let's say 192.168.3.1

    When a user is on a hotspot and connects through VPN, it has an address from the VPN IP pool. As I don't have the firewall rule VPN2LAN enabled, Sophos Client can't reach 192.168.3.1 so it should connect automatically. But when a user connects to the office's wifi (so LAN VLAN), it has an IP address from the LAN DHCP pool. And obviously can reach 192.168.3.1 (I'll ping it later to confirm).

    So why is Sophos Client connecting anyway when in the LAN network?

  • Ah, OK. Thanks for the updated link - will be definitely useful for others with the same problem.

    Before I sum up this thread, I'd like to have a chance to work out the auto-connect feature. Let's hope it's some minor thing that's left. Will update here as soon as I have the testing device in my hands.

  • In fact it has been updated, you have only been given the link to the KB of 19.5. The right link for version 20 is here and it is correct there.

  • Ok, thanks for this useful information. That's a shame Sophos didn't update their KB on the official site because that was the f....n problem - after changing the port in the .pro file, the user established a connection using the .pro file.

    But now, on the other hand, it connects every time, doesn't matter if on LAN or on hotspot. I have to check it out further but now I'm not on site so don't have direct access to the testing device.

  • The instructions are from an older version where there was only the user portal. As of version 20, they have split it into user and VPN portal. The .pro file is there to pull the .ovpn file from the VPN portal, so the port from the VPN portal and not from the user portal must be specified there.

    What's another weird thing - when I enabled SSL VPN, in global settings there already was this incorrect IP set up. I didn't change anything, so it looks like Sophos has wrong data as default setup.

    Yes, this also results from an older version where an IP range still had to be specified, for example: 10.81.234.5-10.81.234.85
    At some point this was also changed to a whole subnet e.g. /24, but probably forgot to adjust the IP as well.

  • What? So the manual is specifically saying to use port for user portal, and it's misleading? That's a bummer. Ok, I'll try to change port and see if it helps.

  • You mean I should try to connect user using .pro file, get an error and then collect vpnportal.log to check if there's anything there?

    Yes, that is what I meant


    I changed default port from 4443 to other one - maybe this is the problem?

    For .pro files, use the vpn portal port in the .pro file (which by default is 443)