Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR2: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR2 is Now Available    

The old V20.0 MR1 Post:  Sophos Firewall: v20.0 MR1: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Edited TAGs
[edited by: Erick Jan at 8:29 AM (GMT -7) on 23 Jul 2024]

  • HSTS was addressed (if the client tries to reach port 8091 on https) and the HA sync of Kerberos. 
    Most Kerberos situations are caused by the client not being correctly configured. For example, the firewall FQDN is not set up as a trusted site. 

    __________________________________________________________________________________________________________________

  • It was not possible for us to get this working 100% with different customer environments and I'm not sure now if we should retry this and maybe waste more time on things that have a stupid implementation... Sophos support was useless in every case here - so we moved to STAS... But I'm not really happy to install 3rd party software on DCs and get a lot of ID 10028 errors on the DCs now... But so far the user auth with STAS is working.

  • The bottom line is: the Kerberos implementation is similar to the UTM one. It is just different for some setups, as SFOS in most setups is not the direct proxy, like UTM was in most cases. 

    Those fixes here are not helping for initial setups. 
    Customers using SFOS as a direct proxy should not have many problems with Kerberos in the first place. For transparent proxy, you need to be careful with the internet proxy settings on the client. 
    One fix is about customers using HSTS for the proxy, and this breaks the authentication in SFOS. 

    __________________________________________________________________________________________________________________