I have a question about SSL VPN auto connect. Can the user receive an automatic connection to the SSL VPN after restarting their computer and connecting to the internet?
[edited by: Raphael Alganes at 2:49 PM (GMT -7) on 21 Oct 2024]
Hello Akash,
Good day, and thanks for reaching out. You may try to follow these steps as outlined. This was supposed to be uploaded as a Recommended Read for Sophos Firewall that I authored for the Forum but got delayed in Publishing. You may follow the steps and kindly let us know if it works for your setup.
This guide will show how to auto-connect a Windows device on start-up to Sophos Firewall SSL VPN Remote access.
The Sophos Connect provisioning file allows you to provision remote access IPsec and SSL VPN connections with Sophos Firewall. It also automatically imports any configuration changes you make later. Users don't need to download the configuration file from the VPN portal.
Also, before proceeding, check your OS Compatibility with Sophos Connect Client: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConClient/index.html#download-the-client
Further, for more details about the provisioning file, you can refer to this documentation guide: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConProvisioningFile/index.html
1. Configure your SSL VPN Remote Access - You may follow this document guide: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SSLVPN/index.html
2. Then, download and install Sophos Connect client: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConClient/index.html
Note: Starting with V20, you can download the client from the VPN Portal: https://support.sophos.com/support/s/article/KB-000045105?language=en_US
3. Next, we'll configure and import the provisioning file to the Sophos Connect Client: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConConfigureProvisioningFile/index.html#requirement
We can open an editor such as Notepad and configure what we need for the auto-connect functionality. You may follow this template:
In our scenario, we will fill in "gateway", "auto_connect_host" and "can_save_credentials", so that when we import the .pro file later, the user will be able to save the username and password at the initial login on the client, and subsequent logins will not require user intervention anymore.
[
  {
    "gateway": "203.0.113.1",
    "vpn_portal_port": 443,
    "otp": false,
    "auto_connect_host": "10.10.10.1",
    "can_save_credentials": true,
    "check_remote_availability": false,
    "run_logon_script": false
  }
]
Kindly take note as well of the requirements for creating the .pro file.
Then, after the configuration, save the file with .pro extension.
4. Import the .pro file to the Sophos Connect Client
In your Sophos Connect Client > Import Connection
Then double-click the .pro file. Alternatively, click Import connection in the client and select the file.
Also, you may import the .pro file using GPO. Kindly refer to this documentation guide: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConProvisioningFileGPOScript/index.html
5. Once you import the .pro file, it will try to connect, and you'll face a Certificate Warning Error.
You can "Continue to server" and still you will be able to connect, the error doesn't indicate a network problem.
To prevent users from seeing a certificate error (allow unsigned certificate) when the file is imported, do as follows:
- Generate a locally-signed certificate.
- Go to Administration > Admin settings > Admin console and end-user interaction > Certificate and select the certificate.
- Push the default CA to users. The easiest way to do this is with Active Directory GPO.
6. Authenticate the user and check on the option to Save username and password, then click Sign In.
Connection should be established and successful:
You can also verify on Sophos Firewall > Current Activities > Live User
7. Ensure that Sophos Connect Client is Enabled on your Startup Programs on Windows:
Then, once the device restarts or starts up, the client will connect automatically without user intervention.
You can verify again under Sophos Firewall > Current Activities > Live User
Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
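As an added example (not part of the post above and not Sophos code), a small pre-distribution check for a .pro file that verifies the fields the post relies on for auto-connect and flags the credential trade-off. The function name lint_pro is hypothetical, the sample is the post's template, and the checks assume the keys behave as the post describes.

```python
import json

# Constructed sample: the template from the post (documentation-range addresses).
SAMPLE_PRO = """[ { "gateway": "203.0.113.1", "vpn_portal_port": 443, "otp": false,
  "auto_connect_host": "10.10.10.1", "can_save_credentials": true,
  "check_remote_availability": false, "run_logon_script": false } ]"""

BOOL_KEYS = ("otp", "can_save_credentials", "check_remote_availability",
             "run_logon_script")

def lint_pro(text):
    """Return (errors, warnings) for the text of a .pro provisioning file."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], []
    if not isinstance(entries, list) or not entries:
        return ["top level must be a non-empty JSON array, as in the template"], []
    errors, warnings = [], []
    for n, e in enumerate(entries):
        if not isinstance(e, dict):
            errors.append(f"[{n}] entry is not a JSON object")
            continue
        if not (isinstance(e.get("gateway"), str) and e["gateway"].strip()):
            errors.append(f"[{n}] gateway must be a non-empty string")
        if "vpn_portal_port" in e:
            port = e["vpn_portal_port"]
            if type(port) is not int or not 1 <= port <= 65535:
                errors.append(f"[{n}] vpn_portal_port must be an integer 1-65535")
        for key in BOOL_KEYS:  # "true" in quotes is a string, not a boolean
            if key in e and type(e[key]) is not bool:
                errors.append(f"[{n}] {key} must be true/false without quotes")
        host = e.get("auto_connect_host")
        if not (isinstance(host, str) and host.strip()):
            errors.append(f"[{n}] auto_connect_host is empty: no auto-connect")
        if e.get("can_save_credentials") is not True:
            errors.append(f"[{n}] can_save_credentials is not true: every "
                          "connection will prompt for the password")
        elif e.get("otp") is True:
            warnings.append(f"[{n}] otp is true: a code must be typed at each "
                            "login, so connecting cannot be unattended")
        else:
            warnings.append(f"[{n}] saved credentials without OTP: access to "
                            "the Windows session gives access to the VPN")
    return errors, warnings

if __name__ == "__main__":
    for label, items in zip(("ERROR", "WARN"), lint_pro(SAMPLE_PRO)):
        for item in items:
            print(label, item)
```

Run it against the file before importing it or pushing it through GPO; the warning on the post's template is expected and is the trade-off that unattended connection implies.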
I need to launch the Sophos client or click Connect after restarting the device, or it will connect without launching the Connect client.
Because I want it without launching the Connect client.
Putting the program in Startup can launch the application, but you need to log in at least once initially for the "can_save_credentials" setting in the .pro file to be populated. After the initial logon, the succeeding logins should connect automatically without user intervention.
Raphael Alganes
Community Support Engineer | Sophos Technical Support