SSL VPN 2FA options - or how to prompt for the OTP token?

Have a look at the Provisioning file template for the Sophos Connect: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConProvisioningFile/index.html#templates

[
    {
        "otp": true,
        "can_save_credentials": true,
    }
]

These Options should do what you want.

Then you could deploy the file for your Users and the connect client will get the VPN config from the firewall.

Oh hey - that looks promising - there's a note there that says I can set it to show a third box for totp.  If I can get that to go it's the perfect fix.
I'll update the thread after I test.
Thank you!

Yay!  I created a .pro file and double clicked it to import it, and it set the third field for otp, and allowed user/pass saving, and even set up the multi gateway and auto log in options for me.

Now I just need to test and document a roll out proceedure with staff.  I see GPO is an option, but if they were in the office for the policy to take effect, I wouldn't need the SSL VPN :-)

Thanks again!

Yay!  I created a .pro file and double clicked it to import it, and it set the third field for otp, and allowed user/pass saving, and even set up the multi gateway and auto log in options for me.

Now I just need to test and document a roll out proceedure with staff.  I see GPO is an option, but if they were in the office for the policy to take effect, I wouldn't need the SSL VPN :-)

Thanks again!