
Sophos Firewall: Sophos Connect Migration script from UTM SSL VPN

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read covers a script that is in the Beta stage and does the following:

  • Backs up the old ".ovpn" configuration from SG UTM SSL VPN
  • Removes the old SG UTM client
  • Installs Sophos Connect
  • Imports the old configuration into Sophos Connect so users can still connect to UTM.
  • Installs a provisioning file for the coming Sophos Firewall so that migration will be easier

The script has been tested and is working. Implementation in a test environment is highly recommended before proceeding to production.

@echo off

IF NOT EXIST "c:\Program Files (x86)\Sophos\Sophos SSL VPN Client\uninstall.exe" goto :eof
	REM Remove the old client
	REM Kill running programs, preventing uninstall
	taskkill /im openvpn* /F
	timeout 2
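	REM Back up the OVPN config files (they are re-imported into Sophos Connect below)
	rem rmdir "c:\!vpn" /s /q
	if not exist "c:\!vpn" mkdir "c:\!vpn"
	copy "c:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\*.ovpn" c:\!vpn\
	REM Use uninstaller to remove the client (/d also switches drive if the script starts elsewhere)
	cd /d "c:\Program Files (x86)\Sophos\Sophos SSL VPN Client"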
	Uninstall.exe /S
	timeout 10
	REM Do folder cleanup - if not, Sophos Connect refuses to install
	cd\
	rmdir "c:\Program Files (x86)\Sophos\Sophos SSL VPN Client" /s /q

	SET Sophos_Connect=Sophos\Connect\scvpn
	IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86_PROG
	IF NOT EXIST "%ProgramFiles(x86)%\%Sophos_Connect%" GOTO INSTALL
	exit /b 0
	:X86_PROG
	IF NOT EXIST "%ProgramFiles%\%Sophos_Connect%" GOTO INSTALL
	exit /b 0
	:INSTALL
	msiexec.exe /i "\\server\share\SophosConnect.msi" /QN
	timeout 5
	REM Deploying SSLVPN provisioning file - user must connect once with the client to fetch their profile when SF is in place.
	REM Userportal on SF must be accessible and with a valid certificate!
	copy /Y "\\server\share\xgsslvpn.pro" "C:\Program Files (x86)\Sophos\Connect\Import\"
	REM Deploying old SSLVPN config for UTM (the backup taken above)
	copy /Y "c:\!vpn\*.ovpn" "C:\Program Files (x86)\Sophos\Connect\Import\"
	REM Start Gui - tray icon.
	start "" "C:\Program Files (x86)\Sophos\Connect\GUI\scgui.exe"

exit /b 0

[
    {  
        "gateway": "fw01.domain.dk", 
        "user_portal_port": 4445, 
        "otp": false, 
        "auto_connect_host": "", 
        "can_save_credentials": true, 
        "check_remote_availability": false, 
        "run_logon_script": false 
    } 
]

Attached are the bat file and the provisioning file

Let me hear your thoughts :-)




Revamped RR, corrected grammar, added horizontal line at the end
[edited by: Erick Jan at 11:22 AM (GMT -7) on 22 Sep 2023]
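Added example, not part of the original post or of Sophos tooling: a pre-deployment lint for the provisioning file shown above, run before the file is copied to the share. The key names come from the posted file; the rules themselves (gateway as a bare host name, flagging an IP gateway because the script comments require a valid user portal certificate, flagging saved credentials for policy review) are assumptions of this example.

```python
import ipaddress
import json

# Key names and value types as they appear in the provisioning file in the post.
EXPECTED = {"gateway": str, "user_portal_port": int, "otp": bool,
            "auto_connect_host": str, "can_save_credentials": bool,
            "check_remote_availability": bool, "run_logon_script": bool}

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def lint_provisioning(text):
    """Return (level, message) findings; level is 'error' or 'review'."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON at line {exc.lineno}: {exc.msg}")]
    if not isinstance(entries, list) or not entries or not all(isinstance(e, dict) for e in entries):
        return [("error", "top level must be a non-empty array of objects")]
    out = []
    for n, entry in enumerate(entries):
        for key, value in entry.items():
            want = EXPECTED.get(key)
            if want is None:
                out.append(("review", f"entry {n}: {key!r} is not in the sample, check spelling"))
            # bool is a subclass of int, so True must not pass as a port number
            elif not isinstance(value, want) or (want is int and isinstance(value, bool)):
                out.append(("error", f"entry {n}: {key} must be {want.__name__}"))
        gateway = entry.get("gateway")
        if not isinstance(gateway, str) or not gateway.strip() or "/" in gateway:
            out.append(("error", f"entry {n}: gateway must be a bare host name"))
        elif is_ip(gateway):
            out.append(("review", f"entry {n}: gateway is an IP, portal certificate must cover it"))
        port = entry.get("user_portal_port")
        if type(port) is int and not 1 <= port <= 65535:
            out.append(("error", f"entry {n}: user_portal_port {port} out of range"))
        if entry.get("can_save_credentials") is True:
            out.append(("review", f"entry {n}: can_save_credentials is true, confirm policy allows it"))
    return out

# Copy of the file from the post, then a constructed broken variant.
POSTED = '[{"gateway": "fw01.domain.dk", "user_portal_port": 4445, "otp": false, "auto_connect_host": "", "can_save_credentials": true, "check_remote_availability": false, "run_logon_script": false}]'
BROKEN = '[{"gateway": "https://192.0.2.10/", "user_portal_port": 70000, "opt": true}]'

if __name__ == "__main__":
    for level, message in lint_provisioning(POSTED) + lint_provisioning(BROKEN):
        print(f"{level:6} {message}")
```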
  • Hej Martin,

    I tried just importing individual ovpn files in Sophos Connect and that has resulted in "VPN service is not running" messages.

    I'll run your script and see if I have better luck when the files are imported that way.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA