Sophos Firewall: When will SSL VPN users need to re-download the configuration

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read shows you how to determine which changes under the SSL VPN global configuration will require a user to re-download the configuration.

Prerequisites

An established configuration of the following:

Editing SSL VPN Global Settings

Go to CONFIGURE > Remote Access VPN > SSL VPN tab > SSL VPN global settings.

Changing any of the following settings will require the user to re-download the configuration.

SSL VPN Settings

  • Protocol
  • SSL Server Certificate

  • Override hostname *

* Note: Whether a change to "Override hostname" requires a re-download depends on your firewall hostname and on whether you change your public IP or use DDNS.

Cryptographic Settings

  • Encryption Algorithm
  • Authentication Algorithm
  • Key Size
  • Key Lifetime

* If the "Key lifetime" is changed without a re-download, the client and the firewall hold different lifetimes, so the tunnel will "drop and reconnect" at a time that neither the admin nor the firewall expects. Therefore, it is recommended to re-download the configuration.

Changes to the following other settings will cause a "disruption/disconnection" of the VPN, as marked by the yellow box.

  • Override hostname
  • Port
  • DNS
  • Assign IPv4 Addresses
  • Assign IPv6 Addresses
  • Lease mode
  • Use static IP Addresses
  • IPv4 DNS
  • IPv4 WINS
  • Domain name
  • Disconnect dead peer after
  • Disconnect idle peer after

Advanced Settings

  • Compress SSL VPN traffic

Note: If the VPN configuration was downloaded while compression was enabled in the GUI and compression was disabled afterwards, traffic won't be compressed, but the following switch will remain active in the .ovpn file: comp-lzo yes.

Therefore, OpenVPN will log this warning: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets aren't compressed unless "allow-compression yes" is also set.

To remove this OpenVPN warning, have all users do one of the following:

  • Re-download the configuration, or
  • Change the value to "no" (comp-lzo no) in the .ovpn file, for example by editing it in Notepad++.
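The check above can be automated on the client side. The following script is an added example, not part of the original article or of any Sophos tool: it scans a downloaded .ovpn profile for a compression directive that is still switched on and rewrites "comp-lzo yes" to "comp-lzo no", which is the manual Notepad++ edit described above. The sample profile embedded in the script is constructed for illustration; the hostname and port in it are placeholders, and the inline certificate blocks of a real export are omitted. It also handles the newer OpenVPN "compress <algorithm>" form, which the article does not mention, turning it into a bare "compress" (framing only, no compression).

```python
"""Audit a downloaded OpenVPN (.ovpn) profile for a stale compression directive.

Usage:  python ovpn_compression_check.py [path/to/profile.ovpn]
Without a path the constructed SAMPLE_OVPN below is audited instead.
"""
import sys

# Constructed sample of the relevant lines of a downloaded profile.
# Hostname and port are placeholders; <ca>/<cert>/<key> blocks are omitted.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 8443
# compression was still enabled in the GUI when this profile was downloaded
comp-lzo yes
auth SHA256
cipher AES-256-CBC
"""


def parse_directives(text):
    """Return (line_no, directive, args) tuples.

    Blank lines, '#'/';' comments and the contents of inline <tag>...</tag>
    blocks (certificates, keys) are skipped so they can never be rewritten.
    """
    result = []
    in_block = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        result.append((no, parts[0], parts[1:]))
    return result


def find_stale_compression(text):
    """Return line numbers of directives that still enable compression.

    'comp-lzo' with no argument, 'yes' or 'adaptive' enables compression;
    only 'comp-lzo no' disables it. 'compress' enables compression only when
    an algorithm argument is given; a bare 'compress' is framing only.
    """
    stale = []
    for no, directive, args in parse_directives(text):
        if directive == "comp-lzo" and (not args or args[0].lower() != "no"):
            stale.append(no)
        elif directive == "compress" and args:
            stale.append(no)
    return stale


def disable_compression(text):
    """Return the profile with every stale compression line switched off.

    'comp-lzo ...' becomes 'comp-lzo no' (the edit the article describes) and
    'compress <alg>' becomes a bare 'compress'. All other lines are untouched.
    """
    stale = set(find_stale_compression(text))
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if no in stale:
            directive = raw.split()[0]
            out.append("comp-lzo no" if directive == "comp-lzo" else "compress")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OVPN
    stale = find_stale_compression(text)
    if not stale:
        print("no stale compression directive found; no action needed")
        return 0
    print(f"compression still enabled on line(s) {stale}: "
          "re-download the profile or apply the rewrite below")
    sys.stdout.write(disable_compression(text))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only reports and prints the corrected profile rather than overwriting the file in place, so an administrator can diff the result against the original before distributing it. Re-downloading remains the cleaner fix, since it also picks up any other global settings that changed after the original download.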

Debug Settings

Changing this setting won't restart the VPN and won't require a re-download of the configuration.

  • Enable debug mode

SSL VPN General Settings

All changes under Remote Access VPN > SSL VPN > SSL VPN Profile Name > General Settings, Identity, and Tunnel Access won't cause any disconnection or require a re-download of the configuration. However, changes made here only take effect once the user has disconnected and reconnected.

Replacing & Renewing Certificates

  • Renewing an active certificate or replacing an expired certificate will require the user to re-download the configuration.

Added new info with regards to active and expired certificates.
[edited by: Erick Jan at 3:43 AM (GMT -7) on 22 Apr 2024]