Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This Recommended Read shows you how to determine which changes under the SSL VPN global configuration will require a user to re-download the configuration.
Pre-requisites
An Established Configuration of the following:
Editing SSL GLOBAL VPN Settings
Go to CONFIGURE > Remote Access VPN > SSL VPN tab > SSL VPN global settings.
Changes to the following settings will require the user to re-download the configuration.
SSL VPN Settings
- Protocol
- SSL Server Certificate
*Override hostname
Note: The "Override hostname" would depend on your Firewall Hostname and whether you change your Public IP or use DDNS.
Cryptographic Settings
- Encryption Algorithm
- Authentication Algorithm
- Key Size
- Key Lifetime
*If the "key lifetime" is changed without re-downloading, the client will "drop and reconnect" at a different time than the Admin and the Firewall expect. Therefore, it’s recommended to re-download the configuration.
Other changes on the following configurations will cause a “disruption/disconnection” to the VPN, as marked by the yellow box.
- Override hostname
- Port
- DNS
- Assign IPv4 Addresses
- Assign IPv6 Addresses
- Lease mode
- Use static IP Addresses
- IPv4 DNS
- IPv4 WINS
- Domain name
- Disconnect dead peer after
- Disconnect idle peer after
Advanced Settings
- Compress SSL VPN Traffic
Note: If the VPN configuration was downloaded when compression was enabled (GUI) and afterward disabled, traffic won’t be compressed, but the following switch will remain active in the .ovpn file: comp-lzo yes.
Therefore, OpenVPN will provide this warning: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets aren’t compressed unless "allow-compression yes" is also set.
To remove this OpenVPN warning, have all users either re-download the configuration or edit the .ovpn file (for example in Notepad++) and change the value to no.
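As an added example (not part of the original article or a Sophos tool), the following Python script audits a downloaded .ovpn profile against the firewall's current SSL VPN global settings using the lists above, reporting which mismatches require a re-download versus only a drop/reconnect, and applies the comp-lzo fix from the note. The sample profile is constructed, and the mapping of profile directives to firewall settings is an assumption.

```python
import re
# Constructed sample profile (not a real Sophos export); hostname is a placeholder.
SAMPLE_OVPN = """client
proto udp
remote vpn.example.invalid 8443
cipher AES-128-CBC
auth SHA256
reneg-sec 3600
comp-lzo yes
"""

# Profile directive -> (firewall setting, True if a mismatch requires re-download,
# False if it only causes a drop/reconnect). This mapping is an assumption.
DIRECTIVES = {
    "proto": ("Protocol", True),
    "cipher": ("Encryption Algorithm", True),
    "auth": ("Authentication Algorithm", True),
    "reneg-sec": ("Key Lifetime", True),
    "remote_host": ("Override hostname", True),
    "remote_port": ("Port", False),
}

def parse_ovpn(text):
    """Return {directive: value}; 'remote host port' is split into two keys."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "remote":
            conf["remote_host"], conf["remote_port"] = value.split()[:2]
        else:
            conf[key] = value.strip()
    return conf

def audit(ovpn_text, firewall):
    """Compare a profile to the firewall's current settings (dict keyed like
    DIRECTIVES plus 'compress'). Returns (redownload, reconnect_only, warnings)."""
    conf = parse_ovpn(ovpn_text)
    redownload, reconnect, warnings = [], [], []
    for key, (setting, needs_redownload) in DIRECTIVES.items():
        if key in firewall and conf.get(key) != firewall[key]:
            (redownload if needs_redownload else reconnect).append(setting)
    # Stale switch: compression disabled on the firewall, but the profile still says yes.
    if conf.get("comp-lzo") == "yes" and not firewall.get("compress", True):
        warnings.append("comp-lzo yes left in profile: re-download or set comp-lzo no")
    return redownload, reconnect, warnings

def fix_compression(ovpn_text):
    """Apply the manual fix from the note: rewrite 'comp-lzo yes' to 'comp-lzo no'."""
    return re.sub(r"^comp-lzo[ \t]+yes[ \t]*$", "comp-lzo no", ovpn_text, flags=re.M)
```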
Debug Settings
Changing this setting won’t restart the VPN and won’t require re-downloading the configuration.
- Enable debug mode
SSL VPN General Settings
All changes under Remote Access VPN > SSL VPN > SSL VPN Profile Name > General Settings, Identity, and Tunnel Access won’t cause any disconnection or require re-downloading the configuration. However, any changes here will take effect only once the user has disconnected and reconnected.
Replacing & Renewing
- Renewing an active certificate or replacing an expired certificate will require re-downloading.
Added new info regarding active and expired certificates
[edited by: Erick Jan at 3:43 AM (GMT -7) on 22 Apr 2024]