Sophos Firewall: Enable separate (3rd) input box for SSLVPN MFA instead of Password+OTP.

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview
- Sophos Connect Provisioning file
  - Step1: Sophos Connect Client 1st Login
  - Step2: Logging next time in Sophos Connect Client

Overview

This Recommended Read describes how to configure Sophos Connect Client login using SSL VPN MFA instead of the normal setup of Password + OTP.

Sophos Connect Provisioning file

It's possible to turn on separate input for MFA/OTP in the case of SSLVPN using the Sophos Connect Cient and Sophos Connect provisioning file (pro).

Below is the configuration:

Sample .pro file:

[

{

"gateway": "<Enter your gateway hostname or IP address>",

"user_portal_port": 443,

"otp": true,

"2fa": 1,

"can_save_credentials": true

}

]

Step1: Sophos Connect Client 1st Login

You’ll be asked for a Username/Password/ OTP (3^rd separate input box). Click the checkbox for saving username/password.

Step2: Logging next time in Sophos Connect Client

As username and password are saved, it’ll prompt only for OTP.

Revamped RR Added Horizontal Lines
[edited by: Erick Jan at 1:11 PM (GMT -7) on 27 Sep 2023]

Top Replies

PhilippRusch 7 months ago +1

Why is this only working with SSL? And not with IPsec connections?

Erick Jan over 1 year ago

Hi Alok,

Thank you for sharing.I'll be moving this to Recommended Read

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
generalissimo 7 months ago in reply to Erick Jan

Sophos Connect provisioning file URL is broken and should be adressed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Erick Jan 7 months ago in reply to generalissimo

Hi Generalissimo,

Thank you for the information. I have updated the link.

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
PhilippRusch 7 months ago

Why is this only working with SSL? And not with IPsec connections?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
msw_fisit 6 months ago in reply to PhilippRusch

Is there a way to include the second factor field in an existing connection without using the provisioning templates?

In most cases, the users are no longer in the house with their notebooks and the Sophos Connect applications already installed there and therefore do not have direct access to the Sophos Firewall (via the next gateway IP address in the template) and therefore cannot obtain the latest provisioning from the firewall.

Is there a trick here to add the field for an existing imported connection?
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
msw_fisit 5 months ago in reply to msw_fisit

+ to get this working you need to publish the userportal to wan, is that correct?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel