Note: Please visit the Sophos Connect Early Access Program group to share your feedback and raise any issues you find!
Hey Everyone,
I'm excited to announce that Sophos Connect 2.0 for Windows is now available in early access!
Download link
Sophos Connect 2.0 for Windows EAP Download
Major new features
The main focus of this release is adding support for SSL VPN, while making it possible to bulk-deploy SSL VPN as easily as you can Sophos Connect v1.
- SSL VPN support for Windows
- Bulk Deployment of SSL VPN config via new provisioning file
- The same convenience features you expect in Sophos Connect for IPsec
- OTP prompt support
- Improved DUO MFA support (when connecting to XGv18)
- Auto-Connect
- Logon script execution on connect
- Remote gateway availability probing
- Automatic re-fetch of the latest user policy if the SSL policy is updated on the firewall (when using a provisioning file to deploy)
- Manual re-fetch of the latest policy
- Automatic failover to next firewall WAN link when one link fails
- File extension association for policy files - Import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email
Provisioning File
The key to a number of the features is the new provisioning file format. It allows a single file to be distributed to all users, exactly as you can for IPsec today. Currently, this file must be manually created, but it's very easy. Just take an example from the supplied documentation, and change the values you want.
The provisioning file works by pointing the client to the XG user portal address and port. When the provisioning file is pushed to a client, the user sees the connection listed just like any other, and when they click connect, they are prompted for credentials, just like any other connection. The client then logs in to the XG user portal using the supplied credentials, fetches the latest SSL VPN policy for that user, and connects to the VPN using the same credentials just entered. This is all invisible to the user and only adds a few seconds to the connection time. Later, if the connection fails, the client automatically fetches an updated VPN profile from the user portal, in case any of the policy settings have been changed.
The caveat to this working seamlessly is that the user portal must be exposed on the zones that users will connect from. Ideally, it should use a publicly signed certificate; if it doesn't, users will see a certificate warning before policies can be loaded from the user portal.
Provisioning file documentation
Known Issues
- If MFA is enabled for both the user portal and SSL VPN, users may receive two prompts for token/DUO Push on first connection, or when the policy is updated
- If the user logon limit is set to 1 on XG, connecting to the user portal and then immediately to the VPN may happen quickly enough that XG counts the VPN connection attempt as a second concurrent login and blocks it. Set the logon limit to at least 2 to avoid the issue.
[locked by: AlanT at 6:00 PM (GMT -7) on 21 Apr 2020]