Install SSL VPN User Config without admin permissions

Hi Peter,

i think there is no other way. Provide the user with permissions on the folder. Provide them a Userportal Access and let them install the config with this.

In case you have multiple users working on it and there are more than 1 profile on the Notebook activate MFA and get them to login via Token on their Mobile Phone to get it more secure.

Regards

Jason

Hallo Peter and welcome to the UTM Community!

Do you need to add the same new user to each and every laptop?

Cheers - Bob

Hi Bob,

not to all laptops. 

There are 10-20 different users per laptop. 

The laptops are shared devices. The users pick one from the pool and then he has to install the vpn config on the device.  

best regards,

Peter

Thanks for you answer Jason.

Hoped there is a better way. Seems not to be [:^)]

Regards!

Peter

Jason gave you the answer.

There are two downloads on the user portal, one for the program and user certificate as a bundle, one for the certificate only.   Installing software is an administrator privilege by design, but you have already taken care of this.   So all the user needs is the user bundle.  You just need to give users write permission to the certificate folder:

C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config

Please test it and provide feedback.

Hello, DouglasFoster,

thanks for the answer!
Yes, the manual editing of permissions works.
Unfortunately it is not possible to automate this reliable via GPO. If the SSL VPN client is already installed, a GPO can change the permissions on the folder. If the client is installed after the GPO has been applied, the GPO will not be applied again and the permissions remain default. 

The only reliable option is to manually check and adjust the permissions on each notebook.

Many thanks for all the suggested solutions!
Peter

Hi

we have had the same situation. We are using round about 650 Notebooks with several firewall clusters in different locations. The challenge was to copy the right config to the client, belonging to the user which is working on it.

We are using now a script, which exports all configs from the sophos via cronjob to a hidden fileshare.

At the logon procedure at the client we will start a script, which is searching for the username and copy the right config to the sophos configfolder.

We are now telling our users, that they need to logon at first in company / domain network a for minimum one time, before they can use vpn.

If you are interested in this solution let me know.

BTW: As i understand the gpo, it will set permisiion verytime it is applied, otherwise ypou can use a powershell-script, which will run at every logon in the background.

I am wondering about this gimmick but have not tried it yet.

The basic problem is that user-specific settings should be in the user profile.

According to the OpenVPN client documentation, the config directory can be moved using a registry key.   

My idea is to set it this way, which of course can be done with GPO:    HKLM\SOFTWaRE\OpenVPN-GUI\config_dir = "%AppData\OpenVPN\Config"

Then IF the Sophos install tool honors the registry setting, when a user kit is applied, it should be applied to the user profile folder.

Hope springs eternal...

Hi ToniKrope,

thanks for the information! Your solution sounds very very interesting to me!

It would be awesome if you can send me some more information about the scripts! ( e.g. by mail? peter.uebelhack@gmail.com ) 

Regarding the GPO. That was my understanding too, but tested it a hundred times, it does not apply a second time. --> no matter, i think the topic is better discussed in different forum ;)

The PowerShell Script is also a good idea! No idea why I haven't thought about it yet. I'll test!

Thanks a lot for your help!

Peter

Dear DouglasFoster,

also a very good point! I'll let you know if it worked out for me!

Thanks!!

Peter