SSL VPN for remote access - change username for large number of users

Suspect this is a bit of a long shot, but I have a couple of thousand users that use the Remote Access SSL VPN on our Sophos UTM. Users register (autogenerate) on the UTM through the user portal, then the config file for the user is copied off the UTM and placed on the user's machine.

The company is now splitting into two divisions, so all the users' email addresses / UPNs are going to have one of two new email domains in their address. Each user has a unique VPN config file based on the X509 certificate generated for that UTM user account. I'm trying to work out the easiest way to get users' email addresses / usernames changed on the UTM. Perhaps it's not going to be possible without getting each user to re-register on the UTM and then sending out new config files to each user.

Any suggestions?



  • What we did some time ago (on a domain migration) was indeed to have everyone log on to the user portal and download their new config.

    Our setup is that users are authenticated by AD. Based on AD-group membership the user has access to zero, one or more VPN profiles. Users are auto created at first logon in user portal.

    Setting this up for the was only a few minutes of work.

    For us we had 2 remaining issues (but with far fewer employees than in your case it was manageable): 1) OTP secrets needed to be copy/pasted from the old to the new account. Since we had a couple of dozen users we didn't seek automation here (maybe it could have been easier with the REST API). 2) Old user accounts needed to be removed (maybe not strictly necessary as they couldn't authenticate anymore to the old domain, but imho non-existent users should be removed; maybe this could also have been done using the API).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks apijnappels.

    Ideally I was hoping that we could run some command on the UTM that might just modify the username and leave everything else as is (certificate etc.) so we didn't need to regenerate the config file. I know if I change my username in AD and manually update it on the UTM, the VPN still works with the original config file, so I guess there may be a way to script changing the username on the UTM, e.g. from colin.fraser@oldcompany.com to colin.fraser@newcompany.com. The only problem is we would want to do this for selected oldcompany.com users, as we are migrating them over in tranches of a few hundred at a time.

  • Awrite Colin,

    If you have usernames that include the company, then there's no practical solution. In addition, I suspect that you will need to rename the UTM and cause the generation of all new X509 certificates. In any case the X509 certs would have to be regenerated if the username changes.

    Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
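The scripted, tranche-based rename Colin asks about above, as an added example (not code from the thread, from Sophos, or from either poster): the planning function runs offline against a constructed user list, while the UTM RESTful API path /api/objects/aaa/user/, the token-auth header and the user field names (name, email, _ref) are assumptions to verify on your own UTM. Because the replies disagree on whether the existing certificate and config survive a rename, the apply step defaults to a dry run so it can be tried on a single account first.

```python
"""Plan and (optionally) apply a tranche of Sophos UTM user renames
from the old mail domain to the new one. Added example, not from the thread.
API path, auth header and field names are assumptions; verify on your UTM.
"""
import base64
import json
import urllib.request

OLD_DOMAIN = "oldcompany.com"
NEW_DOMAIN = "newcompany.com"

# Constructed sample of what GET /api/objects/aaa/user/ might return.
SAMPLE_USERS = [
    {"_ref": "REF_AaaUser1", "name": "colin.fraser@oldcompany.com", "email": "colin.fraser@oldcompany.com"},
    {"_ref": "REF_AaaUser2", "name": "jane.doe@oldcompany.com", "email": "jane.doe@oldcompany.com"},
    {"_ref": "REF_AaaUser3", "name": "sam.lee@oldcompany.com", "email": "sam.lee@oldcompany.com"},
    {"_ref": "REF_AaaUser4", "name": "sam.lee@newcompany.com", "email": "sam.lee@newcompany.com"},
]


def plan_renames(users, tranche, old_domain=OLD_DOMAIN, new_domain=NEW_DOMAIN):
    """Return {_ref: patch_body} for users whose local part is in `tranche`
    and whose current name is in old_domain. Refuses to plan a rename that
    would collide with an account that already exists under the new name."""
    existing = {u["name"] for u in users}
    plan = {}
    for u in users:
        local, _, domain = u["name"].partition("@")
        if domain != old_domain or local not in tranche:
            continue  # wrong domain or not in this tranche: leave untouched
        new_name = f"{local}@{new_domain}"
        if new_name in existing:
            raise ValueError(f"rename collision: {new_name} already exists")
        plan[u["_ref"]] = {"name": new_name, "email": new_name}
    return plan


def apply_plan(base_url, token, plan, dry_run=True):
    """PATCH each planned user. Token auth via Basic 'token:<token>' (assumption)."""
    auth = base64.b64encode(f"token:{token}".encode()).decode()
    for ref, body in plan.items():
        req = urllib.request.Request(
            f"{base_url}/api/objects/aaa/user/{ref}",
            data=json.dumps(body).encode(), method="PATCH",
            headers={"Authorization": f"Basic {auth}", "Content-Type": "application/json"})
        if dry_run:
            print("would PATCH", req.full_url, body)
        else:
            urllib.request.urlopen(req).read()


if __name__ == "__main__":
    apply_plan("https://utm.example.invalid:4444", "PLACEHOLDER_TOKEN",
               plan_renames(SAMPLE_USERS, {"colin.fraser", "jane.doe"}))
```

Run it against a single test user with dry_run=False only after confirming that user's existing VPN config still connects afterwards; if it does not, the thread's other path (re-register via the user portal and redistribute configs) is the one to plan for.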