
UTM 9 SG330 - SSL VPN Provisioning File

 I've been everywhere and cannot figure out what I'm doing wrong or if I can even do this.

 Due to a new process with sending out new laptops for our completely remote company I need to automate everything I can out of box.  Here is my situation.

Currently:

  • For a user to be able to VPN they must first go to the Sophos User Portal and download their config (*.ovpn) file, then import that file into Sophos Connect.
  • This is what I’m trying to get around (remove the end user)

 

Where I’m stuck:

  • I believe, from what I have reviewed, that a Provisioning File should be able to be used so when a user connects it grabs their config without them having to do anything themselves.

Notes:

 1. Am I even able to use a provisioning file in this manner where I can save the user from having to go to the user portal themselves to download the config and then import it?

 2. When I try this I keep getting a "Cannot connect to gateway policy".  I am not Sophos savvy, hence why I am here, and am not sure what the gateway policy is

 3. I'm thinking possibly that I'm getting this error because in the events it says "Please enter user credentials" but it never asks for any credentials and moves on to the gateway policy error.

Any help is greatly appreciated.  I've spent hours on this with zero progress.



This thread was automatically locked due to age.
  • I don't know that UTM has this capability, but I know that SFOS has a write-up for it. I haven't ever been that far with UTM and AD.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi Michael
    The function you are looking for is a feature of the Sophos XG/XGS.
    So the Sophos Firewall OS (SFOS).
    The provisioning solution does not exist on the SG and it will certainly not come in the future (SG development is dead).
    On SFOS the principle is that the connect client connects to the user portal, authenticates the user and then downloads his profile.
    A great feature (one of the very few on the XG). But no reason to buy an XG ;-)
    If you find out any automated way yourself -> please post it here!
    Cheers
    Janbo

    ---

    janbo.noerskau@comedia.de UTM lover ;-)

  • Hi Michael and welcome to the UTM Community!

    You can use the following to download the configuration for one or more users.

       

    When you're logged into the new laptop to load the SSL VPN config, are you logged in as the future user of the laptop?

    Cheers - Bob (200 miles west and a little south of you. :-)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply.  I did recently find this option, but what I'm trying to do is automate it.  I guess the best example I can give is a PowerShell script (or some script) that can reach out to the UTM and based on the logged in user (or manually provided credentials) pull their config file then just run it so it imports into Sophos Connect VPN Client.

    I may have to just consider this route of manually downloading and scripting around a repository, just if possible I'm trying to actually call to the UTM since it is already a repository and auto updates with new users assigned to the AD group.

  • Michael, I copied the following lines from the source code on the 'Remote Access' tab of the User Portal:

    <script src="jape/jape_01_config.js" type="text/JavaScript"></script>
    <script src="jape/jape_05_ajax.js" type="text/JavaScript"></script>
    <script src="jape/jape_10_dflt.js" type="text/JavaScript"></script>
    <script src="jape/jape_20_util.js" type="text/JavaScript"></script>
    <script src="jape/jape_30_dom.js" type="text/JavaScript"></script>
    <script src="jape/jape_40_widget.js" type="text/JavaScript"></script>
    <script src="jape/jape_50_form.js" type="text/JavaScript"></script>
    <script src="jape/jape_60_grid.js" type="text/JavaScript"></script>
    <script src="jape/jape_99_common.js" type="text/JavaScript"></script>

    I don't see the SSL_VPN configs anywhere in cc, so I believe they're only built using JavaScript programs when one is requested.  That's beyond my skill sets.

    Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA