
Sophos Connect vs. Sophos SSL VPN client - a new limitation regarding multiple connection options to the same firewall?

I regret that the new VPN software "Sophos Connect" brings a deterioration in one important point. At least, I can't find a way to eliminate this shortcoming:

One cannot use the application to apply multiple identities against the same firewall. Normally, I use my Active Directory account for normal VPN access via a Sophos SG (device A). However, if I want to enter a specially protected administration network, then I have to use a local account on the Sophos SG135 (device A). Storing two access identities is now no longer possible with "Sophos Connect", because a single identity can only be set there in relation to one Sophos SG135 (device A).

With the application "Sophos SSL VPN client" you can manage and use multiple accounts for one Sophos SG.

Am I wrong?



This thread was automatically locked due to age.
  • First of all, SSLVPN uses a client certificate, which is bound to a user. So basically you authenticate with a cert and a specific user. 

    So the way Sophos Connect and SSLVPN (trafficlight) work should be the same. You should not be able to use a different user with the same ovpn file.


  • Hello Lucar Toni,

    I think you misunderstood him, as I have the same problem here:

    We want to access a customer's XGS system with our technician laptops with a "normal" user account at that site OR with a more privileged "admin" account. As soon as we import a DIFFERENT .ovpn file for the same IP address or the same FQDN, Sophos Connect replaces that config.

    This is not what we want. We want to have several entries, even if this is going to the same target. This is a very annoying characteristic of the new client.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Sorry, I forgot to mention that. Exactly as Philipp Rusch adds, the point is that any *.ovpn configuration of firewall A replaces an existing configuration. It is not possible to hold different configurations in parallel in Sophos Connect with respect to one target device.

  • In general, the Sophos Connect Client was designed to be used for a customer. The use case of a Partner (connecting to different firewalls) is not covered by this tool in general and was not intended to do so. But to be honest, the market is full of tools for such scenarios with different scenarios.

    From a security perspective, I personally found it to be "dangerous" to have a Partner network with full access to all customers. It comes down to the same scenario as having a notepad document with all passwords to all customers on a desktop. This is something like a supply-chain attack scenario, which gives you full access to all customers by hacking a partner site.
