Sophos Connect 2.1.20 with Support for SSL VPN still doesn't allow multiple Connections via the GUI

Hi All

We have recently received a notification that the Sophos Connect SSL VPN Client for Windows will go EOL in 2022 and the recommended path is the Sophos Connect Client 2.1.20 that now supports SSL VPN connections.

This is great. I have tested the SSL functionality via the new Sophos Connect client and it works great, just as the now almost EOL SSL Client for Windows did.

However we have noticed a flaw which we are hoping to get around.


The soon to be EOL SSL VPN Client for Windows allowed multiple simultaneous connections to different firewalls via multiple installed TAP adapters, which in my situation and many others is ideal as I have multiple XG / XGS firewalls and clients that I manage at one time. Thus the ability to have multiple VPN connections to multiple firewalls is critical.

However, the Sophos Connect Client with the newly included SSL support, to my knowledge, only allows one SSL or IPsec connection at a time. Once you connect the first connection, the other connections are no longer available via the GUI and you are only able to see the statistics of the first / currently connected VPN.

Please can you assist by letting me know how I can go about connecting more than one VPN via the Sophos Connect Client 2.1.20.
If this feature is not included or possible at the moment, I have a feeling a lot of people that use the SSL VPN Client (EOL in 2022) won't migrate to Sophos Connect 2.1.20, as it's losing one of its biggest features: allowing the connection of multiple SSL VPNs at once.

Any help would be greatly appreciated.

  • I received feedback from a customer that multi-user support (e.g. if users share a laptop for home office) is also not possible like with the old SSL Client. That means you can only import 1 config for 1 destination VPN IP/DNS and for 1 user. It's not possible to import different user profiles for the same VPN destination.

    And it would be great if Sophos would additionally support more than 1 TAP adapter so that multiple active VPN connections are possible.

    Sophos should fix that...

    regards

  • Can you tell me the use case of both features? Are you a partner or customer? 


  • We are a gold partner, but this would be useful for a lot of our customers.

    Use cases:

    The customer has one shared laptop that is used by multiple users. Now every user has 1 week of home office per month and should use this laptop for home office -> so 4 users share the same laptop within a month, and every user should use a user-specific VPN connection and not a general VPN (users may have different access permissions to internal servers...).

    Other use case, especially for partners/support:

    We also use Sophos VPN for the VPN to our company (for server access and for VoIP with a software client, especially for home office). If a customer needs support now, we have to cut our company VPN and connect with the Sophos Connect Client to the customer instead. So we also kill our company VoIP for the user... So it would be great if the Sophos Connect Client allowed at least 2 active VPNs... At the moment I use the old V1 IPsec Sophos Connect Client for the company VPN and use the "old" Sophos SSL Client for an additional VPN to customers...

    regards

  • Hi LuCar and Steve 

    Steve makes a very valid point with the use cases.

    From a support side, we manage all the firewalls for our customers. Imagine, as Steve said, you are working from home with a VPN to your offices with your resources on the office network. All of a sudden you get a call from a client needing support on their network. No problem, I'll just connect my VPN... But wait... sorry, let me just disconnect my office VPN so I can connect your VPN to help you. I'll just have to call you back as it will probably disconnect my VoIP services... No problem. Oh, you are from XYZ company and need to know what your password was from a year ago. Sure, I can help you. We have that info stored at our office... but I'll have to disconnect from you and phone you back again once I have the information, as I can't connect to my offices to get that information for you right now as I'm currently connected to you. What my client hears is "What do you mean you can't help me right now?"

    Another use case is:

    I have a client that is a manager of, say, 2 or 3 branches. My client now wants to connect to all 3 of his branches at the same time so he can do month end and pay salaries. The inability to have multiple VPN connections now forces him to do salaries individually for company A, then disconnect and connect to company B, then disconnect and connect to company C. Something that he could have achieved in 1 hour has now taken him 3 individual hours since he could only connect to one firewall / VPN at a time.

    Allowing multiple TAP adapters for the Sophos Connect client, as was done with the Sophos SSL VPN Client, is the way to go. The ability to add and remove TAP adapters at one's will, as well as to then use said multiple TAP adapters to have multiple active VPN connections, is where the new Sophos Connect needs to be in order to be as competitive as the SSL VPN Client.

    It would be great if Sophos can correct the above issue, but it sounds to me like it might require a code-level change.

  • Most of your use cases are still partner use cases. Why I bring this up: Sophos Connect is currently deployed on millions of endpoints and this request did not come up elsewhere in the last years. Which means this is likely something partners are only using and not the customers, which are the primary target for Sophos Connect.

    As I stated in other threads, maybe the better approach for your use cases is OpenVPN as a client and using the ovpn config file. Did you try this one? Because likely this will work in a better approach than Sophos Connect or even the current Sophos SSLVPN implementation.

    It is properly worth considering for the future to implement this into Sophos Connect. There are other items currently under review to implement, which have a higher priority for Sophos Connect. (Basically because of the points above: It's already deployed for millions of endpoints and nobody asked for this one, as far as I can remember.)


  • Sorry Sophos but a hint for all others:

    You can also use the free SecurePoint SSL-VPN Client with Sophos .ovpn configs. This SSL client software allows multiple TAP adapters out of the box...

    @Sophos your aspiration should normally be to do things better than others instead of telling us there is not really a use case for that... I have a lot of customers that use laptops with multiple user VPNs at the moment (especially in times of corona home office)...

    Sophos killed the old SSL Client and points to the Sophos Connect Client now, but that VPN client lacks features the old SSL Client had...

    It's the same way Sophos did with UTM -> XGS/Sophos Firewall... At the beginning of XG they told us there will be feature parity in later releases, but it's clear now there never will be feature parity! XGS/Sophos Firewall lacks simple features and I don't know what the problem is to implement such things, e.g. Let's Encrypt.

    There is a longer description available of how you can do that manually with XG/XGS. What I'm asking myself now: Why is it not possible that a Sophos engineer just implements that routine in the SF OS GUI?

    Sorry for being a little bit "off topic", but I think Sophos should not move this way and it is not a big thing to do things better. Especially things Sophos already offered in other Sophos products...

    regards

  • My response is not an official Sophos response; instead I am here just to help and give some insights.


  • I am a partner as well, so I will mostly provide use cases from a partner perspective.

    I'll give the SecurePoint SSL-VPN Client a try.

    I see the OpenVPN client by default doesn't allow multiple connections, but I see there is a community edition where they claimed to have rectified that issue.

    "Sophos Connect is currently deployed on millions of endpoints and this request did not come up elsewhere in the last years. Which means this is likely something partners are only using and not the customers, which are the primary target for Sophos Connect."

    I understand the fact that Sophos might be trying to prioritize the customers with the Sophos Connect Client, but in the same breath it feels that Sophos is disregarding the needs of the partners, the very same people and businesses that sell the Sophos products to said customers that Sophos is targeting.

    Honest opinion - do you think a partner would rush to recommend a software that they themselves struggle to use every day?

    "It is properly worth considering for the future to implement this into Sophos Connect. There are other items currently under review to implement, which have a higher priority for Sophos Connect. (Basically because of the points above: It's already deployed for millions of endpoints and nobody asked for this one, as far as I can remember.)"

    I personally believe it is worth implementing, and we, the Sophos partners, are asking for the feature not only to make our lives easier helping and supporting the very customers we sell the Sophos products to, but to make our customers' lives easier and encourage them to use the Sophos products. I know for a fact that a lot of my customers would benefit from the multiple VPN feature. I also know for a fact that a lot of my customers won't use the Sophos Connect client since it doesn't have the multiple VPN feature.

    I'm not trying to say partners should be more valuable than customers, as each should be on the same level, but it definitely feels as if customers are more valuable than partners in your above reply.

    Just some food for thought!


    Thanks for your assistance, I'll look into opening a suggest-a-feature ticket.

  • Don't take that personally... you're not Sophos but you react like Sophos does. Just take our demands "inside" instead of telling us there is not really a need for something (especially for things/features Sophos already offered).

    We all here just want one thing: improve products and give Sophos direct input on what to do better - especially things you already did better in the past..

    A good product always consists of many small things, and some people just need more than "standard", and that should be the aspiration of Sophos and that will also divide good vendors from the big standard.

    So thanks for taking care of this and bringing it inside :-)

    regards

  • I am not a Product Manager. Please feel free to reach out to your direct channels to give such valuable feedback to the proper channels. 
