
Synchronize x509 user certificates

Because of the second corona wave we are trying to improve our VPN capabilities.

Currently we have ~1000 SSL-VPN users on a SG230 (only some 100 connect at a time right now, but the number will grow).

The accounts are synchronized to AD SSO and manually added to the VPN group.

Now we want to throw another SG230 (currently only used for WAF and mail filtering) in the ring.

Both systems are in production and cannot be re-imaged or set to a HA config.

My current approach is:

  • configure the VPN similar to the first one (other VPN IP network subset and other internet line though)
  • add a user to the second SG with identical settings to the first SG
  • export the x509 user cert from the first SG as .p12
  • import it to the second
  • assign this cert to the user, erase the previously auto-generated one

The VPN host cert is also imported, identical from the first to the second SG.

If I connect the user to the second SG (either by DNS round-robin or manual override) everything works as expected.

Is there a way to avoid doing the above steps manually for each user?

Adding a user in the GUI is easy, but then a new (other) x509 certificate is auto-generated.

Exporting the certificate (.p12), importing it into the second SG and assigning it is a lot of effort anyway.

Is there an easier way to do this?

I know the threads about mass-creating users using cc, but none seemed to be a supported solution, just console hacking.

Additionally, there is also no solution to synchronize the certificates.

I've seen that the system configuration can also be exported in configd format (XML).

Is there a way to import only parts of this configuration (user accounts and their certificates)?
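
As an added check that is not part of the original post: when a .p12 exported from the first SG is imported on the second, this small shell helper (assuming `openssl` is on the path; the file names and the export password are placeholders) verifies that the cert inside the .p12 is the same certificate the first SG holds and that it was issued by the VPN CA, so a wrong or freshly auto-generated cert is caught before it is assigned to the user.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` is installed; the
# .p12 file, its export password, the PEM copy of the cert from the first SG
# and the VPN CA certificate are placeholders for what you export from the UTM.
set -eu

# Print the SHA-256 fingerprint of the user certificate stored in a .p12.
# $1 = path to .p12, $2 = export password
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Print the SHA-256 fingerprint of a PEM certificate ($1 = path).
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Verify that the cert inside the .p12 ($1, password $2) is the same cert
# exported from the first SG ($3, PEM) and that it chains to the VPN CA
# ($4, PEM). Returns 0 on success, 1 on fingerprint mismatch, 2 on bad issuer.
check_user_cert() {
    p12="$1"; pass="$2"; expected_pem="$3"; ca_pem="$4"
    got=$(p12_fingerprint "$p12" "$pass")
    want=$(pem_fingerprint "$expected_pem")
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: $p12 has $got, expected $want"
        return 1
    fi
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
            | openssl verify -CAfile "$ca_pem" >/dev/null 2>&1; then
        echo "NOT ISSUED BY VPN CA: $p12"
        return 2
    fi
    echo "OK: $p12 $got"
    return 0
}

# Usage (placeholder names):
#   check_user_cert user1.p12 'export-password' user1-from-sg1.pem vpn-ca.pem
```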



  • Why not use a virtual XG Firewall (maybe in Azure / AWS) and deploy Sophos Connect?

    Single config file, much more performance than needed and you do not have to deal with this stuff at all.

    Sophos Connect + XG uses IPsec and SSL VPN with its own deployment mode. You only need to deploy the MSI and one config file. SC will fetch its own config file from the user portal and automatically deploy.

    It's free (in the base license) and you can deploy this installation within minutes.

    Simply build a VPN back to your setup (UTM) and done.


  • Thank you for your suggestion!

    We have several reasons:

    • due to corporate policy (we're EU anyways) cloud solutions are taboo, in particular US-based ones like Azure/AWS - the Safe Harbor agreement has been cancelled by Trump, so on-premise only
    • the two SG230s are here and have more than a year's worth of FullGuard subscription and shall be used
    • the second lockdown starts in 28 hours - no time to deploy such a solution (in particular to end-user devices like iPhones, MacBooks and laptops) - OpenVPN is fine here
    • the solution sketched above works - it's just a hassle to set up

    However, thank you for your response.