Attention: even the new Sophos SSL-VPN is unreliable and potentially insecure.

Almost all of our users reported problems using SSL-VPN. Heartbeat was not working properly, and many other connection issues occurred frequently.

The first issue I figured out relates to the internet provider's MTU. If they are using a lower MTU (e.g. less than 1472), you will face this behavior. Smaller MTUs are quite common for cable, mobile or even hotel internet connections.

As this is a common behavior, OpenVPN (Sophos SSL VPN is based on OpenVPN) provides specific options to handle such issues, e.g. by setting a specific MTU/MSS on a server or per-user basis.

OpenVPN also provides an option to prevent DNS leaks (more details on this).

Sophos' implementation of OpenVPN did not respect many of these very important options. Support cases asking for implementation of already existing underlying functionality were rejected with the advice to file a feature request.

As it seems functionality and security are not by design but a "feature" when using Sophos software, you may consider using different solutions, as we are doing now.



[edited by: FloSupport at 11:07 PM (GMT -7) on 16 Oct 2020]
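
An added example, not part of the original post and not Sophos or OpenVPN project code: a small audit that reads an OpenVPN client profile and reports whether it explicitly sets any of the MTU/MSS directives (`mssfix`, `tun-mtu`, `fragment`) or the DNS-leak directive (`block-outside-dns`) that the post refers to. The finding codes, profile contents, host name and the value `1300` are constructed for illustration.

```python
# Added example: audit an OpenVPN client profile for the MTU/MSS and
# DNS-leak directives mentioned in the post.

MTU_DIRECTIVES = {"mssfix", "tun-mtu", "fragment"}  # real OpenVPN options
DNS_DIRECTIVE = "block-outside-dns"                 # real OpenVPN option (Windows clients)

def parse_directives(text):
    """Map each directive in an OpenVPN config to the list of its argument lists."""
    found, in_inline = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("</"):            # end of inline block such as </ca>
            in_inline = False
        elif line.startswith("<"):           # start of inline block such as <ca>
            in_inline = True
        elif not in_inline:                  # skip certificate/key material
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return finding codes (hypothetical names) for directives not set explicitly."""
    seen = parse_directives(text)
    findings = []
    if not MTU_DIRECTIVES & seen.keys():
        findings.append("no-explicit-mtu-mss")
    if DNS_DIRECTIVE not in seen:
        findings.append("no-block-outside-dns")
    return findings

# Constructed sample profiles; host name and values are placeholders.
PROFILE_DEFAULT = """
client
dev tun
proto udp
remote vpn.example.invalid 8443
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
PROFILE_TUNED = PROFILE_DEFAULT + """
; values chosen for illustration only
mssfix 1300
block-outside-dns
"""

if __name__ == "__main__":
    for label, profile in (("default", PROFILE_DEFAULT), ("tuned", PROFILE_TUNED)):
        print(label, audit(profile) or "ok")
```

A finding only means the profile itself does not set the directive; a server can also push these options to clients, so check the server-side configuration before drawing conclusions.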