
XG v18 Sophos Connect and DUO MFA - .Pro configuration.

We have been successfully using the SSL-VPN client for authenticating to our XG firewall. We are now trying to implement DUO MFA for this, and are looking into the Sophos Connect 2.0 with SSL client, as that appears to be more suited than SSL-VPN. After looking through the documentation I'm unable to figure out the exact sequence of how to configure a workstation for Sophos Connect and DUO.

1. If I download the Sophos Connect client from our user portal and import the existing .ovpn configuration, Sophos Connect will connect fine.

2. There is no provision in the XG setup for adding Sophos Connect as a separate option? Is this because we already have SSL implemented?

3. If we use a .pro file, what is the name of this file supposed to be, and where is it supposed to reside on the user's workstation?

4. I'm assuming we need the .pro file as there are parameters there which specify use of MFA.

5. Do we need both a .pro file and an .ovpn file on the user's workstation? (where .ovpn appears to hold the certificates.)

Any help would be greatly appreciated, and I will be happy to write up a final description of the provisioning process.  



  • FormerMember

    Hi,

    Thank you for reaching out to the Community!

    The Sophos Connect Client supports SSL VPN as well as IPsec (Remote Access). In your case, you want to use it for SSL VPN.

    You can still manually import the .ovpn configuration on Sophos Connect or use a provisioning file, but to configure DUO MFA you need to use a .pro file.

    There's no separate option to configure SSL VPN to use Connect Client on the firewall.

    Check out the following document for more info on the provisioning file and DUO 2FA:

    "The provisioning file works by pointing the client to the XG user portal address and port. When the provisioning file is pushed to a client, the user sees the connection listed, just like any other, and when they click connect, they’ll be prompted for credentials, just like any other connection. The client will then log in to the XG user portal using the supplied credentials, fetch the latest SSL VPN policy for that user, and connect the VPN using the same credentials just entered. This is all invisible to the user and only adds a few seconds to the connection time. Later, if the connection fails, the client will automatically fetch an updated VPN profile from the user portal if any of the policy settings have been changed." 

    Reference: Sophos Connect 2.0 is now GA

    Thanks,

  • "You can still manually import the .ovpn configuration on Sophos Connect or use a provisioning file, but to configure DUO MFA you need to use .pro file."

    "There's no separate option to configure SSL VPN to use Connect Client on the firewall."

    Hi... thanks, H_Patel. Coming from the SSL-VPN side of things, I was a little confused at how this works, but it appears that using the provisioning file is a one-time operation, implemented when first on-boarding a user, and essentially it automates having the user go to the user gateway and downloading and installing the .ovpn and client like they would do with SSL-VPN.

    Oddly, if using only DUO push, you make no specific provisions within the config file, and in fact you specify "0" for no MFA, as the trigger for MFA happens on the RADIUS side. Only if you wish to have the option for push, text, or voice, do you need to specify "2".

    Many thanks for your help.   
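To make the two replies above concrete (the explanation of how the provisioning file points the client at the user portal, and the follow-up about the "0" versus "2" MFA setting), here is an added example of a Sophos Connect provisioning (.pro) file. It is not from this thread and not Sophos's own sample. The key names `display_name`, `gateway`, `user_portal_port`, `otp` and `can_save_credentials` follow my recollection of the provisioning-file format in the Sophos Connect admin guide and should be checked against the current guide before use; the display name, hostname and port are placeholders for your own XG user portal. The `otp` value is taken from the thread: `2` when users should be able to choose push, text or voice (which, as I understand the client, means it prompts for the second factor separately), `0` when Duo is push-only and the RADIUS side triggers the push on its own.

```json
{
  "display_name": "Example Corp SSL VPN (Duo MFA)",
  "gateway": "vpn.example.com",
  "user_portal_port": 443,
  "otp": 2,
  "can_save_credentials": false
}
```

Two points worth keeping in mind when you hand this file out. First, it carries no secrets, only the portal address and port: the certificates arrive inside the .ovpn profile that the client fetches from the user portal after the user has authenticated, so the .pro file can be distributed at onboarding without special handling, while the fetched profile on the workstation is the thing to protect. Second, with MFA in play, leaving credential saving off (`can_save_credentials` false, assuming that key) keeps the user's password from being cached next to a profile that can reconnect on its own; whether that is the right trade-off for your users is a policy choice, but it is the setting I would start from.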
