Using Sophos Connect VPN Client

Hey everyone,

I wanted to highlight one of the features listed in XG v17.5 - Sophos Connect. Sophos Connect is a new IPsec VPN client, included with XG v17.5. This is a preview release, where we decided to make the client available now, before we've made all of the XG improvements we are planning. The client, as it stands now, is a cross platform (Windows and Mac) IPsec client with a simple user interface, and a compelling set of features, that are finished, and available for use now. We didn't want to sit on that while waiting for the rest of our plans to be completed, so we decided to get that out to you sooner, even though the total admin user experience still needs a few significant improvements. 

In XG, you'll notice that the Cisco VPN tab under VPN, has been re-named Sophos Connect, and now offers a download for the new IPsec clients and admin utility. While you can create a split tunnel remote access policy on the IPsec tab, this doesn't yet offer a client IP range. So clients will connect and communicate over the tunnel, using whatever IP they are using locally, on the network they're in. While this might work in some cases, it runs into problems, as soon as your users are connected from a subnet that conflicts with a network being accessed over the tunnel. Having visited a hotel or two that gave out addresses in massive 10.0.0.0/8 subnet ranges, the possibility of a conflict using that configuration is pretty significant. Meanwhile, the feature originally built to work with the now-antiquated Cisco IPsec VPN client solves this, and does offer a client IP range, but doesn't allow you to configure a split tunnel. Since the Cisco client is pretty outdated now, we decided to re-purpose that feature for now, and use it as the preferred method for configuring Sophos Connect. 

This makes for a more robust configuration, but the policy generated by that feature, only offers a full-tunnel. While that may be enough in some cases, most of you are looking for a VPN client that allows split tunneling. The tunnel will support split tunneling, but the UI doesn't yet offer that capability. We could slap in the feature, but we also want to move to a more modern method of pushing policy from the firewall when the tunnel connects, rather than leaving all of that up to the config file. So for now, we've taken a short-cut, (this is an early access release after all :) ) and provided a simple policy editor utility. This also let us expose some of the other great features Sophos Connect offers, like the ability to send Security Heartbeats over the tunnel, or an auto-connect when remote capability. 

Ultimately, we will resolve these limits in XG directly, but for the time being, Sophos Connect Admin will let you customize your policies then deploy them to your users.  It's a temporary solution needed to let you use these features, until we can add them into the firewall itself, and one of the big reasons this client will remain as a long term early access release, after 17.5 goes to GA. 

The client is free, and will remain free in the future, and is available to download from within XG today. The client is now available for early access, so we look forward to your testing and feedback. At the end of the XG EAP, the client code should also be considered at a GA quality at that time, but because of the limits I mentioned earlier, we'll continue to offer it as a longer term EAP release, until some time mid next year. 

The download is in the firewall now, under VPN > Sophos Connect client. Also, if you've just updated to v17.5, be sure the firewall has downloaded the client, under Backup & Firmware > Pattern updates, before you try to grab a copy. The package you'll get from the firewall will contain three programs. Sophos Connect for Windows, Sophos Connect for Mac, and Sophos Connect Admin, which is only available for windows. 

You can find instructions in installing and troubleshooting the client, here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html

Looking forward to your feedback, and happy testing!



Tags
[edited by: FloSupport at 7:15 PM (GMT -7) on 28 Sep 2020]
Parents
  • Just been playing around with this feature and in general I like it. I do however find two things that I might have overlooked or am otherwise not able to find the answer:

    1. The connection to the VPN connects to the DDNS configured name (DDNS through Sophos) and I cannot find a way to override the DNS-name or IP-address to connect to. Is this possible?
    2. I cannot find a way to determine which IPSec policies should be used; once connected in the client I can see which policies are applied, but how or where can I determine that another policy should be used, it doesn't seem to be the "DefaultRemoteAccess" policy as there are other settings than are shown in the Sophos VPN client. How/where can the IPSec policy to be used be configured?

    Managing several Sophos UTMs and a Sophos XG both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi Apijnappels,

    Hope you find this mail in good health , im having a similar issue.

    Im testing Sophos XG ( installed on Mini PC ) for my home lab. I have SSL VPN ( remote access ) working fine for my environment

    I use Sophos's Dynamic DNS

    I tried to enable Sophos Connect Client  , and the message i get on the client machine is " No response from gateway : myfirewallname.co "

    Is this because i dont have a static Public IP from my ISP

    Have created Firewall rule with Source and Destination as ANY and allowed Services " IKE "

    Appreciate any assistance

    Regards

    Raju George

  • Hello Raju,

     

    Do you Sophos Connect Client and the stand alone Sophos SSL VPN client installed on the machine? If so that is a problem. You MUST uninstall both of them, and only then reinstall Sophos Connect 2.0 EAP which can do either IPsec VPN (tgb or scx file type) or SSL VPN (ovpn file type) based on the configuration file you import for the connection.

     

    After you import you need to create a firewall rule to allow VPN to LAN traffic and based on your requirements you MUST specify the destination networks allowed in this firewall rule to limit access to the resources behind the firewall. You can even attached specific users for this firewall rule to control it even further on who gets access to those destination networks.

     

    Please let me know if you have any further problems connecting with Sophos Connect.

     

    Regards,
    Ramesh

Reply
  • Hello Raju,

     

    Do you Sophos Connect Client and the stand alone Sophos SSL VPN client installed on the machine? If so that is a problem. You MUST uninstall both of them, and only then reinstall Sophos Connect 2.0 EAP which can do either IPsec VPN (tgb or scx file type) or SSL VPN (ovpn file type) based on the configuration file you import for the connection.

     

    After you import you need to create a firewall rule to allow VPN to LAN traffic and based on your requirements you MUST specify the destination networks allowed in this firewall rule to limit access to the resources behind the firewall. You can even attached specific users for this firewall rule to control it even further on who gets access to those destination networks.

     

    Please let me know if you have any further problems connecting with Sophos Connect.

     

    Regards,
    Ramesh

Children
  • Hi Ramesh,

    Thanks for your reply , i did try uninstalling VPN Client and Sophos Connect and reinstalled Sophos Connect , and imported tgb file

    Still getting IKE UDP Port blocked message

     

    Please refer to attachment

    Also this setup is in a home environment , i dont have static Public IP fro ISP , if that does matter

    Appreciate your assistance

    Have a good day

    Have created attached firewall rule for IKE Services3122.Sophos IKE Firewall rule.docx