Questions & Feedback about the future and performance of Sophos Connect.

Hi,

Thanks for the Early Access. It has been really easy to create the provisioning file for SSL VPN; simultaneously, SSL VPN worked without any issue with the user portal enabled on WAN.

But here are some things I've noticed:

  1. Will we be able to create a single provisioning file that contains both IPsec and SSL VPN in the future? Currently, if a remote user, a user who isn't connected through Microsoft AD, or even a Mac user needs a remote connection for both IPsec and SSL VPN, you will need to send two provisioning files. At the same time, it shows as two different connections on Sophos Connect for the same gateway.
  2. Will there be changes on SSL VPN? Currently it is too resource-intensive for any big deployment, or any deployment that has a need for high throughput.
  3. Will there be support for AES-GCM on both IPsec and SSLVPN in the future?
  4. Will we have Sophos Connect for Android/iOS devices? Looking at Sophos Ideas, there's a post from Q1/2018 about it; the Sophos Mobile Product Manager said it was "Under review for Sophos Mobile 9.0", but apparently things have changed since then.

Even though I'm just a home user, numbers 2 and 3 from that list still somehow affect me; any file transfer over SSL VPN currently cripples my XG performance for a while. And my uplink isn't even that high (200 Mbit/s).

Also, I'm sorry for "bringing up this off-topic issue", but it's somehow related to question 2, since SSL VPN uses OpenSSL for crypto. I've noticed that XG v18 currently isn't using the AES-NI instruction set (on the software version) to accelerate anything related to crypto. I've already made a post about this on the XG forum.

Is it possible for everyone that's following that post to get an official answer about it? Or is this an issue with just home users?

I know Sophos Connect 2.0 Early Access just came out (literally). In the end, it's working as expected, and a lot of the ease-of-life changes made are incredible for the end user. But of course, those questions above are just some concerning questions that I have right now.

Thanks!

  • Hi Prism, thanks for the feedback. Some quick answers below:

    Prism said:
    • Will we be able to create a single provisioning file that contains both IPsec and SSL VPN in the future? Currently, if a remote user, a user who isn't connected through Microsoft AD, or even a Mac user needs a remote connection for both IPsec and SSL VPN, you will need to send two provisioning files. At the same time, it shows as two different connections on Sophos Connect for the same gateway.

    Yes, that is the eventual plan, though not in this release.

    Prism said:
    • Will there be changes on SSL VPN? Currently it is too resource-intensive for any big deployment, or any deployment that has a need for high throughput.

    An upcoming XG update will make improvements to SSL VPN scalability (possibly in MR2).

    Prism said:
    • Will there be support for AES-GCM on both IPsec and SSLVPN in the future?

    Yes, though not in this release.

    Prism said:
    • Will we have Sophos Connect for Android/iOS devices? Looking at Sophos Ideas, there's a post from Q1/2018 about it; the Sophos Mobile Product Manager said it was "Under review for Sophos Mobile 9.0", but apparently things have changed since then.

    It's on our backlog, though I don't have a timeline for when that might arrive.

     

    For performance improvements, if you enable compression on SSL VPN with Sophos Connect 2.0, you should now see a performance gain over. I'll leave the AES-NI topic for the XG forums to respond. 

  • As far as I know, compression is recommended to be disabled due to security.

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb