Possibility to run Sophos Connect user-independent

Hej,

currently, Sophos Connect is user-based and must be configured separately for each user. Is there, or will there be in the future, a way to set this up consistently for the whole PC?

  • Hey Steppenwolf, this is something we're discussing, but perhaps you could share a bit about how you would see this working and improving things in your use cases? It would help direct our own plans to understand how you would see it working.

  • Our remote workstations are VPN only. That means without VPN no internet and no management of this device. These devices are usually used by several users, who access the same resources and also switch during the connection. Also for maintenance purposes an independent connection would be necessary for us. We use software distribution software which forces the user to log off and currently the VPN connection is then disconnected. Our VPN connections are currently created per device, that means one user per device.

    With best regards,

    Steppenwolf

  • Hi Sophos Connect team

    We are also looking for this feature to get our computers online and connected before the user logs in or Windows tries to sync the group policies.

    That will also allow us to remotely log in to computers from the company network to do support on problems with commuters connected by VPN with having the user all the time sitting in front and waiting as we need his password etc. again.

    PS: At the moment we use Direct Access but that's not working as we expected - with that feature we will get what we need :-)

    Expert-Zone.Net IT Consulting
    Neuenhofer Weg 23 • D-52074 Aachen

  • some ideas..

    If you plan to introduce a user-independent "vpn before" logon method, please consider leveraging machine certificates from external CAs, as most customers already have them set up for wired/wireless dot1x.

    The setup would be:

    - XG trusts private CA (import Root/intermediate CA Certs)
    - XG uses a certificate signed by the customer's CA for VPN auth (for clients to verify the server)
    - clients use their machine certificate to establish the VPN connections

    --> XG checks client cert against private CA
    --> Client checks XG's cert against private CA

    Optionally also support user certificates from private CA, similar to what the XG already does with its own CA.

    This setup would also eliminate the need to manage and store user certificates on the firewall itself.
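
The two trust checks proposed in the last post, modelled with the OpenSSL command line as an added example; it is not part of the thread and is not Sophos Connect or XG configuration. All names (`private-ca`, `other-ca`, `vpn-gateway`, `WS-0042`, `unknown-host`) are constructed, and restricting each certificate to `serverAuth` or `clientAuth` is an assumption about how the private CA issues them.

```shell
#!/bin/sh
# Added example. Every name here (private-ca, other-ca, vpn-gateway, WS-0042,
# unknown-host) is constructed; keys and certs live in a temp dir for one run.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: self-signed root standing in for a private CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue CA NAME EKU: leaf certificate signed by CA, restricted to one usage
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$work/$2.ext"
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.crt" -CAkey "$work/$1.key" \
    -CAcreateserial -days 1 -extfile "$work/$2.ext" -out "$work/$2.crt" 2>/dev/null
}

# check CA PURPOSE NAME: chain and usage check as a relying party would do it
check() {
  if openssl verify -CAfile "$work/$1.crt" -purpose "$2" "$work/$3.crt" \
       >/dev/null 2>&1; then echo accept; else echo reject; fi
}

make_ca private-ca
make_ca other-ca
issue private-ca vpn-gateway serverAuth   # gateway's VPN certificate
issue private-ca WS-0042 clientAuth       # workstation machine certificate
issue other-ca unknown-host clientAuth    # machine cert from an untrusted CA

echo "gateway verifies WS-0042:       $(check private-ca sslclient WS-0042)"
echo "client verifies vpn-gateway:    $(check private-ca sslserver vpn-gateway)"
echo "gateway verifies unknown-host:  $(check private-ca sslclient unknown-host)"
echo "server cert offered as client:  $(check private-ca sslclient vpn-gateway)"
```

The last two lines are the cases worth testing in any such deployment: a machine certificate from a CA the gateway does not trust, and a certificate from the right CA presented for the wrong purpose.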