Possibility to run Sophos Connect user-independent

Hey Steppenwolf, this is something we're discussing, but perhaps you could share a bit about how you would see this working and improving things in your use cases? It would help direct our own plans to understand how you would see it working.  

some ideas..

if you plan to introduce a  user-independent "vpn before" logon method, please consider leveraging machine certificate from external CA's, as most customers already have them setup for wired/wireless dot1x. 

The setup would be:

- XG trusts private CA (import Root/intermediate CA Certs)

- XG uses a certificate signed from customers CA for VPN auth (for clients to verify the server)

- clients use their machine certificate to establish the VPN connections

--> XG checks client cert against private CA

--> Client checks XG's cert against private CA

Optionally also support user certificates from private CA, similar to what the XG already does with its own CA. 

this setup would also eliminate the need to manage and user store certificates on the firewall itself.

some ideas..

if you plan to introduce a  user-independent "vpn before" logon method, please consider leveraging machine certificate from external CA's, as most customers already have them setup for wired/wireless dot1x. 

The setup would be:

- XG trusts private CA (import Root/intermediate CA Certs)

- XG uses a certificate signed from customers CA for VPN auth (for clients to verify the server)

- clients use their machine certificate to establish the VPN connections

--> XG checks client cert against private CA

--> Client checks XG's cert against private CA

Optionally also support user certificates from private CA, similar to what the XG already does with its own CA. 

this setup would also eliminate the need to manage and user store certificates on the firewall itself.