Making the most of Sophos Connect v2
By Chris McCormack
Working remotely and using VPN has become an important part of everyday life. With XG Firewall it’s extremely easy – and free!
XG Firewall is the only firewall to offer unlimited remote access SSL or IPSec VPN connections at no additional charge.
And we’ve significantly boosted SSL VPN capacity across our entire product range in XG Firewall v18 MR3 through several optimizations.
Our new Sophos Connect v2 remote access VPN client also adds new features that make remote access faster, better and easier.
What’s new in Sophos Connect v2
- SSL VPN support for Windows
- Bulk deployment of SSL VPN configurations (as with IPSec) via an enhanced provisioning file
- Enhanced DUO token multi-factor authentication support
- Auto-connect option for SSL
- Option to execute a logon script when connecting
- Remote gateway availability probing
- Automatic failover to the next active firewall WAN link if one link fails
- Automatic synchronization of the latest user policy if the SSL policy is updated on the firewall (when using the provisioning file to deploy), as well as manual re-synchronization of the latest policy
- File extension association for policy files – import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email
XG Firewall v18 MR3 remote access enhancements:
- Enhanced SSL VPN connection capacity across our entire firewall lineup. The capacity increase depends on your firewall model: desktop models can expect a modest increase, while rack mount units will see a 3-5x improvement in SSL VPN connection capacity.
- Group support for IPSec VPN connections, which now enables group imports from AD/LDAP/etc. for easy setup of group access policy.
Making the most of Sophos Connect remote access
The first decision you will want to make is whether you wish to use SSL, IPSec, or both. Then set up your firewall to accept Sophos Connect VPN connections before deploying the client and connection configuration to your users.
SSL vs IPSec
With Sophos Connect v2 now supporting SSL (on Windows) and with the enhanced SSL VPN capacity available in XG Firewall v18 MR3, we strongly encourage everyone to consider using SSL to get the best experience and performance for your remote access users.
While macOS support for SSL remote access via Sophos Connect is expected soon, we recommend any organizations using macOS take advantage of the new OpenVPN macOS client in the interim.
XG Firewall setup
SSL VPN Setup is very straightforward:
- Follow these initial setup instructions for creating an IP address range for your clients, user group, SSL access policy, and authentication.
- SSL VPN requires access to the XG Firewall User Portal. For optimal security, we strongly advise the use of multi-factor authentication. Set up two-factor authentication via Authentication > One-time password > Settings to ensure you’re only allowing MFA access to the user portal.
- Create a firewall rule that enables traffic from the VPN zone to access your LAN zone (or whatever zones are desired).
Deployment of the client is equally easy:
- Client installer: The client installer is available by navigating to VPN > Sophos Connect Client on your XG Firewall.
- Connection configuration: The SSL VPN connection configuration (OVPN) file is accessible via the user portal, but we strongly encourage the use of a provisioning file to automatically fetch the configuration from the portal. This requires a bit more up-front effort, but greatly simplifies the deployment process and enables changes to the policy without redeploying the configuration.
- Group Policy Management: The best way to deploy the remote access client and provisioning file is via Microsoft Group Policy Management. You will need the files mentioned in the steps above; then follow these step-by-step instructions. You can also use any other software deployment tool you have available – even email.
Monitoring active usage:
You can monitor connected remote users from the XG Firewall Control Center…