Skip to content

Editing configuration files

You can edit your configuration (.tgb) files in Sophos Connect Admin, which provides you with more granular VPN configuration options.

Open the .tgb file you've exported from Sophos Firewall in Sophos Connect Admin. You can:

  • Turn on Tunnel All to send all traffic through the VPN connection.
  • Turn on Send Security Heartbeat to allow Sophos Endpoint Protection to send a heartbeat to Sophos Firewall. This only works if the user has the Sophos Endpoint Protection client installed on their device.
  • Turn on Allow Password Saving to allow the users to save their username and password on their device. The user credentials are stored securely using keychain services.
  • Turn on Prompt for 2FA if you've configured two-factor authentication for the VPN users on Sophos Firewall.
  • Turn on Auto-connect Tunnel to automatically turn on the connection after the user logs on to Sophos Connect on their device. Sophos Connect won't automatically start the connection if the user is already connected to the corporate network.

    Auto-connect requires an additional configuration parameter: Enter a host/DNS Suffix. It determines whether the user's local system is inside or outside the corporate network. Use one of the following values:

    • An IP address.
    • A Fully Qualified Domain Name (FQDN). The hostname must only resolve when using the internal DNS server.
    • A DNS suffix.


    If you configure an IP Address or FQDN, ICMP must be allowed on this host.

  • Add, change, and delete the networks that the user can connect to. When you add specific networks to the list, you turn split tunneling on. The user accesses resources on those networks through the VPN connection but accesses internet resources straight through their remote gateway.


    If you delete all networks, tunnel all mode will be activated, meaning all traffic goes through the VPN connection.

  • Change the connection name and target host.

    If you clear the configuration, you'll need to import the .tbg file again.

    If you save the configuration, it's saved as a .scx file.


    You can import .scx files and re-edit them.

When you've saved the configuration file, you can send it to the user, who imports it into Sophos Connect.