Sophos Connect provisioning file

The Sophos Connect provisioning file (.pro) lets you provision an SSL VPN connection to XG Firewall.

You can send the provisioning file to users through email or Group Policy (GPO). Users must double-click the file to import it into the Sophos Connect client. The client then automatically downloads the OpenVPN (.ovpn) configuration file from the user portal, using the user's credentials.

Tip: The first time users import the file, they get a certificate prompt (to allow the unsigned certificate). To prevent this, create a new appliance certificate, use it for the XG web admin console, and also push the default CA from the XG to the end users.

You must write the provisioning file in JSON format.

Note: You must specify a display name and gateway address. All other fields are optional.

Field name, followed by its description:

display_name

Connection name. Users can change it later. If an existing connection has the same name, the user will be prompted at import to allow overwriting the connection.

gateway

The FQDN or IPv4 address of the XG Firewall which provisions the connection.

user_portal_port

The user portal port on which the provisioning connection is made.

Default port: 443. If the user portal port is changed on XG Firewall, it must also be changed in the provisioning file.

auto_connect_host

The target host used to determine whether the Sophos Connect client is on the protected network. If a value is supplied, the user can set the connection to connect automatically when outside the protected network.

Default: empty string "" (auto connect disabled).

To enable auto connect, set it to an IP address or hostname that exists on the remote LAN network.

otp

Specifies if a one-time password is required for authentication when connecting.

Allowed values: true or false.

Default value: false.

can_save_credentials

Allows users to save their username and password for the connection. If set to true, a checkbox appears on the user authentication page. The checkbox is selected by default, but the user can choose not to save credentials.

Allowed values: true or false.

Default value: true.

check_remote_availability

Performs a remote availability check at connection startup to eliminate unresponsive clients.

Allowed values: true or false.

Default value: false.

run_logon_script

Runs the logon script provided by the domain controller after the VPN tunnel is established.

Allowed values: true or false.

Default value: false.

CAUTION: If you use Duo authentication, you must not enable OTP. Only enable OTP if you are using one-time password tokens.

The provisioning file can contain one or more connections.

Note: You must save the provisioning file with a .pro extension.

Tip: You can use the provisioning file examples below. Copy and paste them, modify them, and save them with a .pro extension.

Example of a single connection:

[
    {
        "display_name": "<Enter connection name>",
        "gateway": "<Enter your gateway hostname or IP>",
        "user_portal_port": 443,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]

Example of multiple connections:

[
    {
        "display_name": "<Enter connection name>",
        "gateway": "<Enter your gateway hostname or IP>",
        "user_portal_port": 443,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    },
    {
        "display_name": "<Enter connection name>",
        "gateway": "<Enter your gateway hostname or IP>",
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP>",
        "check_remote_availability": false,
        "run_logon_script": false
    },
    {
        "display_name": "<Enter connection name>",
        "gateway": "<Enter your gateway hostname or IP>",
        "user_portal_port": 9443,
        "can_save_credentials": false
    }
]

When you omit a field, its default value is used. In the example above, the second connection uses port 443 for the user portal port, and the user can save their credentials.

Note: When you add multiple connections, you must separate them with commas.
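As an added example (not Sophos code), here is a small Python checker for a .pro file that enforces the rules above before the file is sent out by email or GPO: it requires display_name and gateway, rejects template placeholders that were left in, flags undocumented keys (such as a misspelled can_save_credentials), type-checks the booleans and the port, warns about duplicate display names (which trigger the overwrite prompt at import) and fills in the documented defaults. The sample file and the hostname vpn.example.com are constructed for this example.

```python
import json

# Documented .pro fields: display_name and gateway are mandatory, the rest have defaults.
REQUIRED = ("display_name", "gateway")
DEFAULTS = {
    "user_portal_port": 443,
    "auto_connect_host": "",
    "otp": False,
    "can_save_credentials": True,
    "check_remote_availability": False,
    "run_logon_script": False,
}
BOOL_FIELDS = ("otp", "can_save_credentials", "check_remote_availability", "run_logon_script")
# Constructed sample: connection 0 is valid; 1 reuses the name, keeps a placeholder, misspells a key.
SAMPLE = """[
  {"display_name": "HQ", "gateway": "vpn.example.com", "user_portal_port": 9443},
  {"display_name": "HQ", "gateway": "<Enter your gateway hostname or IP>", "can_save": false}
]"""

def validate_pro(text):
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        return [], [f"invalid JSON: {e}"]
    if not isinstance(data, list):
        return [], ["top level must be a JSON array of connection objects"]
    errors, seen, result = [], set(), []
    for i, conn in enumerate(data):
        if not isinstance(conn, dict):
            errors.append(f"connection {i}: not a JSON object")
            continue
        for key in REQUIRED:  # mandatory, and must not be a left-over "<...>" template value
            value = conn.get(key)
            if not isinstance(value, str) or not value or value.startswith("<"):
                errors.append(f"connection {i}: missing or placeholder '{key}'")
        for key in conn:  # a misspelled key will not be recognized, so flag anything undocumented
            if key not in REQUIRED and key not in DEFAULTS:
                errors.append(f"connection {i}: unknown field '{key}'")
        for key in BOOL_FIELDS:
            if key in conn and not isinstance(conn[key], bool):
                errors.append(f"connection {i}: '{key}' must be true or false")
        port = conn.get("user_portal_port", DEFAULTS["user_portal_port"])
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"connection {i}: 'user_portal_port' must be an integer port")
        if conn.get("display_name") in seen:  # same name triggers an overwrite prompt at import
            errors.append(f"connection {i}: duplicate display_name '{conn.get('display_name')}'")
        seen.add(conn.get("display_name"))
        result.append({**DEFAULTS, **conn})  # apply documented defaults for omitted fields
    return result, errors
```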