Sophos Connect provisioning file

The Sophos Connect provisioning file (.pro) allows you to provision an SSL VPN connection with XG Firewall.

You can send the provisioning file to users through email or group policy (GPO). If you give the user the file directly, for example, by email, the user can double-click the file to import it into the Sophos Connect client. The user then turns on the connection and follows the prompts; the Sophos Connect client automatically downloads the OpenVPN .ovpn file for the SSL VPN connection through the user portal, using the user's credentials (with or without multi-factor authentication).

Tip To prevent users from seeing a certificate error (allow unsigned certificate) when the file is imported, you need to create a new appliance certificate. Use the new certificate for the web admin console of XG Firewall. To do this, go to Administration > Admin settings > Admin console and end-user interaction > Certificate. You must then push the default CA to users. The easiest way to do this is with Active Directory GPO.

You can't download the provisioning file from the user portal. Copy it from this document, edit the settings, and save the file with a .pro extension. For details of the settings, see the table below.

Note You must specify the gateway address. All other fields are optional.

Name

Description

gateway

The FQDN or IPv4 address of the XG Firewall device with which you want to establish the connection.

gateway_order

Specifies how XG Firewall balances traffic when multiple gateways are configured.

Allowed values:

  • distributed: Selects a gateway at random when a connection is attempted.
  • latency: Selects a gateway by how quickly it responds to a TCP connect request.
  • in_order: Tries the first gateway in the list. If that fails, it tries the next gateway in the list.

user_portal_port

The user portal port on which the provisioning connection is made.

Default port: 443. If the user portal port is changed on XG Firewall, you must also change it in the provisioning file.

auto_connect_host

The target host used to determine if the Sophos Connect client of an endpoint device is already on the internal network. The target host is within the network. The Sophos Connect client checks if the host is reachable each time a network interface IP address is obtained or modified. If the host isn't reachable, it means the endpoint device is outside the network. The connection is then automatically enabled, and if the credentials are saved, then the VPN tunnel is established.

Default: empty string “” (auto connect disabled).

To enable auto-connect, set it to an IP address or hostname that exists on the remote LAN network.

otp

Specifies if a one-time password is required for authentication when connecting.

This will give the user a third input box to enter the OTP code in the Sophos Connect client.

Allowed values: true or false.

Default value: false.

2fa

Specifies the method of two-factor authentication to use.

Allowed values: 0, 1, or 2.

Default value: 1.

0 specifies two-factor authentication isn't used.

1 specifies the use of XG Firewall as the two-factor authenticator. The password and OTP token are concatenated. You can use it with Sophos and Google Authenticator.

2 specifies the use of an external OTP server. The password and OTP token are comma-separated. You can use it with authenticators such as Duo.

If you're using only Duo push as your two-factor authentication method for all users, you don't need to turn on OTP, and you can set 2FA to 0. Duo handles the authentication. If you have mixed mode 2FA (DUO push, DUO OTP, or DUO SMS), you must turn on OTP. In the third input box on the authentication page, the user must enter the word push, phone, or sms, or enter the Duo token, depending on what the user can do.

can_save_credentials

Allows users to save their username and password for the connection. If you enter true, a checkbox appears on the user authentication page. The checkbox is checked by default, but the user can decide not to save credentials.

Allowed values: true or false.

Default value: true.

check_remote_availability

Performs a remote availability check at connection startup to eliminate unresponsive clients.

Allowed values: true or false.

Default value: false.

run_logon_script

Runs the logon script provided by the domain controller after the VPN tunnel is established.

Allowed values: true or false.

Default value: false.

The provisioning file can contain one or multiple connections.

Note You must save the provisioning file with a .pro extension.

Tip You can use the provisioning file examples below. Copy and paste the scripts, modify them, and save them with a .pro extension.

Example of a single connection:

[
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]

Example of multiple connections:

[
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    },
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "otp": false,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "check_remote_availability": false,
        "run_logon_script": false
    },
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 9443,
        "can_save_credentials": false
    }
]

When you don't specify fields, the default values are used. In the example above, the second connection will use port 443 for the user portal port and the user can save their credentials.

Note When you add multiple connections, you must separate them with commas.

Example of Sophos two-factor authentication with OTP:

[
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": true,
        "2fa": 1,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]

Example of DUO two-factor authentication only using PUSH:

[
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": false,
        "2fa": 0,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]

Example of DUO 2FA using multiple two-factor authentication configurations such as PUSH, SMS, PHONE, or DUO token:

[
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 443,
        "otp": true,
        "2fa": 2,
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]
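Because the provisioning file is hand-edited and then pushed to every user by email or GPO, it is worth checking it before distribution. The following Python script is an added example for this page, not Sophos code: it parses a .pro file, checks each connection against the settings table above (required gateway, exact JSON types, the allowed values for gateway_order and 2fa, the port range, hostname or IPv4 syntax), flags unknown field names and unreplaced "<Enter ...>" placeholders, and fills in the documented defaults so you can see the effective configuration. The hostname rules, the port range and the sample inputs are assumptions of this example; how strictly the Sophos Connect client itself validates a file on import is not documented on this page.

```python
"""Pre-flight validator for a Sophos Connect provisioning (.pro) file.

Added example for this page; it is not Sophos code. Field names, allowed
values and defaults come from the settings table on the page. The checks the
Sophos Connect client performs on import are not documented there, so this
only catches the mistakes that table lets us detect before a file goes out.
"""
import ipaddress
import json
import re

# field -> (exact JSON type, default used when absent, allowed values or None)
SETTINGS = {
    "gateway": (str, None, None),          # required: FQDN or IPv4 address
    "gateway_order": (str, None, {"distributed", "latency", "in_order"}),
    "user_portal_port": (int, 443, None),
    "auto_connect_host": (str, "", None),  # "" means auto-connect is disabled
    "otp": (bool, False, None),
    "2fa": (int, 1, {0, 1, 2}),
    "can_save_credentials": (bool, True, None),
    "check_remote_availability": (bool, False, None),
    "run_logon_script": (bool, False, None),
}

# One RFC 1123 hostname label (assumed syntax, not a Sophos rule).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_host_or_ipv4(value):
    """True for an IPv4 literal or a syntactically valid hostname/FQDN."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def validate_connection(conn, index):
    """Check one connection object; return (normalised dict or None, errors)."""
    where = f"connection {index}"
    if not isinstance(conn, dict):
        return None, [f"{where}: must be a JSON object"]
    errors, out = [], {}
    for key, value in conn.items():
        if key not in SETTINGS:
            errors.append(f"{where}: unknown field '{key}'")  # e.g. a misspelt name
            continue
        expected, _, allowed = SETTINGS[key]
        # type() rather than isinstance(): bool is a subclass of int in Python,
        # and the table distinguishes true/false fields from the 0/1/2 field.
        if type(value) is not expected:
            errors.append(f"{where}: '{key}' must be a JSON {expected.__name__}")
            continue
        if allowed is not None and value not in allowed:
            errors.append(f"{where}: '{key}' must be one of {sorted(allowed)}")
            continue
        out[key] = value
    # Apply the documented defaults for optional fields the file left out.
    for key, (_, default, _) in SETTINGS.items():
        if key not in out and default is not None:
            out[key] = default
    if "gateway" not in out:
        errors.append(f"{where}: 'gateway' is required")
    elif not is_host_or_ipv4(out["gateway"]):
        # Also catches an unreplaced "<Enter your gateway ...>" placeholder.
        errors.append(f"{where}: 'gateway' is not an FQDN or IPv4 address")
    if not 1 <= out["user_portal_port"] <= 65535:
        errors.append(f"{where}: 'user_portal_port' is out of range")
    host = out["auto_connect_host"]
    if host and not is_host_or_ipv4(host):
        errors.append(f"{where}: 'auto_connect_host' is not a hostname or IPv4 address")
    return out, errors


def validate_pro(text):
    """Parse .pro file text; return (list of normalised connections, errors)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # A missing comma between two connections ends up here.
        return [], [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, list) or not data:
        return [], ["top level must be a non-empty JSON array of connections"]
    connections, errors = [], []
    for i, conn in enumerate(data, start=1):
        out, errs = validate_connection(conn, i)
        errors.extend(errs)
        if out is not None:
            connections.append(out)
    return connections, errors


# Constructed sample inputs (not real deployments). BAD_PRO reproduces the
# mistakes the checker is meant to catch: a placeholder that was never
# replaced, a 2fa value outside 0-2, and a misspelt field name.
GOOD_PRO = """[
    {"gateway": "vpn.example.com", "user_portal_port": 443, "otp": true, "2fa": 1,
     "auto_connect_host": "10.0.0.10", "can_save_credentials": true},
    {"gateway": "203.0.113.10", "gateway_order": "in_order"}
]"""

BAD_PRO = """[
    {"gateway": "<Enter your gateway hostname or IP address>", "2fa": 3},
    {"gateway": "vpn.example.com", "user_portal_port": 9443, "can_save": false}
]"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PRO), ("bad", BAD_PRO)):
        conns, errs = validate_pro(text)
        print(f"{label}: {len(conns)} connection(s), {len(errs)} error(s)")
        for err in errs:
            print("  -", err)
```

Run it against your own file with `validate_pro(open("connections.pro").read())`; a clean result is an empty error list, and the returned dictionaries show what each connection will do once the defaults from the table are applied (for instance, a connection that omits user_portal_port ends up on 443).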