Sophos Connect client

Sophos Connect client is VPN software that runs on Microsoft Windows 7 SP2 and later, and Mac OS 10.12 and later. It establishes highly secure, encrypted VPN tunnels for off-site employees.

You can download the Sophos Connect client and Sophos Connect Admin by clicking Download on the Sophos Connect client page. You can check if the pattern for the Sophos Connect client has been downloaded from Backup & Firmware > Pattern updates.

Note Version 2.0 of the Sophos Connect client supports IPsec and SSL connections. For instructions on how to allow remote access to your network through the Sophos Connect client using an SSL connection, see Sophos Connect SSL.
To allow remote access to your network through the Sophos Connect client using an IPsec connection you need to do as follows:
  • Enable the Sophos Connect client, specify VPN settings and add users on the Sophos Connect client page.
  • Add a firewall rule so that the Sophos Connect client can access the configured LAN networks. For information on how to add a firewall rule, see Firewall. If you want to allow LAN and VPN traffic in both directions, add both LAN and VPN to the source and destination zones. If you want to allow specific traffic for each direction, you need to create separate rules.
Note The Sophos Connect client policy is configured as “tunnel all” by default. You can modify the policy to use split tunneling from Sophos Connect Admin. See Sophos Connect Help for instructions on how to modify the policy.

To export a connection, enable the Sophos Connect client and click Export connection.

Restriction You cannot export the connection when an external certificate is selected as Remote certificate.

The remote users import the connection file and establish a connection using the Sophos Connect client. See Sophos Connect Help for more details.

To revert to factory settings, click Reset.

General settings

Sophos Connect client
Enable the Sophos Connect client.
Interface
Select the WAN port, which acts as the endpoint for your tunnel.
Authentication type

Authentication to use for the connection.

Preshared key Authenticate endpoints using the secret known to both endpoints.

Digital certificate Authenticate endpoints by exchanging certificates (either self-signed or issued by a certificate authority).

Local ID
For preshared key, select an ID type and type a value. DER ASN1DN (X.509) is not acceptable.
Remote ID
For preshared key, select an ID type and type a value. DER ASN1DN (X.509) is not acceptable.
Allowed users
Add users who are allowed to connect using the configured Sophos Connect client.
Note If you haven't configured the WAN interface of XG Firewall with its public IP address, you must modify the configuration file in Sophos Connect Admin. Configure the target host as the public IP address or FQDN of XG Firewall.

Client information

Assign IP from
Range from which an address will be leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.
Note The IP address range leased to Sophos Connect clients must not contain IP addresses that are in use.
Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client
When users are authenticated on a RADIUS server, use the IP address provided by the RADIUS server. If no addresses are provided by the RADIUS server, the static address configured for the user will be assigned or an address will be leased from the specified range.
DNS server 1
Primary DNS server to use for the connection.
DNS server 2
Secondary DNS server to use for the connection.
Sophos Connect client
Click Download to download the Sophos Connect client installers and the Sophos Connect Admin tool:

macOS: Sophos Connect_1.4_(IPsec).pkg

Windows: SophosConnect_2.0_(IPsec_and_SSLVPN).msi

Sophos Connect Admin tool: (scadmin(legacy).msi)

You can use the Sophos Connect Admin tool to specify advanced security and flexibility settings.

Advanced settings

Disconnect when tunnel is idle
Disconnect idle clients from the session after the specified time.
Idle session time interval
Time, in seconds, after which idle clients will be disconnected.