Configure IPsec remote access VPN with Sophos Connect client

You can configure IPsec remote access connections. Users can establish the connection using the Sophos Connect client.


The Sophos Connect client allows you to enforce advanced security and flexibility settings, such as connecting the tunnel automatically. To configure and establish IPsec remote access connections over the Sophos Connect client, the article shows how to do the following:
  • Specify the settings on the Sophos Connect client page.
  • Send the configuration file to users.
  • Add a firewall rule.
  • Send the Sophos Connect client to users. Alternatively, users can download it from the user portal.
  • Users install the client, import the configuration file into the client, and establish the connection.

Configure IPsec (remote access)

Specify the settings on the Sophos Connect client page.
  1. Go to VPN > Sophos Connect client and click Enable.
  2. Specify the general settings:




    Select a WAN port.

    Authentication type

    Specify a preshared key or the local and remote certificates.

    Local ID

    Remote ID

    Specify the IDs if required.

    Allowed user

    Select the users you want to allow.

    Here's an example:

    General settings
  3. Specify the client information. The following settings are an example:





    Assign IP from

    DNS server 1

    Sophos Connect client

    Click Download and share the client installers for Windows or macOS with users.
    • macOS: Sophos Connect_1.4_(IPsec).pkg
    • Windows: SophosConnect_2.0_(IPsec_and_SSLVPN).msi
    • Sophos Connect Admin tool: scadmin(legacy).msi

    Client information settings
  4. Click Export connection.

    Send the exported .tgb file to users.

    Export the configuration file
  5. Optional To assign a static IP address to a user connecting through the Sophos Connect client, do as follows:
    1. Go to Authentication > Users, and select the user.
    2. On the user's settings page, go down to Sophos Connect client, click Enable, and enter an IP address.

      Here's an example:

      Assign static IP address to a user connecting through the Sophos Connect client

Add a firewall rule

Configure a firewall rule to allow traffic from VPN to LAN and DMZ since you want to allow remote users to access these zones in this example.
  1. Enter a name.
  2. Specify the source and destination zones as follows and click Apply:



    Source zones


    Destination zones



    Here's an example:

    Source and destination zones in the firewall rule

Install and configure Sophos Connect Admin

If you want to configure advanced security settings, you can install the Sophos Connect Admin tool and specify the settings. This is an optional task.
  1. Install the Sophos Connect Admin tool (scadmin(legacy).msi) you've downloaded from XG Firewall.
  2. Run the tool.
  3. Click Open and select the .tgb file you exported.
  4. Change the settings if required. In this example, we enter the WAN port IP address
    Here's an example:

    Edit the configuration file in the Sophos Connect Admin tool
  5. Optional To send only traffic destined to XG Firewall through the tunnel, under Networks, click Add new, enter the subnets you want to allow users to access, and press Enter. This automatically turns off the Tunnel all option.

    In this example, we enter a subnet ( in the LAN zone and a subnet ( in the DMZ zone.

    Here's an example:

    Specify a subnet in the Sophos Connect Admin tool
    Note By default, XG Firewall implements a Tunnel all policy over the Sophos Connect client, sending all traffic, including traffic to the internet, from the remote user through the tunnel. If you specify the Tunnel all policy, the firewall rule must also have the Destination zone set to WAN.
  6. Optional Specify the following settings if required:



    Send Security Heartbeat

    If Sophos Endpoint Protection is installed on users' endpoint devices, it sends a heartbeat to XG Firewall through the tunnel.

    Allow password saving

    It allows users to save their credentials on their endpoints. User credentials are stored securely using keychain services.

    We recommend turning it on if you select Auto-connect tunnel.

    Prompt for 2FA

    Turn it on if you configure multi-factor authentication for VPN users on Authentication > Users or use third-party OTP tokens.

    XG Firewall asks users to enter an MFA token and then appends the token to the password when users sign in.

    Auto-connect tunnel

    Select this option to automatically turn on the connection when users sign in to their endpoints.

    Set client DNS suffix

    Enter the DNS suffix. XG Firewall appends the domain name to all clients when they connect.

    Run logon script

    Select this option to run the script that applies automatically to Active Directory users when they sign in. For example, you can run scripts that map network drives and set default resources the user can access.

  7. Click Save in the lower-right corner.

Sophos Connect Admin saves all the settings as a .scx configuration file. Share the file with users.

Import the connection to remote endpoints

You must share the Sophos Connect client and the .tgb or the .scx configuration file with users. They must install the Sophos Connect client on their endpoints and import the configuration file into the client.

Users must do as follows:

  1. Install the Windows or the macOS installer for the Sophos Connect client your IT administrator shares with you.
  2. Run the Sophos Connect client.

    You can then see it in the system tray of your endpoint.

  3. Click the more options button in the upper-right corner, click Import connection, and select the .tgb or the .scx file your IT administrator has sent.

    Import connection
  4. Sign in using your credentials.

    Sign in to the Sophos Connect client
  5. Enter the verification code if two-factor authentication is required.