Sophos Connect provisioning file

The Sophos Connect provisioning file (.pro) allows you to provision IPsec and SSL VPN connections with XG Firewall.

If you've configured the IPsec remote access settings, the provisioning file automatically imports the .scx configuration file into the Sophos Connect client for all users. It only imports the .ovpn configuration file for users you've assigned to an SSL VPN remote access policy.

Using the provisioning file offers the following benefits:

  • Automatically imports the IPsec remote access (.scx) and SSL VPN remote access (.ovpn) configuration files into the Sophos Connect client on users' endpoints. You don't need to share the .scx file with users. Users don't need to sign in to the user portal and download the .ovpn file.
  • Automatically imports any configuration changes you make later.
  • Allows you to specify more than one gateway and their priority.
Note You can use the provisioning file for remote access IPsec VPNs for XG Firewall 18.0 MR4 and later. Additionally, users must install version 2.1 of the Sophos Connect client.

How to use the provisioning file

To create and send the provisioning file, do as follows:

  1. Copy the settings you require from the provisioning file settings section on this help page to a text editor, such as Notepad. You can't download the provisioning file from the user portal.
  2. Edit the settings to meet your network requirements. You must specify the gateway address. The other fields are optional.
  3. Save the .txt file with a .pro extension.
  4. Email the provisioning file to users or use an Active Directory Group Policy Object (GPO) to share it with users.
  5. Based on the IPsec remote access settings and SSL VPN policies you configure on XG Firewall, the provisioning file automatically imports the configuration files as follows:
    • IPsec remote access settings: Imports the .scx file for all users.
    • SSL VPN remote access policies: Imports the .ovpn file only for users specified in the remote access policies.
    • IPsec remote access and SSL VPN remote access policies: Imports both .scx and .ovpn files for users specified in SSL VPN remote access policies if you've also configured the IPsec remote access settings.
  6. To prevent users from seeing a certificate error (allow unsigned certificate) when the file is imported, you must create a new appliance certificate. Use the new certificate for the web admin console of XG Firewall. To do this, go to: Administration > Admin and user settings > Admin console and end-user interaction > Certificate. You must then push the default CA to users. The easiest way to do this is with Active Directory GPO.

Users must do as follows:

  1. Double-click the .pro file. This imports the remote access IPsec and SSL VPN configuration files to the Sophos Connect client on their endpoints.
  2. Turn on the connection, and follow the prompts for the Sophos Connect client to automatically download the IPsec and SSL VPN configuration files. The provisioning file enables the client to automatically import the configuration files .scx and .ovpn through the user portal, using the user’s credentials with or without multi-factor authentication.

Provisioning file settings

Each setting is listed below by name, followed by its description.

gateway

The FQDN or IPv4 address of the XG Firewall that provisions the connection.

gateway_order

Specifies how XG Firewall balances traffic when multiple gateways are configured.

Allowed values: distributed, latency and in_order. XG Firewall acts as follows:

  • distributed: Selects a gateway at random when a connection is attempted.
  • latency: Selects a gateway by how quickly it responds to a TCP connect request.
  • in_order: Tries the first gateway in the list first. If that fails, tries the next gateway in the list.

user_portal_port

The user portal port on which the provisioning connection is made.

Default port: 443. If you change the user portal port on XG Firewall, you must also change it in the provisioning file.

auto_connect_host

The target host used to determine if the Sophos Connect client is already on the internal network. If you specify a value, the Sophos Connect client checks if the host is reachable each time a network interface IP address is obtained or modified. If the host isn't reachable, then the connection is automatically enabled, and if the credentials are saved, then the VPN tunnel is established.

Default: empty string "" (auto-connect disabled).

To turn on auto-connect, set it to an IP address or hostname that exists on the remote LAN network.

otp

Specifies if a one-time password is required for authentication when connecting.

This will give the user a third input box to input the OTP code in the Sophos Connect client.

Allowed values: true or false.

Default value: false.

2fa

Specifies the method of two-factor authentication to use.

Allowed values: 0, 1, or 2.

Default value: 1.

0 specifies two-factor authentication isn't used.

1 specifies the use of XG Firewall as the two-factor authenticator. The password and OTP token are concatenated. You can use it with Sophos and Google Authenticator.

2 specifies the use of an external OTP server. The password and OTP token are comma-separated. You can use it with authenticators such as Duo.

If you're using only Duo push as your two-factor authentication method for all users, you don't need to turn on OTP, and you can set 2FA to 0. Duo handles the authentication. If you have mixed-mode 2FA (Duo push, Duo OTP, or Duo SMS), you must turn on OTP. In the third input box on the authentication page, users must enter the word push, phone, or sms, or enter their Duo token, depending on which method they can use.

can_save_credentials

Allows users to save their username and password for the connection. If you enter true, a checkbox appears on the user authentication page. The checkbox is checked by default but the user can decide not to save credentials.

Allowed values: true or false.

Default value: true.

check_remote_availability

Performs a remote availability check at connection startup to eliminate unresponsive clients.

Allowed values: true or false.

Default value: false.

run_logon_script

Runs the logon script provided by the domain controller after the VPN tunnel is established.

Allowed values: true or false.

Default value: false.

The provisioning file can contain one or multiple connections.
Note You must save the provisioning file with a .pro extension.
Tip You can use the provisioning file examples below. Copy and paste the scripts, modify them, and save them with a .pro extension.

Example of a single connection:

[
    {  
        "gateway": "<Enter your gateway hostname or IP address>", 
        "user_portal_port": 443, 
        "otp": false, 
        "auto_connect_host": "<Enter internal hostname or IP address>", 
        "can_save_credentials": true, 
        "check_remote_availability": false, 
        "run_logon_script": false 
    } 
]

Example of multiple connections:

[  
    {  
        "gateway": "<Enter your gateway hostname or IP address>", 
        "user_portal_port": 443, 
        "otp": false, 
        "auto_connect_host": "<Enter internal hostname or IP address>", 
        "can_save_credentials": true, 
        "check_remote_availability": false, 
        "run_logon_script": false 
    },
    {  
        "gateway": "<Enter your gateway hostname or IP address>", 
        "otp": false, 
        "auto_connect_host": "<Enter internal hostname or IP address>",
        "check_remote_availability": false, 
        "run_logon_script": false 
    },
    {
        "gateway": "<Enter your gateway hostname or IP address>",
        "user_portal_port": 9443,
        "can_save_credentials": false
    }
]

When you don't specify fields, the default values are used. In the example above, the second connection will use port 443 for the user portal port, and users can save their credentials.

Note When you add multiple connections, you must separate them with commas.

You can add multiple gateways to the same connection.

Example of multiple gateways:

[
    {
       "display_name": "XG_SSL-VPN",
       "gateway_order": "in_order",
       "gateway": [ "xg1.some.company.com", "xg2.some.other.com", "xg3.yet.another.com" ],
       "user_portal_port": 433,
       "otp": false,
       "auto_connect_host": "inside.ad.local",
       "can_save_credentials": true,
       "check_remote_availability": true,
       "run_logon_script": true 
    }
]

Example of Sophos two-factor authentication with OTP:

[
    {  
        "gateway": "<Enter your gateway hostname or IP address>", 
        "user_portal_port": 443, 
        "otp": true,
        "2fa": 1,
        "auto_connect_host": "<Enter internal hostname or IP address>", 
        "can_save_credentials": true, 
        "check_remote_availability": false, 
        "run_logon_script": false 
    } 
]

Example of DUO two-factor authentication only using PUSH:

[
    {  
        "gateway": "<Enter your gateway hostname or IP address>", 
        "user_portal_port": 443, 
        "otp": false,
        "2fa": 0,
        "auto_connect_host": "<Enter internal hostname or IP address>", 
        "can_save_credentials": true, 
        "check_remote_availability": false, 
        "run_logon_script": false 
    } 
]

Example of DUO 2FA using multiple two-factor authentication configurations such as PUSH, SMS, PHONE, or DUO token:

[
    {  
        "gateway": "<Enter your gateway hostname or IP address>", 
        "user_portal_port": 443, 
        "otp": true,
        "2fa": 2,
        "auto_connect_host": "<Enter internal hostname or IP address>", 
        "can_save_credentials": true, 
        "check_remote_availability": false, 
        "run_logon_script": false 
    } 
]
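As an added example (not part of the Sophos documentation or the Sophos Connect client), a small Python checker that parses a .pro file and verifies each connection against the settings table above: a required gateway, allowed values, defaults filled in for omitted fields, and keys that are not documented settings (such as a misspelled can_save_credentials). It assumes the JSON layout shown in the examples; the sample file and hostnames are constructed.

```python
import json

# Defaults and allowed values as given in the settings table on this page;
# display_name is accepted because the multi-gateway example uses it.
DEFAULTS = {"user_portal_port": 443, "auto_connect_host": "", "otp": False, "2fa": 1,
            "can_save_credentials": True, "check_remote_availability": False,
            "run_logon_script": False}
KNOWN_KEYS = set(DEFAULTS) | {"gateway", "gateway_order", "display_name"}
GATEWAY_ORDERS = {"distributed", "latency", "in_order"}

def check_connection(conn):
    """Validate one connection object in place (defaults filled in); return its problems."""
    problems = []
    gateways = conn.get("gateway")
    if not isinstance(gateways, list):
        gateways = [gateways]
    if not gateways or any(not isinstance(g, str) or not g for g in gateways):
        problems.append("gateway must be a non-empty string or list of strings")
    for key in sorted(set(conn) - KNOWN_KEYS):
        problems.append(f"{key!r} is not a documented setting (misspelled key?)")
    for key, default in DEFAULTS.items():
        if type(conn.setdefault(key, default)) is not type(default):
            problems.append(f"{key} must be of type {type(default).__name__}")
            conn[key] = default  # fall back so the checks below stay type-safe
    if conn["2fa"] not in (0, 1, 2):
        problems.append("2fa must be 0, 1 or 2")
    if str(conn.get("gateway_order", "in_order")) not in GATEWAY_ORDERS:
        problems.append("gateway_order must be distributed, latency or in_order")
    if not 1 <= conn["user_portal_port"] <= 65535:
        problems.append("user_portal_port must be a valid TCP port")
    if conn["2fa"] == 2 and not conn["otp"]:
        problems.append("2fa 2 (external OTP server) without otp true: no input box for the token")
    return problems

def check_pro(text):
    """Parse the JSON text of a .pro file; return {index: [problems]} per connection."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"parse": [f"invalid JSON (missing comma between connections?): {exc.msg}"]}
    if not isinstance(data, list) or not all(isinstance(c, dict) for c in data):
        return {"parse": ["top level must be a JSON array of connection objects"]}
    return {i: check_connection(c) for i, c in enumerate(data)}

# Constructed sample (hostnames are placeholders): a Duo mixed-mode entry, the 'can_save' typo, and a bad gateway_order.
SAMPLE = """[
  {"gateway": "vpn.example.test", "otp": true, "2fa": 2},
  {"gateway": "vpn2.example.test", "user_portal_port": 9443, "can_save": false},
  {"gateway": ["xg1.example.test", "xg2.example.test"], "gateway_order": "random"}
]"""
```

Running check_pro(SAMPLE) returns no problems for the first connection, flags the undocumented can_save key on the second, and rejects the gateway_order value on the third.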