IPsec remote access group authentication

The Sophos Connect client supports local and Active Directory (AD) users and groups.

If you haven't configured IPsec remote access, it's turned off by default for all groups.

If you have configured IPsec remote access, it's turned off by default for AD groups that you import to XG Firewall. It's also turned off for groups that you migrate, for example, from an earlier version of XG Firewall. However, when you create a new local group on XG Firewall, IPsec remote access is turned on by default.

You can check this setting under Authentication > Groups.

[Image: Sophos Connect group authentication settings, showing a group with IPsec remote access turned off]

IPsec remote access VPN uses the Sophos Connect client. Before a remote user, for example, an AD user, can sign in to the Sophos Connect client for the first time, they must sign in to another authentication client, such as the user portal.

If a user is a member of multiple groups, the policy of the group that appears highest in the list is applied.

If you change the setting for a group, the group setting overrides the IPsec remote access settings.

If you turn off IPsec remote access for a group, all users in that group are disconnected. They can't reconnect, and they see an authentication error.

User settings take priority over group settings, except as described in the note below. For example, if you turn off IPsec remote access for an AD group and then turn it on for a user in that group, the user can sign in.
Note: If you turn on IPsec remote access for a group, you can't turn it off for a user in that group.
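The precedence rules above (defaults by group origin, the top-of-list group winning for users in several groups, user overrides, and the restriction that a user in a group with IPsec remote access turned on can't be turned off) are easy to get wrong when auditing who can actually connect. The following is an added example, not Sophos code, that models those rules so you can check the effective access for a user and the blast radius of turning a group off before you do it. It assumes that a user's groups are held in the order shown under Authentication > Groups (top first), that the Origin names are illustrative, and that the users and groups are constructed sample data.

```python
"""Model of XG Firewall IPsec remote access precedence for Sophos Connect users.

Added example, not Sophos code. Group order, Origin names and the sample
users are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Origin(Enum):
    LOCAL = "local"        # created on XG Firewall: on by default
    AD_IMPORT = "ad"       # imported from Active Directory: off by default
    MIGRATED = "migrated"  # migrated from an earlier XG version: off by default


@dataclass
class Group:
    name: str
    origin: Origin
    # None means the setting was left at its default for this origin
    ipsec_remote_access: Optional[bool] = None

    def effective(self) -> bool:
        if self.ipsec_remote_access is not None:
            return self.ipsec_remote_access
        return self.origin is Origin.LOCAL


@dataclass
class User:
    name: str
    groups: List[Group]  # assumed: ordered as under Authentication > Groups, top first
    ipsec_remote_access: Optional[bool] = None  # per-user override, None = inherit


class PolicyError(ValueError):
    """Raised for a change the firewall's rules do not allow."""


def group_policy(user: User) -> bool:
    """Policy from the group at the top of the list; no groups means no access."""
    if not user.groups:
        return False
    return user.groups[0].effective()


def effective_access(user: User) -> bool:
    """User setting takes priority over the group policy."""
    if user.ipsec_remote_access is not None:
        return user.ipsec_remote_access
    return group_policy(user)


def set_user_override(user: User, value: Optional[bool]) -> None:
    """Apply a per-user setting, refusing 'off' when the group has it on."""
    if value is False and group_policy(user):
        raise PolicyError(
            f"{user.name}: cannot turn off IPsec remote access, group has it on")
    user.ipsec_remote_access = value


def impact_of_turning_off(group: Group, users: List[User]) -> List[str]:
    """Names of users who would lose access if `group` were turned off.

    Assumption: users whose effective access stays True (a per-user 'on'
    override, or another group at the top of their list) are not affected.
    The group's setting is restored before returning.
    """
    before = {u.name: effective_access(u) for u in users}
    saved = group.ipsec_remote_access
    group.ipsec_remote_access = False
    try:
        after = {u.name: effective_access(u) for u in users}
    finally:
        group.ipsec_remote_access = saved
    return [n for n in before if before[n] and not after[n]]


if __name__ == "__main__":
    # Constructed sample data
    local = Group("vpn-users", Origin.LOCAL)
    ad = Group("Domain Users", Origin.AD_IMPORT)
    alice = User("alice", [ad])
    set_user_override(alice, True)            # user override beats AD group default
    bob = User("bob", [local])
    carol = User("carol", [ad, local])        # AD group is top of her list
    dave = User("dave", [local, ad])
    for u in (alice, bob, carol, dave):
        print(f"{u.name}: IPsec remote access = {effective_access(u)}")
    print("turning off", local.name, "would disconnect:",
          impact_of_turning_off(local, [alice, bob, carol, dave]))
```

Run it before changing a group: the impact list is exactly the set of Sophos Connect users who will be disconnected and unable to reconnect, while users with a per-user "on" override keep access.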