Sophos Connect group authentication

Sophos Connect supports local and Active Directory (AD) users and groups.

If you haven't configured the Sophos Connect client, it's turned off by default for all groups.

If you have configured the Sophos Connect client, it's turned off by default for AD groups that you import to XG Firewall. It's also turned off for groups that you migrate, for example from an earlier version of XG Firewall. However, when you create a new local group on XG Firewall, Sophos Connect client is turned on by default.

You can check this setting under Authentication > Groups.

The image below shows a group with Sophos Connect client turned off.

[Image: Sophos Connect group authentication settings]

If a remote user, for example an AD user, wants to sign in to Sophos Connect client for the first time, they must first sign in to another authentication client, such as the user portal.

If a user is a member of multiple groups, the policy from the group at the top of the list is applied.

If you change the settings for a group, they will override the Sophos Connect client settings.

If you turn off the Sophos Connect client for a group, all the users are disconnected. They won't be able to reconnect, and they will see an authentication error.

User policies always take priority over group policies. For example, if you turn off the Sophos Connect client for an AD group, then turn it on for a user in that group, the user can sign in.

Note: If you turn on the Sophos Connect client for a group, you can't turn it off for a user in that group.