Sophos Connect client

Sophos Connect client is VPN software that runs on Microsoft Windows 7 SP2 and later, and Mac OS 10.12 and later. It establishes highly secure, encrypted VPN tunnels for off-site employees. You can download the Sophos Connect client and Sophos Connect Admin by clicking Download on the Sophos Connect client page. You can check if the pattern for the Sophos Connect clients has been downloaded from Backup & Firmware > Pattern updates.

  • To allow remote access to your network through the Sophos Connect client, specify settings, add users, enable the Sophos Connect, and click Apply.
    Note The Sophos Connect client policy configured here is a “tunnel all” policy. You can modify the policy to use split tunneling from Sophos Connect Admin. See Sophos Connect Admin for instructions on how to modify the policy.
  • To export a connection, enable the Sophos Connect client and click Export connection.
    Note You cannot export the connection when an external certificate is selected as Remote certificate.
    The remote users import the connection file (.tgb) and establish a connection using the Sophos Connect client. See Sophos Connect Help for more details.
  • To revert to factory settings, click Reset.

General settings

Sophos Connect client
Enable the Sophos Connect client.
Select the WAN port, which acts as the endpoint for your tunnel.
Authentication type
Authentication to use for the connection.
  • Preshared key: Authenticates endpoints using the secret known to both endpoints.
  • Digital certificate: Authenticates endpoints by exchanging certificates (either self-signed or issued by a certificate authority).

Local ID
For preshared key, select an ID type and type a value. DER ASN1DN (X.509) is not acceptable.
Remote ID
For preshared key, select an ID type and type a value. DER ASN1DN (X.509) is not acceptable.
Allowed user
Users who are allowed to connect using the configured Sophos Connect client.

Client information

Assign IP from
Range from which an address will be leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.
Note L2TP and PPTP ranges must not overlap.
Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client
When users are authenticated on a RADIUS server, use the IP address provided by the RADIUS server. If no addresses are provided by the RADIUS server, the static address configured for the user will be assigned or an address will be leased from the specified range.

Advanced settings

Disconnect when tunnel is idle
Disconnects idle clients from the session after the specified time.
Idle session time interval
Time, in seconds, after which idle clients will be disconnected.