Sophos Connect client

Sophos Connect client is VPN software that runs on Microsoft Windows 7 SP2 and later, and macOS 10.12 and later. It establishes encrypted VPN tunnels for off-site employees.

You can download the Sophos Connect client and Sophos Connect Admin by clicking Download on the Sophos Connect client page. You can check if the pattern for the Sophos Connect client has been downloaded from Backup & Firmware > Pattern updates.

Note: Sophos Connect client version 2.0 and later supports IPsec and SSL connections. For instructions on how to allow remote access to your network through the Sophos Connect client using an SSL connection, see Sophos Connect SSL.
To allow remote access to your network through the Sophos Connect client using an IPsec connection, do the following:
  • To turn on the Sophos Connect client, click VPN > Sophos Connect client and select Enable under General settings.
  • Specify the VPN settings and click Apply.
  • Add preconfigured users on the Sophos Connect client page.
  • Add a firewall rule so that the Sophos Connect clients can access the configured LAN networks. For information on how to add a firewall rule, see Add a firewall rule. If you want to allow LAN and VPN traffic in both directions, add both LAN and VPN to the source and destination zones. If you want to allow specific traffic for each direction, you need to create separate rules.
Note: The Sophos Connect client policy is configured as tunnel all by default. You can modify the policy to use split tunneling from Sophos Connect Admin. See Sophos Connect editing configuration files for instructions on how to modify the policy.

To export a connection, enable the Sophos Connect client and click Export connection. This generates a .tgb file, which you can edit using the Sophos Connect Admin tool.

Restriction: You cannot export the connection when an external certificate is selected as Remote certificate.

Remote users import the connection file and establish a connection using the Sophos Connect client. See Sophos Connect Help for more details.

To revert to factory settings, click Reset.

General settings

Sophos Connect client

Enable the Sophos Connect client.

Interface

Select the WAN port, which acts as the endpoint for your tunnel.

Authentication type

Authentication to use for the connection.

Preshared key: Authenticates endpoints using the secret known to both endpoints.

Digital certificate: Authenticates endpoints by exchanging certificates (either self-signed or issued by a certificate authority).

Local ID

For preshared key, select an ID type and type a value. DER ASN1DN (X.509) is not acceptable.

The Local ID identifies the local gateway to connect to and can’t be the same as the Remote ID.

Local ID should always be configured so that clients connect to the correct XG Firewall.

The following values are available:

DNS: Enter an FQDN, for example, xg.example.com. This value is not checked against DNS and is only used to identify the tunnel. If the value is changed then the user must download the updated configuration file.

IP Address: Enter the WAN IP address of the XG Firewall.

Email: Enter an email address, for example, xg@example.com. This can be any email address. If the value is changed then the user must download the updated configuration file.

DER ASN1 DN [X509]: Only available when Authentication type is Digital certificate. The appliance certificate is automatically selected and the certificate values are populated.

Remote ID

For preshared key, select an ID type and type a value. DER ASN1DN (X.509) is not acceptable.

The Remote ID identifies the remote client and can't be the same as the Local ID.

Remote ID can be left blank. The system uses the value ANY. This is useful if you have a lot of clients connecting through the Sophos Connect client.

The following values are available:

DNS: Enter an FQDN, for example, xg.example.com. This value is not checked against DNS and is only used to identify the tunnel. If the value is changed then the end user must download the updated configuration file. This must be different from the one entered for Local ID.

IP Address: Enter an IP address. This must be different from the one entered for Local ID and can be a dummy IP address, for example, 1.1.1.1.

Email: Enter an email address, for example, xg@example.com. This can be any email address. If the value is changed then the user must download the updated configuration file. This must be different from the one entered for Local ID.

DER ASN1 DN [X509]: Only available when Authentication type is Digital certificate. You must upload the certificate to XG Firewall, then select it from the drop-down list next to Remote certificate.

Allowed user

Add users who are allowed to connect using the configured Sophos Connect client.

Note: If you haven't configured the WAN interface of XG Firewall with its public IP address, you must modify the configuration file in Sophos Connect Admin. Configure the target host as the public IP address or FQDN of XG Firewall.

Client information

Assign IP from

Range from which an address will be leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.

The IP address range leased to Sophos Connect clients must not contain IP addresses that are in use.

Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client

When users are authenticated on a RADIUS server, use the IP address provided by the RADIUS server. If no addresses are provided by the RADIUS server, the static address configured for the user will be assigned or an address will be leased from the specified range.
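The Local ID / Remote ID rules and the "Assign IP from" constraints described above are easy to get wrong when a configuration is planned on paper. The following Python script is an added example, not Sophos code, that encodes those rules as checks a planned configuration can be run through before it is entered on the firewall: the ID types allowed with a preshared key versus a digital certificate, Local ID differing from Remote ID, a blank Remote ID meaning ANY, a private pool with at least a 24-bit netmask (read here as a prefix length of 24 or longer, which is an assumption), and no overlap with addresses already in use. All class, function and sample names and the sample addresses are constructed for the example.

```python
"""Pre-flight checks for a planned Sophos Connect IPsec configuration.

Added example, not Sophos code. Names and sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

PRESHARED_KEY = "Preshared key"
DIGITAL_CERTIFICATE = "Digital certificate"

# ID types usable with a preshared key; the DN type needs a certificate.
PSK_ID_TYPES = {"DNS", "IP Address", "Email"}
CERT_ID_TYPES = PSK_ID_TYPES | {"DER ASN1 DN"}


@dataclass
class ConnectConfig:
    auth_type: str
    local_id_type: str
    local_id: str
    remote_id_type: Optional[str] = None  # blank -> the firewall uses ANY
    remote_id: Optional[str] = None
    assign_ip_from: str = ""              # pool in CIDR form, e.g. 10.81.234.0/24
    in_use: List[str] = field(default_factory=list)  # addresses already in use


def effective_remote_id(cfg: ConnectConfig) -> str:
    """A blank Remote ID is treated as the value ANY."""
    if not cfg.remote_id_type or not cfg.remote_id:
        return "ANY"
    return f"{cfg.remote_id_type}:{cfg.remote_id}"


def check_ids(cfg: ConnectConfig) -> List[str]:
    """Return the ID-related problems in cfg (empty list if there are none)."""
    errors = []
    allowed = CERT_ID_TYPES if cfg.auth_type == DIGITAL_CERTIFICATE else PSK_ID_TYPES
    if cfg.local_id_type not in allowed:
        errors.append(f"Local ID type {cfg.local_id_type!r} is not allowed with {cfg.auth_type}")
    # With the DN type the appliance certificate supplies the value, so only
    # the other types need a value typed in.
    if cfg.local_id_type != "DER ASN1 DN" and not cfg.local_id:
        errors.append("Local ID must always be configured")
    if effective_remote_id(cfg) != "ANY":
        if cfg.remote_id_type not in allowed:
            errors.append(f"Remote ID type {cfg.remote_id_type!r} is not allowed with {cfg.auth_type}")
        if (cfg.remote_id_type, cfg.remote_id) == (cfg.local_id_type, cfg.local_id):
            errors.append("Remote ID must be different from Local ID")
    return errors


def check_pool(cidr: str, in_use: List[str]) -> List[str]:
    """Check the 'Assign IP from' range against the documented constraints."""
    try:
        pool = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"Assign IP from: {exc}"]
    errors = []
    if not pool.is_private:
        errors.append(f"{pool} is not a private range")
    if pool.prefixlen < 24:  # assumption: "at least a 24-bit netmask" means /24 or longer
        errors.append(f"{pool} needs at least a 24-bit netmask")
    clashes = [a for a in in_use if ipaddress.ip_address(a) in pool]
    if clashes:
        errors.append(f"{pool} contains addresses already in use: {', '.join(clashes)}")
    return errors


def validate(cfg: ConnectConfig) -> List[str]:
    """All problems found in a planned configuration."""
    return check_ids(cfg) + check_pool(cfg.assign_ip_from, cfg.in_use)


if __name__ == "__main__":
    # Constructed sample: preshared key, blank Remote ID (ANY), and a pool
    # that collides with one address already assigned on the LAN side.
    planned = ConnectConfig(
        auth_type=PRESHARED_KEY,
        local_id_type="DNS",
        local_id="xg.example.com",
        assign_ip_from="10.81.234.0/24",
        in_use=["192.168.1.10", "10.81.234.1"],
    )
    for problem in validate(planned) or ["configuration passes the checks"]:
        print(problem)
```

Run the script as-is to see the clash reported; swap the pool for a range that is not private, or for a /16, and the corresponding check fires instead. The `in_use` list is where you would paste the addresses already assigned to LAN hosts and other VPN pools before committing the range.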

Advanced settings

Disconnect when tunnel is idle

Disconnects idle clients from the session after the specified time.

Idle session time interval

Time, in seconds, after which idle clients will be disconnected.