IPsec and SSL VPN
You can configure remote access IPsec and SSL VPN connections using the Sophos Connect client.
You can also use the legacy clients for both. However, we recommend using the Sophos Connect client for advanced security settings and greater flexibility in configuration.
How Sophos Connect client works
Configuring remote access policies and settings:
IPsec (remote access): Configure the settings. To learn more, see IPsec remote access VPN.
SSL VPN (remote access): Configure the following settings and policies:
Sophos Connect client: You can download the client as follows:
- Administrators: Click Download client on VPN > IPsec (remote access).
- Users: On the user portal, users can download the client from VPN > Sophos Connect client (IPsec and SSL VPN).
Provisioning file: Currently, the provisioning file imports the configuration files for remote access IPsec (.scx) and SSL VPN configuration (.ovpn) files into the Sophos Connect client. It also automatically imports any configuration changes you make later. Configure this file in a text editor and save it with a .pro extension. You then share it with users.
When users double-click the provisioning file, it automatically imports the .ovpn files corresponding to the user. To learn more, see Configuring the provisioning file.
Configuration files: These files are automatically created when you configure the IPsec remote access connection and the SSL VPN remote access settings and policy. If you use the provisioning file, users don't need to manually import the SSL VPN configuration files.
For IPsec (remote access), click Export connection on VPN > IPsec (remote access) to download the files. You must share one of the following configuration files manually with users:
.scx file: You can only use this file with the Sophos Connect client. It contains advanced settings in addition to the other settings. You configure all the settings on the web admin console. We recommend that you use this file.
If you update any of the advanced settings, send the updated .scx configuration file to users for import into the Sophos Connect client.
.tgb file: You can use this file with third-party clients and the Sophos Connect client. Don't use this file if you configured the advanced settings on the web admin console of Sophos Firewall.
SSL VPN remote access uses the .ovpn configuration file. On the user portal, users can download the file from VPN > SSL VPN client.
Sophos Connect Admin: For versions 18.0 MR3 and earlier, you can use this application to edit the IPsec remote access configuration files. For versions 18.0 MR4 and later, you can make the changes on the IPsec remote access page. You can't use this application to edit the
The application is part of the package (scadmin(legacy).msi) you download when you click Download client on the IPsec remote access page. Learn more about Sophos Connect Admin.
User portal: For more information about the VPN clients and configurations that users can download, see VPN clients and configuration files on the user portal.
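A pre-distribution check for the provisioning file described above, as an added example that is not part of the original page or Sophos's own tooling. It assumes the .pro file is a JSON array of gateway entries using the field names gateway, user_portal_port, otp and can_save_credentials from Sophos's provisioning-file documentation; the function name, defaults and sample content are constructed for illustration.

```python
import json

# Constructed sample .pro content. Field names and defaults are assumptions
# taken from the vendor's provisioning-file format; this page does not list them.
SAMPLE_PRO = """[
  {"gateway": "vpn.example.com", "user_portal_port": 443,
   "otp": false, "can_save_credentials": true},
  {"user_portal_port": 70000}
]"""

def audit_provisioning(text):
    """Return (entry_index, severity, message) findings for a .pro file."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(None, "error", f"not valid JSON: {exc.msg}")]
    if not isinstance(entries, list) or not entries:
        return [(None, "error", "expected a non-empty JSON array of entries")]
    findings = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append((i, "error", "entry is not a JSON object"))
            continue
        gateway = entry.get("gateway")
        if not isinstance(gateway, str) or not gateway.strip():
            findings.append((i, "error", "missing gateway"))
        port = entry.get("user_portal_port", 443)
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(port, bool) or not isinstance(port, int) \
                or not 1 <= port <= 65535:
            findings.append((i, "error", "user_portal_port out of range"))
        # Assumed default: the client may save credentials unless set to false.
        if entry.get("can_save_credentials", True) is not False:
            findings.append((i, "warn", "client may store credentials"))
        # Assumed default: no OTP prompt unless set to true.
        if entry.get("otp", False) is not True:
            findings.append((i, "warn", "OTP prompt off; confirm MFA policy"))
    return findings

if __name__ == "__main__":
    for index, severity, message in audit_provisioning(SAMPLE_PRO):
        print(f"entry {index}: {severity}: {message}")
```

Run it over each .pro file before sharing it with users; warnings mark settings to confirm against your authentication policy, errors mark files the client is unlikely to import.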
Sophos Firewall versus Sophos Connect Admin
The advanced settings on the web admin console of Sophos Firewall are the same settings you'd update on Sophos Connect Admin for version 18.0 MR3 and earlier.
If you update the advanced settings on VPN > IPsec (remote access) on the web admin console, send the updated .scx configuration file to users for import into the Sophos Connect client.
If you don't change any of the default advanced settings on the web admin console, users can continue using the existing configuration file that was updated using Sophos Connect Admin. Alternatively, replicate the settings of the existing configuration file in the advanced settings on the web admin console.
The Use as default gateway setting you specify on VPN > IPsec remote access applies to all the Allowed users and groups. If you want to turn on this option for some users and turn it off for other users, use SSL VPN (remote access).
If you turn on this option, all traffic, including external internet requests, from all the allowed users and groups goes through Sophos Firewall. If you turn it off, Sophos Firewall provides access only to the permitted resources within the network for all the allowed users and groups. The rest goes directly to the internet.
Whether Use as default gateway is turned on or off, if you change the permitted networks on the firewall, the firewall accepts only the permitted networks. It denies all other networks configured in the configuration file.
Clients, configuration files, and provisioning file
|Type of remote access VPN|Client|Provisioning and configuration files|
|---|---|---|
|IPsec (remote access)|Sophos Connect client<br>Users download the client from the user portal.|You can share one of the following files with users:<br>You can use the provisioning file for remote access IPsec VPNs for Sophos Firewall 18.0 MR4 and later. Additionally, users must install version 2.1 of the Sophos Connect client.|
|IPsec remote access (VPN)|Third-party clients| |
|IPsec remote access (legacy)|Third-party clients| |
|SSL VPN (remote access)|Sophos Connect client<br>Windows users can download the client from the user portal.|The Sophos Connect client 2.0 and later versions are available for SSL VPN connections on Windows 8.1 and Windows 10 devices. Users of macOS, Windows 7 SP2, and Windows 8 platforms can continue to use the legacy SSL VPN client.<br>You can use one of the following methods:|
|SSL VPN (remote access)|SSL VPN client (legacy client)<br>Users download the client from the user portal.| |
|SSL VPN (remote access)|For macOS and mobile platforms, we recommend that you use the OpenVPN Connect client.| |