IPsec remote access group authentication
The Sophos Connect client supports local and Active Directory (AD) users and groups.
If you haven't configured IPsec remote access, it's turned off by default for all groups.
If you have configured IPsec remote access, it's turned off by default for AD groups that you import to Sophos Firewall. It's also turned off for groups that you migrate, for example, from an earlier version of Sophos Firewall. However, when you create a new local group on Sophos Firewall, IPsec remote access is turned on by default.
You can check this setting under Authentication > Groups.
The image below shows a group with IPsec remote access turned off.
IPsec remote access VPN uses the Sophos Connect client. If a remote user, for example, an AD user, wants to sign in to the Sophos Connect client for the first time, they must first sign in to another authentication client, such as the user portal.
If a user is a member of multiple groups, the policy from the group at the top of the list is applied.
If you change the settings for a group, they override the IPsec remote access settings.
If you turn off IPsec remote access for a group, all the users are disconnected. They won't be able to reconnect, and they'll see an authentication error.
User policies always take priority over group policies. For example, if you turn off the IPsec remote access for an AD group, then turn it on for a user in that group, the user can sign in.
If you turn on IPsec remote access for a group, you can't turn it off for a user in that group.
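The precedence rules above (defaults by group origin, the top-of-list group winning for multi-group members, user settings overriding group settings, and the restriction that a user cannot be turned off once their group is on) can be hard to reason about when auditing who can actually connect. The following is an added example that models those rules in Python; it is not Sophos code or an API, and the `Group`, `User`, `effective_access` and related names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Group:
    name: str
    ipsec_remote_access: bool


@dataclass
class User:
    name: str
    group_names: List[str]
    # None means "inherit from the group"; True/False is a per-user setting.
    ipsec_override: Optional[bool] = None


def group_default(origin: str) -> bool:
    """Default IPsec remote access for a group, by how it was created.

    Models the documented defaults: new local groups are on; groups imported
    from AD or migrated from an earlier firewall version are off.
    """
    if origin not in ("local", "ad", "migrated"):
        raise ValueError(f"unknown group origin: {origin}")
    return origin == "local"


def governing_group(user: User, groups: List[Group]) -> Optional[Group]:
    """Return the group whose policy applies: the first one in the ordered
    list (top of Authentication > Groups) that the user is a member of."""
    for group in groups:
        if group.name in user.group_names:
            return group
    return None


def set_user_override(user: User, groups: List[Group], enable: bool) -> bool:
    """Apply a per-user setting. A user setting can turn access on for a
    member of a group that has it off, but cannot turn it off when the
    user's governing group has it on."""
    group = governing_group(user, groups)
    if group is not None and group.ipsec_remote_access and not enable:
        raise ValueError(
            f"cannot turn off IPsec remote access for {user.name}: "
            f"group {group.name} has it turned on"
        )
    user.ipsec_override = enable
    return user.ipsec_override


def effective_access(user: User, groups: List[Group]) -> bool:
    """User settings take priority over group settings; otherwise the
    top-of-list group decides; a user in no listed group has no access."""
    if user.ipsec_override is not None:
        return user.ipsec_override
    group = governing_group(user, groups)
    return group.ipsec_remote_access if group is not None else False


def disable_group(group: Group, users: List[User], groups: List[Group]) -> List[str]:
    """Turn IPsec remote access off for a group and report which users lose
    access (these are the sessions that would be disconnected)."""
    before = {u.name: effective_access(u, groups) for u in users}
    group.ipsec_remote_access = False
    return [u.name for u in users if before[u.name] and not effective_access(u, groups)]


if __name__ == "__main__":
    # Constructed sample: an AD-imported group above a local group in the list.
    groups = [Group("AD-Engineering", group_default("ad")),
              Group("Local-Admins", group_default("local"))]
    alice = User("alice", ["AD-Engineering", "Local-Admins"])
    bob = User("bob", ["Local-Admins"])
    print("alice:", effective_access(alice, groups))   # False: top group is off
    print("bob:", effective_access(bob, groups))       # True: local group is on
    set_user_override(alice, groups, True)
    print("alice (user setting on):", effective_access(alice, groups))
    print("disconnected:", disable_group(groups[1], [alice, bob], groups))
```

Running the script shows that alice, a member of both groups, is governed by the AD group at the top of the list until a per-user setting turns her on, and that turning the local group off disconnects bob but not alice, whose user setting still applies.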