IPsec and SSL VPN overview
You can configure remote access IPsec and SSL VPN connections using the Sophos Connect client.
To enforce the advanced security settings and have greater flexibility in configuration, use the Sophos Connect client.
How Sophos Connect client works
Configure the Remote access VPN policies and settings as follows:
IPsec: Configure the settings. See IPsec remote access VPN settings.
SSL VPN: Configure the following settings and policies:
Sophos Connect client: You can download the client as follows:
- Administrators: Go to Remote access VPN > IPsec or SSL VPN and click Download client.
- Users: On the user portal, users can download the client from VPN > Sophos Connect client.
Provisioning file: Currently, the provisioning file imports the configuration files for remote access IPsec (.scx) and SSL VPN (.ovpn) into the Sophos Connect client. It also automatically imports any configuration changes you make later. Configure this file in a text editor and save it with a .pro extension. You then share it with users.
When users double-click the provisioning file, it automatically imports the .scx and .ovpn files corresponding to the user. To learn more, see Configuring the provisioning file.
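Because the provisioning file is hand-edited and then distributed to every user, a malformed or overly permissive file is shipped to the whole estate at once. The checker below is an added example, not Sophos code and not from this page: it parses a .pro file, rejects structural mistakes the client would choke on, and warns about settings that weaken the posture (credential caching on, no OTP prompt). The JSON layout and the key names (gateway, user_portal_port, otp, can_save_credentials, check_remote_availability, run_logon_script) are assumptions recalled from the Sophos provisioning-file documentation; confirm them against Configuring the provisioning file before trusting the checker. The two sample files are constructed for the example.

```python
import json

# Assumed layout of a Sophos Connect provisioning (.pro) file: a JSON array of
# profile objects. Key names and meanings below are assumptions recalled from the
# vendor documentation, not taken from this page.
REQUIRED_FIELDS = {
    "gateway": str,                     # firewall hostname or IP the client connects to
    "user_portal_port": int,            # port the client uses to fetch the user's config
    "otp": bool,                        # prompt the user for a one-time password
    "can_save_credentials": bool,       # allow the client to cache the user's password
    "check_remote_availability": bool,  # probe the gateway before connecting (assumed)
    "run_logon_script": bool,           # run a logon script after the tunnel is up
}


def _is(value, typ):
    # bool is a subclass of int in Python, so reject true/false where an int is required
    if typ is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, typ)


def validate_provisioning(text):
    """Parse .pro text and return (profiles, errors, warnings).

    errors:   the client would reject or misuse the file
    warnings: the file parses, but a setting weakens the security posture
    """
    errors, warnings = [], []
    try:
        profiles = json.loads(text)
    except json.JSONDecodeError as exc:
        return [], [f"invalid JSON: {exc}"], []
    if not isinstance(profiles, list) or not profiles:
        return [], ["file must be a non-empty JSON array of profile objects"], []
    for i, p in enumerate(profiles):
        if not isinstance(p, dict):
            errors.append(f"profile {i}: not a JSON object")
            continue
        for key, typ in REQUIRED_FIELDS.items():
            if key not in p:
                errors.append(f"profile {i}: missing '{key}'")
            elif not _is(p[key], typ):
                errors.append(f"profile {i}: '{key}' must be {typ.__name__}")
        gw = p.get("gateway")
        if isinstance(gw, str) and (not gw.strip() or "://" in gw or "/" in gw):
            errors.append(f"profile {i}: 'gateway' must be a bare hostname or IP, not a URL")
        port = p.get("user_portal_port")
        if _is(port, int) and not 1 <= port <= 65535:
            errors.append(f"profile {i}: 'user_portal_port' out of range")
        if p.get("can_save_credentials") is True:
            warnings.append(f"profile {i}: can_save_credentials=true caches the user's password on the endpoint")
        if p.get("otp") is False:
            warnings.append(f"profile {i}: otp=false, the client will not prompt for a second factor")
    return profiles, errors, warnings


# Constructed sample files for this example (not exported from a firewall).
WEAK_PRO = json.dumps([{
    "gateway": "vpn.example.com", "user_portal_port": 443, "otp": False,
    "can_save_credentials": True, "check_remote_availability": False,
    "run_logon_script": False,
}], indent=2)

HARDENED_PRO = json.dumps([{
    "gateway": "vpn.example.com", "user_portal_port": 443, "otp": True,
    "can_save_credentials": False, "check_remote_availability": False,
    "run_logon_script": False,
}], indent=2)


def check_and_report(text):
    """Print findings; return True only when the file has no errors and no warnings."""
    _, errors, warnings = validate_provisioning(text)
    for msg in errors:
        print("ERROR  ", msg)
    for msg in warnings:
        print("WARNING", msg)
    return not errors and not warnings


if __name__ == "__main__":
    print("weak file clean?    ", check_and_report(WEAK_PRO))
    print("hardened file clean?", check_and_report(HARDENED_PRO))
```

Run the checker over the .pro file before you publish it to users; treat warnings as policy decisions (some deployments accept cached credentials), but never ship a file that produces errors, since every user who double-clicks it imports the same mistake.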
Configuration files: These files are automatically created when you configure the IPsec remote access connection and the SSL VPN remote access settings and policy. If you use the provisioning file, users don't need to manually import the SSL VPN configuration files.
Remote access IPsec: Go to Remote access VPN > IPsec and click Export connection to download the files. You must share one of the following configuration files manually with users:
- .scx file: You can only use this file with the Sophos Connect client. It contains advanced settings in addition to the other settings. You configure all the settings on the web admin console. We recommend that you use this file.
If you update any of the advanced settings, send the updated .scx configuration file to users for import into the Sophos Connect client.
- .tgb file: You can use this file with third-party clients. It doesn't contain the advanced settings you configure.
- iOS users can download the configuration file directly from the user portal (VPN > VPN configuration under IPsec VPN profile).
Remote access SSL VPN: It uses the .ovpn configuration file. On the user portal, users can download the file from VPN > VPN configuration under SSL VPN configuration.
Sophos Connect Admin: The application is part of the package (scadmin(legacy).msi) you download when you click Download client on the IPsec remote access page. You can't use this application to edit
You can continue to use the IPsec remote access settings you've configured earlier using Sophos Connect Admin. However, Sophos Firewall only implements the default gateway and permitted network settings you've configured on the firewall.
We recommend that you use the advanced settings on Remote access VPN > IPsec instead of the Sophos Connect Admin.
User portal: For more information about the VPN clients and configurations that users can download, see VPN clients and configuration files on the user portal.
Sophos Firewall versus Sophos Connect Admin
The advanced settings on the web admin console of Sophos Firewall are the same settings you'd update on Sophos Connect Admin for version 18.0 MR3 and earlier.
If you update the advanced settings on Remote access VPN > IPsec on the web admin console, send the updated .scx configuration file to users for import into the Sophos Connect client.
If you don't change any of the default advanced settings on the web admin console, users can continue using the existing configuration file that was updated using Sophos Connect Admin. Alternatively, replicate the settings of the existing configuration file in the advanced settings on the web admin console.
The Use as default gateway setting you specify on Remote access VPN > IPsec applies to all the Allowed users and groups. If you want to turn on this option for some users and turn it off for other users, use remote access SSL VPN.
If you turn on this option, all traffic, including external internet requests, from all the allowed users and groups goes through Sophos Firewall. If you turn it off, Sophos Firewall provides access only to the permitted resources within the network for all the allowed users and groups. The rest goes directly to the internet.
Whether Use as default gateway is turned on or off, if you change the permitted networks on the firewall, the firewall accepts only the permitted networks. It denies all other networks configured in the configuration file.
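The two previous paragraphs describe three outcomes for a packet from a connected user: the client sends it straight to the internet, the firewall forwards it, or the firewall drops it because the destination is in a network that is still listed in the user's (stale) configuration file but no longer in the firewall's permitted networks. The model below is an added example, not Sophos code and not from this page: it reproduces that decision for both settings of Use as default gateway, and lists the stale networks whose presence in a user's file means you need to re-export and redistribute the .scx. It assumes no other firewall rule blocks the traffic, and the networks and destinations are constructed for the example.

```python
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _contains(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)


def classify_destination(dest, client_networks, permitted_networks, use_as_default_gateway):
    """Model of where a packet from a connected remote-access user ends up.

    client_networks:    networks in the .scx/.ovpn file the user imported (may be stale)
    permitted_networks: permitted networks currently configured on the firewall
    Returns 'direct'  (client sends it straight to the internet),
            'tunnel'  (sent through the tunnel and forwarded by the firewall), or
            'denied'  (sent through the tunnel, dropped because it is no longer permitted).
    Assumes no other firewall rule blocks the traffic.
    """
    ip = ipaddress.ip_address(dest)
    client, permitted = _nets(client_networks), _nets(permitted_networks)
    # Client-side routing decision: with split tunnelling only the networks in the
    # user's configuration file are routed into the tunnel.
    if not use_as_default_gateway and not _contains(ip, client):
        return "direct"
    # Firewall-side decision: only the currently permitted networks are accepted.
    if _contains(ip, permitted):
        return "tunnel"
    if _contains(ip, client):
        return "denied"  # still in the user's stale file, removed on the firewall
    return "tunnel"      # default gateway on: internet traffic exits via the firewall


def stale_client_networks(client_networks, permitted_networks):
    """Networks in the user's configuration file not covered by the permitted list.

    A non-empty result means the firewall config changed after the .scx was
    exported: re-export it and send the new file to users.
    """
    permitted = _nets(permitted_networks)
    return [str(n) for n in _nets(client_networks)
            if not any(n.version == p.version and n.subnet_of(p) for p in permitted)]


# Constructed scenario: 10.20.0.0/16 was removed from the firewall's permitted
# networks after the user imported the .scx file.
PERMITTED = ["10.10.0.0/16"]
STALE_CLIENT = ["10.10.0.0/16", "10.20.0.0/16"]

if __name__ == "__main__":
    for dest in ("10.10.5.5", "10.20.1.1", "8.8.8.8"):
        for default_gw in (False, True):
            mode = "default gateway on " if default_gw else "split tunnel      "
            print(dest.ljust(10), mode, classify_destination(dest, STALE_CLIENT, PERMITTED, default_gw))
    print("re-export .scx for:", stale_client_networks(STALE_CLIENT, PERMITTED))
```

The point the model makes visible is that a stale client file fails closed rather than open: the user loses access to the removed network either way, and turning Use as default gateway on does not widen what the firewall accepts, it only changes whether ordinary internet traffic leaves through the firewall or directly from the endpoint.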
Clients, configuration files, and provisioning file
| Type of remote access VPN | Client | Provisioning and configuration files |
|---|---|---|
| IPsec | Sophos Connect client. Users download the client from the user portal. | You can share one of the following files with users: the .scx file (Sophos Connect client only) or the .tgb file (third-party clients). You can also use the provisioning file for remote access IPsec VPNs; users must then install the Sophos Connect client 2.1 or later. |
| IPsec (legacy) | Third-party clients | .tgb file |
| SSL VPN | Sophos Connect client. For macOS and mobile platforms, you can use the OpenVPN Connect client. | You can use one of the following methods: the provisioning file, or the .ovpn configuration file downloaded from the user portal. |