
IPsec and SSL VPN overview

You can configure remote access IPsec and SSL VPN connections for the Sophos Connect client.

Use the Sophos Connect client rather than a third-party client if you want to enforce the advanced security settings and have more flexibility in configuration. Third-party clients only receive the basic settings.

How Sophos Connect client works

Configure the remote access VPN policies and settings as follows:

  • IPsec: Configure the settings. See IPsec remote access VPN settings.
  • SSL VPN: Configure the SSL VPN settings and policies.

Sophos Connect client: You can download the client as follows:

  • Administrators: Go to Remote access VPN > IPsec or SSL VPN and click Download client.
  • Users: On the user portal, users can download the client from VPN > Sophos Connect client.

Provisioning file: The provisioning file imports the remote access IPsec (.scx) and SSL VPN (.ovpn) configuration files into the Sophos Connect client, and it automatically imports any configuration changes you make later. Create this file in a text editor, save it with a .pro extension, and share it with users.

When users double-click the provisioning file, the client automatically imports the configuration files that correspond to that user. To learn more, see Configuring the provisioning file.

Configuration files: Sophos Firewall creates these files automatically when you configure the IPsec remote access connection and the SSL VPN remote access settings and policy. If you use the provisioning file, users don't need to import the configuration files manually.

  • Remote access IPsec: Go to Remote access VPN > IPsec and click Export connection to download the files. If you don't use the provisioning file, share one of the following configuration files with users:

    • .scx file: You can only use this file with the Sophos Connect client. It contains the advanced settings in addition to the basic settings, and you configure all of them on the web admin console. We recommend that you use this file.

      If you update any of the advanced settings, send the updated .scx configuration file to users for import into the Sophos Connect client. Clients that keep the old file keep the old advanced settings.

    • .tgb file: You can use this file with third-party clients. It doesn't contain the advanced settings you configure.

    iOS users can download the IPsec configuration file directly from the user portal (VPN > VPN configuration under IPsec VPN profile).

  • Remote access SSL VPN: Uses the .ovpn configuration file. On the user portal, users can download the file from VPN > VPN configuration under SSL VPN configuration.

Sophos Connect Admin: This application is part of the package (scadmin(legacy).msi) you download when you click Download client on the IPsec remote access page. You can't use it to edit .ovpn files.

You can continue to use the IPsec remote access settings you configured earlier with Sophos Connect Admin. However, for the default gateway and permitted networks, Sophos Firewall only enforces the values configured on the firewall itself, not the values in the client's configuration file.

Note

We recommend that you use the advanced settings on Remote access VPN > IPsec instead of Sophos Connect Admin.

User portal: For more information about the VPN clients and configurations that users can download, see VPN clients and configuration files on the user portal.

Sophos Firewall versus Sophos Connect Admin

The advanced settings on the web admin console of Sophos Firewall are the same settings you'd have updated in Sophos Connect Admin on version 18.0 MR3 and earlier.

If you update the advanced settings on Remote access VPN > IPsec on the web admin console, send the updated .scx configuration file to users for import into the Sophos Connect client.

If you don't change any of the default advanced settings on the web admin console, users can continue using the existing configuration file that was updated using Sophos Connect Admin. Alternatively, replicate the settings of the existing configuration file in the advanced settings on the web admin console.

Note

The Use as default gateway setting you specify on Remote access VPN > IPsec applies to all the allowed users and groups. If you want to turn this option on for some users and off for others, use remote access SSL VPN instead.

If you turn it on (full tunnel), all traffic from the allowed users and groups, including internet requests, goes through Sophos Firewall and is subject to its rules. If you turn it off (split tunnel), Sophos Firewall provides access only to the permitted networks for all the allowed users and groups, and the rest of the traffic goes directly to the internet from the user's device without passing through the firewall.

Note

Whether Use as default gateway is turned on or off, if you change the permitted networks on the firewall, the firewall accepts only those permitted networks. It denies any other networks listed in the client's configuration file, so an outdated configuration file can't widen a user's access.
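To make the two notes above concrete for the SSL VPN case, here is an added example (not Sophos code and not a Sophos Firewall export): a small Python checker that parses an OpenVPN client profile in the .ovpn format, reports whether it is full-tunnel (redirect-gateway) or split-tunnel (explicit route lines), flags routes that no permitted network on the firewall covers and that the firewall would therefore deny, and lists a few hardening directives a reviewer checks before handing the file to users. The sample profile and the permitted-networks list are constructed for illustration, and the directive names are standard OpenVPN rather than Sophos-specific; the checker reads .ovpn only, not the proprietary .scx file.

```python
"""Review an OpenVPN (.ovpn) client profile: tunnel mode, routes versus the
firewall's permitted networks, and a few hardening directives.

Added example, not Sophos code. The profile and the permitted-networks list
below are constructed for illustration; directive names are standard OpenVPN.
"""
import ipaddress
import re

# Constructed sample profile (not a real Sophos Firewall export).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 8443
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
auth SHA256
# split tunnel: only these networks go through the VPN
route 10.10.0.0 255.255.0.0
route 192.168.50.0 255.255.255.0
route 172.16.9.0 255.255.255.0
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

# Constructed: permitted networks as configured on the firewall (assumption).
PERMITTED_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]


def parse_ovpn(text):
    """Return (directives, inline_blocks).

    directives: list of (keyword, args) in file order, comments skipped.
    inline_blocks: dict tag -> body text for <ca>, <cert>, <tls-auth>, ...
    """
    directives, inline = [], {}
    tag, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                  # inside an inline <tag> block
            if line == f"</{tag}>":
                inline[tag] = "\n".join(body)
                tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, inline


def tunnel_mode(directives):
    """'full' if the client redirects its default gateway into the tunnel,
    otherwise 'split' (only explicit 'route' lines use the tunnel)."""
    return "full" if any(kw == "redirect-gateway" for kw, _ in directives) else "split"


def tunnel_routes(directives):
    """Networks the client routes through the tunnel ('route <net> <netmask>')."""
    return [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            for kw, a in directives if kw == "route" and len(a) >= 2]


def denied_routes(routes, permitted):
    """Routes not contained in any permitted network. Models the note above:
    the firewall accepts only its permitted networks and denies the rest,
    whatever the client configuration file says."""
    allowed = [ipaddress.ip_network(p) for p in permitted]
    return [r for r in routes if not any(r.subnet_of(p) for p in allowed)]


def hardening_findings(directives, inline):
    """Directives a reviewer checks before distributing the profile."""
    present = {kw for kw, _ in directives}
    findings = []
    if "remote-cert-tls" not in present:
        findings.append("missing 'remote-cert-tls server': server certificate EKU not checked")
    if "auth-user-pass" not in present:
        findings.append("missing 'auth-user-pass': no firewall user credentials prompt")
    if not ({"tls-auth", "tls-crypt"} & (present | set(inline))):
        findings.append("no tls-auth/tls-crypt: control channel lacks the extra HMAC layer")
    for kw, a in directives:
        if kw == "cipher" and a and a[0].upper() in ("BF-CBC", "DES-CBC", "DES-EDE3-CBC", "NONE"):
            findings.append(f"weak data-channel cipher '{a[0]}'")
    return findings


def review(text, permitted):
    """Full report for one profile as a dict of plain values."""
    directives, inline = parse_ovpn(text)
    routes = tunnel_routes(directives)
    return {
        "mode": tunnel_mode(directives),
        "routes": [str(r) for r in routes],
        "denied": [str(r) for r in denied_routes(routes, permitted)],
        "findings": hardening_findings(directives, inline),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_OVPN, PERMITTED_NETWORKS).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report for the constructed profile, or import it and call review() on an exported .ovpn file. Routes the server pushes at connect time don't appear in the client file, so treat the split-tunnel result as what the client will request, not as what the firewall will enforce; the permitted networks on the firewall remain the deciding factor, as the note above says.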

Clients, configuration files, and provisioning file

The following list gives, for each type of remote access VPN, the client and the provisioning and configuration files it uses.

IPsec
  Client: Sophos Connect client. Users download the client from the user portal. iOS users download the IPsec configuration file from the user portal (see above).
  Provisioning and configuration files: Share one of the following with users:
    • .pro (recommended): Provisioning file. It automatically imports the configuration file into the client. Users must install Sophos Connect client 2.1 or later.
    • .scx: Use this configuration file rather than the .tgb file to get the advanced security settings.
    • .tgb

IPsec (legacy)
  Client: Third-party clients.
  Provisioning and configuration files: .tgb. Share the file with users.

SSL VPN
  Client: Sophos Connect client.
  Provisioning and configuration files: Use one of the following methods:
    • .pro (recommended): Share the provisioning file with users. It imports the .ovpn file into the client.
    • .ovpn: Users download the file from the user portal.

SSL VPN
  Client: OpenVPN Connect client, for macOS and mobile platforms.
  Provisioning and configuration files: .ovpn. Users download the file from the user portal.
