Import VPN provisioning file through GPO
You can automatically download and import the remote access VPN provisioning file (.pro) to the Sophos Connect clients on users' endpoints using a script through Active Directory Group Policy Object (GPO).
Import provisioning file to Sophos Connect client
To download and import the provisioning file, do as follows:
- Open a blank file in a text editor, such as Notepad, and paste the following script:

    @echo off
    REM Use the automatic import feature of the Sophos Connect client to download and import the .pro file
    REM Wait for scvpn service to be available
    :WAIT2
    timeout /t 5 > NUL
    for /f "tokens=4" %%s in ('sc query scvpn ^| find "STATE"') do if NOT "%%s"=="RUNNING" goto WAIT2
    echo Service is now running!
    REM scvpn service is available. Download the .pro file from a centrally-hosted location. Make sure you enter your URL and the filename you want.
    powershell -Command "Invoke-WebRequest <full_web_url_where_pro_file_is_hosted> -OutFile download_import_scc.pro"
    REM Copy the downloaded .pro file to the SCC import folder for the automatic import feature to act
    copy download_import_scc.pro "C:\Program Files (x86)\Sophos\Connect\import\"

Note
The script waits for the scvpn service to run after the endpoint starts. So, don't stop the Sophos Connect service in your startup apps.
- Save the file with a .bat extension.
- To add the path where you've saved the script, do as follows:
  - On the Windows Server, open Group Policy Management Console (GPMC) and click Group Policy Management.
  - Click the group policy that applies to users' endpoints, click Computer Configuration, and click Policies.
  - Under Windows Settings, click Scripts, and double-click Startup.
  - Follow the instructions to add the .bat file. See Working with startup scripts using the Local Group Policy Editor.
- To apply the script, run the following command:

    gpupdate /force

When users start their endpoints, the scvpn service starts, and the script downloads the .pro file from the server to the Sophos Connect import folder. The Sophos Connect client automatically imports the .pro file from this folder and deletes the file from the folder. It then connects to the user portal through the gateway configured in the .pro file and pulls the remote access IPsec and SSL VPN configurations.
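
Because the .pro file decides which gateway the client connects to, the download step above can be hardened by requiring HTTPS and checking a pinned SHA-256 before anything reaches the import folder. The following is an added example, not Sophos's script: it assumes deployment as a PowerShell startup script, and the URL, hash value and five-minute timeout are placeholders or assumptions to replace.

```powershell
# Added example (not from the Sophos documentation). Values marked as
# placeholders are assumptions; replace them with your own.
$ProUrl      = 'https://files.example.invalid/vpn/download_import_scc.pro'  # placeholder URL
$ExpectedSha = '<sha256_of_the_pro_file_you_published>'                      # placeholder hash
$ImportDir   = 'C:\Program Files (x86)\Sophos\Connect\import'               # folder named on this page
$TempFile    = Join-Path $env:TEMP 'download_import_scc.pro'

# Refuse plain HTTP so the file cannot be replaced in transit.
if ($ProUrl -notmatch '^https://') { Write-Error 'URL must use HTTPS'; exit 1 }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Wait for the scvpn service as the batch script does, but stop after
# five minutes (assumed limit) instead of looping forever.
$deadline = (Get-Date).AddMinutes(5)
while ((Get-Service -Name scvpn -ErrorAction SilentlyContinue).Status -ne 'Running') {
    if ((Get-Date) -gt $deadline) { Write-Error 'scvpn did not start'; exit 1 }
    Start-Sleep -Seconds 5
}

$ok = $false
try {
    # Download to a temporary path, never directly into the import folder.
    Invoke-WebRequest -Uri $ProUrl -OutFile $TempFile -UseBasicParsing -ErrorAction Stop

    # Compare against the pinned hash; -ne is case-insensitive for strings.
    $actual = (Get-FileHash -Path $TempFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha) { throw "Hash mismatch: got $actual" }

    # Only a verified file is handed to the automatic import feature.
    Copy-Item -Path $TempFile -Destination $ImportDir -ErrorAction Stop
    $ok = $true
}
catch {
    Write-Error "Provisioning import skipped: $_"
}
finally {
    Remove-Item -Path $TempFile -ErrorAction SilentlyContinue
}
if (-not $ok) { exit 1 }
```

Update the pinned hash whenever you publish a new .pro file, otherwise endpoints skip the import.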