
FAQs for remote access VPN

Basic FAQs

Can I establish remote access IPsec and SSL VPN tunnels on Windows, macOS, and mobile platforms?

See the following table for VPN clients and configurations for the supported endpoint platforms:

Endpoint OS | IPsec                                                      | SSL VPN
Windows     | Sophos Connect client (.pro or .scx)                       | Sophos Connect client (.pro or .ovpn)
macOS       | Sophos Connect client (.scx)                               | Third-party VPN client (.ovpn)
Android     | Third-party VPN client (.tgb)                              | Third-party VPN client (.ovpn)
iOS         | No client required. Download configuration from VPN portal. | Third-party VPN client (.ovpn)

See Supported platforms for Sophos Connect client.

Are remote access VPN connections encrypted?

Yes, all traffic between the firewall and the VPN clients is encrypted.

To see the encryption settings, do as follows:

  • IPsec VPN: Go to Remote access VPN > IPsec and click IPsec profiles. On the IPsec profiles tab, see Encryption algorithm.
  • SSL VPN: Go to Remote access VPN > SSL VPN and click SSL VPN global settings. On the SSL VPN global settings tab, see Cryptographic settings.

Provisioning file

SSL VPN connections are established on gateways that aren't configured in the provisioning (.pro) file.

The Sophos Connect client only uses the gateways entered in the .pro file to connect to the VPN portal and fetch the remote access VPN configurations. These gateways aren't used for establishing VPN connections.

IPsec: Tunnels are established using the interface you select in the configuration.

SSL VPN: Tunnels are established over the interfaces configured on Network > Interfaces if you've allowed SSL VPN from their zones (Administration > Device access > Local service ACL). These are listed in the .ovpn file.

To use the public IP address or a specific IP address for SSL VPN, go to SSL VPN global settings and enter it in Override hostname. See SSL VPN global settings.

How can I use the provisioning and configuration files if the firewall is behind a router?

Provisioning file: Enter the FQDN or public IP address of the router. Configure the router's DNAT settings to forward the traffic to the firewall.

IPsec: In the .scx file, manually change the gateway address to the router's WAN IP address, then configure the router's settings.

SSL VPN: On SSL VPN global settings, set Override hostname to the public FQDN or the router's WAN IP address, then configure the router's settings.

When should users manually import IPsec and SSL VPN configuration changes to the Sophos Connect client?

IPsec: Users must click the Edit connection engine button on the Sophos Connect client, click Update policy, and download the configuration from the VPN portal.

SSL VPN: For changes to the port, protocol, gateway, and SSL server certificate on SSL VPN global settings, users must click Update policy in the client. See When SSL VPN users must download the configuration again.

If you use the .pro file, it automatically fetches some SSL VPN configuration updates. Alternatively, reinstall the .pro file on users' endpoints to fetch the IPsec and SSL VPN configurations again.

Untrusted certificate error appears when the provisioning file is used.

The error appears if you use the firewall's default certificate for the web admin console and the VPN portal (Administration > Admin and user settings). The .pro file connects to the VPN portal to fetch the VPN configurations, resulting in the error because the default certificate's private.

See Remove untrusted certificate error.

Multi-factor authentication

How do I implement MFA for remote access VPN users?

Go to Authentication > Multi-factor authentication and configure MFA. See Configure MFA with an authenticator app.

Make sure you select the following:

  • User portal
  • SSL VPN remote access
  • IPsec remote access

How do I implement an independent input field for OTP in the Sophos Connect client?

To show the third input field, do as follows:

  • IPsec: Go to Remote access > IPsec. Under Advanced settings, select Prompt users for 2FA token and click Apply.
  • IPsec and SSL VPN: Set the following values in the provisioning file:

    • otp: true
    • 2fa: 1

    See Set up MFA for remote access SSL VPN.

Does Sophos Connect client support challenge-based MFA?

No. Currently, the Sophos Connect client doesn't support OTP challenges. It sends the password and OTP to the authentication server together, in passwordotp format (the OTP appended to the password in a single field). So, when the authentication server sends an OTP challenge, it doesn't receive the OTP alone, and authentication fails.

The Sophos Connect client supports call-based and push-based MFA. The VPN portal and web admin console support challenge-based MFA in addition to these.

Remote access IPsec

Can I establish remote access IPsec connections on more than one WAN interface?

Currently, you can only establish remote access IPsec connections on a single WAN interface.

Remote access SSL VPN

Why can't I add subnets smaller than /24 in SSL VPN global settings?

The firewall runs SSL VPN tunnels in multiple instances, depending on the number of CPUs in the model. Each instance creates a tun0 interface, which requires an independent subnet for routing and internal traffic distribution.

The firewall automatically slices subnets from the configured network address and subnet and assigns them to the tun0 interfaces. Smaller subnets, such as /25 and smaller, result in fewer IP addresses for lease.

For example, a 192.168.0.0/27 network in a firewall with eight concurrent instances has a single leasable IP address after assigning the subnets to the eight tun0 interfaces.
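As an added example that is not part of the Sophos documentation, the following Python models the slicing the FAQ describes: it splits a configured SSL VPN range into one slice per instance and reports what each tun0 interface receives. The power-of-two rounding and the per-slice overhead are assumptions; the FAQ's figure of a single leasable address for a /27 across eight instances is the firewall's own accounting, which this code does not reproduce.

```python
import ipaddress
import math

# Added illustration of the slicing described in the FAQ. The rounding rule
# below is an assumption, not Sophos's documented algorithm.


def slice_sslvpn_pool(network: str, instances: int) -> list:
    """Cut the configured SSL VPN range into one equal slice per instance.

    Assumption: the range is split into the smallest power-of-two number of
    equal slices that covers the instance count, so eight instances turn a
    /27 into eight /30 slices, one per tun0 interface.
    """
    pool = ipaddress.ip_network(network, strict=True)
    if instances < 1:
        raise ValueError("instances must be at least 1")
    if instances == 1:
        return [pool]
    extra_bits = math.ceil(math.log2(instances))
    if pool.prefixlen + extra_bits > pool.max_prefixlen:
        raise ValueError(f"{network} cannot be split into {instances} slices")
    return list(pool.subnets(prefixlen_diff=extra_bits))


def pool_report(network: str, instances: int) -> dict:
    """Summarise what each tun0 interface would receive from the range."""
    pool = ipaddress.ip_network(network, strict=True)
    slices = slice_sslvpn_pool(network, instances)
    return {
        # The FAQ states the firewall does not accept ranges smaller than /24.
        "accepted_by_firewall": pool.prefixlen <= 24,
        "slices": len(slices),
        "slice_prefix": slices[0].prefixlen,
        "addresses_per_slice": slices[0].num_addresses,
        # A /30 slice holds four addresses: network, broadcast and two hosts,
        # one of which the tun0 interface itself needs (assumption), so almost
        # nothing is left to lease.
        "starved": slices[0].prefixlen >= 30,
    }


if __name__ == "__main__":
    # The FAQ's own case: a /27 split across eight instances.
    print(pool_report("192.168.0.0/27", 8))
    # A /24, the smallest range the firewall accepts, with eight instances.
    print(pool_report("192.168.0.0/24", 8))
```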