Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Automatic provisioning, configuration files, and clients

You can use the provisioning file to automatically import remote access IPsec and SSL VPN configurations to the Sophos Connect client.

Alternatively, users can download the individual configuration files.

Requirement

When the provisioning file is used, the Sophos Connect client imports the configuration through the VPN portal. For remote users connecting from the WAN zone, you must allow WAN access for the VPN portal in Administration > Device access, under Local service ACL.

Provisioning file

When users double-click the provisioning (.pro) file, it's imported into the Sophos Connect client. Based on the .pro file settings, the client connects to the VPN portal and automatically imports the remote access SSL VPN (.ovpn) file corresponding to the user and the remote access IPsec (.scx) file into the Sophos Connect client.

You can configure the provisioning file in a text editor and save it with a .pro extension. To know the operating systems on which you can use the Sophos Connect client and provisioning file, see Sophos Connect client.

Installing the provisioning file

You can share the .pro file with users. See Provisioning file templates.

Alternatively, you can directly install it on users' endpoints using Active Directory Group Policy Object (GPO) in the following folder: C:\Program Files (x86)\Sophos\Connect\import. The Sophos Connect client will automatically import the .pro file from the folder.

See Import VPN provisioning file through GPO.

Fetching configurations

After importing the provisioning file, the client automatically fetches the available VPN (.scx and .ovpn) configurations.

See the following behavior for configuration changes you make later:

  • If you change the port and protocol on SSL VPN global settings, users must click the gear button for the configuration in the Sophos Connect client and click Update policy.

    Pull configuration changes through the Sophos Connect client.

  • The client automatically fetches any other configuration changes you make.

  • Some configuration changes in SSL VPN global settings, such as port, gateway, SSL server certificate, and protocol, require users to sign in to the Sophos Connect client again.

Configuration files

These files are created when you configure the IPsec remote access connection and the SSL VPN remote access settings and policies.

IPsec: Go to Remote access VPN > IPsec and click Export connection to download the files. You must share one of the following configuration files manually with users:

  • .scx file: You can only use this file with the Sophos Connect client. It contains advanced settings in addition to the other settings. You configure all the settings on the web admin console. We recommend that you use this file.

    If you update any of the advanced settings, send the updated .scx configuration file to users for import into the Sophos Connect client.

  • .tgb file: You can use this file with third-party clients. It doesn't contain the advanced settings you configure.

  • iOS users can download the configuration file directly from the VPN portal (VPN > VPN configuration under IPsec VPN profile).

SSL VPN: It uses the .ovpn configuration file. On the VPN portal, users can download the file from VPN > VPN configuration under SSL VPN configuration. They can select the configuration file that's compatible with the client they use.

Clients and configurations

The clients you can use depends on the connection type and the endpoint device. See the client, provisioning file, and configuration file details in the following table:

Type of remote access VPN Client Provisioning and configuration files
IPsec

Sophos Connect client.

For mobile platforms, you can use the OpenVPN Connect client.

Users download the client from the VPN portal.

You can share one of the following files with users:

.pro (recommended): Share the provisioning file with users. It automatically imports the configuration file to the client.

You can use the provisioning file for remote access IPsec VPNs. Additionally, users must install the Sophos Connect client 2.1 or later.

.scx: Use this configuration file rather than the .tgb file for advanced security settings. You must share it with users.

.tgb

iOS users must download the configuration file from the VPN portal.

IPsec (legacy) Third-party VPN clients .tgb: Share the file with users.
SSL VPN Sophos Connect client

You can use one of the following methods:

.pro (recommended): Share the provisioning file with users. They can click the file to import the .ovpn file to the Sophos Connect client.

.ovpn: Users directly download the file from the VPN portal for the Sophos Connect and OpenVPN Connect clients.

SSL VPN

For macOS, you can use third-party VPN clients.

For mobile platforms, you can use the OpenVPN Connect client.

.ovpn: Users download the file from the VPN portal.