Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Provisioning file templates

The Sophos Connect provisioning file allows you to provision remote access IPsec and SSL VPN connections with Sophos Firewall.

If you've configured the IPsec remote access settings, the provisioning file automatically imports the .scx configuration file into the Sophos Connect client for all users. It only imports the .ovpn configuration file for users you've assigned to an SSL VPN remote access policy.

It also automatically imports any configuration changes you make later. Users don't need to download the configuration file from the VPN portal.

Note

You can use the provisioning file for remote access IPsec VPNs. Users must install the Sophos Connect client 2.1 or later.

Benefits

Using the provisioning file offers the following benefits:

  • Automatically imports the IPsec remote access (.scx) and SSL VPN remote access (.ovpn) configuration files into the Sophos Connect client on users' endpoints. You don't need to share the .scx file with users.

    Users won't need to sign in to the VPN portal and download the .ovpn file.

  • Automatically imports any configuration changes you make later.

  • Allows you to specify more than one gateway and their priority.

Configure the provisioning file

You can configure the provisioning file and share it with users. Alternatively, you can deploy it on users' endpoints through Active Directory Group Policy Management (GPO).

Provisioning file settings

Setting Description
gateway The FQDN or IPv4 address of the Sophos Firewall that provisions the connection.
gateway_order

Specifies how Sophos Firewall balances traffic when multiple gateways are configured.

The allowed values are as follows:

distributed: Selects a gateway at random when a connection is attempted.

latency: Selects a gateway by how quickly it responds to a TCP connect request.

in_order: Tries the first gateway in the list first, if that fails, the next gateway is tried.

vpn_portal_port

You can use the vpn_portal_port syntax to enter the VPN portal port. It's the port on which the provisioning connection is made.

If you change the port in the firewall, you must change it in the provisioning file.

Default port: 443.

You can continue to use the user_portal_port syntax, but you must enter the VPN portal's port.

auto_connect_host

The target host used to determine if the Sophos Connect client is already on the internal network. If a value is supplied, the Sophos Connect client checks if the host is reachable each time a network interface IP address is obtained or modified. If the host isn't reachable, then the connection is automatically enabled, and if the credentials are saved, then the VPN tunnel is established.

Default: empty string "" (auto-connect disabled).

To turn on auto-connect, set it to an IP address or hostname that exists on the remote LAN network.

can_save_credentials

Allows users to save their username and password for the connection. If you enter true, a checkbox appears on the user authentication page. The checkbox is checked by default but the user can decide not to save credentials.

Allowed values: true or false.

Default value: true.

check_remote_availability

Performs a remote availability check at connection startup to eliminate unresponsive clients.

Allowed values: true or false.

Default value: false.

run_logon_script

Runs the logon script provided by the domain controller after the VPN tunnel is established.

Allowed values: true or false.

Default value: false.

Templates

You can use the following provisioning file templates to create provisioning files specific to your organization. You can change the settings.

Copy and paste the scripts in a text editor, such as Notepad, edit the settings to meet your requirements, and save the file with a .pro extension.

Requirement

You must specify the gateway address. The other fields are optional.

Note

If you change the VPN portal port in the firewall, you must change it in the provisioning file.

Single connection
[
    {
        "gateway": "<Gateway hostname or IP address>",
        "vpn_portal_port": <VPN portal's port>,
        "otp": false,
        "auto_connect_host": "<Internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]
Multiple connections
[
    {
        "gateway": "<Gateway hostname or IP address>",
        "vpn_portal_port": <VPN portal's port>,
        "otp": false,
        "auto_connect_host": "<Internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    },
    {
        "gateway": "<Gateway hostname or IP address>",
        "otp": false,
        "auto_connect_host": "<Internal hostname or IP address>",
        "check_remote_availability": false,
        "run_logon_script": false
    },
    {
        "gateway": "<Gateway hostname or IP address>",
        "vpn_portal_port": 9443,
        "can_save_credentials": false
    }
]

When you don't specify the fields, the default values are used. In the example above, the second connection will use port 443 for the VPN portal port, and users can save their credentials.

Note

When you add multiple connections, you must separate them with commas.

You can add multiple gateways to the same connection.

Multiple gateways
[
    {
    "display_name": "XG_SSL-VPN",
    "gateway_order": "in_order",
    "gateway": [ "xg1.some.company.com", "xg2.some.other.com", "xg3.yet.another.com" ],
    "vpn_portal_port": <VPN portal's port>,
    "otp": false,
    "auto_connect_host": "inside.ad.local",
    "can_save_credentials": true,
    "check_remote_availability": true,
    "run_logon_script": true
    }
]

Provisioning file: 2FA settings

Setting Description
otp

Specifies if a one-time password (OTP) is required for authentication when connecting. This shows a third input box to enter the OTP code in the Sophos Connect client.

Allowed values: true or false.

Default value: false.

2fa

Specifies the method of two-factor authentication (2FA) to use.

Allowed values: 1 or 2.

Default value: 1.

The allowed values are as follows:

1 Uses the Sophos Firewall configuration for 2FA. Users must enter the OTP token or the verification code in the third input field. The OTP token or verification code is appended to the password (example: passwordotp) and sent to the authentication server. Users can generate the token using authenticator apps, such as Google Authenticator.

2 Uses an external 2FA server, such as Duo. Users must enter the verification code generated by the authenticator app in the third input field. The password and verification code are comma-separated and sent to the authentication server. See Third-party authenticator support.

If you've configured more than one Duo method, users must enter the following in the third input box:

  • Duo Push: push
  • Duo phone: phone
  • Duo SMS: sms (The sign-in screen appears again. Users must enter the username, password, and verification code.)
  • Duo token: The passcode.

Note

If users need to enter an OTP token or code, the Sophos Connect client shows the sign-in screen twice when they sign for the first time. The first sign-in downloads the configuration file and the second establishes the connection.

Templates

Sophos Firewall 2FA with OTP
[
    {
        "gateway": "<Gateway hostname or IP address>",
        "vpn_portal_port": <VPN portal's port>,
        "otp": true,
        "2fa": 1,
        "auto_connect_host": "<Internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]
Duo 2FA
[
    {
        "gateway": "<Gateway hostname or IP address>",
        "vpn_portal_port": <VPN portal's port>,
        "otp": true,
        "2fa": 2,
        "auto_connect_host": "<Internal hostname or IP address>",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]

More resources