Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=remote-access-VPN-Sophos-Connect-configure-provisioning-file

Configure VPN provisioning file

The Sophos Connect provisioning file allows you to provision remote access IPsec VPN and remote access SSL VPN configurations.

Based on the provisioning file settings, the Sophos Connect client connects to the VPN portal using the user's credentials and automatically imports the following configuration files:

  • IPsec remote access settings: .scx file for all users.
  • SSL VPN remote access policies: .ovpn file for users specified in the policies.

It also fetches the updates you make to remote access IPsec VPN and remote access SSL VPN settings and policies.

Requirements

Make sure you meet the requirements before you configure a provisioning file. See Requirements.

Configure and import the provisioning file

To create and import the provisioning file, do as follows:

  1. Open a new file in a text editor, such as Notepad.

  2. Copy and edit the settings to meet your network requirements using the syntax on Provisioning file settings.

    Requirement

    You must specify the hostname or IP address for gateway. You can edit the other fields if needed.

    When using Microsoft Entra ID single sign-on (SSO), the gateway setting in the provisioning file must match the Redirect URI of the Microsoft Entra ID server configured in the firewall. See Requirements.

    Note

    If you change the VPN portal port in the firewall, you must change it in the provisioning file.

    Example settings 
    [
    {
        "gateway": "203.0.113.1",
        "vpn_portal_port": 443,
        "otp": false,
        "auto_connect_host": "10.10.10.1",
        "can_save_credentials": true,
        "check_remote_availability": false,
        "run_logon_script": false
    }
]

  3. Save the file with a .pro extension.

  4. To install it on users' endpoints, do one of the following:

    • Email the provisioning file to users.

      Users must click Import connection in the Sophos Connect client and select the file. Alternatively, they can double-click the .pro file to import it. See Provisioning IPsec and SSL VPN.

    • Use an Active Directory Group Policy Object (GPO) to automatically import it to the Sophos Connect client on users' endpoints after start-up. See Import VPN provisioning file through GPO.

More resources