How to use Sophos Connect
The Sophos Connect client lets remote users securely access your organization's network through remote access IPsec and SSL VPN connections. The client lets users authenticate using their existing credentials or Microsoft Entra ID SSO and connect to the network.
Learn how to download the Sophos Connect client, import the configuration or provisioning files, and understand connection behavior and platform compatibility.
Client information
Learn about the supported platforms and where to download the Sophos Connect client.
Compatibility with endpoint platforms
The Sophos Connect client is supported on the following endpoint operating systems.
| Endpoint OS | Supported connection types | File to install |
|---|---|---|
| macOS | Only remote access IPsec VPN | Sophos Connect_x.x_(IPsec).pkg |
| Windows | Remote access IPsec and SSL VPNs | SophosConnect_x.x_(IPsec_and_SSLVPN).msi |
For more information, see Clients and configurations.
Note
The Sophos Connect client is supported on Windows 10 and 11, including LTSB and LTSC. It's also supported on macOS 10.13 and later.
For more information, see Supported platforms in Sophos Connect release notes.
Download the client
You can download the Sophos Connect client from the following portals:
- Users can download the client from the VPN portal. See Remote access VPN.
-
Administrators can download the client from the web admin console and then share it with users.
Go to Remote access VPN > IPsec or SSL VPN and click Download client.
The latest client version is available on the VPN portal. It's also available on the web admin console if you set pattern updates to automatically update on Backup & Firmware > Pattern updates.
Configurations and provisioning
Users can import the configuration files or the provisioning file into the Sophos Connect client.
Configuration files
SSL VPN: Users can download the .ovpn configuration file from the VPN portal, then import it into the client.
IPsec VPN: Administrators must download the .scx file from the web admin console and share it with users. Users then import it into the client.
SSL VPN connection behavior
The Sophos Connect client connects to the remote gateways listed in the .ovpn configuration file in reverse order of priority. Dynamic DNS gateways take priority over WAN IP address gateways in the list.
Example
In this .ovpn configuration file, the Sophos Connect client first connects to 5g.vpn.sophosexample.example.net. If the connection fails, it then attempts to connect to the next available gateway in reverse order, starting with vpn.sophosexample.example.net and so on.
Provisioning file
You can configure the provisioning (.pro) file for automatic VPN provisioning of both IPsec and SSL VPN connections. You can then share it with users.
When users import the file into the Sophos Connect client, the configuration files are automatically imported.
See Provisioning file templates.
How to sign in
Remote users can sign in to the Sophos Connect client using their credentials or Single Sign-On (SSO). Credential sign-ins are based on the local configurations in the firewall or an external authentication server, such as Active Directory.
Single sign-on
Remote users can use Microsoft Entra ID SSO to sign in to remote access VPN tunnels using the Sophos Connect client. See Microsoft Entra ID (Azure AD) server.
Note
Windows devices running Sophos Connect client 2.4 or later support Microsoft Entra ID SSO.
Note
When a user establishes tunnels from a shared endpoint device, we recommend that they force an SSO re-login for subsequent users of the endpoint device. The next user can then establish the tunnel only when they sign in with Microsoft Entra ID SSO. See Microsoft Entra ID Single Sign-On.
To troubleshoot SSO issues, see Single sign-on.