The XG Series hardware appliances reached end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Sophos Connect client

Users can establish remote access IPsec VPN and remote access SSL VPN connections to your network using the Sophos Connect client.

To update to the latest version of the Sophos Connect client, go to Backup & Firmware > Pattern updates.

Remote users can use their local or authentication server credentials to sign in.

Download the client

Users can download the Sophos Connect client from the VPN portal. Alternatively, you can download the client from the web admin console and share it with users. To download the client, go to Remote access VPN > IPsec or SSL VPN and click Download client. You can share the following Sophos Connect client software files with users:

  • macOS devices (Sophos Connect_x.x_(IPsec).pkg): It supports only IPsec remote access VPN.
  • Windows devices (SophosConnect_x.x_(IPsec_and_SSLVPN).msi): It supports both IPsec and SSL VPN. It also supports the provisioning file, which you configure separately.

Import configuration and provisioning files

SSL VPN: Users can import SSL VPN connections into the Sophos Connect client by double-clicking the .pro provisioning file that you provide to them. Alternatively, users can download the .ovpn configuration file from the VPN portal.

IPsec: You can use the provisioning file for IPsec remote access connections. Alternatively, IPsec remote access users can import the .scx configuration file that you provide to them.

See Provisioning file templates.

Connection behavior

The Sophos Connect client connects to the remote gateways listed in the .ovpn configuration file in reverse order of priority. Dynamic DNS gateways take priority over WAN IP address gateways in the list.

Example

[Image: Sophos Connect remote gateways]

In this .ovpn configuration file, the Sophos Connect client first connects to 5g.vpn.sophosexample.example.net. If the connection fails, it then attempts to connect to the next available gateway in reverse order, starting with vpn.sophosexample.example.net and so on.
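The ordering described above, as an added example (not Sophos code): a Python script that reads the `remote` lines of an .ovpn file and lists the gateways in the order the client would try them, so you can review the failover sequence before sharing the file. It assumes that a hostname entry is a dynamic DNS gateway, that an IP literal is a WAN IP address gateway, and that "reverse order" means the reverse of the listing order within each group. The sample file is constructed.

```python
import ipaddress

# Constructed sample: hostnames are the ones used on this page,
# IP addresses come from the documentation-only ranges.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote 203.0.113.10 8443
remote vpn.sophosexample.example.net 8443
remote 198.51.100.7 8443
remote 5g.vpn.sophosexample.example.net 8443
; remote old.vpn.sophosexample.example.net 8443
"""

def is_ip_literal(host):
    """True for an IPv4/IPv6 literal (assumed: a WAN IP address gateway)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_remotes(text):
    """Return (host, port) for each active `remote` directive, in file order."""
    remotes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment markers
            continue
        fields = line.split()
        if fields[0] == "remote" and len(fields) >= 2:
            has_port = len(fields) > 2 and fields[2].isdigit()
            remotes.append((fields[1], int(fields[2]) if has_port else None))
    return remotes

def connection_order(text):
    """Hostnames first, then IP literals, each group in reverse file order."""
    remotes = parse_remotes(text)
    names = [r for r in remotes if not is_ip_literal(r[0])]
    addrs = [r for r in remotes if is_ip_literal(r[0])]
    return names[::-1] + addrs[::-1]

if __name__ == "__main__":
    for attempt, (host, port) in enumerate(connection_order(SAMPLE_OVPN), 1):
        print(f"{attempt}. {host}:{port}")
```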

Sophos Connect client: Compatibility with platforms

You can establish IPsec and SSL VPN tunnels using the Sophos Connect client on some endpoint platforms and versions. Check the platform version of your endpoint to see if you can use the Sophos Connect client.

Note

The Sophos Connect client supports Windows 10 and 11, including LTSB and LTSC. It also supports macOS 10.13 and later.

For more information, see Supported platforms in Sophos Connect release notes.

Single sign-on

Remote users can use Microsoft Entra ID single sign-on (SSO) to sign in to the remote access VPN through the Sophos Connect client.

To use SSO, you must set up Microsoft Entra ID and use it as an authentication method in Authentication > Services. See Microsoft Entra ID server.

Microsoft Entra ID SSO supports Sophos Connect client version 2.4 and later in Windows.

Sign in to the Sophos Connect client.

VPN portal port

The VPN portal port is the port number for users to access the VPN portal and the port used to establish SSO.

Don't change this setting unless your administrator asks you to change it.

Force SSO re-login

If you've signed in using SSO and connected to the network using a shared endpoint, we recommend that you force SSO re-login. The next user must then sign in again and can't use your sign-in to connect to the tunnels. When the new user signs in with SSO for the first time, they must enter their Microsoft Entra ID credentials.

To force SSO re-login, do as follows:

  1. In Sophos Connect, click the menu in the upper-right corner.
  2. Click Force SSO re-login.
  3. Click OK.

Troubleshooting

See Single sign-on.

Videos

Configure Sophos Connect client

Configure remote access IPsec and SSL VPN

Configure Microsoft Entra ID SSO for Sophos Connect
