These are the release notes for Sophos Connect.
View the product documentation at Sophos Connect.
Sophos Connect is distributed to SFOS firewalls via pattern updates. You can download Sophos Connect for UTM at UTM Downloads.
We've completed the following upgrades:
| Issue ID | Description |
|---|---|
| NCL-1820 | Resolved an issue where IPsec users were disconnected sporadically and couldn't reconnect. |
This update resolved one issue.
| Issue ID | Description |
|---|---|
| NCL-2048 | Resolved an issue where users couldn't set up SSL VPN tunnels after disabling the VPN portal on the WAN zone. |
This update resolved one issue.
| Issue ID | Description |
|---|---|
| NCL-1720 | Resolved a vulnerability in Sophos Connect on macOS. If a user visited a malicious website, it could fetch log files and the technical support report from Sophos Connect. |
IMPORTANT:
Sophos Connect 2.3 is compatible with the following firewall and UTM versions:
This update resolved various issues.
| Issue ID | Description |
|---|---|
| NCL-1847 | Resolved an issue where Sophos Connect 2.3 installation failed with the following error: "OpenVPN service failed to start". |
| NCL-1842 | Resolved an issue where the SSL VPN connections between Sophos UTM 9.713 and Sophos Connect 2.3 didn't work. |
| NCL-1852 | Resolved an issue where Sophos Connect 2.3 failed to set up a tunnel when the certificate had a weak signature algorithm. |
IMPORTANT:
vpn_portal_port syntax to enter the VPN portal port.| Issue ID | Description |
|---|---|
| NCL-1797 | Resolved an issue where the login script didn't run. |
| NCL-1834 | Addressed the following CVEs which affect OpenVPN: 2.0 - 2.6.9. |
| NCL-1763 | Resolved an issue where authentication failed for SSL VPN in Sophos Connect 2.2.90 when the password contained two consecutive double quote characters. |
| NCL-1756 | Upgraded the OpenSSL version from 1.1.1n to 1.1.1w to address various vulnerabilities. |
| NCL-1721 | Resolved an issue where users couldn't sign into the Sophos Connect client if their username contained a space or a special character. |
| NCL-1707 | Resolved an issue when the GUI didn't show a connection as established if it was renamed. |
| NCL-1620 | Resolved an issue where the display_name field in the provisioning file wasn't working as expected. |
| NCL-1383 | Resolved an issue where the Sophos Connect client added DNS addresses to the end of the TAP adapter list instead of replacing them. |
This update resolved various vulnerabilities.
| Issue ID | Description |
|---|---|
| NCL-1699 | Resolved an XXS vulnerability in Windows SCC that occurred when renaming a connection. |
| NCL-1708 | Resolved a vulnerability in Windows where any website could easily fetch log files and the technical support report from Sophos Connect 2.2.75. |
| NCL-1725 | Resolved a vulnerability in Windows where malicious VPN files were shared on the Sophos Connect client (2.2.75). |
This is primarily a security and quality update that addresses issues in the libraries used by Sophos Connect and issues in the Sophos Connect client.
| Issue ID | Description |
|---|---|
| NCL-1635 | Security fix for CVE-2022-0778. |
| NCL-1585 | Security fix for CVE-2021-27406 in OpenVPN binary. |
| NCL-1490 | Security fix for CVE-2021-3606 in OpenVPN. |
| NCL-1667 | Security hygiene cleanup for CVE-2020-1967. |
| NCL-1622 | Resolved an issue with a GCM Cipher parsing error. |
| NCL-1399 | Resolved an issue with a random SSL authentication failure. |
| NCL-1616 | Resolved connection issues with special characters in a password. |
| NCL-1372 | Resolved connection issues with special characters in a password. |
| NCL-1319 | Resolved provisioning issues with special characters in a password. |
| NCL-1256 | Resolved provisioning issues with special characters in a password. |
| NCL-1261 | Resolved SSL authentication issues with multiple spaces in a username. |
| NCL-569 | Resolved provisioning issues with special characters in a username. |
| Issue ID | Affects version | Description | Workaround |
|---|---|---|---|
| NCL-1377 | 2.1 | When you download an IPsec connection via a provisioning file and make a policy change on Sophos Firewall, the policy doesn't automatically update. | Trigger an update policy to re-synchronize the policy. |
| NCL-1618 | 2.1 | When you use a third-party certificate on the remote side and restart your endpoint computer (or restart services related to Sophos Connect), you see the following error: "Failed to validate certificate". | Use a self-signed certificate signed by Sophos Firewall on the remote side or use pre-shared keys instead of certificates. |
| NCL-837 | All versions | Sophos Connect only supports ASCII characters. It doesn't support umlauts, UTF-8, or UTF-16. | Will be resolved shortly. |
| NCL-834 | 1.1 | Sophos Connect fails to start because the port used for the HTTP server (60110) is already in use on the system. | Will be resolved shortly. |
| NCL-1378 | 2.1 | If you configured both IPsec and SSL VPN policies on Sophos Firewall, only the SSL VPN policy has the "Update policy" option available in the settings menu. | Will be resolved shortly. |
| NCL-1382 | 2.1 | When you connect to SSL VPN from Windows 7 or 8, you see the following error: "OpenVPN service is not available". | Use a legacy SSL VPN client. |
| NCL-1391 | 2.1 | When you deploy the Sophos Connect provisioning file, the first authentication attempt always fails when OTP is enabled. | Enter your credentials and one-time password again. |
| NCL-836 | 1.1 | On Macs, you can't import connection files with non-ASCII characters in the file name. | Will be resolved shortly. |
| NCL-835 | 1.3 | After Windows devices wake up from sleep, you may see the following error: "Failed to load connection". | Will be resolved shortly. |
| NCL-833 | All versions | You can't unzip Sophos Connect generated TSR zip files on macOS 10.12.6. | Will be resolved shortly. |
| NCL-839 | 1.0 | DNS servers aren't updated on the network monitor page of the Sophos Connect client. | Disconnect the existing connection and then re-establish it. |
You can establish IPsec and SSL VPN tunnels using the Sophos Connect client on some endpoint platforms and versions. Check the platform version of your endpoint to see if you can use the Sophos Connect client.
Note: Currently, the Sophos Connect client doesn't support macOS for SSL VPN. It also doesn't support mobile platforms for IPsec and SSL VPN.
You can use the provisioning file to enable users to automatically import remote access configurations into the Sophos Connect client. Make sure you use a compatible version of the Sophos Connect client. For details, see the following tables:
| Sophos Connect client version | Configuration file (1.0 and later) | Provisioning file (2.1 and later) |
|---|---|---|
| Windows (x86) | Yes (Windows 10, 11, including LTSB, LTSC) | Yes (Windows 10, 11, including LTSB, LTSC) |
| Windows (ARM) | No | No |
| macOS (x86) | Yes (macOS 10.13 and later) | No |
| macOS (ARM) | No | No |
| Android | No. Use third-party clients. | No |
| iOS | No. Use third-party clients. | No |
Note: You can establish remote access IPsec VPN connections using the configuration file on earlier versions of the Sophos Connect client. However, if you want to use the provisioning file, you must use a later version of the client.
| Sophos Connect client version | Configuration file (1.0 and later) | Provisioning file (2.1 and later) |
|---|---|---|
| Windows (x86) | Yes (Windows 10, 11, including LTSB, LTSC) | Yes (Windows 10, 11, including LTSB, LTSC) |
| Windows (ARM) | No | No |
| macOS (x86) | No. Recommended: OpenVPN Connect client. | No |
| macOS (ARM) | No. Recommended: OpenVPN Connect client. | No |
| Android | No. Recommended: OpenVPN Connect client. | No |
| iOS | No. Recommended: OpenVPN Connect client. | No |
You can find technical support for Sophos products in any of these ways:
Copyright © 2023 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.