In the last few weeks, I have been migrating Sophos SG to Sophos XGS for a lot of customers. One of the more tedious parts is the redeployment of VPN configurations to the clients.
As far as I know, the only way to get the user configuration for SSL VPN (which we use primarily) is for the user to log in to the user portal at least once so that the user certificate is generated. This also allows the user to download and install the file. In case we change something in the settings, like for example the encryption level, the user has to log in and download the new configuration file.
I don’t think there is a way around the first step, but Sophos provides a solution for the second one. If we use the new Sophos Connect Client, we can employ a *.pro configuration file to automate the download of the VPN files.
This file also allows us to do neat things, like automatically enabling the VPN connection when the client is not in the company network.
The Provisioning File
The setup is very simple. Create a *.pro file (business.pro for example) and fill it with the following.
[ { "gateway": "vpn.business.de", "user_portal_port": 443, "otp": false, "auto_connect_host": "HOSTNAME_OR_IP", "can_save_credentials": true, "check_remote_availability": false, "run_logon_script": false } ]
“auto_connect_host” checks if the supplied IP or hostname is reachable. If not, the client will automatically establish the VPN connection. For this to work, the credentials need to be saved.
The “check_remote_availability” performs, as the name suggests, a remote availability check. This is to prevent unresponsive clients.
Distribute this file to the users. Once they execute it, the Sophos Connect Client will have a new entry. This will look like a normal VPN Profile, but once the user clicks on “connect” the client will connect to the user portal and download the VPN configuration file. If you have multiple configurations, like IPsec and SSLVPN for instance, it will download both.
This will happen every time you change a setting. As long as the user portal is accessible, of course.
There are way more options. You could for instance add multiple gateways or connections, and this also works with MFA. Though it’s not perfect. Check the official documentation for more templates.