Contents
About Sophos Connect (page 1)
    Installing Sophos Connect (page 1)
    Uninstalling Sophos Connect (page 1)
    Connections (page 2)
    Events (page 11)
    General troubleshooting (page 18)
About Sophos Connect Admin (page 22)
    Editing configuration files (page 22)
Legal Notices (page 24)
(2020/04/29)
Sophos Connect
1.3 Connections
You can import connections, establish connections, and view and edit connections.
Sophos Connect supports SSL VPN and IPsec VPN.
Introduction
For version 2.0 of the Sophos Connect client, you can import both SSL and IPsec VPN connections.
If you are using an earlier version of the Sophos Connect client, you can import IPsec connections
only.
This page tells you how to do the following:
• Import an IPsec connection using a file provided to you by your admin.
• Import an SSL connection using a file provided to you by your admin.
• Import an SSL connection by downloading a file from the user portal.
Note
You can import multiple connections.
1.3.2 Connect
Make sure there is at least one imported connection available and you have been given the required
credentials.
To establish a connection:
1. Select a connection on the Connections page.
2. Double-click the connection.
You can also click Connect.
The sign-in screen will appear.
Note
If you imported the connection using a provisioning file, you will get a warning that the
server certificate can't be verified. You can click OK to continue. If you don't want to see the
message, contact your administrator.
Note
If you are facing connection issues, look at the Events page and contact your IT. You can also
check the VPN logs by clicking on the menu icon and selecting them.
If the connection is successful, you will see this icon on the taskbar:
If the connection is unsuccessful, you will see this icon on the taskbar:
Note
If you have renamed the connection, the original name as provided by your firewall administrator
will still show in connection details. For instructions on how to rename it see Connection options
(page 10).
5. Update policy (only available if the connection was created using a provisioning file). This allows
you to pull the latest policy from the XG firewall on demand.
Tip
If the connection fails after multiple retries, initiate a policy update and try to connect again.
1.4 Events
See any actions within Sophos Connect and the results of those actions. This includes failures
resulting from user actions as well as IKE negotiation failures. To troubleshoot event errors, see
Troubleshooting events (page 12).
• If verbose errors are required to troubleshoot a problem, click Open VPN log.
• To remove events from the list, click Clear events.
Figure 1: Events
No network connection
Cause: The network adapter (Ethernet or Wi-Fi) has no IP address.
What to do: Check that you have a valid IP address, and that your existing network connection is
working.
Note
The troubleshooting steps below are for Windows only.
Cause: After the phase 2 SA is established, route add to the remote network failed. This may be
because the strongSwan service crashed while the tunnel was active.
What to do: Disable and enable the TAP adapter. Open the command prompt as an administrator
and type the following commands:
net stop scvpn
net start scvpn
Service is unavailable
Note
The troubleshooting steps below are for Windows only.
What to do: Accept the security warning to connect and download the ovpn configuration file from
the user portal. To prevent the prompt from showing in future, use one of these options:
• Issue a new certificate for XG Firewall signed by a public CA. On XG Firewall, import the certificate
and then select the certificate in Admin settings for signing in to the web admin console.
• Push the default CA certificate from XG Firewall to the trusted store on the remote computers.
Note
If the administrator changes the SSL VPN policy on XG Firewall while the tunnel is in a connected
state, and it is an SSL VPN over TCP, then the Sophos Connect Client will detect and download
the new policy immediately. If it is an SSL VPN over UDP tunnel, you need to wait for the inactivity
timer to delete the tunnel. Sophos Connect will then download the new policy to reestablish the
tunnel.
Note
If the administrator changes the SSL VPN policy on XG Firewall while the tunnel is in a connected
state, and it is an SSL VPN over TCP tunnel, then the Sophos Connect Client will detect and
disconnect the tunnel with an error. If it is an SSL VPN over UDP tunnel, then you have to wait for
the inactivity timer to delete the tunnel. The user has to download and import a new ovpn file from
the XG Firewall user portal to successfully reestablish the SSL VPN tunnel.
1. Override hostname is configured, but it does not resolve to the correct or valid public IP address.
2. DDNS is configured, but it does not resolve to the correct or valid public IP address.
3. Both Override hostname and DDNS are not configured and the WAN port does not have a public
IP address.
What to do: If you used a provisioning file to import the connection, update the policy connection
settings menu (on the Sophos Connect client). If you used an ovpn file to create the connection,
export a new ovpn file from the user portal and re-import it in the Sophos Connect client.
Note
This is more common on Macs.
Cause: When a tunnel all connection is disconnected, the DNS servers aren't restored from the
physical network adapters. This means the internal DNS servers that were used when you were
connected through the VPN are still used. As the tunnel no longer exists, the name resolution won't
work.
What to do: Disconnect from your local network then reconnect.
Note
This is more common on Macs.
Cause: When a tunnel disconnect is initiated, the strongSwan IPsec daemon gets stuck in an infinite
loop. As a result, the GUI never receives a response to the disconnect request; it eventually times
out and shows the error "Service Unavailable".
What to do (Mac):
1. Open the Activity Monitor and quit the Sophos Connect GUI process.
2. Open the Terminal and run the following commands:
sudo /bin/launchctl unload -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist
sudo /bin/launchctl load -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist
3. Open Sophos Connect, and check that the "Service unavailable" error is now resolved.
What to do (Windows):
1. Open cmd as administrator then run the following commands:
net stop scvpn
net start scvpn
2. Open Sophos Connect, and check that the "Service unavailable" error is now resolved.
Note
They must be installed in that order.
SSL VPN connection has auto-connect and update policy menu items grayed out.
Cause: If the SSL VPN connection is created by importing an ovpn file, these options aren't
available.
What to do: To enable these options you must create a connection using a provisioning file. Add
these options to the provisioning file. Update policy will be available after you connect for the
first time. To enable auto-connect, you must define an auto_connect_host that can only be
accessed on the internal network.
Example of a provisioning file with the minimum requirements for enabling auto-connect:
[
    {
        "display_name": "<Enter connection name>",
        "gateway": "<Enter your gateway hostname or IP>",
        "auto_connect_host": "<Enter hostname or IP of internal network resource>"
    }
]
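An admin who hands out provisioning files can catch the common mistakes before a user imports one: a template placeholder left in place, a missing key, or an auto_connect_host that is not an internal address (the page requires a host reachable only on the internal network). The checker below is an added example written for this page, not Sophos code; it assumes only the three keys shown in the example above and the RFC 1918 / IPv6 ULA ranges as the definition of "internal". The sample files inside it are constructed, and it goes slightly beyond the page by also flagging duplicate display names and hostnames that need a manual check.

```python
import ipaddress
import json

# Keys every connection entry needs, taken from the minimum provisioning file
# shown above (assumption: no other keys are required for auto-connect).
REQUIRED_KEYS = ("display_name", "gateway", "auto_connect_host")

# "Internal network" is taken here to mean RFC 1918 IPv4 space and IPv6 ULA space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample files (placeholders, not real hosts).
SAMPLE_GOOD = """
[
  {
    "display_name": "Head office",
    "gateway": "vpn.example.com",
    "auto_connect_host": "10.20.0.5"
  }
]
"""

SAMPLE_BAD = """
[
  {
    "display_name": "Branch",
    "gateway": "<Enter your gateway hostname or IP>",
    "auto_connect_host": "203.0.113.10"
  },
  {
    "display_name": "Branch",
    "gateway": "vpn2.example.com"
  }
]
"""


def classify_host(value):
    """Return 'internal', 'external' or 'hostname' for an auto_connect_host value."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return "hostname"  # an FQDN: only DNS can tell where it points
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def check_provisioning(text):
    """Parse a provisioning file and return a list of (severity, message) findings.

    severity is 'error' (the file will not give a working auto-connect setup)
    or 'warning' (needs a manual check). An empty list means every check passed.
    """
    findings = []
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc}")]
    if not isinstance(entries, list) or not entries:
        return [("error", "provisioning file must be a non-empty JSON array")]

    seen_names = set()
    for idx, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(("error", f"entry {idx}: not a JSON object"))
            continue
        label = str(entry.get("display_name") or f"entry {idx}")
        if label in seen_names:
            findings.append(("warning", f"{label}: duplicate display_name"))
        seen_names.add(label)

        for key in REQUIRED_KEYS:
            value = entry.get(key)
            if not isinstance(value, str) or not value.strip():
                findings.append(("error", f"{label}: missing or empty '{key}'"))
            elif value.strip().startswith("<") and value.strip().endswith(">"):
                # The template's <...> text was never replaced with a real value.
                findings.append(("error", f"{label}: '{key}' still holds the template placeholder {value.strip()}"))

        host = entry.get("auto_connect_host")
        if isinstance(host, str) and host.strip() and not host.strip().startswith("<"):
            kind = classify_host(host)
            if kind == "external":
                findings.append(("error", f"{label}: auto_connect_host {host.strip()} is not an internal (RFC 1918 / ULA) address, so it does not meet the internal-only requirement"))
            elif kind == "hostname":
                findings.append(("warning", f"{label}: auto_connect_host {host.strip()} is a hostname; confirm it resolves only on the internal network and answers ICMP"))
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_provisioning(sample) or "OK")
```

Run it against a real provisioning file by passing the file's text to check_provisioning; any 'error' finding means the file should be corrected before it is sent to a user, and a 'warning' on a hostname means the admin should confirm the name cannot be resolved or reached from outside the network.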
Note
For information on how to configure and export a .tgb file on the XG, see the Sophos Connect
Client section of the XG help guide: Sophos Connect client.
The installation and uninstallation processes for Sophos Connect Admin are the same as the
processes for Sophos Connect. See Installation in the Sophos Connect help guide for more
information.
Note
If you configure an IP Address or FQDN, ICMP must be allowed on this host.
• Add, modify and delete Networks that the user can connect to. Adding specific networks to the
list enables split tunneling, as the user will access resources on those networks through the VPN
connection, but will access internet resources straight through their remote gateway.
Note
If you delete all networks, Tunnel All mode will be activated, meaning all traffic will be
directed through the VPN connection.
Note
You can import .scx files and re-edit them.
When you have saved the configuration file you can send it to the user, who will import it into Sophos
Connect. For more information, see Sophos Connect.
3 Legal Notices
Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise unless you are either a valid licensee where the documentation
can be reproduced in accordance with the license terms or you otherwise have the prior permission
in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.