
Sophos Connect

help
Contents
About Sophos Connect............................................................................................................................ 1
Installing Sophos Connect.............................................................................................................1
Uninstalling Sophos Connect........................................................................................................ 1
Connections................................................................................................................................... 2
Events.......................................................................................................................................... 11
General troubleshooting.............................................................................................................. 18
About Sophos Connect Admin...............................................................................................................22
Editing configuration files............................................................................................................ 22
Legal Notices..........................................................................................................................................24

(2020/04/29)

1 About Sophos Connect


Sophos Connect is a VPN client that can be installed on Windows and Macs. It allows you to
connect to networks behind the XG from a remote location, for instance, your company network.
Your firewall administrator will configure connection details on the XG and provide you with the
installation package and the connection configuration files.
This guide provides information about how to use Sophos Connect:
• For instructions on how to install and uninstall Sophos Connect, see Installing Sophos Connect
(page 1).
• For instructions on importing connection files and managing connections, see Connections (page
2).
• For information on events, and how to troubleshoot event errors, see Events (page 11).
• To troubleshoot issues that do not appear in the events section, see General troubleshooting (page
18).

1.1 Installing Sophos Connect

Install Sophos Connect on Windows


• Open the installer.
• Accept the license agreement and click Install.
• Once the installation is complete, click Finish. You can choose to launch Sophos Connect after the
exit.

Install Sophos Connect on Mac


• Open the installer.
• Choose the installation destination. Make sure you have enough free space in the destination you
have chosen, for example, System Drive.
• Click Install.
• Once the installation is complete, click Finish.

1.2 Uninstalling Sophos Connect

Uninstall Sophos Connect from Windows


• Go to Control Panel and under Programs click Uninstall a program.
• Right click on Sophos Connect, and select Uninstall.

Copyright © Sophos Limited 1



Uninstall Sophos Connect from Mac


• Open the terminal.
• Elevate to root and run the uninstall script from the location Sophos Connect is installed in:
sudo "/Library/Sophos Connect/uninstall.sh"
You will get the following message if the uninstallation was successful:
Sophos Connect has been uninstalled

1.3 Connections
You can import connections, establish connections, and view and edit connections.
Sophos Connect supports SSL VPN and IPsec VPN.

1.3.1 Import Connections


The Sophos Connect client can connect to XG firewall using SSL or IPsec VPN connections. You can
import connections into the Sophos Connect client.

Introduction
For version 2.0 of the Sophos Connect client, you can import both SSL and IPsec VPN connections.
If you are using an earlier version of the Sophos Connect client, you can import IPsec connections
only.
This page tells you how to do the following:
• Import an IPsec connection using a file provided to you by your admin.
• Import an SSL connection using a file provided to you by your admin.
• Import an SSL connection by downloading a file from the user portal.

Import an IPsec connection


A connection file has been provided to you. It has the extension tgb, for example
Company_connection.tgb.
To import a connection:
1. Click Import connection on the Connections page.
If there are existing connections, click the menu button and choose Import connection from the
drop-down menu.


2. Browse for the .tgb file and double click on it.


The connection will be displayed under Connections.


You can now establish the connection.

Note
You can import multiple connections.

Import an SSL connection


A connection file has been provided to you. It has the extension pro, for example
Company_connection.pro.
To import a connection:
Browse for the .pro file and double-click it.
The connection will be imported automatically and Sophos Connect will open. The connection will show
under Connections.


You can now establish the connection.

Note
You can import multiple connections.

Import an SSL connection from the user portal


To import a connection:
1. Sign into the user portal.
2. Go to SSLVPN and click Download configuration for other OSs.
3. Open the Sophos Connect client.
4. Click Import connection on the Connections page.
If there are existing connections, click the menu button and choose Import connection from the
drop-down menu.
5. Browse for the .ovpn file and open it.
The connection will show under Connections.


You can now establish the connection.

Note
You can import multiple connections.

1.3.2 Connect
Make sure there is at least one imported connection available and you have been given the required
credentials.
To establish a connection:
1. Select a connection on the Connections page.
2. Double-click the connection.
You can also click Connect.
The sign-in screen will appear.


3. Enter your username and password and click Log in.


Your admin may have configured two-factor authentication.
• If your admin has configured OTP, in addition to entering your username and password you
must enter your 6-digit OTP passcode.
• If your admin has configured DUO authentication, you may get one or two DUO prompts during
the connection process.

Note
If you imported the connection using a provisioning file, you will get a warning that the
server certificate can't be verified. You can click OK to continue. If you don't want to see the
message, contact your administrator.

Sophos Connect attempts to establish the connection and authenticate you.

Note
If you are facing connection issues, look at the Events page and contact your IT. You can also
check the VPN logs by clicking on the menu icon and selecting them.


The connection to the remote server is established.


If the connection is successful, you will see this icon on the taskbar:

If the connection is unsuccessful, you will see this icon on the taskbar:

Note
If you have renamed the connection, the original name as provided by your firewall administrator
will still show in connection details. For instructions on how to rename it see Connection options
(page 10).


1.3.3 Connection options


You can make various changes to the connections in Sophos Connect by clicking the settings icon on
the right hand side of the connection.

1. Auto connect attempts a connection when Sophos Connect is started up.


2. Delete deletes the connection, so if you want to re-enable that connection you will need to import it
again.
3. Rename gives you the option to rename your connection.
4. Clear credentials clears credentials that you have previously stored.


5. Update policy (only available if the connection was created using a provisioning file). This allows
you to pull the latest policy from the XG firewall on demand.

Tip
If the connection fails after multiple retries, initiate a policy update and try to connect again.

1.4 Events
See any actions within Sophos Connect and the results of those actions. This includes failures
resulting from user actions as well as IKE negotiation failures. To troubleshoot event errors, see
Troubleshooting events (page 12).
• If verbose errors are required to troubleshoot a problem, click Open VPN log.
• To remove events from the list, click Clear events.


Figure 1: Events

1.4.1 Troubleshooting events


If you have issues connecting, click on Events, look at the timestamp from when you attempted a
connection, and find the relevant error.
In this section you will see the error messages, possible causes for the errors, and information
on what to do next. If you experience any issues that are not listed below, check the General
troubleshooting topic.
If you need further assistance, contact Sophos Support.


No network connection
Cause: The network adapter (Ethernet or Wi-Fi) has no IP address.
What to do: Check that you have a valid IP address, and that your existing network connection is
working.

DNS resolution failed


Cause: The client is not able to resolve the gateway host name.
What to do: Check if a DNS server is assigned to the network interface. Run nslookup from
the command prompt (Windows) or from the Terminal (Mac) for a public host, for example
www.sophos.com, and verify that it resolves to an IP address. If it doesn't resolve, contact your ISP.

UDP ports 500/4500 blocked


Cause: The firewall or the router is blocking UDP ports 500 and 4500.
What to do: Check your local firewall or router configuration and allow traffic on those ports. If you
do not have access to the firewall or router, for example if you are in a hotel, connect through your
mobile hotspot and try to connect again.

No response from gateway: <gateway FQDN or IP specified in connection>
Cause: The gateway is not responding to IKE negotiation messages. This may be because:
• The remote gateway (firewall or router) has been shut down.
• The WAN address on the remote gateway is not connected directly to the internet.
What to do: Contact your firewall administrator and report the problem to troubleshoot further.

Received NO_PROPOSAL_CHOSEN notification from gateway


Cause: The remote gateway responded back to IKE negotiations from Sophos Connect with this
error notification. This may be because:
• The Sophos Connect policy is not defined or activated on the firewall.
• The firewall administrator changed the IKE phase 1 proposals used for the Sophos Connect
policy on the firewall and the new configuration was not exported and uploaded to the client.
What to do: Contact your firewall administrator and report the problem to troubleshoot further.


Server expected remote ID <expected ID value> but got <actual ID value>
Cause: The local ID type or value configured in the Sophos Connect policy on the firewall is different
than the value used for this connection. This may be because the firewall administrator changed the
local ID on the firewall and the new configuration file was not imported to Sophos Connect.
What to do: Contact your firewall administrator and report the problem to troubleshoot further.

Possible pre-shared key mismatch <connection name>


Cause: The pre-shared key on the firewall does not match the one used for this connection. This
may be because the firewall administrator changed it on the firewall and the new configuration file
has not been uploaded to Sophos Connect.
What to do: Contact your firewall administrator and report the problem to troubleshoot further.

User authentication of <username entered> failed


Cause: The username or password did not match.
What to do: Retry to see if it was due to a user error during input. If you retry multiple times and
get the same error, the password may have changed or been disabled on the firewall. In this case,
contact your firewall administrator and report the problem to troubleshoot further.

Failure to add route [network/mask] prevented phase 2 completion

Note
The troubleshooting steps below are for Windows only.

Cause: After the phase 2 SA is established, adding the route to the remote network failed. This may be
because the strongSwan service crashed while the tunnel was active.
What to do: Disable and enable the TAP adapter. Open the command prompt as an administrator
and type the following commands:
net stop scvpn
net start scvpn

The connection data could not be added. Connection with name <connection name> already exists
Cause: A connection with the same name has already been imported.
What to do: Delete the existing connection from Sophos Connect. Make sure you really want
to delete the existing connection before you delete it. Otherwise contact your administrator to
troubleshoot further.


Service is unavailable

Note
The troubleshooting steps below are for Windows only.

Cause: The Sophos Connect service (scvpn) is not running.


What to do: Open the command prompt as an administrator and type the following command:
net start scvpn

Failed to load connection info into strongSwan

Note
The troubleshooting steps below are for Windows only.

Cause: The strongSwan service is not running (Service Name: charon-svc.exe).


What to do: Open the command prompt as an administrator and type the following command:
net start strongswan

SA disabled or deleted by gateway


Cause: The gateway sent an IKE delete request and the tunnel was then deleted. This may be because:
• The firewall administrator changed the policy on the firewall. This sends an IKE delete request to all
the active SAs on the firewall.
• The firewall administrator manually deleted all of the IPsec connections for this user on the firewall.
What to do: Try to reconnect. If it still does not work, contact your administrator to
troubleshoot further.

DNS resolution failed for gateway: <gateway name:port>


Cause: This error is due to an invalid hostname.
What to do:
• If the connection was added using a provisioning file, verify the hostname provided.
• If the connection was added by importing an ovpn file, check the SSL VPN settings on XG Firewall.

Server certificate cannot be verified: <gateway name>. Do you want to continue?
Cause: The Sophos Connect client imports the SSL VPN configuration by connecting to the XG
Firewall user portal using the properties in the provisioning file. The user portal uses a self-signed
certificate that can't be verified by the Sophos Connect client.


What to do: Accept the security warning to connect and download the ovpn configuration file from
the user portal. To prevent the prompt from showing in future, use one of these options:
• Issue a new certificate for XG Firewall signed by a public CA. On XG Firewall, import the certificate
and then select the certificate in Admin settings for signing in to the web admin console.
• Push the default CA certificate from XG Firewall to the trusted store on the remote computers.

Could not connect to untrusted server: <gateway>


Cause: You canceled the certificate warning prompt, and the connection was terminated.
What to do: Accept the security warning to connect and download the SSL VPN policy from XG
Firewall. To prevent the prompt from showing when the SSL VPN policy is downloading, use one of
these options:
• Issue a new certificate for XG firewall signed by a public CA. On XG Firewall, import the certificate
and then select the certificate in Admin settings for signing in to the web admin console.
• Push the Default CA certificate from the XG Firewall to the trusted store on the remote computers.

Import file contains a duplicate connection: <connection name>


Cause: The connection imported from a provisioning file has a duplicate display name.
What to do: Check the display_name attribute in the provisioning file and rename any duplicate
names.

Cannot connect to policy gateway: <gateway name>


Cause: The provisioning file is configured incorrectly. This could be due to any of the following
reasons:
1. Invalid gateway hostname or IP address.
2. Invalid port or outgoing blocked port.
3. The policy gateway is unreachable because it is turned off.
What to do:
Check the provisioning file for the following:
1. Make sure the value assigned to the gateway attribute is correct.
2. Make sure the value assigned to the user_portal_port attribute matches the user portal
HTTPS port setting on XG Firewall.
3. If the provisioning file is configured correctly, contact your administrator to troubleshoot further.

No SSL VPN policy is defined for this user: <username>


Cause: The SSL VPN (remote access) policy on XG Firewall doesn't contain any policy members.
What to do: Contact your administrator.


Compression mismatch error. Will retry connection.


Cause: An SSL VPN policy is downloaded for the first time from XG Firewall and the SSL VPN
tunnel is established with it.
What to do: The error is resolved based on how the connection is configured:
• With a provisioning file: Sophos Connect automatically tries to connect again.
• With an ovpn file: Reconnect manually.

Policy mismatch error. Will download policy and retry connection.


Cause: Sophos Connect client tried to establish an SSL VPN connection with an existing policy it
has saved for this connection.
The administrator changed the SSL VPN settings on XG Firewall after an SSL VPN connection was
established and saved by Sophos Connect.
What to do: The connection was created using a provisioning file. Sophos Connect will
automatically download the new policy and reestablish the SSL VPN tunnel.

Note
If the administrator changes the SSL VPN policy on XG Firewall while the tunnel is in a connected
state, and it is an SSL VPN over TCP, then the Sophos Connect Client will detect and download
the new policy immediately. If it is an SSL VPN over UDP tunnel, you need to wait for the inactivity
timer to delete the tunnel. Sophos Connect will then download the new policy to reestablish the
tunnel.

Policy mismatch error. Import a new policy for this connection.


Cause: Sophos Connect client tried to establish an SSL VPN connection with an existing policy it
has saved for this connection.
The administrator changed the SSL VPN settings on XG Firewall after an SSL VPN connection was
established and saved by Sophos Connect.
What to do: The connection was created by importing an ovpn file. The user must download and
import a new ovpn file from XG Firewall user portal to reestablish the SSL VPN tunnel.

Note
If the administrator changes the SSL VPN policy on XG Firewall while the tunnel is in a connected
state, and it is an SSL VPN over TCP tunnel, then the Sophos Connect Client will detect and
disconnect the tunnel with an error. If it is an SSL VPN over UDP tunnel, then you have to wait for
the inactivity timer to delete the tunnel. The user has to download and import a new ovpn file from
the XG Firewall user portal to successfully reestablish the SSL VPN tunnel.

Timed out waiting for server response.


Cause: The SSL VPN policy is configured incorrectly on XG Firewall. Possible reasons for the failure
are as follows:


1. Override hostname is configured, but it does not resolve to the correct or valid public IP address.
2. DDNS is configured, but it does not resolve to the correct or valid public IP address.
3. Neither Override hostname nor DDNS is configured, and the WAN port does not have a public
IP address.
What to do: If you used a provisioning file to import the connection, run Update policy from the
connection settings menu in the Sophos Connect client. If you used an ovpn file to create the connection,
export a new ovpn file from the user portal and re-import it in the Sophos Connect client.
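The troubleshooting list above asks you to find the events logged at and after the timestamp of your connection attempt and then match them to the documented messages. The script below, an added example that is not Sophos code, does that over a list of event lines: it turns each documented message template (with `<...>` placeholders) into a regular expression, drops events older than the attempt, and reports the matched event, the values captured from the placeholders, and the documented cause. The line layout `YYYY-MM-DD HH:MM:SS  message` and the sample events are constructed for this example; the real Events page and scvpn.log formats are not described in the help and may differ.

```python
"""Triage helper for Sophos Connect event lines (added example, not Sophos code).

The event texts and causes come from the troubleshooting list in the help; the
line format and SAMPLE_EVENTS are constructed for this example.
"""
import re
from datetime import datetime
from typing import Dict, List

# Documented event templates; <...> marks a value the client fills in.
EVENT_CAUSES: Dict[str, str] = {
    "No network connection": "network adapter has no IP address",
    "DNS resolution failed": "client cannot resolve the gateway host name",
    "UDP ports 500/4500 blocked": "local firewall or router blocks UDP 500/4500",
    "No response from gateway: <gateway>": "gateway not answering IKE negotiation",
    "Received NO_PROPOSAL_CHOSEN notification from gateway":
        "policy not active, or IKE phase 1 proposals changed on the firewall",
    "Server expected remote ID <expected> but got <actual>":
        "local ID on the firewall differs from the value in this connection",
    "Possible pre-shared key mismatch <connection>": "pre-shared key changed on the firewall",
    "User authentication of <username> failed": "username or password did not match",
    "Service is unavailable": "Sophos Connect service (scvpn) not running",
    "Cannot connect to policy gateway: <gateway>": "gateway/port wrong in provisioning file",
    "Timed out waiting for server response.": "override hostname, DDNS or WAN address misconfigured",
}

_TIMESTAMP = "%Y-%m-%d %H:%M:%S"
_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")


def template_to_regex(template: str) -> "re.Pattern":
    """Turn 'No response from gateway: <gateway>' into an anchored regex with named groups."""
    parts = re.split(r"(<[^>]+>)", template)
    pieces = []
    for part in parts:
        if part.startswith("<") and part.endswith(">"):
            group = re.sub(r"\W", "_", part[1:-1])   # placeholder -> group name
            pieces.append(f"(?P<{group}>.+?)")
        else:
            pieces.append(re.escape(part))           # literal text, dots included
    return re.compile("^" + "".join(pieces) + "$")


_COMPILED = [(tpl, template_to_regex(tpl), cause) for tpl, cause in EVENT_CAUSES.items()]


def triage_events(lines: List[str], attempted_at: str) -> List[dict]:
    """Return documented errors logged at or after attempted_at ('YYYY-MM-DD HH:MM:SS')."""
    since = datetime.strptime(attempted_at, _TIMESTAMP)
    findings = []
    for line in lines:
        match = _LINE.match(line.strip())
        if not match:
            continue
        stamp, message = match.group(1), match.group(2).strip()
        if datetime.strptime(stamp, _TIMESTAMP) < since:
            continue                                  # older than the attempt: ignore
        for template, pattern, cause in _COMPILED:
            hit = pattern.match(message)
            if hit:
                findings.append({"time": stamp, "event": template,
                                 "fields": hit.groupdict(), "cause": cause})
                break
    return findings


# Constructed sample events (not a real capture).
SAMPLE_EVENTS = [
    "2020-04-29 08:55:00  User authentication of alice failed",
    "2020-04-29 09:00:05  Connecting to Head office",
    "2020-04-29 09:00:07  No response from gateway: vpn.example.com",
    "2020-04-29 09:00:30  Possible pre-shared key mismatch Head office",
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS, "2020-04-29 09:00:00"):
        print(finding["time"], finding["event"], finding["fields"], "->", finding["cause"])
```

Running the module prints only the two events logged after 09:00:00; the earlier authentication failure belongs to a previous attempt and is skipped, which is the filtering step the help describes.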

1.5 General troubleshooting


This topic covers troubleshooting issues that do not appear in the events page.
If you need further assistance contact Sophos Support.

Traffic stops going through the VPN tunnel


Cause: If you are running a firmware version prior to v17.5, it is possible that the client received a
new virtual IP after the phase 1 rekey.
What to do: You will have to disconnect and reconnect. The permanent solution is to upgrade to
v17.5.

Sophos Connect dashboard will not open


Cause: If the Sophos Connect dashboard does not open, or it does not respond when you click
on the tray icon, this means that the Sophos Connect GUI is stuck in an infinite loop and cannot
respond to external input.
What to do (Windows): Open task manager and select the Details tab. Find scgui.exe and then
right click to end task. Restart the application from the desktop shortcut.
What to do (Mac): Open Activity Monitor and find the Sophos Connect process. Open this process
and select Force Quit. Restart the application from LaunchPad.

Web browsing stops working when tunnel is disconnected

Note
This is more common on Macs.

Cause: When a Tunnel All connection is disconnected, the DNS servers aren't restored from the
physical network adapters. This means the internal DNS servers that were used when you were
connected through the VPN are still used. As the tunnel no longer exists, name resolution won't
work.
What to do: Disconnect from your local network then reconnect.


Sophos Connect GUI displays "Service Unavailable"

Note
This is more common on Macs.

Cause: When a tunnel disconnect is initiated, the strongSwan IPsec daemon gets stuck in an infinite
loop. As a result the GUI gets no response to the disconnect, ultimately times out, and
shows the error "Service Unavailable".
What to do (Mac):
1. Open the Activity Monitor and quit the Sophos Connect GUI process.
2. Open the Terminal and run the following commands:
sudo /bin/launchctl unload -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist
sudo /bin/launchctl load -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist
3. Open Sophos Connect, and check that the "Service unavailable" error is now resolved.
What to do (Windows):
1. Open cmd as administrator then run the following commands:
net stop scvpn
net start scvpn
2. Open Sophos Connect, and check that the "Service unavailable" error is now resolved.

Sophos Connect can't establish a tunnel


Cause: You probably installed the Sophos Connect client first and then installed the Sophos SSL
VPN client.
What to do: Uninstall both clients then re-install the Sophos SSL VPN client and then the Sophos
Connect client.

Note
They must be installed in that order.

Received connection reset from gateway: <gateway name>


This message is logged in the scvpn.log file (in the install folder).
Cause: SSL VPN settings are changed on XG Firewall, a user is manually disconnected or XG
Firewall restarts. If the connection uses SSL VPN over TCP, XG Firewall will send a connection
reset request. If the connection uses SSL VPN over UDP, depending on the idle time-out period, the
connection may reconnect automatically.
What to do: Import a new configuration file into the Sophos Connect client and then reconnect. If your
administrator hasn't sent you the file, go to the user portal and download the ovpn file.


SSL VPN connection has auto-connect and update policy menu items grayed out
Cause: If the SSL VPN connection is created by importing an ovpn file, these options aren't
available.
What to do: To enable these options you must create a connection using a provisioning file. Add
these options to the provisioning file. Update policy will be available after you connect for the
first time. To enable auto-connect, you must define an auto_connect_host that can only be
accessed on the internal network.
Example of a provisioning file with the minimum requirements for enabling auto-connect:

[
  {
    "display_name": "<Enter connection name>",
    "gateway": "<Enter your gateway hostname or IP>",
    "auto_connect_host": "<Enter hostname or IP of internal network resource>"
  }
]
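Several of the events above ("Import file contains a duplicate connection", "Cannot connect to policy gateway", the grayed-out auto-connect options) trace back to a provisioning file with a wrong or missing attribute. The validator below is an added example, not Sophos code: it checks a provisioning file before import for the attributes the help names (display_name, gateway, user_portal_port, auto_connect_host), flags duplicate display names, unfilled `<Enter ...>` template placeholders, gateway values that are not a hostname or IP, and an out-of-range user portal port. The rules themselves (which attributes are required, the 443 default, the hostname syntax) are this example's assumptions, and the two sample files at the bottom are constructed for the test.

```python
"""Validator for Sophos Connect provisioning files (added example, not Sophos code).

Attribute names come from the help text; the validation rules, the default
port and the sample files are this example's own assumptions/constructions.
"""
import ipaddress
import json
import re
from typing import List

# One DNS label in RFC 1123 shape (assumption: the client accepts the same form).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_host_or_ip(value: str) -> bool:
    """True for an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return bool(value) and all(_LABEL.match(label) for label in labels)


def _is_placeholder(value) -> bool:
    """Template text such as "<Enter connection name>" that was never filled in."""
    return isinstance(value, str) and value.strip().startswith("<") and value.strip().endswith(">")


def validate_provisioning(text: str) -> List[str]:
    """Return the problems found in a provisioning file; an empty list means it is usable."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(entries, list) or not entries:
        return ["file must contain a non-empty JSON array of connections"]

    problems: List[str] = []
    seen_names = set()
    for index, entry in enumerate(entries, start=1):
        where = f"connection #{index}"
        if not isinstance(entry, dict):
            problems.append(f"{where}: not a JSON object")
            continue

        for key in ("display_name", "gateway", "auto_connect_host"):
            if _is_placeholder(entry.get(key)):
                problems.append(f"{where}: {key} still holds the template placeholder {entry[key]!r}")

        name = entry.get("display_name")
        if not isinstance(name, str) or not name.strip():
            problems.append(f"{where}: display_name is missing or empty")
        elif name in seen_names:
            # The client reports this as "Import file contains a duplicate connection".
            problems.append(f"{where}: duplicate display_name {name!r}")
        else:
            seen_names.add(name)

        gateway = entry.get("gateway")
        if not isinstance(gateway, str) or not is_host_or_ip(gateway):
            problems.append(f"{where}: gateway is not a valid hostname or IP address")

        # Assumption: the attribute is optional and defaults to HTTPS port 443.
        port = entry.get("user_portal_port", 443)
        try:
            port_number = -1 if isinstance(port, bool) else int(port)
        except (TypeError, ValueError):
            port_number = -1
        if not 1 <= port_number <= 65535:
            problems.append(f"{where}: user_portal_port must be an integer between 1 and 65535")

        host = entry.get("auto_connect_host")
        if host is not None and (not isinstance(host, str) or not is_host_or_ip(host)):
            problems.append(f"{where}: auto_connect_host is not a valid hostname or IP address")
    return problems


# Constructed sample files (not real deployments).
GOOD_FILE = json.dumps([
    {"display_name": "Head office", "gateway": "vpn.example.com",
     "user_portal_port": 443, "auto_connect_host": "intranet.example.com"},
])
BAD_FILE = json.dumps([
    {"display_name": "Head office", "gateway": "vpn.example.com"},
    {"display_name": "Head office", "gateway": "vpn example com", "user_portal_port": 70000},
    {"display_name": "<Enter connection name>", "gateway": "203.0.113.10"},
])

if __name__ == "__main__":
    for label, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, validate_provisioning(text) or "OK")
```

Run it before handing a provisioning file to users: a clean result means the file parses, every connection has a unique display name and a well-formed gateway, and no template placeholder was left behind.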

SSL VPN error


Cause: An error generated by the OpenVPN service.
What to do: Re-establish the connection. If this doesn't work, restart your device and try again.

Management port is unavailable


Cause: Sophos Connect fails to claim TCP port 25340, which is required to communicate with
OpenVPN.
What to do: Check if another application is running on the device using this port. Exit the
application, if possible. If you don't fix this issue, Sophos Connect 2.0 can't run on your device. If no
other application is using this port, this may be a temporary condition. Re-establishing the connection
should resolve the issue.

Failed to create temporary file


Cause: Sophos Connect uses a temporary file to pass the connection attributes to the OpenVPN
service. Sophos Connect failed to create the file on this device.
What to do: Restart your device.

OpenVPN service is unavailable


Cause: The OpenVPN service may not have started.
What to do: If the OpenVPN service start-up type is set to disabled, change it to manual and also
restart the Sophos Connect service.


Failed to write to pipe


Cause: An error generated by the Sophos Connect client.
What to do: Re-establish the connection. If this doesn't work, restart your device and try again.


2 About Sophos Connect Admin


In Sophos Connect Admin you can import config (.tgb) files and configure various options for your
VPN setup.

Note
For information on how to configure and export a .tgb file on the XG, see the Sophos Connect
Client section of the XG help guide: Sophos Connect client.

The installation and uninstallation processes for Sophos Connect Admin are the same as the
processes for Sophos Connect. See Installation in the Sophos Connect help guide for more
information.

2.1 Editing configuration files


You can edit your configuration (.tgb) files in Sophos Connect Admin, which provides you with
more granular VPN configuration options.
Open the .tgb file you have exported from the XG in Sophos Connect Admin. You can:
• Enable Tunnel All to send all traffic through the VPN connection.
• Enable Send Security Heartbeat to allow Sophos Endpoint to send a heartbeat to the XG. This
will only work if the user has the Sophos Endpoint client installed on their machine.
• Enable Allow Password Saving to allow the users to save their user name and password on
their machine. The user credentials are stored securely using keychain services.
• Enable Prompt for 2FA if you have configured Two Factor Authentication for the VPN users on
the XG.
• Enable Auto-Connect Tunnel to automatically enable the connection after the user logs on to
Sophos Connect on their machine. Sophos Connect will not automatically initiate the connection
if the user is already connected to the corporate network.
Auto connect requires an additional configuration parameter, DNS Suffix/Monitoring Host, which
is used to determine whether the user's local system is inside or outside the corporate network.
Use one of the following values:
— An IP address.
— A Fully Qualified Domain Name (FQDN). The host name must only resolve when using the
internal DNS server.
— A DNS suffix.

Note
If you configure an IP Address or FQDN, ICMP must be allowed on this host.

• Add, modify and delete Networks that the user can connect to. Adding specific networks to the
list enables split tunneling, as the user will access resources on those networks through the VPN
connection, but will access internet resources straight through their remote gateway.


Note
If you delete all networks, Tunnel All mode will be activated, meaning all traffic will be
directed through the VPN connection.

• Change the Connection Name and Target Host.
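The Auto-Connect Tunnel option above relies on the DNS Suffix/Monitoring Host value to decide whether the machine is already on the corporate network (in which case no tunnel is started). The help lists the three value types and the ICMP requirement but not how the check is combined, so the following is an added example, not Sophos code, of one way to implement that decision: an IP address is pinged, an FQDN must resolve (it only does on the internal DNS server) and then answer a ping, and a DNS suffix is compared with the adapter's search suffixes. The probes are injectable so the logic can be exercised offline; the leading-dot convention for suffixes, the default ping invocation and the sample values are this example's assumptions.

```python
"""Inside/outside-network probe for Auto-Connect Tunnel (added example, not Sophos code).

The three value types and the ICMP requirement come from the help; the
decision rules, the leading-dot suffix convention and the default probes
are this example's own assumptions.
"""
import ipaddress
import platform
import socket
import subprocess
from typing import Callable, Iterable, Optional


def classify_monitor_value(value: str) -> str:
    """Return 'ip', 'fqdn' or 'suffix' for a DNS Suffix/Monitoring Host value."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    # Assumption: a suffix is written with a leading dot (".corp.example.com");
    # anything else that is not an IP literal is an FQDN to resolve.
    return "suffix" if value.startswith(".") else "fqdn"


def default_resolve(host: str) -> Optional[str]:
    """Resolve host with the system resolver; None when it does not resolve."""
    try:
        return socket.getaddrinfo(host, None)[0][4][0]
    except socket.gaierror:
        return None


def default_ping(address: str) -> bool:
    """One ICMP echo request via the OS ping tool (ICMP must be allowed, as the help notes)."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    result = subprocess.run(["ping", count_flag, "1", address],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def is_on_corporate_network(value: str,
                            resolve: Callable[[str], Optional[str]] = default_resolve,
                            ping: Callable[[str], bool] = default_ping,
                            local_suffixes: Iterable[str] = ()) -> bool:
    """True when the monitoring value indicates the machine is inside the corporate network.

    local_suffixes: the active adapter's DNS search suffixes (reading them is
    OS-specific and left to the caller).
    """
    kind = classify_monitor_value(value)
    if kind == "ip":
        return ping(value.strip())
    if kind == "fqdn":
        address = resolve(value.strip())
        # The FQDN only resolves on the internal DNS server: no answer means outside.
        return address is not None and ping(address)
    wanted = value.strip().lstrip(".").lower()
    return any(s.lower().rstrip(".") == wanted or s.lower().rstrip(".").endswith("." + wanted)
               for s in local_suffixes)


def should_auto_connect(value: str, **probes) -> bool:
    """Auto-connect starts the tunnel only when the machine is outside the corporate network."""
    return not is_on_corporate_network(value, **probes)


if __name__ == "__main__":
    # Constructed monitoring values; real checks would use the default probes.
    for monitor in ("10.1.2.3", "probe.corp.example.com", ".corp.example.com"):
        print(monitor, classify_monitor_value(monitor),
              "auto-connect:", should_auto_connect(monitor, resolve=lambda h: None,
                                                   ping=lambda a: False,
                                                   local_suffixes=["home.lan"]))
```

With the constructed probes in the `__main__` block every value reports "outside", so auto-connect would start the tunnel; on a machine that is actually inside, the ping or suffix match succeeds and the tunnel is not started, which is the behaviour the help describes.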


If you Clear the configuration, you will need to import the .tgb file again.
If you Save the configuration, it will be saved as a .scx file.

Note
You can import .scx files and re-edit them.

When you have saved the configuration file you can send it to the user, who will import it into Sophos
Connect. For more information, see Sophos Connect.


3 Legal Notices
Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise unless you are either a valid licensee where the documentation
can be reproduced in accordance with the license terms or you otherwise have the prior permission
in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.
