In this article we will discuss how to configure the Sophos Connect client in detail.
The Sophos Connect client is used as an IPsec remote access client to reach the firewall's LAN network over an encrypted tunnel, so the traffic stays confidential.
Log in to the Sophos XG firewall GUI, go to VPN >> IPsec Remote Access and fill in the details below.
IPsec remote access: Enable this option to enable Sophos Connect client access.
Interface: Select your WAN interface, since clients will connect to the firewall LAN network from the external (outside) network.
Preshared Key: Enter the preshared key that will be used for authentication.
Local ID & Remote ID: These optional fields are used to distinguish between different VPN connections.
Allowed Users and Groups: Under the allowed users and groups section, add the users who need to connect to the firewall LAN network using the Sophos Connect client.
Name: Enter a name for the connection.
Assign IP from: Enter the range of IP addresses to lease to clients; make sure it does not overlap with any existing LAN network on the firewall.
Enable the “Allow leasing IP address from RADIUS server for L2TP, PPTP and IPsec remote access” option to have client IP addresses assigned by the RADIUS server.
DNS server1 & DNS server2: You can define the primary and secondary DNS servers for Sophos Connect clients. These fields are optional.
Disconnect when tunnel is idle: Enable this option to disconnect clients when no traffic is passing through the Sophos Connect tunnel.
Idle session time interval: Idle clients are disconnected after this many seconds.
Use as default gateway: If we enable this option, all Sophos Connect client traffic will pass through the Sophos XG firewall.
Permitted network resources: Under the permitted network resources section, add the firewall LAN networks that clients are allowed to reach.
Send Security Heartbeat through tunnel: This option allows the client to send Security Heartbeat through the Sophos Connect tunnel.
Allow users to save username and password: If we enable this option, Sophos Connect client users can save their credentials. From a security perspective this is not recommended.
Here are the sample settings in the firewall:
Now that we have configured the Sophos Connect client settings, save them and create the firewall rules that allow traffic to the firewall LAN network.
Go to Rules and Policies and click Add firewall rule at the top:
We can create a single firewall rule for both LAN to VPN and VPN to LAN traffic as shown in the image above. Make sure to place the firewall rule at the top so that the traffic does not match a block rule first. If you are sure about your network configuration you can position this rule as required.
Now you need to download the Sophos Connect client. You can download it from the user portal or from VPN >> IPsec Remote Access >> Download client.
Log in to the user portal as the concerned user and click on Download configuration for Windows as shown in the image below.
Follow the installation process and install the Sophos Connect client on the end user machine. Once installed, the Sophos Connect client is shown in the task bar.
With the client installed, you now have to download the Sophos Connect connection configuration from the VPN >> IPsec Remote Access tab.
Click on Export connection as shown in the image below.
Extract the downloaded zip file; it contains three files as shown in the image below.
Click on the Sophos Connect icon and import the downloaded connection by clicking on the Import connection tab. Select the .tgb file (the third file in the image above).
Now the IPsec connection should be listed in the Sophos Connect client as shown below.
Click on Test connection, then click Connect and enter the username and password of the specific user. The client should connect to the firewall.
To check the IP address assigned to the connected machine, open a command prompt and type ipconfig. Since we configured the IP range 10.0.0.1 to 10.0.0.100, we got the IP address 10.0.0.1 as shown in the image below.
Since we did not enable the default gateway option in the Sophos Connect client configuration, no default gateway is listed for the tunnel adapter in the command prompt output.
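As an added example that is not part of this article, the small Python helper below automates two of the checks made above: that the "Assign IP from" range does not overlap an existing LAN network, and that the address shown by ipconfig on the client falls inside that range and, with the default gateway option disabled, has no gateway pushed. The pool, the LAN networks, the ipconfig text and the adapter name hint "Sophos" are constructed assumptions, not values taken from a real deployment.

```python
# Added example, not from the article: checks that the "Assign IP from" pool
# does not overlap a LAN network and that the ipconfig lease comes from that pool.
import ipaddress
import re

def pool_overlaps(pool_start, pool_end, lan_networks):
    """Return the LAN networks that share any address with the client pool."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    hits = []
    for net in lan_networks:
        n = ipaddress.ip_network(net, strict=False)
        if start <= n.broadcast_address and end >= n.network_address:
            hits.append(str(n))
    return hits

def parse_ipconfig(text):
    """Map each adapter in Windows ipconfig output to its IPv4 and gateway."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")          # adapter header line
            adapters[current] = {"ipv4": None, "gateway": None}
        elif current:
            m = re.search(r"IPv4 Address[ .]*: *(\S+)", line)
            if m:
                adapters[current]["ipv4"] = m.group(1)
            m = re.search(r"Default Gateway[ .]*: *(\S*)", line)
            if m:
                adapters[current]["gateway"] = m.group(1) or None
    return adapters

def check_lease(ipconfig_text, pool_start, pool_end, adapter_hint="Sophos"):
    """Report whether the adapter whose name contains adapter_hint (an assumption) got a pool address and a gateway."""
    start, end = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))
    for name, info in parse_ipconfig(ipconfig_text).items():
        if adapter_hint.lower() in name.lower() and info["ipv4"]:
            addr = int(ipaddress.ip_address(info["ipv4"]))
            return {"adapter": name, "ipv4": info["ipv4"],
                    "in_pool": start <= addr <= end,
                    "full_tunnel": info["gateway"] is not None}
    return None

# Constructed ipconfig output: split tunnel, so the tunnel adapter has no gateway.
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.1
Unknown adapter Sophos Connect:
   IPv4 Address. . . . . . . . . . . : 10.0.0.1
   Default Gateway . . . . . . . . . :
"""
```

Run `check_lease` on the real ipconfig output of a connected machine to confirm the lease came from the configured pool; a `full_tunnel` of True means a default gateway was pushed, which should only happen when "Use as default gateway" is enabled.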
Now you can connect to firewall LAN network.
Hope this article helps you.