- On XG firewall admin portal you need to go to Administration > Device Access and make sure 'Client Authentication' is enabled. (On a related note: For my Windows clients I had switched from using STAS to using certificate-based Kerberos AD authentication, and at that time support told me I could uncheck 'Client Authentication' since it's not required if I was not using STAS. That may be correct except - if you plan on using the Client Authentication Agent on macOS you DO need to check this box).
You mean, I sell Sophos Firewalls to my customers and then cannot use their own product to connect to them but instead a potentially unsupported third party tool? (I know it's technically the same as the old client but that's not the point).
3. If your client gets exposed as a partner, you could potentially leak a lot of information/credentials to all your customers, as that data is likely saved on your client. This makes this kind of approach insecure as well.
Sophos provides an authentication client for Windows and Mac OS so that users directly authenticate at Sophos UTM. This gives you user-based control on web surfing and network traffic by, for example, creating firewall rules based on user networks or group networks. Additionally, wherever possible, IP addresses, hostnames, and the like are replaced by usernames to provide a better readability of reporting data and objects.
My company has a lot of machines reporting with bad status after a failed update and it seems the client would report anymore. Is there a way to repair the client remotely or reinstall the client remotely?
The only solution I've been given is to manually uninstall the client after turning off tamper protection, rebooting then reinstalling the client. This wouldn't work well in a larger organisation with thousands of machines therefore is there a solution or do we need to buy professional services?
Unfortunately, it is not possible to re-install the from Sophos central, however please check this article to uninstall using a batch file, and then you can install the same by pushing the client via SCCM.
I tried to install Sophos Connect on a Windows Server 2016 to run the server as a client. I installed it, I imported the config file, but when I try to connect it says OpenVPN service is not available. I looked for the services but everything is running. My suspicion is Windows Server cannot run as a client. Any ideas?? Thank you!
Hello Angelos Zikos1,
Thank you for reaching out to the community. Which version of Sophos Connect are you using?
Between you can download the latest version of the Sophos Connect (IPSec and SSLVPN Client) - -us/support/downloads/utm-downloads
What is the build of your Windows Server 2016? Can you share more details on that?
For that single machine you may try using OpenVPN which can be downloaded from here. So you would need to just download the configuration file and load it onto the OpenVPN client located on your system tray icon.
I have this challenge on my network. I installed the client authentication agent, logged in the user successfully, but after some time they are logged out and the agent disappears. It is not on the taskbar nor under task manager. I have to reinstall it and it WILL say this application is already installed.
I checked the logs at \programdata\sophos\management communication system\endpoint\logs\, and the logs show some warnings like the below, but that's from the 14th so it is like sophos isn't trying to check in?
Under Administration - Device Access I have enabled Client Authentication on LAN zone (which is where the client is also connecting). I have also enabled AD SSO on LAN zone to see if that changes anything but it doesn't seem to make a difference.
Another option might be to add a "marker" that is unique for the customer, E.g. In global scanning exclusions - -exclusions you could create a simple marker for each account you manage e.g. a Windows Exclusion for "AccountX". You can then check the client under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\ OnAccessExcludeFilePaths for the value.
Regards,
Jak
We just set up WAF and now client IPs are all showing the IP of the Sophos Firewall. How can we preserve or retain the original client IP? We have a few scenarios where something on our web app is revealed to them based on their IP, but now all traffic is showing coming from the LAN IP of the Sophos.
It's good to enable the "Pass host header" since lots of applications won't work without it, the WAF will send the real IPv4 of the client independent of this configuration through the X-Forwarded-For HTTP Header.
Thanks. I have "Pass host header" checked, and I just added the X-Forwarded-For custom field in IIS 10 logging. I am still seeing the IP address of the Sophos instead of the client IP. Do I need to do anything else on the Sophos to enable X-Forwarded-For?
We have opened a case with Sophos. I will post more when I find out more. This just seems very odd to me that it isn't more straight-forward. Very basic example: imagine a site running google analytics on it for years, then the customer implements a Sophos WAF. Suddenly all google analytics data is irrelevant because all traffic now appears to originate from the firewall, not the public client. I must be missing something, and I hope Sophos can help!
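The following is an added example, not part of any post in this thread: one way a backend behind the WAF can recover the client address from X-Forwarded-For without trusting values the client itself can forge. The proxy address `192.168.10.1` and the function names are assumptions for illustration, as is the premise that the WAF places the address it saw in the last element of the header.

```python
import ipaddress

# Assumption: the firewall's LAN-side address as seen by the web server
# (constructed value; replace with your own).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.10.1/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse_ip(token):
    """Parse one X-Forwarded-For element; tolerate 'ip:port' and '[v6]:port'."""
    token = token.strip()
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(peer, xff_header):
    """Return the address to log or make decisions on.

    The header is honoured only when the TCP peer is the WAF itself.
    Elements are walked right to left, because anything to the left of
    the WAF's own entry was supplied by the client and may be forged.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    for token in reversed(xff_header.split(",")):
        addr = _parse_ip(token)
        if addr is None:
            return str(peer_addr)  # malformed header: fall back to the peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)
```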
I've just been charged with setting up the sophos cloud system. On the test machines that I have installed, I've just tried to remove sophos client from one of the test pc's however it keeps saying that tamper protection is enabled. I have been in to the sophos central admin and disabled tamper protection for the pc, waited 30 minutes and it is still saying tamper protection is enabled.
At the moment it is only one client that is having the issue. The client is communicating with the sophos central in the fact that I can see on the computer the last activity keeps updating from when I boot/reboot the pc. It just doesn't seem to be picking up the tamper protection settings. I have tried turning them on and off, and also sending out a new tamper protection number. However this is the surface client, so I'm keen to try and get it working without having to resort to safe mode as realistically that's not something we can support. I'll try your other suggestions and let you know how I get on.
just to update, it eventually picked up the fact that I had disabled tamper protection (only took half a day!), so now I've been able to uninstall the client and test pushing it out via our MDM (Intune). However, already on the two that I have tested, they are reporting back in the sophos central that services have not started.
I recently had this issue where sophos kept prompting for administrator and Tamper protection password to uninstall sophos and still would not uninstall sophos agent even though tamper had been disabled on Central. I also could not disable tamper on the endpoint because the GUI component that allows to disable tamper on the endpoint is missing. So I did this simple thing, logged on to my local account (not domain account) and uninstalled sophos. Smooth[:D]
Verify that all the details are filled in the "Default" certificate authority in System Certificate Certificate Authority Default? Fill up the details and re-download the client for a fresh installation.
We too all of a sudden started having could not validate certificate errors with our CAA. I updated to version 19.0.0 GA-Build317 back in April and didn't have any issues until today. I verified the time on our AD server, our client PCs, and XG firewall and all was correct. I then regenerated the certificates, uninstalled CAA, re-imported certificate, and re-installed CAA all with no luck. I was about to update to latest firmware when I decided to just reboot the XG firewall. After reboot of XG firewall, CAA started working. Maybe all I had to do was reboot our XG firewall? Just wanted to share and hopefully save someone out there a little time.