
Sophos Connect help

Contents

About Sophos Connect (page 1)
  Installing Sophos Connect (page 1)
  Uninstalling Sophos Connect (page 1)
  Connections (page 2)
  Events (page 11)
  General troubleshooting (page 15)
About Sophos Connect Admin (page 18)
  Editing configuration files (page 18)
Legal Notices (page 20)

(2020/04/21)


1 About Sophos Connect

Sophos Connect is a VPN client that can be installed on Windows and Macs. It allows you to connect to networks behind the XG from a remote location, for instance, your company network. Your firewall administrator will configure connection details on the XG and provide you with the installation package and the connection configuration files.

This guide provides information about how to use Sophos Connect:

• For instructions on how to install and uninstall Sophos Connect, see Installing Sophos Connect (page 1).

• For instructions on importing connection files and managing connections, see Connections (page 2).

• For information on events, and how to troubleshoot event errors, see Events (page 11).

• To troubleshoot issues that do not appear in the events section, see General troubleshooting (page 15).

1.1 Installing Sophos Connect

Install Sophos Connect on Windows

• Open the installer.

• Accept the license agreement and click Install.

• Once the installation is complete, click Finish. You can choose to launch Sophos Connect after the exit.

Install Sophos Connect on Mac

• Open the installer.

• Choose the installation destination. Make sure you have enough free space in the destination you have chosen, for example, System Drive.

• Click Install.

• Once the installation is complete, click Finish.

1.2 Uninstalling Sophos Connect

Uninstall Sophos Connect from Windows

• Go to Control Panel and under Programs click Uninstall a program.

• Right click on Sophos Connect, and select Uninstall.

Copyright © Sophos Limited 1


Uninstall Sophos Connect from Mac

• Open the terminal.

• Elevate to root and run the uninstall script from the location Sophos Connect is installed in:

sudo "/Library/Sophos Connect/uninstall.sh"

You will get the following message if the uninstallation was successful:

Sophos Connect has been uninstalled

1.3 Connections

You can import connections, establish connections, and view and edit connections.

Sophos Connect supports SSL VPN and IPsec VPN.

1.3.1 Import Connections

The Sophos Connect client can connect to XG firewall using SSL or IPsec VPN connections. You can import connections into the Sophos Connect client.

Introduction

For version 2.0 of the Sophos Connect client, you can import both SSL and IPsec VPN connections. If you are using an earlier version of the Sophos Connect client, you can import IPsec connections only.

This page tells you how to do the following:

• Import an IPsec connection using a file provided to you by your admin.

• Import an SSL connection using a file provided to you by your admin.

• Import an SSL connection by downloading a file from the user portal.

Import an IPsec connection

A connection file has been provided to you. It has the extension tgb, for example Company_connection.tgb.

To import a connection:

1. Click Import connection on the Connections page.

If there are existing connections, click the menu button and choose Import connection from the drop-down menu.


2. Browse for the .tgb file and double-click on it. The connection will be displayed under Connections.


You can now establish the connection.

Note: You can import multiple connections.

Import an SSL connection

A connection file has been provided to you. It has the extension pro, for example Company_connection.pro.

To import a connection:

Browse for the .pro file and double-click it. The connection will be imported automatically and Sophos Connect will open. The connection will show under Connections.


You can now establish the connection.

Note: You can import multiple connections.

Import an SSL connection from the user portal

To import a connection:

1. Sign into the user portal.

2. Go to SSLVPN and click Download configuration for other OSs.

3. Open the Sophos Connect client.

4. Click Import connection on the Connections page.

If there are existing connections, click the menu button and choose Import connection from the drop-down menu.

5. Browse for the .ovpn file and open it.

The connection will show under Connections.


You can now establish the connection.

Note: You can import multiple connections.

1.3.2 Connect

Make sure there is at least one imported connection available and you have been given the required credentials.

To establish a connection:

1. Select a connection on the Connections page.

2. Double-click the connection.

You can also click Connect.

The sign-in screen will appear.


3. Enter your username and password and click Log in.

Your admin may have configured two-factor authentication.

• If your admin has configured OTP, in addition to entering your username and password you must enter your 6 digit OTP passcode.

• If your admin has configured DUO authentication, you may get one or two DUO prompts during the connection process.

Note: If you imported the connection using a provisioning file, you will get a warning that the server certificate can't be verified. You can click OK to continue. If you don't want to see the message, contact your administrator.

Sophos Connect attempts to establish the connection and authenticate you.

Note: If you are facing connection issues, look at the Events page and contact your IT. You can also check the VPN logs by clicking on the menu icon and selecting them.


The connection to the remote server is established.


If the connection is successful, you will see this icon on the taskbar:

If the connection is unsuccessful, you will see this icon on the taskbar:

Note: If you have renamed the connection, the original name as provided by your firewall administrator will still show in connection details. For instructions on how to rename it see Connection options (page 10).


1.3.3 Connection options

You can make various changes to the connections in Sophos Connect by clicking the settings icon on the right hand side of the connection.

1. Auto connect attempts a connection when Sophos Connect is started up.

2. Delete deletes the connection, so if you want to re-enable that connection you will need to import it again.

3. Rename gives you the option to rename your connection.

4. Clear credentials clears credentials that you have previously stored.


5. Update policy (only available if the connection was created using a provisioning file). This allows you to pull the latest policy from the XG firewall on demand.

Tip: If the connection fails after multiple retries, initiate a policy update and try to connect again.

1.4 Events

See any actions within Sophos Connect and the results of those actions. This includes failures resulting from user actions as well as IKE negotiation failures. To troubleshoot event errors, see Troubleshooting events (page 12).

• If verbose errors are required to troubleshoot a problem, click Open VPN log.

• To remove events from the list, click Clear events.


Figure 1: Events

1.4.1 Troubleshooting events

If you have issues connecting, click on Events, look at the timestamp from when you attempted a connection, and find the relevant error.

In this section you will see the error messages, possible causes for the errors, and information on what to do next. If you experience any issues that are not listed below, please contact Sophos Support.


No network connection

Cause: The client is unable to get a response to an ICMP request from a public address on the internet.

What to do: Check that you have a valid IP address, and that your existing network connection is working.

DNS resolution failed

Cause: The client is not able to resolve the gateway host name.

What to do: Check if a DNS server is assigned to the network interface. Do an nslookup for a public host, for example www.sophos.com, and verify that it resolves to an IP address. If it does not resolve, contact your ISP.

UDP ports 500/4500 blocked

Cause: The firewall or the router is blocking UDP ports 500 and 4500.

What to do: Check your local firewall or router configuration and allow traffic on those ports. If you do not have access to the firewall or router, for example if you are in a hotel, connect through your mobile hotspot and try to connect again.

No response from gateway: <gateway FQDN or IP specified in connection>

Cause: The gateway is not responding to IKE negotiation messages. This may be because:

• The remote gateway (firewall or router) has been shut down.

• The WAN address on the remote gateway is not connected directly to the internet.

What to do: Contact your firewall administrator and report the problem to troubleshoot further.

Received NO_PROPOSAL_CHOSEN notification from gateway

Cause: The remote gateway responded back to IKE negotiations from Sophos Connect with this error notification. This may be because:

• The Sophos Connect policy is not defined or activated on the firewall.

• The firewall administrator changed the IKE phase 1 proposals used for the Sophos Connect policy on the firewall and the new configuration was not exported and uploaded to the client.

What to do: Contact your firewall administrator and report the problem to troubleshoot further.


Server expected remote ID <expected ID value> but got <actual ID value>

Cause: The local ID type or value configured in the Sophos Connect policy on the firewall is different from the value used for this connection. This may be because the firewall administrator changed the local ID on the firewall and the new configuration file was not imported to Sophos Connect.

What to do: Contact your firewall administrator and report the problem to troubleshoot further.

Possible pre-shared key mismatch <connection name>

Cause: The pre-shared key on the firewall does not match the one used for this connection. This may be because the firewall administrator changed it on the firewall and the new configuration file has not been uploaded to Sophos Connect.

What to do: Contact your firewall administrator and report the problem to troubleshoot further.

User authentication of <user name entered> failed

Cause: The username or password did not match.

What to do: Retry to see if it was due to user error during input. If you retry multiple times and get the same error, the password may have changed or been disabled on the firewall. In this case, contact your firewall administrator and report the problem to troubleshoot further.

Failure to add route [network/mask] prevented phase 2 completion

Note: The troubleshooting steps below are for Windows only.

Cause: After the phase 2 SA is established, route add to the remote network failed. This may be because the strongSwan service crashed while the tunnel was active.

What to do: Disable and enable the TAP adapter. Open the command prompt as an administrator and type the following commands:

net stop scvpn

net start scvpn

The connection data could not be added. Connection with name <connection name> already exists

Cause: A connection with the same name has already been imported.

What to do: Delete the existing connection from Sophos Connect. Make sure you really want to delete the existing connection before you delete it. Otherwise contact your firewall administrator and report the problem to troubleshoot further.


Service is unavailable

Note: The troubleshooting steps below are for Windows only.

Cause: The Sophos Connect service (scvpn) is not running.

What to do: Open the command prompt as an administrator and type the following command:

net start scvpn

Failed to load connection info into strongSwan

Note: The troubleshooting steps below are for Windows only.

Cause: The strongSwan service is not running (Service Name: charon-svc.exe).

What to do: Open the command prompt as an administrator and type the following command:

net start strongswan

SA disabled or deleted by gateway

Cause: The gateway sent an IKE delete request, and the tunnel was then deleted. This may be because:

• The firewall administrator changed the policy on the firewall. This sends an IKE delete request to all the active SAs on the firewall.

• The firewall administrator manually deleted all of the IPsec connections for this user on the firewall.

What to do: Try to reconnect again. If it still does not work then contact your firewall administrator and report the problem to troubleshoot further.

1.5 General troubleshooting

This section covers troubleshooting issues that do not appear in the events page.

Traffic stops going through the VPN tunnel

Cause: If you are running a firmware version prior to v17.5, it is possible that the client received a new virtual IP after the phase 1 rekey.

What to do: You will have to disconnect and reconnect. The permanent solution is to upgrade to v17.5.


Sophos Connect dashboard will not open

Cause: If the Sophos Connect dashboard does not open, or it does not respond when you click on the tray icon, this means that the Sophos Connect GUI is stuck in an infinite loop and cannot respond to external input.

What to do (Windows): Open task manager and select the Details tab. Find scgui.exe and then right click to end task. Restart the application from the desktop shortcut.

What to do (Mac): Open Activity Monitor and find the Sophos Connect process. Open this process and select Force Quit. Restart the application from LaunchPad.

Web browsing stops working when tunnel is disconnected

Note: This is more common on Macs.

Cause: When a tunnel all connection is disconnected, the DNS servers aren't restored from the physical network adapters. This means the internal DNS servers that were used when you were connected through the VPN are still used. As the tunnel no longer exists, the name resolution won't work.

What to do: Disconnect from your local network then reconnect.

Sophos Connect GUI displays "Service Unavailable"

Note: This is more common on Macs.

Cause: When a tunnel disconnect is initiated, the strongSwan IPsec daemon gets stuck in an infinite loop. This will result in the GUI not getting a response for disconnect and ultimately time-out and show the error as "Service Unavailable".

What to do (Mac):

1. Open the Activity Monitor and quit the Sophos Connect GUI process.

2. Open the Terminal and run the following commands:

sudo /bin/launchctl unload -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist

sudo /bin/launchctl load -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist

3. Open Sophos Connect, and check that the "Service unavailable" error is now resolved.

What to do (Windows):

1. Open cmd as administrator then run the following commands:

net stop scvpn

net start scvpn

2. Open Sophos Connect, and check that the "Service unavailable" error is now resolved.


Sophos Connect can't establish a tunnel

Cause: You probably installed the Sophos Connect client first and then installed the Sophos SSL VPN client.

What to do: Uninstall both clients then re-install the Sophos SSL VPN client and then the Sophos Connect client.

Note: They must be installed in that order.


2 About Sophos Connect Admin

In Sophos Connect Admin you can import config (.tgb) files and configure various options for your VPN setup.

Note: For information on how to configure and export a .tgb file on the XG, see the Sophos Connect Client section of the XG help guide: Sophos Connect client.

The installation and uninstallation processes for Sophos Connect Admin are the same as the processes for Sophos Connect. See Installation in the Sophos Connect help guide for more information.

2.1 Editing configuration files

You can edit your configuration (.tgb) files in Sophos Connect Admin, which provides you with more granular VPN configuration options.

Open the .tgb file you have exported from the XG in Sophos Admin. You can:

• Enable Tunnel All to send all traffic through the VPN connection.

• Enable Send Security Heartbeat to allow Sophos Endpoint to send a heartbeat to the XG. This will only work if the user has the Sophos Endpoint client installed on their machine.

• Enable Allow Password Saving to allow the users to save their user name and password on their machine. The user credentials are stored securely using keychain services.

• Enable Prompt for 2FA if you have configured Two Factor Authentication for the VPN users on the XG.

• Enable Auto-Connect Tunnel to automatically enable the connection after the user logs on to Sophos Connect on their machine. Sophos Connect will not automatically initiate the connection if the user is already connected to the corporate network.

Auto connect requires an additional configuration parameter: DNS Suffix/Monitoring Host, that can be used to determine if the user's local system is inside or outside the corporate network. Use one of the following values:

— An IP address.

— A Fully Qualified Domain Name (FQDN). The host name must only resolve when using the internal DNS server.

— A DNS suffix.

Note: If you configure an IP Address or FQDN, ICMP must be allowed on this host.

• Add, modify and delete Networks that the user can connect to. Adding specific networks to the list enables split tunneling, as the user will access resources on those networks through the VPN connection, but will access internet resources straight through their remote gateway.


Note: If you delete all networks, Tunnel All mode will be activated, meaning all traffic will be directed through the VPN connection.

• Change the Connection Name and Target Host.
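The inside-or-outside decision that Auto-Connect Tunnel makes from the DNS Suffix/Monitoring Host value, written out as an added example; this is not Sophos code and the client's real logic is not published on this page. It assumes a value starting with "." is a DNS suffix and reads the search list from /etc/resolv.conf (macOS/Linux); its ping and resolve helpers are the same ICMP and DNS checks the Events section describes under "No network connection" and "DNS resolution failed".

```python
from __future__ import annotations

import ipaddress
import platform
import socket
import subprocess
from typing import Callable, Iterable

# Added example, not Sophos Connect's own code. The page says Auto-Connect uses
# the DNS Suffix/Monitoring Host value (an IP, an FQDN that only resolves on the
# internal DNS server, or a DNS suffix) to decide whether the user is already on
# the corporate network; this reconstructs that decision with swappable probes.


def classify(value: str) -> str:
    """Return 'ip', 'fqdn' or 'suffix'. Assumption: a leading '.' marks a suffix."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        return "suffix" if v.startswith(".") else "fqdn"


def icmp_reachable(ip: str, timeout_s: float = 3.0) -> bool:
    """One ICMP echo; the page notes ICMP must be allowed on the monitoring host."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", ip],
                              capture_output=True, timeout=timeout_s)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def fqdn_resolves(name: str) -> bool:
    """True only if the resolver currently in use can resolve the name."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def search_suffixes() -> list[str]:
    """DNS search list from /etc/resolv.conf (macOS/Linux assumption)."""
    found: list[str] = []
    try:
        with open("/etc/resolv.conf", encoding="utf-8") as f:
            for line in f:
                parts = line.split()
                if parts and parts[0] in ("search", "domain"):
                    found.extend(p.lower().strip(".") for p in parts[1:])
    except OSError:
        pass
    return found


def is_inside_corporate_network(
    value: str,
    ping: Callable[[str], bool] = icmp_reachable,
    resolve: Callable[[str], bool] = fqdn_resolves,
    suffixes: Callable[[], Iterable[str]] = search_suffixes,
) -> bool:
    """Run the one probe that matches the configured value's kind."""
    kind = classify(value)
    if kind == "ip":
        return ping(value.strip())
    if kind == "fqdn":
        return resolve(value.strip())
    want = value.strip().lower().strip(".")
    # A configured suffix matches itself or any sub-domain of it.
    return any(s == want or s.endswith("." + want) for s in suffixes())


def should_auto_connect(value: str, **probes) -> bool:
    """Page: the client does not initiate the tunnel when already inside."""
    return not is_inside_corporate_network(value, **probes)
```

The keyword arguments let you substitute the probes, so the decision logic can be checked without network access.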

If you Clear the configuration, you will need to import the .tgb file again.

If you Save the configuration, it will be saved as a .scx file.

Note: You can import .scx files and re-edit them.

When you have saved the configuration file you can send it to the user, who will import it into Sophos Connect. For more information, see Sophos Connect.


3 Legal Notices

Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
