10 Remote Access
Sophos Firewall
FW5005: Getting Started with Remote Access VPNs on Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
In this chapter you will learn how to configure SSL and IPsec remote access VPNs on Sophos Firewall.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Protocols used for VPN access
✓ Authentication servers, users and groups
DURATION
20 minutes
IPsec: Establish remote access IPsec VPNs using the Sophos Connect client or third-party clients
SSL: Establish remote access SSL VPNs using the Sophos Connect client, legacy SSL VPN client, or OpenVPN clients
Sophos Firewall supports a range of common protocols for remote access VPNs.
The most commonly used are IPsec and SSL, so in this chapter we will focus on these two, but it is useful to
remember that Sophos Firewall also supports L2TP over IPsec, which is compatible with the
Windows built-in VPN client, and PPTP, although we do not recommend you use it as it is less
secure.
SSL remote access VPN:
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with OpenVPN clients on all platforms
• Split tunnelling and tunnel all
IPsec remote access VPN:
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with third-party IPsec VPN clients
• Split tunnelling and tunnel all
Sophos Firewall’s SSL remote access VPN is based on OpenVPN, a full-featured VPN solution. The
encrypted tunnels between remote devices and the Sophos Firewall use both SSL certificates and
username and password to authenticate the connection, and you can also enable multi-factor
authentication for additional security.
The IPsec remote access VPN can be authenticated using a pre-shared key or digital certificate,
with users then authenticating with their username and password, and optionally multi-factor
authentication. As a standard IPsec VPN, it is compatible with third-party VPN clients.
For both the SSL and IPsec remote access VPNs we provide the Sophos Connect VPN client for
Windows and Mac OS X devices.
For SSL remote access VPNs, we still support the legacy Sophos SSL VPN Client; however, we
recommend upgrading to Sophos Connect when possible.
[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/VPNSophosConnectClient.html
Sophos Firewall has a wizard to streamline and simplify the configuration of everything required
for remote access SSL VPNs. The assistant includes:
• Selecting the users and groups the policy will apply to
• Configuring the authentication servers
• Selecting the resources users will be able to access
• Choosing between split tunneling or tunnel all
• Selecting which zones can access the user portal to download the client and configuration
• Selecting which zones users can establish an SSL VPN from
As part of the assistant, a firewall rule will be created to control access to internal resources from
the VPN.
https://training.sophos.com/fw/demo/SslVpnAssistant/1/play.html
In this demo you will see how to use the SSL VPN assistant to quickly configure remote access for
users.
In this short demo we will look at the SSL VPN assistant, which brings together the configuration of
the VPN profile, creation of a firewall rule, as well as several global settings, to make setting up SSL
VPNs quick and easy.
The SSL VPN assistant is launched from the Remote access VPN section on the SSL VPN tab.
The first screen here gives you an overview of some of the global SSL VPN settings. These can be
configured using the SSL VPN global settings link here.
Give the VPN a name, then select the users and groups that can use this connection. I will select
the Training group here.
Next, you can customize the authentication servers for SSL VPNs. I will remove local
authentication. This setting is global for SSL VPNs, and if you need to update it you will find it in
Authentication > Services.
Select the resources you want users to be able to access through the VPN. This will be used to
configure a firewall rule.
Select which zones can access the user portal, where users can download the SSL
VPN client and configuration files. Note that this is a global setting that can be found
in Administration > Device access.
Finally, select which zones users can establish SSL VPNs from. This is also a global setting in
Device access.
In addition to creating the SSL VPN configuration you can see here, the assistant also created a
firewall rule to limit the scope of access for VPN users to the resources selected.
To enable using the Security Heartbeat over the SSL VPN, you need to add the built-in
‘SecurityHeartbeat_over_VPN’ host object. This contains the public IP address used for Security
Heartbeat and will ensure it is routed over the VPN to Sophos Firewall.
By default, Sophos Firewall hosts the SSL VPN on port 8443; however, this can be changed to a
different available port in the SSL VPN settings. Note that the SSL VPN can share port 443 with
other services on Sophos Firewall, such as the user portal and web application firewall rules.
You can modify the SSL certificate for the connection and override the hostname used in the
configuration files.
You can configure the IP lease range, DNS, WINS and domain name that will be used for clients that
connect.
In addition to this, there are several advanced connection settings such as the algorithms, key size,
key lifetime and compression options.
The SSL VPN settings are global for both remote access and site-to-site SSL VPNs; if you make
changes here you may need to update any SSL site-to-site VPNs you have configured.
Once an SSL VPN profile has been created for a user, they can download an SSL VPN client from
their User Portal. For Windows and Mac OS X we recommend using the Sophos Connect client.
There is also a legacy SSL VPN Client for Windows, and configuration download for all platforms.
The legacy SSL VPN client and Sophos Connect client cannot be installed on the same computer as
they will conflict with each other. To prevent this, when installing Sophos Connect it will check for
the legacy VPN in the default installation path and display an error if found.
If the legacy SSL VPN client has been installed to a non-default location the Sophos Connect
installer will not detect it. This may render both VPN clients inoperable due to the conflict.
[Additional Information]
The default installation path of the legacy SSL VPN client is: C:\Program Files (x86)\Sophos\Sophos SSL VPN
https://training.sophos.com/fw/simulation/SslUserVpn/1/start.html
In this simulation you will configure an SSL remote access VPN using the assistant. You will then
review the configuration created and test your VPN using the Sophos Connect client.
At the top of the tab for the IPsec remote access VPN are quick links that provide access to IPsec
profiles, the Sophos Connect client download, and logs.
IPsec profiles contain the security configuration for the IPsec connection, such as the encryption
algorithms that will be supported.
Sophos Firewall provides a default profile for remote access; however, you can clone this and
create your own to meet your security requirements.
To configure the IPsec remote access VPN, start by enabling it and selecting which interface it will
listen for connections on.
The VPN can be authenticated by either pre-shared keys or with a digital certificate.
Select the users and groups that will be able to authenticate to use the VPN.
You need to configure the IP range that will be used for clients that connect, and optionally you can
also assign DNS servers.
The advanced configuration can be found at the bottom of the page and allows you to configure
split tunneling, two-factor authentication, Security Heartbeat, and other connection settings.
Using the buttons at the bottom of the page you can export the configuration for the VPN.
When you export the configuration from the web admin you will download an archive with two
files:
• .scx – that includes the advanced settings
• .tbg – which only contains the basic configuration and tunnels all traffic back to the Sophos
Firewall
The Sophos Connect client can also be downloaded from the user portal; however, the
configuration for the IPsec VPN needs to be provided by the admin.
To use the Sophos Connect client you need to import a configuration file. This can be either for the
IPsec or SSL VPN.
When the Sophos Connect Client contacts the firewall, you will be prompted to authenticate.
https://training.sophos.com/fw/simulation/IpsecUserVpn/1/start.html
In this simulation you will configure an IPsec remote access VPN. You will then test your VPN using
the Sophos Connect client.
The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires
two elements to be configured.
First, you need to add the Sophos Connect MSI via a GPO (Group Policy Object) script.
Secondly, you need to configure a Windows Settings file to push the configuration to the
endpoints.
The VPN assistant streamlines the configuration of everything required for remote access SSL
VPNs.
The default port for SSL VPNs is 8443. This can be changed in the SSL VPN settings. These settings
are global and apply to site-to-site SSL VPNs.
The Sophos Connect client supports both IPsec and SSL remote access VPNs and can be
downloaded from both the web admin and user portal. The SSL VPN configuration is downloaded in
the user portal, whereas the IPsec VPN configuration is downloaded in the web admin.
Sophos Firewall
FW5010: Advanced Sophos Connect Configuration on Sophos Firewall
April 2022
Version: 19.0v1
DURATION
9 minutes
In this chapter you will learn how to use advanced configuration options with Sophos Connect on
Sophos Firewall.
The Sophos Connect client is available for Windows and Mac OS X and supports both SSL and IPsec
remote access VPNs.
By default, the IPsec remote access configuration will tunnel all traffic over the VPN; however, this
can be customized to support split tunneling.
The Synchronized Security Heartbeat can be routed over the VPN, allowing you to tightly control
access to connected devices using the security settings in firewall rules for client VPN traffic.
The Sophos Connect client can be downloaded from both the web admin and the user portal;
however, the IPsec configuration can only be downloaded from the web admin and the SSL
configuration can only be downloaded from the user portal.
For both IPsec and SSL remote access VPNs you can choose between tunnelling all the traffic back
to the firewall or using split tunnelling to only send traffic for specific networks and resources over
the VPN. This is controlled by the ‘Use as default gateway’ option in the VPN configuration. When
enabled, all traffic will be sent to the firewall, and when disabled, only selected traffic is routed
over the VPN.
When configuring the VPN for split-tunnelling, you can make use of the Security Heartbeat over
the VPN by ensuring the built-in host object is included in the networks.
SSL VPNs have a default address pool for clients that connect, which can be modified in the global
SSL VPN settings. Here, you can also define DNS servers so that connected clients can resolve
resources through the VPN.
When modifying this configuration, it is important to note that these settings apply to both the
remote access and site-to-site SSL VPNs.
For IPsec remote access VPNs there is no default IP address pool; the pool is defined in the
configuration for the VPN. Here, you can also define the DNS servers for resolving hosts over the
VPN.
IPsec remote access VPNs have an ‘Advanced settings’ section. Here, you can choose between split
tunnelling and tunnel all and define the networks for split tunnelling.
In addition to this, you can enable options such as multifactor authentication, which Sophos
recommends as best practice, automatic connection, and so forth.
When you export the IPsec remote access VPN configuration from the web admin you will
download an archive with two files:
• .scx – that includes the advanced settings
• .tbg – which only contains the basic configuration and tunnels all traffic back to the Sophos
Firewall
Diagram: Sophos Firewall; open a provisioning file (.pro); download the connection policy.
You can perform automatic provisioning of remote access VPN connections with Sophos Connect,
for both IPsec and SSL.
To do this, you start by creating a provisioning file with the details of the Sophos Firewall.
When the provisioning file is imported into Sophos Connect, the user is prompted to authenticate
with the user portal.
Sophos Connect can then download the connection policy and establish the VPN.
Here is an example of what a provisioning file would look like. As you can see, it is a basic JSON file
that includes the gateway hostname or IP address, the port for the user portal, and some other
connection details. This file must be saved with a .PRO extension.
When Sophos Connect is installed it creates a file association for .PRO files, which means that the
provisioning file can simply be double-clicked to import it into Sophos Connect.
Documentation
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SConProvisioningFile.html
Here you can see that when the user imports the provisioning file they are prompted to
authenticate. In this example, as the user is connecting to the WAN interface, they need to enter
the CAPTCHA for the user portal also.
Once authenticated, Sophos Connect will download the configuration and automatically connect to
the VPN.
If the user portal certificate is not trusted, users will see a certificate error when they open the
provisioning file.
To resolve this:
• Ensure that the certificate includes the hostname in the subject alternate names
• Then, deploy the CA certificate to the endpoints, or use a certificate from a trusted CA
With automatic provisioning, if the VPN configuration is changed on Sophos Firewall, Sophos
Connect will detect the policy mismatch, download the connection policy, and reconnect to the
VPN.
Users can also force an update to the policy through the menu in the Sophos Connect client.
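The provisioning-file checks described above (a JSON .pro file whose gateway name must also appear in the user portal certificate's subject alternative names), as an added PowerShell example that is not Sophos code. It assumes the JSON keys gateway and user_portal_port as named in the linked provisioning-file documentation, and it only contacts the user portal when -CheckCertificate is given.

```powershell
# Added example, not Sophos code. Assumed JSON keys: "gateway" and
# "user_portal_port" (see the linked provisioning-file documentation).

function Test-HostMatchesSan {
    param([string]$HostName, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        if ($san -eq $HostName) { return $true }
        # Single-label wildcard: *.example.com matches vpn.example.com, not a.b.example.com
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)                                   # ".example.com"
            $prefix = $HostName.Substring(0, [Math]::Max(0, $HostName.Length - $suffix.Length))
            if ($HostName.EndsWith($suffix) -and $prefix -ne '' -and -not $prefix.Contains('.')) {
                return $true
            }
        }
    }
    return $false
}

function Get-PortalCertificateSans {
    param([string]$Gateway, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Gateway, $Port)
    try {
        # Accept any chain here; this function only reads the SAN list from the presented certificate
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Gateway)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if (-not $ext) { return @() }
        # Format() gives e.g. "DNS Name=vpn.example.com, DNS Name=*.example.com"
        return @($ext.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    } finally { $client.Close() }
}

function Test-ProvisioningFile {
    param([string]$Path, [switch]$CheckCertificate)
    $issues = @()
    if ([IO.Path]::GetExtension($Path) -ne '.pro') {
        $issues += 'File must use the .pro extension for the Sophos Connect file association'
    }
    try { $profiles = Get-Content -Raw -Path $Path | ConvertFrom-Json }
    catch { return @("Not valid JSON: $($_.Exception.Message)") }
    foreach ($p in @($profiles)) {
        if (-not $p.gateway) { $issues += 'Missing "gateway" (firewall hostname or IP address)'; continue }
        $port = [int]$p.user_portal_port                                   # missing key becomes 0 and fails below
        if ($port -lt 1 -or $port -gt 65535) { $issues += "Invalid user_portal_port for $($p.gateway)" }
        elseif ($CheckCertificate -and $p.gateway -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
            $sans = Get-PortalCertificateSans -Gateway $p.gateway -Port $port
            if (-not (Test-HostMatchesSan -HostName $p.gateway -SanNames $sans)) {
                $issues += "User portal certificate for $($p.gateway) has no SAN matching the gateway name"
            }
        }
    }
    return $issues
}

# Usage (placeholder share path): Test-ProvisioningFile -Path '\\fileserver\deploy\vpn.pro' -CheckCertificate
```

An empty result means the file passed; each returned string is one problem to fix before the file is pushed to endpoints.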
The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires
two elements to be configured.
First, you need to deploy the Sophos Connect MSI through a Group Policy Object, specifically a
GPO script.
Secondly, you need to configure a Windows Settings file to push the configuration to the
endpoints.
[Additional Information]
Start by creating a new GPO and linking it in the OU that contains the computers you want to
install Sophos Connect on to.
Edit the GPO you created and navigate to Computer Configuration > Policies > Windows Settings >
Scripts. You need to add a startup script.
Click Show Files… to navigate to the script path, then create a batch file like the one shown here
using the code from the knowledgebase article. This will check if Sophos Connect is installed, and if
not, start the installation in the background.
Once you have created the script in the right location, click Add… to add the script to the GPO.
Next, navigate to Computer Configuration > Preferences > Windows Settings > Files on the left.
Add a new file. Configure it to create a new file and give it the source and destination paths.
The source should be a configuration file on an accessible network path, here we are using an
automatic provisioning configuration file.
The destination should be the ‘import’ folder in the Sophos Connect installation directory.
Once this is done, Sophos Connect will be installed and configured automatically for users.
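A startup script for the Group Policy deployment described here (and in the earlier chapter's deployment summary), as an added PowerShell example rather than the knowledgebase batch file: it assumes a placeholder MSI share path and log path, and that the installed product's DisplayName under the Uninstall registry keys begins with "Sophos Connect".

```powershell
# Added example, not Sophos code. Placeholders: the MSI share path and the log path.
$MsiPath = '\\fileserver\deploy\SophosConnect.msi'
$LogPath = "$env:ProgramData\SophosConnectDeploy.log"

function Test-SophosConnectInstalled {
    # Look in both the 64-bit and 32-bit Uninstall views; DisplayName prefix is an assumption
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Sophos Connect*' }
    return [bool]$found
}

function Install-SophosConnect {
    if (-not (Test-Path -Path $MsiPath)) {
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) MSI not reachable at $MsiPath"
        return 1
    }
    # Quiet install, no UI, no forced reboot; msiexec keeps its own verbose log for troubleshooting
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart',
                 '/l*v', "`"$env:ProgramData\SophosConnectMsi.log`"")
    # Waiting lets the startup script record the exit code; the user sees no prompts either way
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) msiexec exit code $($proc.ExitCode)"
    return $proc.ExitCode
}

if (Test-SophosConnectInstalled) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) Sophos Connect already installed, nothing to do"
} else {
    Install-SophosConnect | Out-Null
}
```

The provisioning file itself is still copied into the Sophos Connect import folder by the Group Policy Preferences Files item described above, so the script only has to get the client onto the machine.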
Both IPsec and SSL remote access VPNs support tunnel all and split tunnelling. This is configured
using the option ‘Use as default gateway’.
Sophos Connect can retrieve the VPN configuration from the user portal by using an automatic
provisioning file. These connections can then be updated if changes are made on Sophos Firewall.
Sophos Connect can be deployed using Active Directory Group Policy. A startup script can be used
to check for and run the Sophos Connect installer, and a configuration file can be copied to the
import directory.