In this tutorial, we will show you how to set up the Sophos Connect Client for your employees as a Sophos Firewall administrator. This requires SFOS 17.5 or later.
Sophos Connect Client - Series
This article is part of a series that will give you all the knowledge you need to get started with the Sophos Connect Client.
- How to configure Sophos Connect Client on XG Firewall (SFOS)
Preparation
Log on to your XG firewall as an administrator and go to the VPN > Sophos Connect Client page from the menu. On this page we will now go through the settings in 12 steps and make the necessary adjustments.
Also note the following graphic with the steps drawn so that you can follow the instructions more easily:
General settings
1. Activate Connect Client
It’s easy to get started. Check the box to enable the Sophos Connect client service.
2. Select Interface
In this step, you will need to select the interface on which you want the traffic to arrive on Sophos. This is usually a WAN interface with a public IP address. If you have multiple WAN interfaces because you have more than one internet provider, choose either the faster one, the more reliable one, or the one with less traffic. Decide for yourself which criterion is most important to you.
3. Authentication type
You can choose two options here:
- Preshared key - Define a password yourself.
- Digital certificate - Select a certificate with this option.
4. Define Preshared Key
For this tutorial we decided to use the method with Preshared key, which has to be defined here. If you have chosen the Digital certificate method, you can select a certificate from your appliance at this point.
5. Local ID (optional)
If you have multiple tunnels, you can define a local identification here so that the correct tunnel can be identified. There are the following options:
- DNS
- IP address
- Certificate (only if you have chosen the digital certificate at step 3)
6. Remote ID (optional)
Here you can make the same selection as in step 5.
7. Allowed user
If you have already created users on your XG, or if you have synchronized the entire Active Directory, you can select the users/groups that are allowed to use the Sophos Connect Client here.
Client information
8. Name
Define a name for this IPsec connection here. In our example we called the connection homeoffice.
9. Assign IP from
The firewall assigns an IP address via DHCP to all users connecting via the Sophos Connect Client. In this step, you can define the IP range to be assigned. Select a range here which is not yet used on the firewall.
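Step 9 asks you to pick a range that is not yet used on the firewall; an overlapping pool causes routing conflicts and can silently send VPN client traffic to the wrong network. The following script is an added example (it is not Sophos code and does not talk to the firewall); it checks a proposed start/end pool against a list of networks you have already configured. The subnet values in it are constructed for illustration and should be replaced with the networks from your own firewall.

```python
"""Check that a proposed Sophos Connect client IP pool does not overlap
with networks already in use on the firewall (step 9 of the guide).

Added example code, not Sophos tooling. All addresses below are
constructed sample values.
"""
import ipaddress

# Constructed example: networks already configured on the firewall
# (LAN interfaces, guest WLAN, another VPN pool). In practice take these
# from the firewall's interface list and network objects.
EXISTING_NETWORKS = [
    "192.168.10.0/24",   # LAN
    "192.168.20.0/24",   # guest WLAN
    "10.81.234.0/24",    # another VPN pool (constructed value)
]


def pool_range(start: str, end: str):
    """Return the proposed start..end pool as a list of IPv4 networks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("pool end must not be lower than pool start")
    # summarize_address_range turns an arbitrary range into CIDR blocks
    return list(ipaddress.summarize_address_range(first, last))


def find_overlaps(start: str, end: str, existing=EXISTING_NETWORKS):
    """Return the existing networks that overlap with the proposed pool."""
    pool_nets = pool_range(start, end)
    conflicts = []
    for net_str in existing:
        net = ipaddress.IPv4Network(net_str, strict=False)
        if any(net.overlaps(p) for p in pool_nets):
            conflicts.append(net_str)
    return conflicts


def pool_is_free(start: str, end: str, existing=EXISTING_NETWORKS) -> bool:
    """True when the pool can be assigned without clashing with existing networks."""
    return not find_overlaps(start, end, existing)


if __name__ == "__main__":
    for start, end in [("10.50.0.1", "10.50.0.254"),
                       ("192.168.10.50", "192.168.10.100")]:
        clashes = find_overlaps(start, end)
        status = "OK" if not clashes else "CONFLICT with " + ", ".join(clashes)
        print(f"{start} - {end}: {status}")
```

A pool that straddles two of your subnets is reported against both of them, because the range is first broken into CIDR blocks and each block is compared with every existing network.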
10. DNS Server
It is often the case that VPN users want to connect to internal servers. For this it is a good idea to use FQDNs, as in the corporate network. Enter your internal DNS server here.
If you don’t have an internal DNS server or don’t need this function, you can also specify an external DNS server, for example:
- Cloudflare: 1.1.1.1 and 1.0.0.1
- Google: 8.8.8.8 and 8.8.4.4
- Quad9: 9.9.9.9 and 149.112.112.112
- OpenDNS: 208.67.222.222 and 208.67.220.220
Advanced Settings
11. Session Timeout
Experience shows that users do not always consistently disconnect a VPN connection when it is no longer needed. Here you can decide for yourself how you want to handle open connections. The Sophos Connect client gives you the option of automatically disabling the connection when there is no more traffic after a certain amount of time. In our example, we have configured the following:
- Disconnect when tunnel is idle: activated
- Idle session time interval: 120 seconds
This will automatically close the connection from Sophos Firewall if no traffic has been registered by the client for 2 minutes.
12. Save
To save your settings now, all you have to do is click on Apply.
Set firewall rule
So that the firewall now also allows the data traffic of VPN users, a firewall rule must be set up for this. Switch to the Firewall page via the menu and click on Add firewall rule > User/network rule. Take a look at the following screenshot and try to set the rules the same way.
- Source Zone: VPN
- Destination Zone: LAN
By default, the Sophos Connect Client routes all traffic through the IPsec tunnel. This means that Internet traffic is also sent through the tunnel. To allow this on the firewall, create a second rule:
- Source Zone: VPN
- Destination Zone: WAN
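To see why both rules are needed, here is a small added model (not Sophos code, and not the firewall's real rule engine) that evaluates the two zone rules from this section against a few constructed traffic flows. It assumes a first-match rule list with a default drop for anything unmatched, and it looks only at source and destination zone, ignoring services, users and NAT.

```python
"""Zone-rule model for the two firewall rules in the guide.

Added example, not Sophos code. Assumptions: rules are evaluated top
to bottom, the first match wins, and any new connection that matches no
rule is dropped. Only zones are modelled; the flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str = "accept"


# The two rules the guide tells you to create, in that order.
RULES = [
    Rule("VPN to LAN", "VPN", "LAN"),
    Rule("VPN to WAN", "VPN", "WAN"),
]

# Constructed sample flows: (description, source zone, destination zone)
FLOWS = [
    ("client reaches internal file server", "VPN", "LAN"),
    ("client browses the internet through the tunnel", "VPN", "WAN"),
    ("LAN host opens a new connection to a VPN client", "LAN", "VPN"),
]


def evaluate(src_zone: str, dst_zone: str, rules=RULES):
    """Return (action, rule name) for a new connection between two zones."""
    for rule in rules:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            return rule.action, rule.name
    return "drop", "default"


def evaluate_flows(flows=FLOWS, rules=RULES):
    """Map each flow description to the action the rule set gives it."""
    return {desc: evaluate(src, dst, rules)[0] for desc, src, dst in flows}


if __name__ == "__main__":
    print("with both rules:")
    for desc, action in evaluate_flows().items():
        print(f"  {action:6} {desc}")
    print("with only the VPN to LAN rule:")
    for desc, action in evaluate_flows(rules=RULES[:1]).items():
        print(f"  {action:6} {desc}")
```

Running the model with only the first rule shows the effect the guide warns about: because the client sends everything through the tunnel, its internet traffic arrives in the VPN zone headed for WAN and is dropped until the second rule exists. Connections initiated from the LAN towards VPN clients are not covered by either rule, which is the conservative default you usually want.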
Further information
After you have configured the Sophos Connect Client on your XG firewall using this guide, you may want to continue right away and download and install the Connect Client for Windows or macOS next.