Sophos Connect help

Contents
About Sophos Connect
How to install Sophos Connect
How to uninstall Sophos Connect
Connections
Events
Troubleshoot event errors
General troubleshooting
About Sophos Connect Admin
Editing configuration files
Legal Notices

(2021/03/05) Sophos Connect

1 About Sophos Connect

Sophos Connect is a VPN client that you can install on Windows and Macs. It allows you to connect to networks behind XG Firewall from a remote location, such as your organization's network. Your firewall administrator configures connection details on XG Firewall and gives you the installation package and the connection configuration files. This guide provides information about how to use Sophos Connect.

1.1 How to install Sophos Connect

Follow these instructions to install Sophos Connect on Windows or macOS.

Introduction

Install Sophos Connect on Windows

To install Sophos Connect on Windows, do as follows:
1. Open the installer.
2. Accept the license agreement and click Install.
3. Once the installation is complete, click Finish.
You can now run Sophos Connect.

Install Sophos Connect on macOS

To install Sophos Connect on macOS, do as follows:
1. Open the installer.
2. Choose the installation destination. Make sure you have enough free space in the destination you've chosen, such as the system drive.
3. Click Install.
4. Once the installation is complete, click Finish.
You can now run Sophos Connect.

Copyright © Sophos Limited 1 Sophos Connect

1.2 How to uninstall Sophos Connect

This topic shows you how to uninstall Sophos Connect on Windows or macOS.

Introduction

Uninstall Sophos Connect from Windows

To uninstall Sophos Connect from Windows, do as follows:
1. Go to Control Panel and under Programs click Uninstall a program.
2. Right-click Sophos Connect, and select Uninstall.

Uninstall Sophos Connect from macOS

To uninstall Sophos Connect from macOS, do as follows:
1. Open the terminal.
2. Elevate to root and run the uninstall script from the location Sophos Connect is installed in. Example:
   sudo "/Library/Sophos Connect/uninstall.sh"
You'll get the following message if the uninstallation was successful:
   Sophos Connect has been uninstalled

1.3 Connections

You can import connections, establish connections, and view and edit connections. Sophos Connect supports SSL VPN and IPsec VPN.

1.3.1 Import Connections

The Sophos Connect client can connect to XG Firewall using SSL or IPsec VPN connections. You can import connections into the Sophos Connect client.

Introduction

In version 2.0 of the Sophos Connect client, you can import both SSL and IPsec VPN connections. If you're using an earlier version of the Sophos Connect client, you can only import IPsec connections. You can do as follows:
• Import an IPsec connection using a file given to you by your firewall administrator.
• Import an SSL connection using a file given to you by your firewall administrator.
• Import an SSL connection by downloading a file from the user portal.

Import an IPsec connection

To import an IPsec connection you must have a connection file. The file has the extension tgb. To get the file contact your firewall administrator.
To import a connection, do as follows:
1. Click Import connection on the Connections page.
   a) If there are existing connections, click the menu button and choose Import connection from the drop-down menu.
   The image below shows the Connections page:

2. Browse for the .tgb file and double-click on it. The imported connection shows under Connections. The image below shows an imported connection:

You can now establish the connection. You can import multiple connections.

Import an SSL connection

To import an SSL connection you must have a connection file. The file has the extension pro. To get the file contact your firewall administrator. To import a connection do as follows: Browse for the .pro file and double-click it.

The connection is imported automatically, and Sophos Connect opens. The imported connection shows under Connections.

You can now establish the connection. You can import multiple connections.

Import an SSL connection from the user portal

To import a connection do as follows:
1. Sign in to the user portal.
2. Go to SSL VPN and click Download configuration for other OSs.
3. Open the Sophos Connect client.
4. Click Import connection on the Connections page. If there are existing connections, click the menu button and choose Import connection from the drop-down menu.
5. Browse for the .ovpn file and open it.
The imported connection shows under Connections.

You can now establish the connection. You can import multiple connections.

1.3.2 Connect

Follow these instructions to establish a connection. Make sure there's at least one imported connection available, and your firewall administrator has given you the required credentials.

To establish a connection do as follows:
1. Select a connection on the Connections page.
2. Double-click the connection. You can also click Connect.
   The sign-in screen appears. The following image shows the sign-in screen:

3. Enter your username and password and click Sign in.
   Your firewall administrator may have configured one of the following types of multi-factor authentication:
   • If your firewall administrator has configured One Time Password (OTP), in addition to entering your username and password, you must enter your six-digit OTP passcode. You'll see a third input box (under username and password) where you enter the OTP passcode.
   • If your firewall administrator has configured DUO authentication, you may get one or two DUO prompts during the connection process.
   • If your firewall administrator has configured mixed mode two-factor authentication (2FA), you'll see a third input box (under username and password). You must enter one of the following words: push, phone, sms, or enter a DUO token. If you aren't sure about which options you can choose, contact your IT administrator or firewall administrator.

Note If you imported the connection using a provisioning file, you'll get a warning that the server certificate can't be verified. You can click OK to continue. If you don't want to see the message, contact your firewall administrator.

Sophos Connect attempts to establish the connection and authenticate you. If you're facing connection issues, do as follows:
• To investigate the cause, click the Events tab or click the menu icon and select Open VPN log.
• For help with troubleshooting, see Troubleshoot event errors (page 10) and General troubleshooting (page 19).
• You can also contact your IT administrator or firewall administrator for further assistance.
The image below shows you where to find the Events tab and Open VPN log.

The connection to the remote server is established. The image below shows a successful connection:

If the connection is successful, you'll see this icon on the taskbar:

If the connection is unsuccessful, you'll see this icon on the taskbar:

Note If you've renamed the connection, the original name, as provided by your firewall administrator, still shows in connection details. For instructions on how to rename it, see Connection options (page 7).

1.3.3 Connection options

You can change the connections in Sophos Connect. To change a connection click the settings icon on the right of the connection.

1. Auto-connect: Attempts a connection when Sophos Connect starts up.

Restriction You can only use this option if your firewall administrator turned it on.

2. Delete: Deletes the connection, so if you want to re-enable that connection, you'll need to import it again.
3. Rename: Gives you the option to rename your connection.
4. Clear credentials: Clears credentials that you've previously stored.
5. Update policy: Allows you to pull the latest policy from XG Firewall on demand.

Restriction You can only use this option if your firewall administrator created the connection using a provisioning file.

Tip If the connection fails after multiple retries, start a policy update, and try to connect again.

1.4 Events

On the events page, you can see any actions in Sophos Connect, and the results of those actions. For example, a user imports a connection file, and the connection is added to the Sophos Connect client. The events page shows the time and date the event occurred and a description of the event.

To remove all events from the list, click Clear events. The following image shows example events:

Related concepts Troubleshoot event errors (page 10)

1.5 Troubleshoot event errors

If you have issues connecting to your remote network, click the events tab, find the timestamp from when you attempted a connection, and find the relevant error. In the following topics, you can see error messages, possible causes for the errors, and information on what to do next. If you experience any issues that aren't listed, see General troubleshooting (page 19). If you need further assistance, contact Sophos Support.

Related concepts Events (page 8) On the events page, you can see any actions in Sophos Connect, and the results of those actions.

1.5.1 No network connection

If you don't have a network connection, follow these instructions.

Cause

The network adapter (ethernet or Wi-Fi) has no IP address.

Remedy

Check that you have a valid IP address and that your existing network connection is working.

1.5.2 DNS resolution failed

If DNS resolution is failing, follow these instructions.

Cause

The client isn't able to resolve the gateway hostname.

Remedy

1. Check if a DNS server is assigned to the network interface. If it doesn't resolve, contact your ISP.
2. Run nslookup from the command prompt (Windows) or the Terminal (macOS) for a public host, such as www.sophos.com, and verify that it resolves to an IP address.
3. If it doesn't resolve, contact your ISP.

1.5.3 User authentication of failed

If you can't authenticate, follow these instructions.

Cause

The username or password didn't match.

Remedy

1. Retry to see if it was due to user error during input. If you retry multiple times and get the same error, the password may have changed or been disabled on the firewall.
2. In this case, contact your firewall administrator.

1.5.4 Import file contains a duplicate connection:

The information below only applies if your firewall administrator configured a provisioning (.pro) file.

Cause

The connection imported from a provisioning file has a duplicate display name.

Remedy

Check the display_name attribute in the provisioning file and rename any duplicate names.

1.5.5 The connection data could not be added. Connection with name already exists

Cause

A connection with the same name has already been imported.

Remedy

Delete the existing connection from Sophos Connect. Contact your firewall administrator if you need further help.

1.5.6 Cannot connect to policy gateway:

The information below only applies if your firewall administrator configured a provisioning (.pro) file.

Cause

The provisioning file is misconfigured. This could be due to any of the following reasons:
• Invalid gateway hostname or IP address.
• Invalid port or outgoing blocked port.
• The policy gateway is unreachable because it's turned off.

Remedy

1. Check the provisioning file for the following:
2. Make sure the value assigned to the gateway attribute is correct.
3. Make sure the value assigned to the user_portal_port attribute matches the user portal HTTPS port setting on XG Firewall.
4. If the provisioning file is configured correctly, contact your firewall administrator to troubleshoot further.

1.5.7 DNS resolution failed for gateway:

If DNS resolution is failing for the gateway, follow these instructions.

Cause

This error is due to an invalid hostname.

Remedy

• If the connection was added using a provisioning file, verify the hostname provided.
• If the connection was added by importing an Open VPN (ovpn) file, contact your firewall administrator. They will check the SSL VPN settings on XG Firewall.

1.5.8 Service is unavailable

The troubleshooting steps below are for Windows only.

Cause

The Sophos Connect service (scvpn) is not running.

Remedy

Open the command prompt as an administrator and type the following command:
   net start scvpn

1.5.9 Server expected remote ID but got

Cause

The local ID type or value configured in the Sophos Connect policy on the firewall is different from this connection's value. This may be because the firewall administrator changed the local ID on the firewall, and the new configuration file wasn't imported to Sophos Connect.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

1.5.10 Possible pre-shared key mismatch

This error applies to IPsec VPN connections only.

Cause

The pre-shared key on the firewall doesn't match the one used for this connection. The firewall administrator may have changed it on the firewall, and the new configuration file hasn't been uploaded to Sophos Connect.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

1.5.11 UDP ports 500/4500 blocked

This error applies to IPsec VPN connections only.

Cause

The firewall or the router is blocking UDP ports 500 and 4500.

Remedy

Check your local firewall or router configuration and allow traffic on those ports. If you don't have access to the firewall or router, for example, if you're in a hotel, connect through your mobile hotspot and try to connect again.

1.5.12 No response from gateway:

This error applies to IPsec VPN connections only.

Cause

The gateway isn't responding to IKE negotiation messages. The possible causes are as follows:
• The remote gateway (firewall or router) has been shut down.
• The WAN address on the remote gateway isn't connected directly to the internet.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

1.5.13 Received NO_PROPOSAL_CHOSEN notification from gateway

This error applies to IPsec VPN connections only.

Cause

The remote gateway responded to IKE negotiations from Sophos Connect with this error notification. The possible causes are as follows:
• The Sophos Connect policy isn't defined or activated on the firewall.
• The firewall administrator changed the IKE phase 1 proposal used for the Sophos Connect policy on the firewall and the new configuration wasn't exported and uploaded to the client.

Remedy

Contact your firewall administrator and report the problem to troubleshoot further.

1.5.14 SA disabled or deleted by gateway

This error applies to IPsec VPN connections only.

Cause

The gateway sent an IKE delete request, and the tunnel was deleted. This could be due to any of the following reasons:
• The firewall administrator changed the policy on the firewall. This sends an IKE delete request to all the active SAs on the firewall.
• The firewall administrator manually deleted all of the IPsec connections for this user on the firewall.

Remedy

Try to reconnect. If you can't reconnect, contact your firewall administrator to troubleshoot further.

1.5.15 Failure to add route [network/mask] prevented phase 2 completion

This error applies to IPsec VPN connections only. The troubleshooting steps below are for Windows only.

Cause

After the Phase 2 Security Association (SA) is established, a route can't be added to the remote network. This may be because the strongSwan service crashed while the tunnel was active.

Remedy

1. Turn off the TAP adapter then turn it on.
2. Open the command prompt as an administrator and enter the following commands:
   net stop scvpn
   net start scvpn

1.5.16 Failed to load connection info into strongSwan

The troubleshooting steps below are for Windows only.

Cause

The strongSwan service isn't running (service name: charon-svc.exe).

Remedy

Open the command prompt as an administrator and enter the following command:
   net start strongswan

1.5.17 No SSL VPN policy is defined for this user:

This error applies to SSL VPN connections only.

Cause

The SSL VPN (remote access) policy on XG Firewall doesn't contain any policy members.

Remedy

Contact your firewall administrator.

1.5.18 Policy mismatch error. Will download policy and retry connection.

This error applies to SSL VPN connections only.

Cause

The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection. The firewall administrator changed the SSL VPN settings on XG Firewall after an SSL VPN connection was established and saved by Sophos Connect.

Remedy

The connection was created using a provisioning file. Sophos Connect automatically downloads the new policy and reestablishes the SSL VPN tunnel.

Note If the firewall administrator changes the SSL VPN policy on XG Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, the Sophos Connect client detects and downloads the new policy immediately. If it's an SSL VPN over UDP tunnel, you need to wait for the inactivity timer to delete the tunnel. Sophos Connect then downloads the new policy to re-establish the tunnel.

1.5.19 Compression mismatch error. Will retry connection.

This error applies to SSL VPN connections only.

Cause

An SSL VPN policy is downloaded for the first time from XG Firewall and the SSL VPN tunnel is established with it.

Remedy

• If the connection is configured with an ovpn file, you must reconnect manually.
• If the connection is configured with a provisioning file, Sophos Connect automatically tries to reconnect.

1.5.20 Policy mismatch error. Import a new policy for this connection.

This error applies to SSL VPN connections only.

Cause

The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection. The firewall administrator changed the SSL VPN settings on XG Firewall after an SSL VPN connection was established and saved by Sophos Connect.

Remedy

The connection was created by importing an ovpn file. The user must download and import a new ovpn file from XG Firewall user portal to re-establish the SSL VPN tunnel.

Note If the firewall administrator changes the SSL VPN policy on XG Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, then the Sophos Connect client detects and disconnects the tunnel with an error. If it's an SSL VPN over UDP tunnel, then you have to wait for the inactivity timer to delete the tunnel. You must download and import a new ovpn file from the XG Firewall user portal to successfully re-establish the SSL VPN tunnel.

1.5.21 Server certificate cannot be verified: . Do you want to continue?

This error applies to SSL VPN connections only.

Cause

The Sophos Connect client imports the SSL VPN configuration by connecting to the XG Firewall user portal using the provisioning file's properties. The user portal uses a self-signed certificate that can't be verified by the Sophos Connect client.

Remedy

1. Accept the security warning to connect and download the ovpn configuration file from the user portal.
   To prevent the prompt from showing in the future, contact your firewall administrator. They must choose one of the options below:
2. Issue a new certificate for XG Firewall signed by a public CA. On XG Firewall, import the certificate then select it for Admin console and end-user interaction.
3. Push the default CA certificate from XG Firewall to the trusted store on the remote computers.

Related information Certificates

1.5.22 Could not connect to untrusted server:

This error applies to SSL VPN connections only.

Cause

You canceled the certificate warning prompt, and the connection was terminated.

Remedy

Accept the security warning to connect and download the SSL VPN policy from XG Firewall. To prevent the prompt from showing when the SSL VPN policy is downloading, contact your firewall administrator. They must choose one of the options below:
a) Issue a new certificate for XG Firewall signed by a public CA. On XG Firewall, import the certificate, and then select it for Admin console and end-user interaction.
b) Push the Default CA certificate from XG Firewall to the trusted store on the remote computers.

Related information Certificates

1.5.23 Timed out waiting for server response

This error applies to SSL VPN connections only.

Cause

The SSL VPN policy is misconfigured on XG Firewall. Possible reasons for the failure are as follows:
• Override hostname is configured, but it does not resolve to a valid or correct public IP address.
• DDNS is configured, but it does not resolve to the correct or valid public IP address.
• Both Override hostname and DDNS aren't configured, and the WAN port doesn't have a public IP address.

Remedy

• If you used a provisioning file to import the connection, update the policy connection settings menu (on the Sophos Connect client).
• If you used an ovpn file to create the connection, export a new ovpn file from the user portal and re-import it in the Sophos Connect client.

1.6 General troubleshooting

You can troubleshoot issues that don't appear on the events page. The following topics show issues, possible causes, and information on what to do next. If you need further assistance, contact Sophos Support.

1.6.1 Failed to write to pipe

If you can't connect, follow these instructions.

Cause

Failed to write to pipe

Remedy

1. Re-establish the connection. If this doesn't work, restart your device and try again.
2. If you restart your device and you still can't connect, contact your firewall administrator.

1.6.2 Sophos Connect dashboard will not open

If the Sophos Connect dashboard won't open, follow these instructions.

Cause

If the Sophos Connect dashboard doesn't open, or it doesn't respond when you click the tray icon, the Sophos Connect GUI is stuck in an infinite loop and can't respond to external input.

Remedy

• On Windows: Open Task Manager and select the Details tab. Find scgui.exe and then right-click and select End task. Restart the application from the desktop shortcut.
• On macOS: Open Activity Monitor and find the Sophos Connect process. Open this process and select Force Quit. Restart the application from LaunchPad.

1.6.3 Web browsing stops working when tunnel is disconnected

This error is more common on macOS.

Cause

When a tunnel all connection is disconnected, the DNS servers aren't restored from the physical network adapters. This means the internal DNS servers used when you were connected through the VPN are still used. As the tunnel no longer exists, the name resolution won't work.

Remedy

Disconnect from your local network then reconnect.

1.6.4 Traffic stops going through the VPN tunnel

This error applies to IPsec VPN connections only.

Cause

If you're running a firmware version earlier than 17.5, it's possible that the client received a new virtual IP after the phase 1 rekey.

Remedy

You must disconnect then reconnect. The permanent solution is to upgrade to version 17.5 or later.

1.6.5 Sophos Connect GUI displays "Service Unavailable"

This error is more common on macOS. This error applies to IPsec VPN connections only.

Cause

When a tunnel disconnect is initiated, the strongSwan IPsec daemon gets stuck in an infinite loop. As a result, the GUI gets no response to the disconnect request, times out, and shows the error "Service Unavailable."

Remedy

• On macOS, do as follows:
  a) Open the Activity Monitor and quit the Sophos Connect GUI process.
  b) Open the Terminal and run the following commands:
     sudo /bin/launchctl unload -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist
     sudo /bin/launchctl load -w /Library/LaunchDaemons/com.sophos.connect.scvpn.plist
  c) Open Sophos Connect and check that the "Service unavailable" error is resolved.
• On Windows, do as follows:
  a) Open cmd as administrator then run the following commands:
     net stop scvpn
     net start scvpn
  b) Open Sophos Connect and check that the "Service unavailable" error is now resolved.

1.6.6 Received connection reset from gateway:

This error applies to SSL VPN connections only. This message is logged in the scvpn.log file (in the install folder).

Cause

SSL VPN settings are changed on XG Firewall, a user is manually disconnected or XG Firewall restarts. If the connection uses SSL VPN over TCP, XG Firewall sends a connection reset request. If the connection uses SSL VPN over UDP, the connection may reconnect automatically depending on the idle time-out period.

Remedy

Import a new configuration file into the Sophos Connect client and then reconnect.
a) If your firewall administrator hasn't sent you the file, go to the user portal and download it.
b) Otherwise, go to the user portal to download the ovpn file.

1.6.7 SSL VPN connection has auto-connect and update policy menu items grayed out.

This error applies to SSL VPN connections only.

Cause

If the SSL VPN connection is created by importing an ovpn file, these options aren't available.

Remedy

To turn on these options, you must create a connection using a provisioning file and add them to the provisioning file. Update policy is available after you connect for the first time. To turn on auto-connect, you must define an auto_connect_host that can only be accessed on the internal network. Example of a provisioning file with minimum requirements for enabling auto-connect:

[
  {
    "display_name": "",
    "gateway": "",
    "auto_connect_host": " "
  }
]
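An offline check for the provisioning-file problems described in 1.5.4, 1.5.6 and 1.6.7, run before a file is sent to users. This is an added example, not Sophos code: it uses only the attribute names shown in this guide (display_name, gateway, user_portal_port, auto_connect_host), while the function names, the accepted value types and the sample file are assumptions.

```python
import ipaddress
import json
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def host_kind(value):
    """Classify a string as 'ip', 'hostname', or None (neither)."""
    if not isinstance(value, str) or not value.strip():
        return None
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # An all-numeric last label means a malformed IP address, not a hostname.
    if len(value) <= 253 and not labels[-1].isdigit() and all(_LABEL.match(l) for l in labels):
        return "hostname"
    return None


def lint_provisioning(text, expected_portal_port=None, require_auto_connect=False):
    """Return a list of (entry_index, attribute, message) findings."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [(None, None, f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    # Assumption from the guide's example: the file is a JSON array of objects.
    if not isinstance(entries, list):
        return [(None, None, "expected a JSON array of connection objects")]

    findings = []
    seen_names = {}
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append((i, None, "entry is not a JSON object"))
            continue

        # 1.5.4: duplicate display_name values make the import fail.
        name = str(entry.get("display_name", "")).strip()
        if name:
            key = name.casefold()  # assumption: treat case variants as duplicates
            if key in seen_names:
                findings.append((i, "display_name",
                                 f"'{name}' duplicates entry {seen_names[key]}"))
            else:
                seen_names[key] = i

        # 1.5.6: an invalid gateway hostname or IP address.
        gateway = entry.get("gateway")
        if host_kind(gateway) is None:
            findings.append((i, "gateway", f"{gateway!r} is not a hostname or IP address"))

        # 1.5.6: user_portal_port must match the user portal HTTPS port on the firewall.
        if "user_portal_port" in entry:
            port = entry["user_portal_port"]
            is_int = isinstance(port, int) and not isinstance(port, bool)
            if not is_int and not (isinstance(port, str) and port.isdigit()):
                findings.append((i, "user_portal_port", f"{port!r} is not a port number"))
            elif not 1 <= int(port) <= 65535:
                findings.append((i, "user_portal_port", f"{port} is outside 1-65535"))
            elif expected_portal_port is not None and int(port) != expected_portal_port:
                findings.append((i, "user_portal_port",
                                 f"{port} differs from firewall setting {expected_portal_port}"))

        # 1.6.7: auto-connect needs auto_connect_host, reachable only internally.
        ach = entry.get("auto_connect_host")
        if ach is None or not str(ach).strip():
            if require_auto_connect:
                findings.append((i, "auto_connect_host", "not set; auto-connect stays unavailable"))
        elif host_kind(ach) is None:
            findings.append((i, "auto_connect_host", f"{ach!r} is not a hostname or IP address"))
        elif host_kind(ach) == "ip" and ipaddress.ip_address(ach.strip()).is_global:
            findings.append((i, "auto_connect_host",
                             f"{ach} is a public address, not an internal-only host"))
    return findings


# Constructed sample file (not from the guide); names and ports are made up.
SAMPLE_PRO = """
[
  {"display_name": "HQ VPN", "gateway": "vpn.example.com",
   "user_portal_port": 4443, "auto_connect_host": "intranet.corp.example"},
  {"display_name": "HQ VPN", "gateway": "vpn2.example.com", "user_portal_port": 443},
  {"display_name": "Branch", "gateway": "vpn_branch!example", "auto_connect_host": "8.8.8.8"}
]
"""

if __name__ == "__main__":
    for index, attribute, message in lint_provisioning(SAMPLE_PRO, expected_portal_port=4443):
        print(f"entry {index}: {attribute}: {message}")
```

A hostname given as auto_connect_host can't be judged offline; confirm separately that it resolves only through the internal DNS server.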

1.6.8 SSL VPN error

This error applies to SSL VPN connections only.

Cause

An error generated by the OpenVPN service.

Remedy

Re-establish the connection. If this doesn't work, restart your device and try again.

1.6.9 Sophos Connect can't establish a tunnel

This error applies to SSL VPN connections only.

Cause

You probably installed the Sophos Connect client first and then installed the Sophos SSL VPN client.

Remedy

Uninstall both clients, then re-install the Sophos SSL VPN client, then the Sophos Connect client.

1.6.10 Management port is unavailable

This error applies to SSL VPN connections only.

Cause

Sophos Connect fails to claim TCP port 25340, which is required to communicate with OpenVPN.

Remedy

1. Check if another application is running on the device using this port.
2. Exit the application, if possible. If you don't fix this issue, Sophos Connect 2.0 can't run on your device. If no other application is using this port, this may be a temporary condition.
3. Reconnect to the Sophos Connect client.

1.6.11 Failed to create temporary file

This error applies to SSL VPN connections only.

Cause

Sophos Connect uses a temporary file to pass the connection attributes to the OpenVPN service. Sophos Connect failed to create the file on this device.

Remedy

Restart your device.

1.6.12 OpenVPN service is unavailable

This error applies to SSL VPN connections only.

Cause

The OpenVPN service may not have started.

Remedy

If the OpenVPN service start-up type is set to disabled, change it to manual, and restart the Sophos Connect service.

2 About Sophos Connect Admin

In Sophos Connect Admin, you can import config (.tgb) files and configure various VPN setup options. For information on how to configure and export a .tgb file on XG Firewall, see Sophos Connect client in the XG Firewall help. You can install and uninstall Sophos Connect Admin in the same way you do the Sophos Connect client.

2.1 Editing configuration files

You can edit your configuration (.tgb) files in Sophos Connect Admin, which provides you with more granular VPN configuration options. Open the .tgb file you've exported from XG Firewall in Sophos Connect Admin. You can:
• Turn on Tunnel All to send all traffic through the VPN connection.
• Turn on Send Security Heartbeat to allow Sophos Endpoint Protection to send a heartbeat to XG Firewall. This only works if the user has the Sophos Endpoint Protection client installed on their device.
• Turn on Allow Password Saving to allow the users to save their username and password on their device. The user credentials are stored securely using keychain services.
• Turn on Prompt for 2FA if you've configured two-factor authentication for the VPN users on XG Firewall.
• Turn on Auto-connect Tunnel to automatically turn on the connection after the user logs on to Sophos Connect on their device. Sophos Connect won't automatically start the connection if the user is already connected to the corporate network. Auto-connect requires an additional configuration parameter: Enter a host/DNS Suffix. It determines whether the user's local system is inside or outside the corporate network. Use one of the following values:
  — An IP address.
  — A Fully Qualified Domain Name (FQDN). The hostname must only resolve when using the internal DNS server.
  — A DNS suffix.

Note If you configure an IP Address or FQDN, ICMP must be allowed on this host.

• Add, change, and delete the networks that the user can connect to. When you add specific networks to the list, you turn on. The user accesses resources on those networks through the VPN connection but accesses internet resources straight through their remote gateway.

Note If you delete all networks, tunnel all mode will be activated, meaning all traffic goes through the VPN connection.

• Change the connection name and target host.
If you clear the configuration, you'll need to import the .tgb file again. If you save the configuration, it's saved as a .scx file.

Note You can import .scx files and re-edit them.

When you've saved the configuration file, you can send it to the user, who imports it into Sophos Connect.

3 Legal Notices

Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
