Install Sophos Connect Client on Windows
Sophos Connect is the central Sophos client for many remote access scenarios with Sophos Firewall. On Windows, the client can use IPsec and SSL VPN connections depending on the firewall configuration. It is important that the client version, Windows platform, configuration file and firewall setup match.
These instructions describe the installation on Windows and the most important checks after importing the connection. When deciding between IPsec, SSL VPN, mobile clients and ZTNA, the first comparison is Sophos Connect or SSL VPN: Which remote access solution is right?.
Which article fits?
Sophos Connect on Windows is just one part of remote access operations. Depending on the task, a different approach is appropriate:
- Install Sophos Connect on Windows: This article.
- Set up SSL VPN on Windows with
.ovpn: Set up Sophos SSL VPN with Sophos Connect on Windows. - Configure Sophos Connect on the firewall side: Configure Sophos Connect on Sophos Firewall.
- Set up Microsoft Entra ID SSO for Sophos Connect: Set up Microsoft Entra ID SSO for Sophos Connect and VPN Portal.
- Maintain client versions, updates and profiles: Check and safely update Sophos Connect Client version.
- VPN is connected but traffic is not working: Test firewall rules with Log Viewer, Policy Test and Packet Capture. This separation prevents typical troubleshooting in the wrong place. An installed client does not yet prove that the VPN portal, authentication, profile, firewall rules, DNS and return path are correct.
Requirements
- Sophos firewall with remote access configuration set up
- Sophos Connect Client in a version that matches the firewall and platform
- Windows 10 or Windows 11, with current Sophos Connect versions as 64-bit or Windows ARM
- Configuration file for IPsec (
.scxor.tgb) or SSL VPN (.ovpnor provisioning file) - User account with VPN permission and, if enabled, working MFA
- Firewall rules for traffic from the
VPNzone or the remote access zone used
If Sophos Connect is to be used with Microsoft Entra ID SSO, Sophos Connect 2.4 or newer is required on Windows and a suitable SSO configuration on the firewall. The process is described in Set up Microsoft Entra ID SSO for Sophos Connect and VPN Portal.
Sophos Connect is supported for Windows ARM from version 2.5. If old software packages are still being distributed internally, you should check which version is actually installed before the rollout. Check and safely update Sophos Connect Client version is suitable for rollout, pilot group and update check.
The platform limit is also important: current Sophos Connect versions should be planned for new rollouts with Windows 10 or Windows 11. Old 32-bit installations should not be continued as the new standard just because they were previously possible with older client versions.
1. Download Sophos Connect Client
The Sophos Connect Client can be downloaded either via the VPN portal of the Sophos Firewall or directly from the Sophos website.
In managed environments, the client should not be randomly installed by individual users. A clear package with a defined version, rollout group and fallback plan makes sense. This is particularly important when using Windows ARM, SSL VPN via Sophos Connect or provisioning files.
Sophos Connect should be updated regularly. New versions not only contain functional changes, but also updated components such as OpenVPN, strongSwan or OpenSSL.
For larger environments, the installation source should be clear. If old MSI files, a VPN portal download and a software distribution exist at the same time, the helpdesk will otherwise quickly install different client versions.
2. Install Sophos Connect Client
The installation starts with the file SophosConnect.msi. After completing the wizard, the window can be closed with Finish.
After installation, the version should be checked directly in the client or via the software inventory. This is particularly important for Windows ARM, Entra SSO, provisioning files and recurring service errors, because small version differences can change the error pattern.



3. Download connection file
When you first start Sophos Connect requires connection configuration. Depending on the remote access design, this is an IPsec, SSL VPN or provisioning file.
Typical connection files:
- IPsec Remote Access:
.scxor.tgb; Export toVPN > Sophos Connect Client. - SSL VPN:
.ovpn; VPN portal or administrative export. - Automatic import via provisioning:
.pro; centrally prepared provisioning file. With a classic IPsec configuration, the file is exported in WebAdmin:
- On the Sophos Firewall, open
VPN>Sophos Connect Client. - Export connection.
- Store the file securely and only distribute it to authorized users.
With SSL VPN, the configuration is usually provided from the VPN portal or from the remote access configuration. The exact source depends on how Remote Access was set up on the firewall. The detailed process for .ovpn import, VPN portal and SSL VPN testing is available in Set up Sophos SSL VPN with Sophos Connect on Windows.
Profiles should be distributed in a controlled manner. If the gateway, certificate, DNS, user group, IP pool, SSO or authentication have been changed, old files in download folders should not be relied upon. The affected connections must be re-exported, re-imported or properly updated via provisioning.
For provisioning files, the gateway, VPN portal port, certificates, SSO reference and user group should be checked particularly carefully. A provisioning file makes distribution easier, but does not replace technical approval of the connection.
4. Set up Sophos Connect Client
The setup is done in just a few steps:
- Open Sophos Connect.
- Select
Import Connection. - Import the appropriate connection file.
- Check connection under Connections.
- Click
Connect. - Log in with the VPN user and confirm MFA if enabled.
If the login is successful, Sophos Connect should show the connection as connected. Then you should not only check the green status, but also test DNS, internal targets and firewall rules. If the connection is established but no traffic is flowing, Test firewall rules with Log Viewer, Policy Test and Packet Capture will help.
With Entra ID SSO, you should also check whether the SSO flow really runs via the expected Microsoft Entra ID server and whether conditional access or MFA work as planned. A successful local login does not automatically prove that SSO, group mapping and VPN permission are correct.




Check after installation
After installation, these points should be checked:
- Sophos Connect version fits the platform, especially with Windows ARM.
- Imported file corresponds to the desired protocol: IPsec or SSL VPN.
- User is authorized in the correct VPN group.
- MFA works and does not block the connection establishment.
- Client receives a suitable VPN IP.
- Internal DNS names are resolved.
- Firewall rules for the
VPNzone only allow the required targets. - Old profiles were not accidentally reused.
If old remote access IPsec configurations still exist before an SFOS 22 MR1 upgrade, Migrate legacy remote access IPsec before SFOS 22 MR1 should be checked first.
Acceptance test for Windows
A green client status is not sufficient as acceptance. For a robust rollout, a test user should check these points:
- Check client version: Version fits Windows 10/11, Windows ARM and internal release.
- Import profile:
.scx,.tgb,.ovpnor.prois recognized correctly. - Test SSO: Entra SSO only starts where it is planned.
- Test MFA: OTP, RADIUS-MFA or Entra-MFA behaves as documented.
- Test DNS: internal FQDNs resolve correctly.
- Test access: Allowed targets work, unauthorized targets remain blocked.
- Check Log Viewer: Traffic from the VPN zone hits the expected firewall rule.
- Test reconnect: Network changes, standby and reconnections are traceable.
For mixed environments, at least one classic Windows 10/11 device and one Windows ARM device should be tested if ARM is used in production. If macOS clients are also used, the behavior should be documented separately.
Rollout notes for managed Windows clients
If there are few users, a manual installation may be sufficient. In larger environments, Sophos Connect should be controlled through normal software distribution or endpoint management.
Clarify before a broad rollout:
- Which Sophos Connect version is released?
- Which Windows versions and CPU architectures are in use?
- Is IPsec, SSL VPN, Entra SSO or provisioning used?
- Are there users with OTP, RADIUS-MFA or Entra-MFA?
- How are new profiles distributed?
- How to remove old profiles or mark them as obsolete?
- Who checks DNS, firewall rules and reconnect behavior after client updates?
- Which logs and screenshots does the helpdesk need for support cases?
For shared Windows devices, particular attention should be paid to whether Sophos Connect starts reliably for all affected users. Sophos Connect 2.5 MR1 includes a fix for a case where the client for additional Windows users did not start automatically when installed by another user.
Troubleshooting
Sophos Connect does not start or shows service errors
First check whether the Sophos Connect service is running and whether a current client version is installed. For older installation packages, it is usually worth doing a clean reinstallation with the released version. If multiple Windows users use the same device, you should also check whether the client automatically starts correctly in the user context.
Connection is imported but not established
Then usually user permission, MFA, certificate, preshared key, firewall version or an incorrect file type are involved. IPsec and SSL VPN profiles should not be mixed. For provisioning files, also check the gateway, VPN portal port, certificate, SSO configuration and accessible Microsoft endpoints if Entra SSO is involved.
SSO status is unclear after internet interruption
In Entra SSO environments, an Internet interruption can result in irritating status displays. Sophos Connect 2.5 MR1 includes a fix for SSO users. Nevertheless, you should also check whether the tunnel is really disconnected, whether the client is reconnecting and whether the firewall under Authentication > Services is using the expected Microsoft Entra ID server.
OTP is queried differently when reconnecting
If classic OTP or MFA users use IPsec and SSL VPN in parallel, the reconnect behavior should be tested. Sophos Connect 2.5 MR1 fixes a difference in login verification between IPsec and SSL VPN for Credential users with OTP.
Connection is established, but internal systems cannot be reached
In this case, the cause is often not the client, but rather firewall rules, routing, DNS or NAT. It should be visible in the log viewer whether traffic from the VPN zone meets the expected rule. For IPsec special cases, Sophos Firewall IPsec VPN Troubleshooting helps.
Connection no longer works after profile change
After changes to the gateway, certificate, VPN portal port, DNS, IP pool, user group, Entra SSO or authentication, the profile should be redistributed or reimported. A client update does not automatically replace an old profile.### Connection is established, but large transfers are hanging
If login, DNS and small accesses work, but larger file transfers or certain applications hang, MTU/MSS should also be checked. The error pattern often matches fragmentation, PPPoE, tunneled connections or an asymmetric path. The process is described in Check Sophos Firewall MTU and MSS for VPN problems.
Collect support data
If the error is not immediately visible, you should document the time, user, Windows version, CPU architecture, Sophos Connect version, profile type, source network and target system. Log Viewer, sslvpn.log, IPsec logs, packet capture and the affected firewall rule help on the firewall. The assignment of the log files is in Sophos Firewall Troubleshooting: Services and Logs.