Skip to content
Avanet

Set up Sophos SSL VPN with Sophos Connect on Windows

SSL VPN remains an important remote access option on Sophos Firewall, especially when IPsec causes problems in hotels, guest networks or heavily filtered third-party networks. On Windows, SSL VPN is now used in many environments through Sophos Connect.

This article explains the installation on Windows, importing the .ovpn configuration and the most important checks after the connection is established. For the basic choice between Sophos Connect, SSL VPN, IPsec, mobile clients and ZTNA, start with Sophos Connect or SSL VPN: which remote access solution fits?.

Context

These instructions apply to Sophos Firewall with SFOS. Depending on the platform or starting point, another entry point may fit better:

Important: Sophos Connect supports SSL VPN not only on Windows. Since Sophos Connect 2.0, Remote Access SSL VPN has also been available on macOS. Mobile platforms such as iOS and Android are not directly supported by Sophos Connect for IPsec and SSL VPN; OpenVPN-compatible clients or operating system functions are used there.

Requirements

  • Sophos Firewall with configured SSL VPN remote access
  • user with permission for SSL VPN
  • access to the VPN Portal or an administratively provided .ovpn file
  • Sophos Connect in a current version suitable for the Windows platform
  • Windows 10 or Windows 11, and Windows ARM with Sophos Connect 2.5 or later
  • MFA/OTP configured if Remote Access is protected by it
  • firewall rules for traffic from the VPN zone
  • a clear process for distributing new .ovpn files after changes

If the firewall-side SSL VPN configuration is not yet in place, first complete Set up Sophos Firewall SSL VPN Remote Access.

Before an SFOS 22 MR1 upgrade, also check whether old Remote Access IPsec configurations still exist. SSL VPN is not directly affected by this, but many environments reassess Remote Access at this point. The process is described in Migrate legacy Remote Access IPsec before SFOS 22 MR1.

Plan before downloading

Before users download the client, it should be clear how SSL VPN will be operated. Many later errors do not come from the installation, but from old profiles, unclear permissions or overly broad firewall rules.

Important planning questions:

  • Users: Which users or groups are authorised as Policy members for SSL VPN?
  • Portal: Does the VPN Portal need to be reachable from the internet, or is the .ovpn file distributed administratively?
  • Certificate: Does the certificate match the public FQDN and does the browser show no warning?
  • MFA: Is OTP/MFA requested for Remote Access and is the token rollout complete?
  • DNS: Are internal DNS servers and search domains required?
  • Access: Which internal networks and services may be reached from the VPN zone?
  • Operations: Who updates Sophos Connect and distributes new profiles after changes?

If the VPN Portal is publicly reachable, it should not be treated as a simple download page. It is a firewall login service and part of the attack surface. Device Access, certificate, MFA, logging and possible source or country restrictions should therefore be reviewed deliberately.

1. Log in to the VPN Portal

Open the Sophos Firewall VPN Portal in the browser and log in with the VPN user.

Sophos Firewall v20 VPN Portal login screen
The VPN Portal is the typical entry point for users, but it should be operated with a valid certificate, MFA and deliberate Device Access settings.

If the browser warns about the certificate, check the cause. In production environments, a valid certificate for the VPN Portal is cleaner than a permanent browser exception. For public portals, certificate, MFA and Device Access are not minor details, but part of Remote Access security. Device Access and Local Service ACL on Sophos Firewall is a suitable hardening reference.

If the user does not see an SSL VPN configuration after successful login, this is rarely a Windows problem. First check whether the user or their group is included in the matching SSL VPN policy as Policy members and whether the correct portal is being reached.

2. Download Sophos Connect and the SSL VPN configuration

In the VPN Portal, switch to the VPN area. The Sophos Connect client and SSL VPN configuration are provided there. For SSL VPN, the .ovpn file is relevant.

Sophos Firewall VPN Portal - client and config download
The client and .ovpn configuration are provided in the VPN Portal; the file should match the current firewall configuration.

The Sophos Connect client can also be downloaded directly from the Sophos website: Download Sophos Connect Client.

In managed environments, the client should not be installed randomly. A defined software package with a clear version, test group and update process is better. The approved version should be derived from the official release notes, the VPN Portal or the internal software package, not from individual downloads on user devices. Current Sophos Connect versions also include security and component updates, for example for OpenVPN or OpenSSL.

If an old SSL VPN client or another OpenVPN-based client for the same connection is still installed on the Windows device, clean up that state before the rollout. Multiple VPN clients maintained in parallel quickly lead to wrong adapters, old profiles and unclear support cases.

3. Install Sophos Connect

Run the setup and follow the installation steps.

Install Sophos Connect SSL VPN client on Windows
The installation sets up Sophos Connect and the required VPN adapter; in managed environments this step should be packaged.

If a network adapter has to be confirmed during installation, this belongs to the VPN client. In managed Windows environments, this step should be properly prepared through software deployment or local admin rights.

After installation, document the Sophos Connect version. This helps later in support cases, because client errors, profile errors and firewall errors otherwise quickly get mixed together. For ongoing operation, Check the Sophos Connect client version and update it safely fits.

4. Import the SSL VPN configuration

After installation, the Sophos Connect icon appears in the notification area of the Windows taskbar. Open Sophos Connect and import the downloaded .ovpn file.

Import Sophos Connect client SSL VPN configuration
After installation, Sophos Connect has no connection yet; only the profile import makes the client usable.
Import Sophos Connect SSL VPN client config on Windows
The SSL VPN configuration is imported deliberately; old or duplicate profiles should be cleaned up before rollout.
Log in to the Sophos SSL VPN client on Windows
After import, the connection name should be clear so users and the helpdesk can select the right profile.

When several profiles exist, the connection name should be clear. Old or duplicate profiles quickly lead to support cases because users select the wrong destination.

After changes to the SSL VPN policy, certificate, gateway, DNS, user scope or provisioning logic, the connection should be imported again. A client update does not automatically replace an old .ovpn profile. If Sophos Connect reports a policy or compression mismatch, this profile state is often exactly the problem.

Typical signs of an outdated or wrong profile:

  • Connection shows old site name: An old profile is usually still imported. Remove the old connection and import the current .ovpn again.
  • Certificate or gateway warning: FQDN, certificate or Override Hostname may have changed. Download the profile again from the current VPN Portal.
  • DNS works only on individual clients: Check old DNS values in the profile or local DNS behaviour. Reimport the profile and check Windows DNS.
  • User sees no configuration in the portal: Check policy assignment or user context. Verify SSL VPN policy and group membership.

5. Establish the VPN connection

Select the imported connection and click Connect. Then log in with the VPN user. If MFA or OTP is active, confirm the second factor according to the firewall configuration.

After the connection is established, do not only check the status in the client. The decisive question is whether the required internal destinations can be reached.

Check after installation

At least these points should be checked with a test user:

  • Sophos Connect shows the connection as connected.
  • The user receives an IP address from the expected SSL VPN pool.
  • Internal DNS names resolve correctly.
  • Required servers and applications are reachable.
  • Internet behaviour matches the design: Split Tunnel or Full Tunnel.
  • The expected firewall rule for traffic from the VPN zone is visible in Log Viewer.
  • MFA is requested as planned.
  • A deliberately disallowed target remains blocked.
  • Disconnecting and logging in again work.

If the connection is established but no access works, the cause is often not the client but firewall rules, DNS, routing or NAT. For analysis, use Test a firewall rule with Log Viewer, Policy Test and Packet Capture.

Quick Windows-Side Check

On the Windows client, simple checks help before changing the firewall configuration:

ipconfig /all
route print
nslookup intranet.example.local
ping 10.10.10.10

The point is not to allow every ping. What matters is whether the client has received an SSL VPN address, whether a route to the internal target network exists, and whether DNS resolves via the expected server. If access works by IP address but not by name, DNS is more likely than the firewall rule.

Operations and security

SSL VPN is a publicly reachable Remote Access service. Therefore, do not document only the installation, but also the operation:

  • Update Sophos Connect regularly.
  • Enable and test MFA for Remote Access.
  • Review VPN groups regularly.
  • Restrict portal access through Device Access and Local Service ACL where possible.
  • Keep firewall rules for the VPN zone narrow and logged.
  • Remove old .ovpn files and outdated profiles.
  • Plan Syslog or central analysis for longer log retention.

For MFA basics, see Enable MFA for Sophos Firewall WebAdmin, VPN Portal and Remote Access. For log files and service logs, Sophos Firewall troubleshooting: services and logs is useful.

Troubleshooting

Login to the VPN Portal does not work

Check user, password, MFA, group membership and authentication server. If AD, RADIUS or Microsoft Entra ID SSO is involved, test authentication separately from the VPN.

User Sees No SSL VPN Configuration in the VPN Portal

If login works but no .ovpn file or SSL VPN download is visible, do not start with the Windows client. First check SSL VPN policy, Policy members, group membership, portal access, and User-ID limit. The firewall-side process is described in Set up Sophos Firewall SSL VPN Remote Access.

.ovpn file cannot be imported

First check whether the file really belongs to the current firewall configuration and whether Sophos Connect is current enough. For special characters in certificates or user data, use a current client version.

If downloading the .ovpn file in the VPN Portal itself fails even though login and permission are correct, also check the Sophos Firewall User-ID limit.

Connection is established, but internal systems are not reachable

Check DNS, firewall rules, routing, NAT and the return path. Traffic from the VPN zone should be visible in Log Viewer. If no logs appear, the traffic probably does not reach the expected rule or logging is disabled.

If small accesses work but larger file transfers or certain applications hang, also check MTU/MSS: Check Sophos Firewall MTU and MSS for VPN problems.

Sophos Connect reports policy mismatch or compression mismatch

Such messages often indicate that the firewall configuration was changed but the client still uses an old SSL VPN profile. In this case, download the current .ovpn file again from the VPN Portal or redistribute it administratively and then import it again.

After Profile Change, Sophos Connect Still Connects to the Old Target

Often an old connection entry is still present or users select the wrong profile name in the client. Remove old profiles, import the current .ovpn again and choose the profile name so that site, environment or purpose are clearly recognisable.

Connection drops in third-party networks

SSL VPN is often more tolerant than IPsec, but it is not immune to restrictive networks, Captive Portals, forced proxies or unstable Wi-Fi. In such cases, test with a second network and check whether Split Tunnel, port, protocol or ZTNA is a better fit.

Collect support data

If the error is not directly visible, Sophos Connect can generate a technical support report. It contains connection events, VPN configurations and information about the endpoint. Before sharing it, check sensitive data such as usernames, internal hostnames, IP addresses and gateway FQDNs.

On the firewall side, Log Viewer, sslvpn.log, openvpn-status*.log and the matching firewall rule help in parallel. The log file mapping is described in Sophos Firewall troubleshooting: services and logs.

FAQ

Which operating systems is the Sophos Connect client compatible with?

Current Sophos Connect versions support Windows 10 and 11 as 64-bit systems. Windows ARM is supported from Sophos Connect 2.5.

Is macOS supported for SSL VPN?

Yes. Since Sophos Connect 2.0, the Sophos Connect client on macOS can also use Remote Access SSL VPN.

Can the Sophos Connect client be used on mobile platforms?

No. Sophos Connect does not directly support Android and iOS for IPsec and SSL VPN. Depending on the protocol, OpenVPN-compatible clients or operating system functions are used for mobile platforms.

Does the Sophos Connect client support Windows ARM?

Yes. Windows ARM is supported from Sophos Connect 2.5.

Is SSL VPN better than IPsec?

Not in general. SSL VPN often works better in restrictive third-party networks. IPsec can perform better. The decisive factors are user devices, network environments, security requirements and operating processes.