Check and safely update Sophos Connect Client version
Sophos Connect is the primary remote access client for many Sophos firewall environments. Nevertheless, in day-to-day operations the client version is often maintained less deliberately than the firewall firmware. This leads to unnecessary support cases: connections are not established, DNS does not work properly on macOS, SSO shows an incorrect status, or users are prompted differently than expected during OTP reconnects.
This article explains how to check Sophos Connect versions, schedule updates and validate the result after the update. It does not replace the installation instructions for Windows or macOS, but supplements them with guidance on operating and updating the client.
For the basic decision between IPsec, SSL VPN, mobile clients and ZTNA, start with Sophos Connect or SSL VPN: Which remote access solution is right?
When an update should be checked
A Sophos Connect update should not only be checked for acute errors. Especially with remote access, the client version is directly related to platform support, VPN protocol, MFA, SSO and profile import.
Typical triggers:
- new Windows or macOS versions in the company
- Switching from IPsec to SSL VPN or vice versa
- Use of Windows ARM
- Introducing Microsoft Entra ID SSO
- Switch to Sophos Connect with SSL VPN on macOS
- recurring reconnect, DNS or OTP problems
- Distribution of new .scx, .tgb, .ovpn or .pro files
- major firewall updates, for example to SFOS 22 or newer
If remote access is mission critical, the client should not be updated casually. It is better to have a small pilot with a clear test list before the version is distributed widely.
Classify current version points
As of 20 June 2026, Sophos Connect 2.5 MR1 is the current version in the official Sophos Connect Release Notes. The documented release date is 18 June 2026.
Important points from the current release notes:
| Version | Relevance for admins |
|---|---|
| Sophos Connect 2.5 MR1 | fixes several practical issues around Windows startup, SSO status, OTP reconnect and SSL VPN provisioning |
| Sophos Connect 2.5 | supports Windows ARM and uses 64-bit Windows 10 or 11 |
| Sophos Connect 2.4 | brings Microsoft Entra ID SSO for Sophos Connect on Windows with SFOS 21.5 or later |
| Sophos Connect 2.0 for macOS | supports Remote Access SSL VPN on macOS |
| Sophos Connect 2.0 MR1 for macOS | Fixes, among other things, DNS problems with SSL VPN and restores the storage of access data for SSL VPN |
This table is not a complete release history. The points shown are those that, in practice, often lead to rollout or support questions for Sophos firewall admins.
Check supported platforms
Before an update, you should not just download the latest version. First, it must be clear which platforms and profiles exist in the environment.
Windows
For current Sophos Connect versions you should plan with Windows 10 or Windows 11. Windows ARM is supported from Sophos Connect 2.5. If old 32-bit Windows installations are still in use, you should not blindly switch to the current client line, but first check whether these devices should still be operated as a supported remote access platform.
For Entra ID SSO with Sophos Connect, Sophos lists Windows devices with Sophos Connect 2.4 or later. The identity configuration on the firewall is described in the article Set up Microsoft Entra ID SSO for Sophos Connect and VPN Portal.
macOS
On macOS, which protocol is used is particularly important. IPsec has been supported by Sophos Connect for a long time. SSL VPN via Sophos Connect on macOS, however, is only relevant from Sophos Connect 2.0.
For Sophos Connect 2.0 and newer, Sophos specifies macOS Ventura 13 or newer, both for Intel Macs and for Apple Silicon via Rosetta 2. If older macOS versions are in use, you should check before the rollout whether the affected devices need to be updated or connected differently.
Mobile platforms
Sophos Connect is not the client for iOS and Android. For mobile platforms, depending on the remote access design, operating system functions or OpenVPN-compatible apps are used. The decision between Sophos Connect, SSL VPN, OpenVPN clients and ZTNA is summarized in Sophos Connect or SSL VPN: Which remote access solution is right?.
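The platform requirements from this section can be applied to an inventory export before the rollout. The following is an added example, not Sophos code: the CSV columns, host names and the "2.5 MR1" version format are assumptions, so adapt the parser to what your endpoint management actually reports.

```python
import csv
import io
import re

# Constructed sample export; column names and version format are assumptions.
SAMPLE_INVENTORY = """host,os,os_version,arch,client,protocol,auth
pc-01,windows,11,x64,2.5 MR1,ipsec,entra_sso
pc-02,windows,11,arm64,2.4,sslvpn,ad
pc-03,windows,10,x86,2.3,ipsec,entra_sso
mac-01,macos,14,arm64,2.0,sslvpn,radius
mac-02,macos,12,x64,2.0 MR1,ipsec,local
"""

def parse_version(text):
    """'2.5 MR1' -> (2, 5, 1); '2.4' -> (2, 4, 0)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s*MR(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised client version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def check_device(row):
    """Return findings for one inventory row, based on the requirements in this article."""
    findings = []
    ver = parse_version(row["client"])
    if row["os"] == "windows":
        if row["arch"] == "arm64" and ver < (2, 5, 0):
            findings.append("Windows ARM needs Sophos Connect 2.5 or later")
        if row["arch"] == "x86":
            findings.append("32-bit Windows: decide whether this stays a supported platform")
        if row["auth"] == "entra_sso" and ver < (2, 4, 0):
            findings.append("Entra ID SSO needs Sophos Connect 2.4 or later")
    elif row["os"] == "macos":
        if row["protocol"] == "sslvpn" and ver < (2, 0, 0):
            findings.append("SSL VPN on macOS needs Sophos Connect 2.0 or later")
        elif row["protocol"] == "sslvpn" and ver < (2, 0, 1):
            findings.append("2.0 MR1 fixes DNS settings for SSL VPN on macOS")
        if ver >= (2, 0, 0) and int(row["os_version"]) < 13:
            findings.append("Sophos Connect 2.0 and newer needs macOS Ventura 13 or newer")
    return findings

def audit(csv_text):
    """Map host -> findings for every device with at least one finding."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: f for r in rows if (f := check_device(r))}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(findings))
```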
Clarify VPN profile type before update
Many errors are not caused by the client itself, but by old or incorrect profiles. Before an update, it should be documented which connection types are distributed:
| Profile type | Typical file | Note |
|---|---|---|
| IPsec Remote Access | .scx or .tgb | Profile must match the firewall configuration and user group |
| SSL VPN | .ovpn | Check certificate, user permission and DNS settings |
| Provisioning | .pro | automatic provisioning, but dependent on gateway, portal and client support |
After changes to the VPN portal, gateway, certificates, Entra SSO, user groups, IP pools or DNS, one should assume that profiles will need to be reimported or redistributed. Old profiles in circulation are one of the most common causes of difficult to understand remote access problems.
Configure Sophos Connect on Sophos Firewall is suitable for the firewall-side IPsec basic configuration. For SSL VPN, Set up Sophos Firewall SSL VPN Remote Access is the more suitable start.
Prepare update properly
A controlled Sophos Connect update consists of more than the new installer.
Check before rollout:
- Which Sophos Connect version is currently installed?
- Which operating systems are affected?
- Are IPsec, SSL VPN or both protocols used?
- Are .pro provisioning files used?
- Are Entra SSO, RADIUS, AD or local users in use?
- Is MFA active and how does the client behave during reconnects?
- Are there any known users with special characters in usernames, passwords or certificates?
- Are old profiles still in circulation?
- Is there a pilot group and a fallback path?
For managed clients, the version should be controlled through normal software distribution. Individual manual updates by users only make sense if the support process is prepared for this.
Recommended flow
1. Record current status
First you should record the existing client versions. In small environments, a manual check on a few devices is often sufficient. In larger environments, software distribution or endpoint management should evaluate the installed versions.
Additionally document:
- connection used per user group
- IPsec or SSL VPN
- Profile source: Firewall export, VPN portal or provisioning file
- Authentication: local, AD, RADIUS, Entra ID SSO
- MFA behavior
- well-known special cases such as Windows ARM or Apple Silicon
2. Define test group
The test group should not only consist of IT admins. It makes sense to have one to three normal users with a typical remote access profile and at least one device per platform that is used productively.
At least test:
- Windows 10 or 11 with standard profile
- Windows ARM, if available
- macOS with IPsec, if available
- macOS with SSL VPN if available
- Entra SSO if used
- OTP/MFA reconnect if used
3. Update client
Install the latest installer from the shared source. In many SFOS environments, Sophos Connect is deployed via firewall pattern updates or obtained from the Sophos download page. What is crucial is that it is clear internally which version has been released.
After installation:
- Open Sophos Connect.
- Check version.
- Show existing connection.
- Test connection.
- If there are profile or SSO changes, re-import the connection.
4. Reimport connection if necessary
A client update alone does not automatically update every VPN profile. If the firewall configuration, gateway, DNS, certificates, SSO or provisioning file have changed, the connection should be deliberately reimported. With macOS, this is particularly important if the option to save access data for SSL VPN is to be used after an update. Sophos notes for Sophos Connect 2.0 MR1 that the configuration file must be reimported after the upgrade to use this option.
5. Validate after update
A green connection status is not enough. After the update, you should check whether Remote Access really works as planned.
Checklist:
- Connection is being established.
- MFA or SSO is queried as expected.
- Client gets the correct VPN IP.
- Internal DNS names are resolved.
- Central internal systems are accessible.
- Firewall rule in the VPN zone is hit in the log viewer.
- Split Tunnel or Full Tunnel behaves as documented.
- Reconnect works after network change.
- Logging out and logging in again works.
- Helpdesk knows which new version has been released.
If the connection is established but no traffic is flowing, the client is often not the cause. Then Sophos Firewall IPsec VPN Troubleshooting and Test firewall rules with Log Viewer, Policy Test and Packet Capture will help.
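The client-side items of the step 5 checklist can be scripted. This added example (not part of the original article or any Sophos tool) checks routing, tunnel mode, DNS and reachability, while the log viewer check stays on the firewall. The pool, names and probe addresses in PLAN are constructed placeholders.

```python
import ipaddress
import socket

PLAN = {  # constructed test plan; all values are placeholders for your environment
    "vpn_pool": "10.81.0.0/24",
    "internal_nets": ["10.0.0.0/8"],
    "dns_names": ["intranet.corp.example"],
    "internal_probe": ("10.20.0.10", 443),
    "public_probe": ("192.0.2.1", 443),
    "full_tunnel": False,
}

def resolve(name):
    """Addresses the system resolver returns for name (empty list on failure)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def source_addr(dest):
    """Local address the OS would use to reach dest; a UDP connect sends no packet."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(dest)
            return s.getsockname()[0]
    except OSError:
        return None

def tcp_open(dest, timeout=3.0):
    try:
        with socket.create_connection(dest, timeout=timeout):
            return True
    except OSError:
        return False

def validate(plan, resolve=resolve, source_addr=source_addr, tcp_open=tcp_open):
    """Return {check: bool}; the three callables are injectable for offline testing."""
    pool = ipaddress.ip_network(plan["vpn_pool"])
    nets = [ipaddress.ip_network(n) for n in plan["internal_nets"]]
    def via_vpn(dest):
        src = source_addr(dest)
        return src is not None and ipaddress.ip_address(src) in pool
    checks = {"internal_routed_via_vpn": via_vpn(plan["internal_probe"]),
              "tunnel_mode_as_documented": via_vpn(plan["public_probe"]) == plan["full_tunnel"],
              "internal_service_reachable": tcp_open(plan["internal_probe"])}
    for name in plan["dns_names"]:
        addrs = [ipaddress.ip_address(a) for a in resolve(name)]  # empty or public answer: VPN DNS not used
        checks[f"dns:{name}"] = bool(addrs) and all(any(a in n for n in nets) for a in addrs)
    return checks
```

Run `validate(PLAN)` on a pilot device while the tunnel is up; any `False` entry names the checklist item to investigate.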
Typical errors after updates
Sophos Connect does not start automatically
Sophos Connect 2.5 MR1 fixes an autostart issue for additional Windows users when the client was installed by another user. If such cases occur, you should first check whether the current version is actually installed and how the software distribution installs the client.
SSO status is incorrect after internet interruption
In Entra SSO environments, an Internet interruption can result in confusing status displays. Sophos Connect 2.5 MR1 includes a fix for SSO users. You should also check whether the firewall is running on a suitable SFOS version and whether the SSO configuration is set correctly under Authentication > Services.
OTP is queried differently when reconnecting
If users are working with classic MFA or OTP, the reconnect behavior should be tested after an update. Sophos Connect 2.5 MR1 fixes a difference in login verification between IPsec and SSL VPN for Credential users with OTP.
For general planning of Sophos Firewall MFA, Enable MFA for Sophos Firewall WebAdmin, VPN Portal and Remote Access is suitable.
SSL VPN with provisioning file does not connect
Sophos Connect 2.5 MR1 includes a fix for SSO users who were unable to connect with SSL VPN and a provisioning file when certificates contained special characters. In such cases, you should not only update the client, but also check the certificate name, profile import and provisioning file.
Internal DNS names do not work on macOS
For macOS and SSL VPN, the version should be checked particularly carefully. Sophos Connect 2.0 MR1 fixes an issue where DNS settings for SSL VPN connections were not applied, resulting in internal FQDNs not being resolved.
If DNS still doesn’t work after the update, you should check DNS servers, search domains, firewall rules and the actually imported .ovpn configuration.
Operating recommendation
Sophos Connect should be treated like other security-related client software: with version tracking, pilot group, documented rollout and support path.
These rules have proven themselves in practice:
- Define a released target version.
- Remove old installation packages from internal download folders.
- Version VPN profiles or name them clearly.
- Force redistribution after profile changes.
- Test Windows, macOS, SSO and OTP separately.
- Document known errors and target version in the helpdesk.
- Check the client status after major firewall updates.
It is important to separate the client problem and the firewall problem. Updating the Sophos Connect client does not resolve missing firewall rules, incorrect VPN pools, expired certificates, or broken return routes. That’s why the check always includes a look at the log viewer, packet capture and the affected remote access rules.
Checklist
Before the update
- Installed Sophos Connect versions recorded.
- Supported operating systems checked.
- IPsec, SSL VPN and provisioning profiles documented.
- Entra SSO, RADIUS, AD or local authentication checked.
- MFA/OTP behavior known.
- Pilot group defined.
- Fallback path documented.
During the update
- Client installed from shared source.
- Version checked after installation.
- Reimported connection if profile or SSO is affected.
- Windows and macOS tested separately.
- Reconnect and network change tested.
After the update
- DNS, internal targets and firewall rule match checked.
- Helpdesk informed about target version and known changes.
- Removed or clearly marked old profiles and installation packages.
- Anomalies documented from log viewer and user feedback.