Sophos Connect or SSL VPN: Which remote access solution is right?
Sophos Firewall offers multiple paths for remote access. In older environments you often still find the classic SSL VPN client or old IPsec profiles. In current SFOS versions, Sophos Connect is the central client for many remote access scenarios, but the fit varies depending on the platform, protocol and operating model.
This decision guide shows when Sophos Connect with IPsec, Sophos Connect with SSL VPN, an OpenVPN-compatible client or ZTNA makes sense. For environments with SFOS 22.0 MR1 it is also important: Legacy Remote Access IPsec must no longer be left as a legacy. The migration is described in the article Migrate legacy remote access IPsec before SFOS 22 MR1.
Which VPN article fits?
Remote Access and Site-to-Site VPN are configured in different places in Sophos Firewall. The first thing that is important for admins is whether it concerns user access, site networking, client operation, identity or troubleshooting.
- Plan remote access for users: this article.
- Configure Sophos Connect on the firewall: Configure Sophos Connect Client on the Sophos Firewall.
- Set up SSL VPN for remote access: Set up Sophos Firewall SSL VPN Remote Access.
- Set up an SSL VPN client on Windows or macOS: Windows or macOS.
- Set up SSL VPN on iPhone, iPad or Android: iPhone and iPad or Android.
- Build site-to-site IPsec between sites: Set up Sophos Firewall Site-to-Site IPsec VPN.
- IPsec tunnel is connected but traffic is not working: Sophos Firewall IPsec VPN Troubleshooting.
- VPN is connected, but large transfers hang: Check Sophos Firewall MTU and MSS for VPN problems.
- Use Microsoft Entra ID SSO or Conditional Access: Set up Microsoft Entra ID SSO for Sophos Connect and VPN Portal.
- Remove Legacy Remote Access IPsec before SFOS 22 MR1: Migrate legacy remote access IPsec before SFOS 22 MR1.
- Maintain Sophos Connect client versions and profiles: Check and safely update Sophos Connect Client version.
This separation prevents many wrong decisions. A green VPN status does not prove that access is working, a client update does not replace a firewall rule, and a remote access problem is not automatically an IPsec problem.
Short decision-making aid
- Windows clients with central distribution: Sophos Connect with IPsec or SSL VPN.
- macOS clients from Sophos Connect 2.0: Sophos Connect with IPsec or SSL VPN, depending on firewall configuration.
- Windows ARM: Sophos Connect from version 2.5.
- iOS, iPadOS, Android or other mobile platforms: OpenVPN-compatible client or operating system on-board resources, depending on the protocol.
- Foreign networks with blocked IPsec: Check SSL VPN or ZTNA.
- Access only to individual applications: Check ZTNA or Clientless Access.
- Legacy Remote Access IPsec before SFOS 22 MR1: migrate and remove.
The table is deliberately simplified. In practice, it is not just the client that decides, but also the authentication model, MFA, the users' network environment, the required internal targets, and how profiles are distributed and updated.
Platform and profile boundaries
Before making a decision, you shouldn’t just ask “IPsec or SSL VPN”. Equally important is whether the desired platform supports the appropriate profile type and desired distribution.
- Windows 10/11 64-bit: Sophos Connect IPsec: yes; Sophos Connect SSL VPN: yes; Provisioning file: yes.
- Windows ARM: Sophos Connect IPsec: from Sophos Connect 2.5; Sophos Connect SSL VPN: from Sophos Connect 2.5; Provisioning file: from Sophos Connect 2.5.
- macOS Intel: Sophos Connect IPsec: yes; Sophos Connect SSL VPN: from Sophos Connect 2.0; Provisioning file: no.
- macOS Apple Silicon: Sophos Connect IPsec: yes, via Rosetta 2; Sophos Connect SSL VPN: from Sophos Connect 2.0, via Rosetta 2; Provisioning file: no.
- iOS, iPadOS, Android: Sophos Connect IPsec: not with Sophos Connect; Sophos Connect SSL VPN: not with Sophos Connect; Provisioning file: not with Sophos Connect.
- Old 32-bit Windows clients: Only older Sophos Connect versions up to 2.4 still support 32-bit Windows. Current deployments should plan with 64-bit Windows.
For macOS, this practically means: Sophos Connect can now use SSL VPN, but not with the same provisioning logic as Windows. Profiles must be deliberately imported and re-provisioned after relevant changes. For mobile platforms, Sophos Connect is still not the direct client; depending on the protocol, OpenVPN-compatible apps or operating system functions are required.
Sophos Connect with IPsec
Sophos Connect with IPsec is often the first choice when classic client VPNs are needed for Windows or macOS devices. IPsec is usually high-performance and is well suited for managed company clients where profiles can be distributed in a controlled manner.
Advantages:
- good performance in many environments
- suitable for managed Windows and macOS clients
- central firewall rules possible via the VPN zone
- clear separation of remote access and site-to-site VPN
- useful if Sophos Connect is used as the standard client anyway
Limits:
- IPsec can be blocked in hotels, guest networks, mobile networks or strictly filtered third-party networks.
- Profiles and user assignments must be maintained properly.
- After changes to pools, DNS or target networks, clients must be retested.
- Legacy Remote Access IPsec should not be confused with the current Remote Access IPsec configuration.
For setting it up on the firewall, Configure Sophos Connect Client on the Sophos Firewall is the appropriate connection article.
Sophos Connect with SSL VPN
Sophos Connect can also use SSL VPN connections. This has been relevant on Windows for a long time, and since Sophos Connect 2.0, Sophos has also supported SSL VPN on macOS. This is particularly important because older Avanet and Sophos Connect instructions partly date back to a time when macOS with Sophos Connect could only do IPsec.
Advantages:
- often better usable in restrictive third-party networks than IPsec
- Windows and macOS are supported with current Sophos Connect versions
- OpenVPN technology is easy to understand in operation
- makes sense if existing SSL VPN processes are already established
Limits:
- Performance and scaling depend more on appliance, protocol, encryption and load.
- User profiles and certificates must be managed properly.
- Old SSL VPN clients and old OpenVPN versions should not be used without checking.
- Mobile devices still typically use other OpenVPN-compatible clients.
The firewall-side configuration is in Set up Sophos Firewall SSL VPN Remote Access. For Windows there is the step-by-step guide Set up Sophos SSL VPN with Sophos Connect on Windows. For macOS, you should check the current Sophos Connect version for new installations because platform support changed in 2026. The relevant operating article is Check and safely update Sophos Connect Client version.
OpenVPN clients and mobile platforms
Sophos Connect does not directly support all platforms. Mobile platforms such as iOS and Android are not directly covered by Sophos Connect for IPsec and SSL VPN. In such cases, depending on the protocol, the operating system’s on-board resources or OpenVPN-compatible clients are used.
This is not a disadvantage if the process is clearly documented. It only becomes problematic when users use different apps, old profiles and unclear instructions. The following should therefore be clearly defined for mobile devices:
- which protocol is used
- which app is supported
- where the configuration file comes from
- how MFA or certificates work
- who supports device changes
Specific instructions are available for Sophos SSL VPN with Sophos Connect on Windows, Sophos SSL VPN with Sophos Connect on macOS, Sophos SSL VPN on iPhone and iPad and Sophos SSL VPN on Android.
Profile distribution and updates
Remote access problems often arise not from the selected tunnel type, but from old profiles. If the gateway, certificate, DNS, user group, IP pool, portal or provisioning file are changed, you should actively clean up the profile inventory.
Practical rules:
- Track Sophos Connect versions centrally.
- Do not distribute .scx, .tgb, .ovpn and .pro files in parallel in an uncontrolled manner.
- With .pro provisioning, the client receives the configuration automatically, but the actual SSL VPN gateways still come from the imported SSL VPN configuration and may differ from the portal address.
- For SSL VPN, check whether users can download new configurations through Update policy in the User Portal or whether the profile must be redistributed manually.
- Deliberately distinguish the file types: .scx is typically used for Sophos Connect IPsec profiles, .tgb for IPsec profiles for certain third-party or mobile clients, .ovpn for SSL VPN configurations, and .pro for Windows provisioning.
- Keep profile names unique, especially for multiple locations.
- Schedule a new import after changes to SSL VPN or IPsec.
- Test Windows, macOS and mobile clients separately.
- Remove old profiles when leaving, changing devices or migrating.
A re-import is not only relevant after firewall changes. Client updates can also change behaviour, for example when saved credentials, profile options or new client features only work correctly after the configuration has been imported again. Therefore, Update policy, re-import and helpdesk communication should be tested before larger rollouts.
The operational process for client updates is in Check and safely update Sophos Connect Client version.
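As an added example (not from the original article and not a Sophos tool), a small Python audit over a constructed profile inventory that applies the rules above: it classifies files by type, flags parallel distribution per location, flags duplicate profile names across locations, and reads the `remote` gateway lines of .ovpn configurations to show where they differ from the portal address. Location names, hostnames and file contents are constructed sample data.

```python
import os
import re
from collections import Counter, defaultdict
# Profile types the article distinguishes (.scx/.tgb IPsec, .ovpn SSL VPN, .pro provisioning).
KNOWN_TYPES = {".scx", ".tgb", ".ovpn", ".pro"}

def ovpn_remotes(text):
    """Return (host, port) tuples from the 'remote <host> [port]' lines of an .ovpn file."""
    remotes = []
    for line in text.splitlines():
        m = re.match(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", line)
        if m:
            remotes.append((m.group(1), int(m.group(2) or 1194)))  # 1194 = OpenVPN default port
    return remotes

def audit_profiles(files, portal_host):
    """files: (location, filename, content) tuples of the distributed inventory; returns findings."""
    findings = []
    types_per_location, name_count = defaultdict(set), Counter()
    for location, filename, content in files:
        base, ext = os.path.splitext(filename.lower())
        if ext not in KNOWN_TYPES:
            findings.append(f"{location}/{filename}: not a known profile type, remove or document it")
            continue
        types_per_location[location].add(ext)
        name_count[base] += 1
        if ext == ".ovpn":
            hosts = {host for host, _ in ovpn_remotes(content)}
            if not hosts:
                findings.append(f"{location}/{filename}: SSL VPN config has no 'remote' gateway")
            elif portal_host not in hosts:
                # The real SSL VPN gateway may differ from the portal address, so users need the imported .ovpn.
                findings.append(f"{location}/{filename}: gateway(s) {sorted(hosts)} differ from portal {portal_host}")
    for location, exts in types_per_location.items():
        if len(exts) > 1:
            findings.append(f"{location}: {sorted(exts)} distributed in parallel, confirm this is intended")
    for base, n in name_count.items():
        if n > 1:
            findings.append(f"profile name '{base}' used {n} times, keep names unique across locations")
    return findings

# Constructed sample inventory (not real customer data).
SAMPLE_FILES = [
    ("berlin", "hq-users.scx", ""),
    ("berlin", "hq-users.ovpn", "client\nproto tcp\nremote vpn.example.com 8443\n"),
    ("hamburg", "hq-users.ovpn", "client\nremote vpn-ham.example.com 8443\n"),
    ("hamburg", "win.pro", ""),
]
PORTAL_HOST = "portal.example.com"
```

Running `audit_profiles(SAMPLE_FILES, PORTAL_HOST)` on the constructed inventory yields five findings: two gateway/portal differences, two locations with mixed profile types, and one profile name reused three times.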
When ZTNA is a better fit
Not every remote access case needs a classic VPN. When users only need to access individual web applications or defined internal services, ZTNA is often the cleaner architecture. The client then does not get blanket network access, but only access to the applications it requires.
ZTNA is particularly suitable if:
- no full network accessibility is required
- external users only use individual applications
- Access should be more closely tied to identity, device and policy
- VPN rules have grown historically and become too broad
ZTNA does not replace every VPN. A classic VPN may still be necessary for admin access, many protocols, special software or complex network paths. To get started, use Sophos ZTNA Gateway Connector.
Security and Operations
Regardless of the client chosen, the operational issues remain similar. Remote access is a publicly accessible entry point into the network and should not only function technically, but also be operated cleanly.
Important points:
- Activate and test MFA for Remote Access.
- With Sophos Connect, check whether the MFA method matches the client. Challenge-based OTP methods do not work in the same way as User Portal or WebAdmin; Sophos Connect works with password-plus-OTP or call/push-based flows.
- Check user groups regularly.
- Only release required target networks and services.
- Clearly name and log firewall rules for the VPN zone.
- Remove VPN profiles when leaving or changing devices.
- Clean up old legacy configurations before SFOS 22.0 MR1.
- Use log viewer and central logs for login and connection errors.
For MFA, see Set up Sophos Firewall MFA. If connections are established but no traffic is flowing, Sophos Firewall IPsec VPN Troubleshooting and Test firewall rules with Log Viewer, Policy Test and Packet Capture can help.
If VPN Portal, User Portal or SSL VPN can be accessed from the Internet, you should also check Device Access and Local Service ACL. Remote Access is not just a client issue, but also a publicly accessible firewall service.