Comparison: Sophos Connect Client or SSL VPN Client?

The Sophos SSL VPN Client has been the most popular solution for establishing a VPN connection with the Sophos Firewall. However, Sophos now offers an alternative variant with the new Sophos Connect Client. In this article you will learn the advantages and disadvantages of both clients.

Sophos Connect Client – Series

This article is part of a series that will give you everything you need to get started with the Sophos Connect client.

• Comparison: Sophos Connect Client or SSL VPN Client?
• Configure Sophos Connect Client on XG Firewall (SFOS)
• Install Sophos Connect Client on Windows
• Install Sophos Connect Client on macOS

Sophos SSL VPN Client

Advantages

• OpenVPN – The Sophos SSL VPN client is a branded OpenVPN client. This works fine with the OpenVPN server running on the Sophos firewall.
• Wide OS selection – The OpenVPN client is available for Windows, macOS, Android and iOS.
• Open standard and thus multiple clients – It is also possible to use other SSL VPN clients, such as:
  • pritunl Client – Windows, macOS, Linux (Free and Open Source)
  • Tunnelblick – macOS (Free and Open Source)
  • Viscosity – Windows, macOS (Shareware)
• Multiple setting options – With the SSL VPN client, Sophos allows you to choose a different port over which the connection should go. Likewise, you can set the encryption strength.

Disadvantages

• Software distribution – It is not possible to install the VPN Client via a software distribution because each user has its own certificate.
• Performance – Depending on the setting, the traffic runs over a TCP or UDP tunnel. But even with UDP, performance is worse than over the IPsec protocol.
• Firewall load – SSL requires more power on the Sophos Firewall, which means that not as many parallel connections can be established. Depending on the appliance, up to 6 times more connections are possible here.

Sophos Connect Client

Advantages

• Performance – IPsec offers better performance.
• Deployment – The tool can be rolled out via software distribution.
• In-house development – The tool is developed directly by Sophos and may also be distributed via Central in the future. This makes it even easier for the admin.
• Sophos Synchronized Security – With the Sophos Connect client, it is much easier to configure the security heartbeat than with the SSL VPN client.
• macOS / iOS board tools – We at Avanet love it when you can work on a system with board tools and don’t have to install an extra tool for every purpose. In macOS, the Cisco IPsec Client is integrated into the operating system. From the “Sophos User Portal” you can download the IPsec configuration ‘iOS_IPSECProfile.mobileconfig’ and install it with one click.

Disadvantages

• Client download – Currently only the admin can download the setup and config files. The user cannot do this himself via the User Portal, except for macOS and iOS. However, we assume that this will change in the future.
• Protocol Ports – For IPsec connection ports are used which are not open everywhere e.g. hotels or public hotsports.
• User authorization – Each user must be added individually in the SFOS configuration. It is not possible to enable entire ActiveDirectory groups for the Sophos Connect client.