{"id":22101,"date":"2019-05-18T12:00:00","date_gmt":"2019-05-18T11:00:00","guid":{"rendered":"https:\/\/www.avanet.com\/kb\/configure-sophos-connect-client-on-xg-firewall-sfos\/"},"modified":"2025-02-24T20:25:11","modified_gmt":"2025-02-24T19:25:11","slug":"how-to-configure-sophos-connect-client-on-sfos-firewall","status":"publish","type":"kb","link":"https:\/\/www.avanet.com\/en\/kb\/how-to-configure-sophos-connect-client-on-sfos-firewall\/","title":{"rendered":"Configure Sophos Connect Client on the Sophos Firewall (SFOS)"},"content":{"rendered":"\n<p>In this guide, we will show you how to set up the <strong>Sophos Connect Client<\/strong> for your employees as a Sophos Firewall administrator. SFOS 17.5 or newer is required.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"h-sophos-connect-client-serie\">Sophos Connect Client &#8211; Series<\/h2>\n\n<p>This article is part of a series that will give you everything you need to get started with the Sophos Connect client.<\/p>\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.avanet.com\/en\/kb\/sophos-connect-client-vs-ssl-vpn-client-what-s-the-difference\/\">Comparison: Sophos Connect Client or SSL VPN Client?<\/a><\/li>\n\n\n\n<li>Configure Sophos Connect Client on XG Firewall (SFOS)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.avanet.com\/en\/kb\/how-to-install-the-sophos-connect-client-on-windows\/\">Install Sophos Connect Client on Windows<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.avanet.com\/en\/kb\/how-to-install-the-sophos-connect-client-on-macos\/\">Install Sophos Connect Client on macOS<\/a><\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"h-vorbereitung\">Preparation<\/h2>\n\n<p>Log in to your XG Firewall as an administrator and go to <code>VPN<\/code> &gt; <code>Sophos Connect Client<\/code> from the menu. 
On this page we will now go through the settings in <strong>12 steps<\/strong> and make the necessary entries.<\/p>\n\n<p>Please also refer to the following diagram, in which the steps are marked, so that you can follow the instructions more easily:<\/p>\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"887\" data-id=\"15787\" src=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-1024x887.jpg\" alt=\"Sophos Connect Client Webadmin Configuration\" class=\"wp-image-15787\" srcset=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-1024x887.jpg 1024w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-64x55.jpg 64w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-300x260.jpg 300w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-600x520.jpg 600w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-768x665.jpg 768w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-1536x1331.jpg 1536w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration-14x12.jpg 14w, https:\/\/www.avanet.com\/assets\/sophos-sfos-sophos-connect-client-webadmin-configuration.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<\/figure>\n\n<h2 class=\"wp-block-heading\">General settings<\/h2>\n\n<h3 class=\"wp-block-heading\">1. Activate Connect Client<\/h3>\n\n<p>The first step is easy. 
Check the box to enable the Sophos Connect client.<\/p>\n\n<h3 class=\"wp-block-heading\">2. Select interface<\/h3>\n\n<p>In this step, you need to select the interface on which the traffic will arrive at the Sophos Firewall. Typically, this is a WAN interface with a public IP address. If you have multiple WAN interfaces because you have more than one Internet provider, choose either the faster one, the more reliable one, or the one with less traffic. Decide for yourself which criterion is most important to you.<\/p>\n\n<h3 class=\"wp-block-heading\">3. Authentication type<\/h3>\n\n<p>You can choose between two options here:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Distributed key<\/strong> &#8211; Define a password yourself.<\/li>\n\n\n\n<li><strong>Digital certificate<\/strong> &#8211; Select a certificate with this option.<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\">4. Define distributed key<\/h3>\n\n<p>For this tutorial, we have chosen the <strong>Distributed Key<\/strong> method, so the key must now be defined at this point. If you have selected the <strong>Digital Certificate<\/strong> method, select a certificate from your appliance here instead.<\/p>\n\n<h3 class=\"wp-block-heading\">5. Local ID (optional)<\/h3>\n\n<p>If you have multiple tunnels, you can define a local ID here so that the correct tunnel can be identified. The following options are available:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>DNS<\/li>\n\n\n\n<li>IP address<\/li>\n\n\n\n<li>Email<\/li>\n\n\n\n<li>Certificate (if you chose the certificate option in step 3)<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\">6. Remote ID (optional)<\/h3>\n\n<p>Here you can make the same selection as in step 5.<\/p>\n\n<h3 class=\"wp-block-heading\">7. 
Authorized users<\/h3>\n\n<p>If you already have users on your XG, or if you have synchronized the entire Active Directory, you can select the users\/groups that are allowed to use the Sophos Connect client here.<\/p>\n\n<h2 class=\"wp-block-heading\">Client data<\/h2>\n\n<h3 class=\"wp-block-heading\">8. Name<\/h3>\n\n<p>Define a name for this IPsec connection here. In our example we have called the connection <strong>homeoffice<\/strong>.<\/p>\n\n<h3 class=\"wp-block-heading\">9. Assign IP from<\/h3>\n\n<p>The firewall assigns an IP address via DHCP to all users who connect through the Sophos Connect client. In this step you can define the IP range to be assigned. Select a range here that is not yet used on the firewall.<\/p>\n\n<h3 class=\"wp-block-heading\">10. DNS server<\/h3>\n\n<p>VPN users often want to connect to internal servers. For this purpose, it makes sense to work with the same FQDNs as in the corporate network. Enter your internal DNS server here.<\/p>\n\n<p>If you do not have an internal DNS server or do not need this function, you can also specify an external DNS server, for example:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Cloudflare: 1.1.1.1 and 1.0.0.1<\/li>\n\n\n\n<li>Google: 8.8.8.8 and 8.8.4.4<\/li>\n\n\n\n<li>Quad9: 9.9.9.9 and 149.112.112.112<\/li>\n\n\n\n<li>OpenDNS: 208.67.222.222 and 208.67.220.220<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\">Advanced settings<\/h2>\n\n<h3 class=\"wp-block-heading\">11. Session timeout<\/h3>\n\n<p>Experience shows that users do not always disconnect a VPN connection when it is no longer needed. You can decide for yourself how you want to handle open connections here. The Sophos Connect client gives you the option to automatically disconnect when no traffic has passed through the tunnel for a certain time. 
In our example, we have configured the following:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Abort connection when tunnel is inactive<\/strong>: enabled<\/li>\n\n\n\n<li><strong>Time limit for inactive session<\/strong>: 120 seconds<\/li>\n<\/ul>\n\n<p>This means that the connection is automatically closed by Sophos Firewall if no more data traffic has been registered by the client for 2 minutes.<\/p>\n\n<h3 class=\"wp-block-heading\">12. Save<\/h3>\n\n<p>To save your settings, click on <code>\u00dcbernehmen<\/code> (Apply).<\/p>\n\n<h2 class=\"wp-block-heading\">Set up firewall rule<\/h2>\n\n<p>For the firewall to allow traffic from VPN users, a firewall rule must also be set up. To do this, use the menu to go to <code>Firewall<\/code> and click on <code>Firewall-Regel hinzuf\u00fcgen<\/code> (Add firewall rule) &gt; <code>Benutzer-\/Netzwerkregel<\/code> (User\/network rule). Take a look at the following screenshot and try to set the rules exactly the same way.<\/p>\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"663\" data-id=\"15788\" src=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-1024x663.jpg\" alt=\"Sophos Connect Client - add firewall rule for VPN\/LAN\" class=\"wp-image-15788\" srcset=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-1024x663.jpg 1024w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-64x41.jpg 64w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-300x194.jpg 300w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-600x388.jpg 600w, 
https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-768x497.jpg 768w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-1536x995.jpg 1536w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan-18x12.jpg 18w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-add-firewall-rule-lan.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<\/figure>\n\n<ul class=\"wp-block-list\">\n<li><strong>Source Zone<\/strong>: VPN<\/li>\n\n\n\n<li><strong>Destination Zone<\/strong>: LAN<\/li>\n<\/ul>\n\n<p>By default, the Sophos Connect client routes all traffic through the IPsec tunnel. This means that Internet traffic is also sent through the tunnel. To allow this on the firewall, we need to create another rule:<\/p>\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-3 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"48\" data-id=\"15789\" src=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-1024x48.jpg\" alt=\"Sophos Connect Client - add firewall rule for VPN\/WAN\" class=\"wp-image-15789\" srcset=\"https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-1024x48.jpg 1024w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-64x3.jpg 64w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-300x14.jpg 300w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-600x28.jpg 600w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-768x36.jpg 768w, 
https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-1536x72.jpg 1536w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan-18x1.jpg 18w, https:\/\/www.avanet.com\/assets\/sophos-sfos-connect-client-overview-firewall-rule-wan.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<\/figure>\n\n<ul class=\"wp-block-list\">\n<li><strong>Source Zone<\/strong>: VPN<\/li>\n\n\n\n<li><strong>Destination Zone<\/strong>: WAN<\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n<h2 class=\"wp-block-heading\">Further information<\/h2>\n\n<p>After using this guide to configure the Sophos Connect client on your XG Firewall, you may want to go ahead and download and install the Connect client for Windows or macOS next.<\/p>\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.avanet.com\/en\/kb\/how-to-install-the-sophos-connect-client-on-windows\/\">Install Sophos Connect Client on Windows<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.avanet.com\/en\/kb\/how-to-install-the-sophos-connect-client-on-macos\/\">Install Sophos Connect Client on 
macOS<\/a><\/li>\n<\/ul>\n","protected":false},"author":5,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-22101","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/22101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/5"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=22101"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=22101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}