Sophos Connect VPN Client AD Group Sync

Sophos finally listened to their customers and release a tool to overcome the limitations of group support with their Sophos Connect VPN client.

what’s the deal?

currently, with V18.0 GA and all previous versions, it is not possible to permit Sophos Connect VPN Access by a group. As you can see here:

This is a major issue because it requires administrator intervention on the firewall if new users are created within the AD. 

 

Group supported was requested by customers and partner since the very first release of the sophos connect client.

But for some reason, it is not possible for sophos to add this features because

Quote Sophos PM:

„it would require a lot of recoding of the way user authentication is handled internally“

 

At least they now released a non-supported tool which you can download from their community forum

Reply to Sophos Connect: Syncing AD User Groups

Instructions: community.sophos.com/…/VPNSync-Usage-guide.pdf 

VPN sync utility:  community.sophos.com/…/vpnsync.zip

 

which leverages rest API to sync users from an AD Group and permit them to use Sophos Connect VPN.

 

So how does it work:

Warning: If your users are using SSLVPN, make sure you read to the end, since this tutorial will delete your users X509 certificates. 

 

 

Activate RestAP and add IP of RestClient, running the vpnsync.exe

 

Create a Access Profile which restricts the RestAPI User to only Add Users (optionally, but highly recommended)

 

Now create a RestAPI User and make sure you set the profile to the previously created RestAPI Profile

 

Make sure the client running vpnsync.exe is able to access the https://ip:4444 by allowing https from the Zone the client is connected. 

 

Optionally create an exception if the client is coming from a zone which should not have access to the webadmin Port

 

 

Now downlaod and extract the vpnsync.zip file on you windows machine. There is no installation required. In my case i’ll use the domain controller for the sake of simplicity, but since the tool will connect to the AD via LDAP  (LDAPS currently not supported) you can basically use any machine in your environment, as long as it is able to connect to the AD.

 

First create a copy of vpnsync – default.yml and name it „vpnsync.yml


This step is important, as the name of the config file is hardcoded in the vpnsync.exe

 

Now modify the vpnsync.yml to match the settings of your environment

 

1) RestAPI User Credentials which you created on the XG Firewall

2) URL of you XG Firewall, just edit IP Address and leave the rest as is

3) Remove # from either 1500.1 (Pre V18) or 1800.1 (Post V18)

4) IP of your Active Directory Server

5) Account for LDAP Queries. Note: Admin Privileges are not required, a simple Service account is fine

6) LDAP Bind of your AD. in my case its selution.demo which translates to –> DC=selution, DC=demo

 

Now for step 7 you need to match the Security Group which you want to use for Sophos Connect VPN Access. It’s not possible to Link an Organisation Unit (OU) and also the tool does not support nested groups (group in a group) 

 

In my case i’m going to use a newly created group

 

The easiest way to find out LDAP Strings of a given group is to use the ADSI Editor:

 

Now before you go ahead an test, make sure Sophos Connect VPN is enabled on the firewall

 

 

Now you are ready to Test. 

 

Since to Group is still empty i’m going to add two testusers to the gorup:

 

 

Please note that 

vpnsync_1 does already exist on the firewall

vpnsync_2 does not exist

 

Now run the script:

 

 

if you see this output, chances are good it worked.  

 

Refresh the user page on the XG:

 

Unfortunately the tool only permitted the newly created user „vpnsync_2“ and did not modify existing user „vpnsync_1“

 

You can see this in the vpnsync.log

If <CISCO>Disabled</CISCO>   means that Sophos Connect was not permitted.

 

 

The only way to overcome this is to delete the users first and then rerun the script again.

 

To automate VPN Sync Guides mentioned to use Windows Task Scheduler. Which looks pretty straight forward. 

Scheduling

This script does not install and auto-start, or run as a service. It must be scheduled using an application such as the windows task scheduler. When using the windows task scheduler, it is recommended to keep the recurrence to the minimum amount necessary (Daily is recommended). If a large number of users are created at one time, it may put unexpected load on your firewall. Task Scheduler will ask you to supply a user account to run the task. A privileged user is not needed, only a domain account with permission to list users is needed. It is recommended to create an account specifically for this task, and to set the permissions of any folders that vpnsync.yml files are located in to be accessible by only select users, including the user created to execute the commands, as the yml files will contain username and password information, for both the firewall and your AD environment.

How to schedule using Task Scheduler:

  • On the server you’ve chosen to run the script, click Start, then begin typing Task Scheduler. When you see the Task Scheduler application presented, launch it

  • Click on the Task Scheduler Library

  • Click Create Task

  • On the General tab, click Change User or Group, and select the user created for this task

  • Select Run whether user is logged in or not

  • On the Triggers tab, add a new trigger

  • Set the schedule to Daily

  • Set the desired start time

  • Optionally, for more frequent updates, select Repeat task every and choose a more frequent

    time interval

  • Click OK to save the trigger

  • On the Actions tab, add a new Action

  • Select Start a program, then in the program/script field, browse for the location of vpnsync.exe

  • If you are syncing multiple groups with multiple yml config files, enter the path of the first one in

    the Start in field

  • Click OK to save the Action

  • Click OK to save the task

  • Select the task in the list, and select Run, to test that the task is functioning correctly, and view

    the vpnsync.log file in the same folder as the vpnsync.yml file.

 

With this method, it should also be possible to run multiple instances of this tool, in case you need to sync more than one group.

 

Limitations:

Vpnsync does not support nested user groups. Only direct members of the chosen AD group will be synchronized.
• Users removed from the AD group will not be removed from Sophos Connect access rights on XG, though disabled or deleted AD users will no longer be able to connect
• Only one group may be specified in the vpnconfig.yml file
• The filename vpnconfig.yml is hardcoded, and cannot be named differently
• The vpnconfig.yml file is expected to reside in the present working directory, when vpnsync.exe
is executed
• Synchronizing multiple groups is possible, but requires separate vpnconfig.yml files to be located in separate directories, and when executed, that the working directory for vpnconfig.exe be set to the location of the selected config file.
• Vpnsync does not come with any support or warranty. It is provided as-is, and free of charge. If you require support in using this utility, it is recommended that you consult with other Sophos users on the Sophos Community Forums.

 

 

 

Conclusion:

Let’s be honest. It’s a bit of a nasty workaround and only provides you the minimum to overcome the group limitation. It requires you to delete all existing users, which is a major issue if you already rolled out SSLVPN, since deleting a user also deletes its x509 certificated. 

Also the lack of LDAPS Support could be a problem in the future since microsoft is going to remove LDAP by mid-2020

 

It would have been cool if you can update existing users, without deleting them. 

 

Technically this is possible since there is a „update“ function provided by the API:

 

Samuel Heinrich
Senior Network Engineer at Selution AG (Switzerland)
Arbeitet in Raum Basel (Switzerland) als Senior Network Engineer mit über 10 Jahren Erfahrung im Bereich Netzwerk und Telekommunikation.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.