VPN: Auto-Update SSL VPN Client
It would be nice if the SSL VPN client would automatically update itself from the UTM when the client connects and a new version is available.
Jan van Zeggelaar commented
I have created a similar "idea", but now I stumble on this one. Open since 2009!!!
I tried to report this as the bug that it is through SophServ, but it got rejected for being a feature request.
Okay, auto-update is an "idea", but the fact that the installer as distributed on the portal is so outdated that the program I use to hunt down unpatched software flags the OpenVPN client as INSECURE is a BUG. And this is what I reported.
So please, let's all report this through SophServ. Maybe someone wakes up. Because how much work can it really be: updating the installer. And keeping security related components up to date should be standard procedure. Every new release of the UTM software should have the latest OpenVPN client.
Chris Andal commented
Would love to see this functionality!! Looking at the changelog for OpenVPN, it's scary to see the configuration changes that do not get passed down to the client, simply because automatic updating is not configured.
David Struve commented
I think being able to update the SSL VPN Client without having to change the config information (with the user certificate, etc.) would be great. I turn off the "Remote Access" portion of the User Portal so they can't just install it on any computer they want to. If I could just push out a Client update and leave the config alone, then it would be very easy to fix all of my computers.
Adrien Belcourt commented
5 years to not close a security vulnerability like this. Security vulnerabilities are the top priority reason for updating software and SSL VPN client software from the UTM is *no exception* to this rule.
It is crazy to have all the tools to manage and upgrade UTM software to get rid of vulnerabilities like heartbleed but not bother with tools to manage the client software also provided from the UTM like the OpenVPN client.
Ideally I would like to see connections refused from clients with known security vulnerabilities with an email alert to the admins to say this is the case.
It would be good to see the version of the client software listed in the Remote Access page along with the connection details.
It would also be most excellent to provide a client software user with a warning + link to install up2date client software from the firewall under the user+password dialog box as many others have mentioned.
But for me the top reason to implement this is to make the UTM software more secure by implementing basic version management for *all* the software provided by the UTM - which includes the Sophos client.
Please, that would be great.
If you can do it for RED you surely can for VPN clients.
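The "refuse connections from clients with known-vulnerable versions, and tell the admin" wish above can be approximated today on the OpenVPN server side, because OpenVPN 2.x clients that use `push-peer-info` report their version as `IV_VER`, and the server exposes peer-info values to a `client-connect` script as environment variables. The following is an added example, not Sophos or UTM code; the minimum version, the script name and the policy of rejecting clients that send no `IV_VER` at all are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Minimum-version gate for an OpenVPN server's client-connect hook.

Added example, not Sophos/UTM code. Assumes the server invokes this script
via `client-connect` and that clients send peer-info (`push-peer-info`),
so IV_VER and common_name arrive as environment variables.
Exit status 0 accepts the client; a non-zero exit makes OpenVPN reject it.
"""
import os
import re
import sys
from typing import Dict, Optional, Tuple

# Hypothetical policy: the oldest client release this server still accepts.
MIN_CLIENT_VERSION = (2, 4, 0)

# Leading "major.minor[.patch]"; IV_VER may carry suffixes such as "2.5_git".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(iv_ver: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Turn an IV_VER string into a comparable (major, minor, patch) tuple.

    Returns None when the value is missing or does not start with a version.
    """
    if not iv_ver:
        return None
    m = _VERSION_RE.match(iv_ver.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def _fmt(ver: Tuple[int, int, int]) -> str:
    return ".".join(str(n) for n in ver)


def evaluate_client(env: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether to accept the client described by an environment mapping.

    Returns (accept, reason). A missing or unparseable IV_VER is treated as
    too old: clients that predate peer-info do not send it at all, which is
    exactly the population a version gate is meant to catch.
    """
    cn = env.get("common_name", "<unknown>")
    ver = parse_version(env.get("IV_VER"))
    if ver is None:
        return False, f"{cn}: no usable IV_VER (client too old or peer-info not pushed)"
    if ver < MIN_CLIENT_VERSION:
        return False, f"{cn}: client {_fmt(ver)} below minimum {_fmt(MIN_CLIENT_VERSION)}"
    return True, f"{cn}: client {_fmt(ver)} accepted"


if __name__ == "__main__":
    accept, reason = evaluate_client(dict(os.environ))
    # stderr ends up in the OpenVPN server log, where a log-alert rule can
    # turn rejections into the admin e-mail the comment above asks for.
    print(reason, file=sys.stderr)
    sys.exit(0 if accept else 1)
```

Wire it in with `client-connect /path/to/minversion.py` (plus the matching `script-security` level) in the server configuration, and have the clients' profiles include `push-peer-info`. The gate enforces a minimum OpenVPN core version only; it cannot tell whether the bundled GUI or TAP driver is current, so it complements rather than replaces shipping an updated installer.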
Rolf Müller commented
Ohhh yes!! Deploying and updating the SSL-VPN Client is really a mess in a larger environment.
I would suggest the following procedure.
There should be a place where admins can download a .msi installer in WebAdmin. This can be used to publish the install via SCCM, WSUS or whatever. There should be an option so that the install will flag the config dir as writable by the user. So finally the user can add his config from the user portal.
The update within the application is also a nice idea, but usually has a problem with users not being local admins.
After some UTM patches, the SSL-VPN client must be reloaded / upgraded. In this case, the user must be informed that the (old) already installed client needs to be updated with a choice button like: "Update now". Thank you.
Yes, it will be very useful, anyway better than a green traffic light which doesn't work after a UTM patch (by approx. 300 coworkers!)
The SSL VPN client update could come from the cloud. But it would ensure that the client is at the version it should be for the Sophos UTM version. Or just updated to the latest.
Scott Klassen commented
It would be nice if it could work like the Cisco AnyConnect client. It will automatically update the client if a newer version is available on the "server" (Cisco ASA in the case of this example). This upgrade process provides notification to the user, but happens without user interaction. The user needs no administrative privileges for this to happen, as the install is run by the AnyConnect service (as LocalSystem). This last part is very important for business usage. Users running as admin is sssoooo 2002.
Kyle Stewart commented
I think notifying them to update their client would be awesome.
Hi Thorsten, can you provide a bit more information about what you are after here? Simply letting the end-user know they should update to the latest client offering of the ASG?