It is submitted that the user provide the facility of disconnect the live user himself by their User Access Portal that. Right now their are 2 facility is available in the firewall to disconnect the user (1 is by the Firewall Admin> Current Activities> Live Users> Disconnect & 2 is user login the same pc and logout himself. User needs to extra facility to disconnect himself from any PC by the User Access Portal.

It is submitted that the user provide the facility of disconnect the live user himself by their User Access Portal that. Right now their are 2 facility is available in the firewall to disconnect the user (1 is by the Firewall Admin> Current Activities> Live Users> Disconnect & 2 is user login the same pc and logout himself. User needs to extra facility to disconnect himself from any PC by the User Access Portal.

Based on case 03497881, Sophos doesn't think that having the surfing quota tied to the SSL VPN function is a bug even when SSL VPN is not used as the default Internet gateway. This should be changed so customers do not need to create separate user IDs for LAN usage and for SSL VPN login.

Radius connection from Sophos XG Firewall dosn't forward the IPv4 Attribute to our MFA system (test with other firewalls vendos do that)

We are using the RADIUS Attribute CALLING-STATION-ID (31) in our ENTRUST MFA solution.

In our setup users authendicate through RADIUS when connecting with remote VPN (Sophos Connect) - we can see the remote IP of the user in the firewall so the XG know it - but the IP not forwarded to the MFA solution

The IP is uses e.g. for risk management settings.

Sophos XG supports MAC binding for user authentication.
This is a feature used e.g. SSL VPN connections to identify devices.
Mobile devices with Android or iOS as operating system do not support sending the MAC, but instead the UUID.
Therefore I request adding this feature so we can identify corporate devices by UUID.

If you try to log in to the user portal with MFA enabled, the login form needs to display either another text box to insert the MFA code or a message stating that a MFA code needs to be appended to the password.

The current login form causes a lot of helpdesk calls because they don't realize ( or keep forgetting) that their MFA code needs to be inserted after their password.

With a SSL VPN client with MFA enabled, the login form needs to display either another text box to insert the MFA code or a message stating that a MFA code needs to be appended to the password.
The current login form is rather crude and causes a lot of helpdesk calls because they don't realize ( or keep forgetting) that their MFA code needs to be inserted after their password.
An upgraded form with logo that looks more professional would be my preference please.

We need to change default user password at first login and expiry policy or other easy way to change user password by themsalves.

Even if LDAP server authentication is configured, Sophos Connect users have to login to User Portal one time before connect thru VPN.
Connect's Users must be can connect without doing login to user portal before.

Regards

We are seeing issues with NTLM/Kerberos authentication where the device name is authenticating with Sophos XG vs the user. It seems to be that some Microsoft services are causing this and it is causing blocked web access.

Ideally, it would be nice to see an option made available where you can filter out or prevent Sophos from Authenticating computer objects/devices in AD, and only to authenticate user objects.

Allow Public Key authenication method for XG SSL VPN clients. It would also be a bonus if keypairs could be generated within the GUI rahter than CLI.

Hello Team,

We have a customer here requesting to have much more user friendly two factor authentication for Sophos Connect 2.0. The current 2FA on XG like appending a 6-digit code to a password to gain access is not user friendly. Requesting if possible for sophos XG to support a third party 2FA that is much more easy to use and no need to enter the token or one time password.

For your assistance please.

Thank You

Administrators should be able to require users passwords to meet certain password criteria/complexity, Character length, Case, numeric, special characters.

Hello Team,

We have customer requesting here to implement Multi factor authentication to be integrated on active directory as they will be needing different level of security between their SSL VPN users. For your assistance please.

Thank You

Please Provide the MAC Address also in Current Activities>Live Users

Let the Radius Server supply a Groupname for different Firewall Rules

XG already has 802.1x for AP authentications, but it can't be used as a client. Many ISP's (specifically AT&T) use 802.1x client on their supplied CPE with priority vlan 0 tagging to authenticate.
UTM can replace the vendor-supplied CPE by adding a wpa_supplicant, but you don't have the kernel-level control on XG as you do on UTM. Sophos would have to add this feature to XG.

I have XG330 box, user accounts available in google admin mail domain, I want to use the gmail accounts for authentication purpose. How can I add the Server Authentication to google domain?