SSL VPN client for mass deployment
We need a way to deploy the SSL VPN on mass without logging into the user portal. A standard MSI would be ideal which could be deployed by any ESD or as part of an image.
Workaround is use STAT and VPN Connect. You then have to add users to the allowed list. Have to wait for sometime to populate the user list.
Sophos, please add functionality to download user config as in UTM models at least.
As posted on other suggestion. Reasoning for having client certificates is that shared certificate is consider insecure by OpenVPN. How on earth makes grating administrator access to local computers thins any more secure as that is what is needed with current SSL VPN implementation.
No one runs around asking 100's of users to log in to user portal download client and then enter administrator credentials to install the software.
XG is far from enterprise ready. I understand you can do it for 20 users or so with a 100eur firewall. But when you pay 30 000 eur for FW and licenses and still having to do this is a big joke.
This is a pretty big deal. I wish I knew about this limitation before purchasing.
Daniel Bowne commented
Get it together Sohos. This is unacceptable for smb no less Enterprise.
Jeff D commented
Just ran into this problem last week when trying to migrate from UTM to XG. If could just import our certs, we could swap over easily. Users will not required to log into the user portal to re-download a new config file.
Now we have to wait for a downtime so I can run around updating all remote devices.
I am new to XG and suprised by this.
Not Enterprise ready:
• Per user installation only
o i.e. individualized packages per client installation
o Stores configuration information in “Program Files (x86)”
User has no access to change install configuration data
Tied to machine
• User configuration stored where it cannot move/float
• If user changes to a different machine, reinstall is required
o Our current user base is ~400 for VPN clients
Users do not have requisite permissions to install software
~400 different packages would need to be generated and pushed.
Huge administrative overhead
• Other clients (L2TP/PPTP)
o Do not support split tunneling
o Do not support pushing routes
o Other deployment issues
o Will support requirements
o Additional cost, i.e. it must be licensed from Cisco to be able to use
o XG supports AnyConnect, but they have no client. (?!?)
Have not tested capabilities
• Supposedly there is an IPSEC client that is being worked on, but there is to ETA
This is _NOT_ what I would call an Enterprise or even a SMB level device/system.
To help, if installation was split (system level package for tun/tap) and user configuration that would download into user data directories, would go a long way to help mitigate the issues. Such is not the case. Even if you look at the open source version of OpenVPN for windows, it installs configuration data in userland
+1 for this. Unique per user installation packages are inefficient and disappointing.
This is the show-stopper! Wo do not buy Sophos!
Any ETR for this. This is a basic requirement for corporates.
This is needed for any enterprise level solution.
Martin Damgaard commented
Martin Damgaard commented
This is indeed very much needed. Now i have to keep my VPN users on the old Cisco ASA with Cisco VPN Client, simply because i cannot roll out a new VPN client for all mobile users!
I even looked into moving the Cisco VPN client users onto the XG by using the Cisco VPN Client option on the XG appliance - but unfortunately it is not possible to immitate the ASA box preshared key and Group membership settings on the XG box.
So for now, we have to keep the ASA box running, for our VPN clients.
Please make it possible to deploy a single VPN client installation to multiple users! Or at least give proper information on how to do this with third party VPN client software - i don't care if it will cost me Money - if i can just do it somehow!