Client downloads

Use these settings to download the clients and components that support single sign-on, transparent authentication, and email encryption.

You can use transparent clientless authentication through STAS and SATC or authentication through the clients installed on users' endpoints.

Single sign-on

Sophos Transparent Authentication Suite (STAS): Enables transparent authentication in which users authenticate with their Windows credentials and need to sign in only once to access network resources. It doesn't require a client on the user’s machine.

Sophos Authentication for Thin Client (SATC): Enables transparent authentication for users in Citrix or Terminal Services environments, in which users authenticate with their network credentials and need to sign in only once. It doesn't require a client on the user’s machine. SATC supports only TCP connections, not UDP connections.

Authentication client and server CA with Windows Installer

If you use Windows Installer, users must install the following client authentication agent and server CA on their computers. You can download these files and share them with users. Alternatively, users can download these from the user portal and install them on their endpoints.

The authentication client uses the server CA to establish a TLS connection with the firewall for user authentication. It communicates through IP address 1.2.3.4 and port 9922. When users sign in to the client, they're signed directly into the network through the firewall.

Download MSI: Download and share the MSI authentication client (client authentication agent) with users.

Download CA for MSI: Download the CA certificate and share it with users.

Note

If you reset the firewall to factory configuration, it reconfigures the CA certificate. Users must reinstall the CA certificate.

Authentication clients and server CAs for computers

Download and install one of the following on users' computers based on the operating system. The downloaded file contains the authentication client and the authentication server CA. The authentication client uses the CA to establish a TLS connection with the firewall for user authentication. The client communicates through IP address 1.2.3.4 and port 9922. When users sign in to the client, they're signed directly into the network through the firewall.

  • Download for Windows
  • Download for MAC OS X
  • Download for Linux (32 bit)
  • Download for Linux (64 bit)

Note

If you reset the firewall to factory configuration, it reconfigures the CA certificate. Users must download and reinstall the client and server CA.

The client authentication agent supports the following operating systems:

  • Windows 10 and later
  • Linux: Ubuntu 16.4 and later
  • macOS Catalina (10.15) and later
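
The factory-reset note above follows from how the client validates the firewall: assuming standard X.509 chain validation, a client only accepts a certificate that chains to the CA it has installed. The script below is an added example, not Sophos code; it uses constructed certificates and hypothetical names (ca_before_reset, ca_after_reset, firewall.example) to show the previously installed CA failing verification once the firewall has regenerated its CA.

```shell
# Constructed certificates only; every name here is hypothetical.

# Minimal OpenSSL config so each generated CA carries basicConstraints CA:TRUE.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

# make_ca DIR NAME: self-signed CA standing in for the authentication server CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server_cert DIR CA_NAME: firewall-side certificate signed by that CA.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=firewall.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# ca_trusts_server CA_FILE CERT: succeeds only if CERT chains to CA_FILE.
ca_trusts_server() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CA_FILE: SHA-256 fingerprint, for comparing distributed copies.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

work=$(mktemp -d)
write_cnf "$work"
make_ca "$work" ca_before_reset            # CA that users installed earlier
make_ca "$work" ca_after_reset             # CA regenerated by the factory reset
issue_server_cert "$work" ca_after_reset   # firewall now presents this chain
for ca in ca_before_reset ca_after_reset; do
    ca_trusts_server "$work/$ca.pem" "$work/server.pem" && r="verifies" || r="fails, reinstall the current CA"
    echo "$ca ($(ca_fingerprint "$work/$ca.pem")): $r"
done
```

Comparing the fingerprint of the CA file held on an endpoint with the one downloaded from the firewall shows whether that endpoint still needs the reinstall.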

Authentication server CA for Android and iOS devices

Sophos Network Agent is an authentication client. It enables the firewall to authenticate local network users on mobile devices running Android and iOS.

Warning

Sophos Network Agent reached End of Life (EOL) on September 1, 2023.

To set up strict authentication for unauthenticated users, select Use web authentication for unknown users in the firewall rule.

Additionally, go to Authentication > Web authentication. Under Authorize unauthenticated users for web access, select Show captive portal link. The captive portal page requires unauthenticated users to sign in.

Users must first download Sophos Network Agent from the Play Store or the App Store depending on their device. They must then import the authentication server CA into the client to establish a TLS connection with the firewall for user authentication. The client communicates through IP address 1.2.3.4 and port 9922. When users sign in to the client, they're signed directly into the network through the firewall.

Download certificate for iOS 12 and earlier and Android client: Users with Android or iOS 12 and earlier devices must install this authentication server CA certificate on their mobile devices. You can download this CA and share it with users. Alternatively, users can download it from the user portal. For more information, see Use Sophos Network Agent for iOS 12 and Android devices.

Install client certificate in iOS 13 and later: This installer contains the authentication server CA certificate for iOS 13 and later devices. You can't download it and share it with users. The following steps are needed:

  1. Install the signing CA on users' devices. To import the authentication server CA for user authentication, Sophos Network Agent establishes a TLS connection with the firewall. To establish this connection, the client needs the signing CA certificate installed on the mobile device.

    If you're using a public CA for the firewall, iOS 13 and later devices allow the client to import the authentication server CA directly, and you can skip this step.

    However, if you're using a locally signed certificate for the firewall, you must set the certificate as the firewall certificate and share the signing CA (Default CA) with users. For more information about how to do this, see Use Sophos Network Agent for iOS 13 devices.

  2. Users must import the authentication server CA for authentication. To enable the firewall to authenticate users, the Sophos Network Agent needs the authentication server CA installed. For iOS 13 and later devices, Sophos Network Agent directly imports this CA certificate through the user portal. So, users must download the CA directly to their mobile device from the user portal.

Note

If you reset the firewall to factory configuration, it reconfigures the CA certificate. Users must reinstall the CA certificates.

The client authentication agent supports the following operating systems:

  • iOS 8.0 and later
  • Android 4.1 and later

SPX Add-In

The SPX add-in allows users to encrypt outgoing messages using Sophos Email Protection directly from Microsoft Outlook.

For an interactive installation, run setup.exe.

For an unattended installation, run the installer as follows:

msiexec /qr /i SophosOutlookAddInSetupUTM.msi T=1 EC=3 C=1 I=1

Unattended installations require the following:

  • Windows XP, Windows Vista, Windows 7, or Windows 8 (both 32 and 64-bit)
  • Microsoft Outlook 2007 SP3, 2010 or 2013 (both 32 and 64-bit)
  • Microsoft .NET Framework 4 Client Profile
  • Microsoft Visual Studio 2010 Tools for Office Runtime 4.0
