Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=remote-access-VPN-clients-configurations

Automatic provisioning, configuration files, and clients

You can use the provisioning file for IPsec and SSL VPN connections with Sophos Connect client. Alternatively, you can use the individual configuration files.

Provisioning file

The provisioning file automatically imports the configuration files for remote access IPsec (.scx) and SSL VPN configuration (.ovpn) files into the Sophos Connect client. It also automatically imports any configuration changes you make later. Configure this file in a text editor and save it with a .pro extension. You then share it with users.

When users double-click the provisioning file, it automatically imports the .ovpn files corresponding to the user. See Configure the provisioning file.

Configuration files

These files are created when you configure the IPsec remote access connection and the SSL VPN remote access settings and policies.

IPsec: Go to Remote access VPN > IPsec and click Export connection to download the files. You must share one of the following configuration files manually with users:

  • .scx file: You can only use this file with the Sophos Connect client. It contains advanced settings in addition to the other settings. You configure all the settings on the web admin console. We recommend that you use this file.

    If you update any of the advanced settings, send the updated .scx configuration file to users for import into the Sophos Connect client.

  • .tgb file: You can use this file with third-party clients. It doesn't contain the advanced settings you configure.

  • iOS users can download the configuration file directly from the user portal (VPN > VPN configuration under IPsec VPN profile).

SSL VPN: It uses the .ovpn configuration file. On the user portal, users can download the file from VPN > VPN configuration under SSL VPN configuration.

Clients and configurations

The clients you can use depends on the connection type and the endpoint device. See the client, provisioning file, and configuration file details in the following table:

Type of remote access VPN Client Provisioning and configuration files
IPsec Sophos Connect client.

For mobile platforms, you can use the OpenVPN Connect client.

Users download the client from the user portal.

 You can share one of the following files with users:

.pro (recommended): Share the provisioning file with users. It automatically imports the configuration file to the client.

You can use the provisioning file for remote access IPsec VPNs. Additionally, users must install the Sophos Connect client 2.1 or later.

.scx: Use this configuration file rather than the .tgb file for advanced security settings. You must share it with users.

.tgb

iOS users must download the configuration file from the user portal.
IPsec (legacy) Third-party clients .tgb: Share the file with users.
SSL VPN Sophos Connect client You can use one of the following methods:

.pro (recommended): Share the provisioning file with users. It imports the .ovpn file to the client.

.ovpn: Users download the file from the user portal.
SSL VPN For macOS and mobile platforms, you can use the OpenVPN Connect client. .ovpn: Users download the file from the user portal.