Sophos Connect Migration script from UTM SSLVPN

14/07/2021 2 Comments

Sophos, Sophos Firewall, Sophos UTM

Hi all,

This is a very early beta of a script that does the following:

– Takes a backup of the old ovpn config from SG UTM SSLVPN

– Removes old SG UTM client

– Installs Sophos Connect

– Imports the old config into Sophos Connect so user can still connect to UTM

– Installs a provisioning file for the coming Sophos Firewall, so migration should be easier 🙂

Have testet it all, it works so far good, but do not implement in production before thoroughly tested 🙂

Batch script:

@echo off

IF NOT EXIST “c:\Program Files (x86)\Sophos\Sophos SSL VPN Client\uninstall.exe” goto :eof
REM Remove the old client
REM Kill running programs, preventing uninstall
taskkill /im openvpn* /F
timeout 2
REM Backup the OVPN config file
rem rmdir “c:\!vpn” /s /q
mkdir c:\!vpn
copy “c:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\*.ovpn” c:\!vpn\
REM Use uninstaller to remove the client
cd\Program Files (x86)\Sophos\Sophos SSL VPN Client
Uninstall.exe /S
timeout 10
REM Do folder cleanup – if not, Sophos Connect refuse to install
cd\
rmdir “c:\Program Files (x86)\Sophos\Sophos SSL VPN Client” /s /q

SET Sophos_Connect=Sophos\Connect\scvpn
IF “%PROCESSOR_ARCHITECTURE%” == “x86” GOTO X86_PROG
IF NOT EXIST “%ProgramFiles(x86)%\%Sophos_Connect%” GOTO INSTALL
exit /b 0
:X86_PROG
IF NOT EXIST “%ProgramFiles%\%Sophos_Connect%” GOTO INSTALL
exit /b 0
:INSTALL
msiexec.exe /i “\\server\share\SophosConnect.msi” /QN
timeout 5
REM Deploying SSLVPN provisioning file – user must connect once with the client to fetch their profile when SF is in place.
REM Userportal on SF must be accessible and with a valid certificate!
copy /Y “\\server\share\xgsslvpn.pro” “C:\Program Files (x86)\Sophos\Connect\Import\”
REM Deploying old SSLVPN for UTM
copy /Y “c:\!vpn\*.ovpn” “C:\Program Files (x86)\Sophos\Connect\Import\”
Popd
REM Start Gui – tray icon.
start “” “C:\Program Files (x86)\Sophos\Connect\GUI\scgui.exe”

:eof

END && EXIT

Sample Provisioning file:

 

[
{
“gateway”: “fw01.domain.dk”,
“user_portal_port”: 4445,
“otp”: false,
“auto_connect_host”: “”,
“can_save_credentials”: true,
“check_remote_availability”: false,
“run_logon_script”: false
}
]

Hope you can use this to get moving with Sophos Firewall and SSLVPN 🙂

Related Posts

2 Comments

  1. Chris

    Thanks for the script, but I can see this being an issue if they aren’t already on the network to pull the new provisioning file.

    Reply
    1. Martin (Post author)

      You need to allow access from the WAN for the UserPortal during the migration period 🙂

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close