
I suggest you ...

VPN: Auto-Update SSL VPN Client

It would be nice if the SSL VPN client would automatically update itself from the UTM when the client connects and a new version is available.

74 votes
    Thorsten shared this idea
    flaserra shared a merged idea: Automatic upgrade process for SSL VPN Client

    9 comments

      • Adrien Belcourt commented

        5 years to not close a security vulnerability like this. Security vulnerabilities are the top priority reason for updating software and SSL VPN client software from the UTM is *no exception* to this rule.

        It is crazy to have all the tools to manage and upgrade UTM software to get rid of vulnerabilities like Heartbleed but not bother with tools to manage the client software also provided from the UTM like the OpenVPN client.

        Ideally I would like to see connections refused from clients with known security vulnerabilities with an email alert to the admins to say this is the case.

        It would be good to see the version of the client software listed in the Remote Access page along with the connection details.

        It would also be most excellent to provide a client software user with a warning + link to install up2date client software from the firewall under the user+password dialog box as many others have mentioned.

        But for me the top reason to implement this is to make the UTM software more secure by implementing basic version management for *all* the software provided by the UTM - which includes the Sophos client.

      • Julien commented

        Please, that would be great.
        If you can do it for RED you surely can for VPN clients.

      • Rolf Müller commented

        Ohhh yes!! Deploying and updating the SSL-VPN client is really a mess in a larger environment.
        I would suggest the following procedure.
        There should be a place where admins can download a .msi installer in Webadmin. This can be used to publish the install via SCCM, WSUS or whatever. There should be an option so that the install will flag the config dir as writable by the user. So finally the user can add his config from the userportal.
        The update within the application is also a nice idea, but usually has a problem with users not being local admins.

      • pfboyer commented

        After some UTM patches, the SSL-VPN client must be reloaded / upgraded. In this case, the user must be informed that the (old) already installed client needs to be updated with a choice button like: "Update now". Thank you.

      • pfboyer commented

        Yes, it will be very useful, anyway better than a green traffic light that doesn't work after a UTM patch (by approx. 300 coworkers!)

      • Patrick commented

        The sslvpn client update could come from the cloud. But it would ensure that the client is at the version it should be for the Sophos UTM version. Or just updated to the latest.

      • Scott Klassen commented

        It would be nice if it could work like the Cisco Anyconnect client. Will automatically update the client if a newer version is available on the "server" (Cisco ASA in the case of this example). This upgrade process provides notification to the user, but happens without user interaction. The user needs no administrative privileges for this to happen, as the install is run by the Anyconnect service (as LocalSystem). This last part is very important for business usage. Users running as admin is sssoooo 2002.
