Previous versions sometimes required separate MSI files for IPSec vs. SSL. Version 2.5.0 uses a single MSI that detects which VPN profile is pushed to the user. If you deploy the MSI without a config, it sits idle. If you deploy it with an .scx file for IPSec, it registers the IKEv2 service.
Q: Can I use sophosconnect_2.5.0_ga_ipsec_and_sslvpn.msi on macOS or Linux? A: No. This specific MSI is for Windows only. For macOS, Sophos provides a separate PKG installer. Linux is not officially supported.
Q: Does this client support certificate-based authentication? A: Yes, both machine certificates and user certificates (PKCS#12) are supported for IPSec IKEv2.
Q: Can I deploy this MSI via Intune?
A: Absolutely. Upload the MSI as a Line-of-Business (LOB) app. Use detection rule: %ProgramFiles%\Sophos\Sophos Connect\SophosConnect.exe version >= 2.5.0. sophosconnect 2.5.0 ga ipsec and sslvpn.msi
Q: Why does the MSI prompt for a reboot?
A: Rarely, when an older VPN TAP adapter is present. A reboot is safe to complete driver replacement. Use /norestart for batch deployments.
Q: Is backchannel communication required?
A: By default, the client phones home to Sophos for telemetry. Disable via the ENABLE_ANALYTICS=0 MSI property.
Sophos Connect 2.5.0 GA does not support manual entry of server addresses like traditional VPN clients. Instead, it relies on configuration files provisioned by the Sophos Firewall or Sophos Central. Previous versions sometimes required separate MSI files for
| Log file | Path | Use case |
|----------|------|----------|
| Service log | %ProgramData%\Sophos\Sophos Connect\Logs\service.log | IPsec service & IKE events |
| SSL VPN log | %ProgramData%\Sophos\Sophos Connect\Logs\openvpn.log | OpenVPN engine (SSL mode) |
| GUI log | %AppData%\Sophos\Sophos Connect\Logs\gui.log | UI actions, import errors |
Enable debug logging (temporary):
sc stop "Sophos Connect Service"
sc start "Sophos Connect Service" --log-level=debug
Cause: A previous Sophos Connect installation is corrupt. Resolution: Sophos Connect 2
msiexec /x Sophos-Connect-GUID /quiet
# Then manually delete C:\Program Files (x86)\Sophos\Sophos Connect
| Limitation | Workaround / Impact |
|------------|---------------------|
| No CLI for connection management | Use PowerShell Start-Process with sophos-connect.exe --connect "ProfileName" |
| IPsec behind double NAT | Switch to SSL VPN or enable NAT-T with custom keepalive (15 sec) |
| Windows Server – requires Desktop Experience | Core installations fail GUI login prompt |
| No automatic upgrade from v1.x | Uninstall previous Sophos Connect or NetExtender manually |
Error: The client rejects the .scx file.
Fix: Ensure your Sophos Firewall is on SFOS 19.0.1 or higher. The 2.5.0 client uses a newer config schema incompatible with SFOS 18.5.
Copy the MSI and the .scx file to a network share (e.g., \\server\deploy\).
msiexec /i "sophosconnect 2.5.0 ga ipsec and sslvpn.msi" /quiet /norestart
To pre-load a configuration during install:
msiexec /i "sophosconnect 2.5.0 ga ipsec and sslvpn.msi" CONFIG_FILE="\\server\deploy\company_profile.scx" /quiet
To force the client to auto-start on user login:
msiexec /i "sophosconnect 2.5.0 ga ipsec and sslvpn.msi" AUTO_START=1 /quiet