I'm using Sophos Endpoint for antivirus at my company, but we also need to connect to client networks using Cisco AnyConnect VPN. Recently, after an update, AnyConnect has been running a system check called ISE Posture before we can connect. On one computer, it states we're missing a Windows update but doesn't provide a KB number, making it hard to fix since we use patch management software that only previews updates. Another computer mentions that Sophos Endpoint is outdated, which the support team confirmed is a known issue. I'm looking for ways to work around these checks since we can't compromise on using Sophos. Can the ISE checks be turned off, or is there an exemption available? Also, some weird messages pop up during connection attempts, making it confusing. Currently, I've been uninstalling and reinstalling Sophos to get a temporary connection, but that's not sustainable. Anyone have any suggestions?
5 Answers
You could explore altering a Group Policy Object (GPO) to allow Defender to update its definitions even while it's disabled. This might alleviate some issues with it not recognizing Sophos. But I’ve heard that the ISE system may not even see Sophos as up to date, leading to these connectivity headaches.
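Before going back to the client's ISE admins, it helps to know what the workstation itself says about the two things the posture check is complaining about. The script below is an added example, not code from any answer on this page: it reads what Windows Security Center (the `root/SecurityCenter2` WMI namespace) reports for every registered antivirus product, including whether it is enabled and whether its signatures are current, and then asks the Windows Update Agent for the list of updates it considers missing, with KB numbers, so the right package can be approved in the patch-management console. Assumptions: an elevated PowerShell 5.1 or later session on a Windows client (the SecurityCenter2 namespace does not exist on Windows Server), and a machine that can reach Windows Update or its WSUS/SCCM server for the search. The `productState` decoding is the commonly used one and is noted as such in the comments. Cisco's posture module uses its own product-detection library (OPSWAT OESIS) rather than Security Center, so a product that looks current here can still be flagged by ISE; this only tells you whether the OS agrees with the posture result, which is useful evidence when asking for an exemption.

```powershell
# Added example, not from the original thread: local pre-check for the two
# symptoms in the question (AV "outdated" and "missing Windows update, no KB").
#
# Assumptions: elevated PowerShell 5.1+ on a Windows client; Windows Update or
# the WSUS/SCCM server is reachable. The productState decoding below is the
# widely used community decoding, not an official API contract.

function Get-AvProductStatus {
    # productState is a DWORD; rendered as six hex digits, the common decoding is:
    #   digits 3-4: 10 or 11 = real-time protection enabled, 00 or 01 = disabled
    #   digits 5-6: 00 = signatures up to date, 10 = signatures out of date
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = ('{0:X6}' -f $_.productState)
            [pscustomobject]@{
                Product   = $_.displayName
                State     = '0x' + $hex
                Enabled   = ($hex.Substring(2, 2) -in @('10', '11'))
                UpToDate  = ($hex.Substring(4, 2) -eq '00')
                SignedExe = $_.pathToSignedProductExe
                Timestamp = $_.timestamp
            }
        }
}

function Get-MissingUpdates {
    # Windows Update Agent COM API: returns KB IDs even when the patch-management
    # console only shows titles. Type='Software' excludes driver updates.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
            Title    = $u.Title
            Severity = $u.MsrcSeverity
            Category = (@($u.Categories | Select-Object -ExpandProperty Name) -join ',')
        }
    }
}

'--- Security Center AV products ---'
Get-AvProductStatus | Format-Table -AutoSize

'--- Updates Windows Update reports as missing ---'
Get-MissingUpdates | Sort-Object Severity -Descending | Format-Table -AutoSize
```

If Sophos shows `Enabled` and `UpToDate` as True here but ISE still reports it as outdated, that supports the "known issue" the support team mentioned and is worth attaching to the exemption request. If the Windows Update search returns nothing while ISE still reports a missing update, the posture requirement is probably checking for a specific KB or a hotfix class your WSUS/SCCM approvals do not cover, and the client's ISE admin can read the exact condition out of the posture policy.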
You'll definitely have to work with Cisco ISE policies. There’s a chance you can modify the posture requirements or policy sets on their end to alleviate this issue. Just remember that convincing them might take some effort since they could see these checks as necessary for security. But it's worth a shot!
If the client really needs you to connect, they'll likely have to get their IT security team or vendors involved. Be prepared—this could be a multi-organizational hustle to get it sorted out. An intermediate step could be to use a jump box dedicated to VPN access.
I can hear the response now: "We can't turn off the security checks; they're essential!" And then you're left thinking about how you’re not going to ditch Sophos for just one client. Good luck with that!
One option could be setting up a clean VM solely for the required VPN client. That way, it wouldn’t interfere with your main system. However, considering you have many people accessing it, that could become a hassle with storage needs and syncing issues.
Yeah, we once tried this for another client, but it just created conflict when we needed them online at the same time. Definitely not the best approach with our current setup.
Yeah, I thought they were mandatory too, so this is actually relieving to know that there's a potential workaround.