The answer lies in three steps:
Integrate Sophos Firewall with a Microsoft CA to automatically issue machine certificates for IPsec. This eliminates manual certificate installation for 1,000+ users.