
Routing HTTP(S) traffic outside of Site to Site SSL VPN

Hi,

We've only had our SG430 a few months and for the most part have figured out how to do what we want it to do. The one thing I cannot figure out is this.

We have an externally hosted website that internal users need to access; this external site also needs to be able to read data from an internal SQL server. The thought is that we would set up a site-to-site SSL VPN on the firewall which would allow the external server access over the SQL protocol to the SQL server only (no other access to the internal network, no other protocols allowed to the SQL server). We set up the VPN connection and are waiting for the external hosting company to configure their end. We then noticed that internal users were suddenly unable to access the webserver via HTTP. When we did a tracert the traffic stopped at the firewall. It wasn't until we disabled the VPN connection that access was restored to the website.

It seems like the SSL VPN routing is sending all traffic destined for the external webserver via the VPN connection (regardless of whether it's connected or waiting for connection). How do I separate the traffic so only SQL goes over the VPN and the HTTP traffic goes via the external interface?

I thought about doing some sort of load balancing or multipath thing, but the VPN connections don't show as interfaces so I'm not sure how to fix this.

Thanks in advance for any help you might be able to offer.

Regards,

Nick



  • Hi Nick,

    Interesting issue you have there. It is weird that the HTTPS traffic destined for the webserver is being affected by the S2S VPN tunnel; is it possible that there is some kind of split-brain DNS issue that the UTM may be suffering from?

    Additionally, you could set up a host definition on the UTM that has the public IP with the reverse DNS set to the public FQDN of the webserver. This should prevent the UTM from perceiving the SQL server as an internal IP that should be destined for the SSL S2S tunnel. Failing that, a TCPDump should be done so we can see exactly what is happening to the packets if the host definition fails.

    Emile


  • Hi,

    Thanks for your response. Please see screenshots of the existing config; this may help explain the situation better.

    I need to establish a secure connection between the external webserver and the internal SQL server for SQL traffic only. Any HTTP traffic destined for that webserver should continue to go out via the external interface of the UTM, not via the VPN connection. The external server's FQDN is specified in our internal DNS to ensure that internal clients resolve the domain to its external public IP and not the IP of the VPN connection.

    Hope that makes sense.

    Regards,

    Nick
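The behaviour Nick describes in the opening post and restates above (HTTP to the webserver disappearing into the tunnel as soon as the S2S VPN exists, even before it is up) is what a plain longest-prefix-match routing table does when the tunnel's remote network covers the webserver's public IP: the tunnel route is more specific than the default route, so every protocol to that address follows it. The script below is an added illustration written for this thread, not configuration from Nick's UTM and not a description of how Sophos UTM internally implements routing. All addresses (203.0.113.0/24 for the public side, 10.99.0.0/24 for a hypothetical tunnel-side address of the external server), interface names (eth1, tun0) and the port-aware "policy route" in the third scenario are constructed assumptions; whether the UTM can steer a single TCP service into an SSL S2S tunnel that way is not established by this thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 and RFC 1918 ranges); nothing here comes from the thread.
WEBSERVER_PUBLIC = ipaddress.ip_address("203.0.113.10")   # external webserver, public IP
WEBSERVER_TUNNEL = ipaddress.ip_address("10.99.0.10")     # hypothetical tunnel-side address of that server
ANY_INTERNET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    tcp_dport: Optional[int] = None   # set only on a port-aware policy route (assumed feature)


def select_interface(routes, dst, dport):
    """Return the egress interface for a packet to dst:dport, or None if nothing matches.

    Model: a port-specific policy route wins when it matches; otherwise the
    ordinary longest-prefix match decides, exactly as a plain kernel route table would.
    """
    matches = [r for r in routes
               if dst in r.prefix and (r.tcp_dport is None or r.tcp_dport == dport)]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.tcp_dport is not None, r.prefix.prefixlen))
    return best.interface


DEFAULT = Route(ANY_INTERNET, "eth1")   # WAN / external interface of the firewall

# Scenario 1: the tunnel's remote network contains the webserver's public IP.
# Every port to 203.0.113.10 is pulled into tun0, which is the symptom in the thread.
OVERLAPPING = [DEFAULT, Route(ipaddress.ip_network("203.0.113.0/24"), "tun0")]

# Scenario 2: the tunnel only carries a separate, tunnel-side address for the server.
# HTTP to the public IP stays on the WAN; SQL is addressed to 10.99.0.10 and uses tun0.
SEPARATE = [DEFAULT, Route(ipaddress.ip_network("10.99.0.0/24"), "tun0")]

# Scenario 3: the public IP is kept, but only TCP/1433 is steered into the tunnel
# (port-aware policy route, an assumed capability for illustration only).
POLICY = [DEFAULT, Route(ipaddress.ip_network("203.0.113.10/32"), "tun0", tcp_dport=1433)]


def summarize(routes):
    """Where HTTPS and SQL flows end up under a given table."""
    return {
        "https_to_public": select_interface(routes, WEBSERVER_PUBLIC, 443),
        "sql_to_public": select_interface(routes, WEBSERVER_PUBLIC, 1433),
        "sql_to_tunnel_addr": select_interface(routes, WEBSERVER_TUNNEL, 1433),
    }


if __name__ == "__main__":
    for name, table in (("overlapping", OVERLAPPING), ("separate", SEPARATE), ("policy", POLICY)):
        print(f"{name:12s} {summarize(table)}")
```

Running it shows the first table sending both HTTPS and SQL for the public IP to tun0, which matches the tracert dying at the firewall; the second table is the clean split (tunnel network disjoint from the public address), and the third is only achievable if the firewall can route by service as well as by destination. A tcpdump on the UTM filtered on the webserver's public IP, as Emile suggests, is the quickest way to tell which of these tables the box is actually applying.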