Got a 2nd WAN - how to migrate to uplink balancing without user interaction

Hi everyone,

Setting up uplink balancing seems to be very easy. But I have questions about how to change the interfaces for SSL VPN Remote without user problems.

I would set up the new interface and add it to the uplink balancing.

But how do I change the SSL VPN remote interface without the user noticing? Can I set the interface group as the SSL VPN remote interface so that the firewall listens on both addresses? So that I can change the DNS entry for the FW remote endpoint without any problems?

Is there a load balancer service on the internet (EU preferred) where I can add both IP addresses with priority?

Best regards

Stephan

  • Hello Stephan,

    On the 'Settings' tab of SSL VPN, you can specify the "Any" network object as the 'Interface address'.  There are specialized DNS services that offer a not-free service as you ask.  Just adding a second A record for the FQDN will probably be good enough for this purpose, and that should be free.

    Cheers - Bob
    PS Moving this thread to the VPN forum.

  • In reply to BAlfson:

    Hi,

    Thank you for your answer.

    Is there no interruption for any service if I activate uplink balancing? Or should I do this off-hours?

    Best regards

    Stephan

  • In reply to StephanG:

    The default balancing is "by Connection," so established connections should not be interrupted, Stephan.

    Cheers - Bob

  • In reply to BAlfson:

    Hi,

    I have now activated uplink balancing.

    But back to my question about remote SSL. I cannot use the "Uplink Interfaces" group as the listening interface address.

    So can I only choose one SSL VPN listening interface?

  • In reply to StephanG:

    That's why I said that you must use the "Any" network object, Stephan - otherwise, it must be a single "(Address)" object.

    Cheers - Bob

  • In reply to BAlfson:

    Sorry. I forgot.

    But will it break the User Portal, as it listens on the same port 443?

  • In reply to StephanG:

    Two totally different connections, Stephan, and the UTM knows how to differentiate.

    Cheers - Bob

  • In reply to BAlfson:

    I will try the configuration. But there are several "ideas" here where it conflicts with NAT and/or WAF. So this is another thing I want to do out of office hours.

    https://ideas.sophos.com/forums/17359-sg-utm/search?filter=hot&oauth_consumer_key=DRfxHKLCir1RCZbSH0fo5g&oauth_signature_method=HMAC-SHA1&page=2&query=SSL+VPN+Remote+uplink+balancing

  • In reply to StephanG:

    Take a look at #2 in Rulz, Stephan.  Also see Doug Foster's READ ME FIRST: UTM Architecture.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I just got the time to test it:

    And it is not working. I have to use a service that acts as load balancer to achieve a smooth migration. But there is no automatic failover if one internet connection does not work.

    Best regards

    Stephan

  • In reply to StephanG:

    If "OWA" is on its own dedicated IP different from how your User Portal and SSL VPN are reached, I would try temporarily disabling "OWA" to change to "Any" here.  Then re-enable "OWA" - did that work?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I have around 6 web services with different IPs (additional IPs) on one of my uplink interfaces. So if I deactivate OWA, the next one will come up.

    I think it is just by design that you cannot select "Any" if you have web servers that use 443 over the Web Application Firewall out there.

    So this SSL feature is not possible to fail over/migrate easily.

  • In reply to StephanG:

    When I configure a client initially, I change the protocol to UDP to avoid future conflicts and to accelerate the tunnel.  If you were to do that now, you would need to change line 4 in all users' config files to proto udp from proto tcp.  Either that or send each an update which you can download from the 'Users' tab of 'Users & Groups'.

    I agree that the easiest would be to use the DNS failover service for now.

    Cheers - Bob
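    The protocol switch Bob describes means editing every user's exported client config. The following POSIX shell script is an added example, not from the thread or from Sophos: it rewrites the `proto tcp` directive to `proto udp` across a directory of `.ovpn` files, keeps a `.bak` copy of each file, and refuses to touch a file that does not contain exactly one `proto` line. It matches the directive itself rather than trusting that it sits on line 4. The directory name and the sample configs it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the thread's or Sophos' own tooling): batch-switch
# exported SSL VPN (OpenVPN-format) client configs from "proto tcp" to
# "proto udp" before the server-side protocol is changed.
# Assumptions: configs are plain-text .ovpn files in one directory, and the
# directive is on its own line (the thread says line 4; we match the
# directive instead of relying on that).

# current_proto FILE -> prints the value of the single "proto" line
# ("tcp", "udp", ...) or "none" when there is no single proto line.
current_proto() {
    lines=$(grep -E '^[[:space:]]*proto[[:space:]]' "$1" || true)
    if [ "$(printf '%s\n' "$lines" | grep -c .)" -ne 1 ]; then
        echo none
        return 0
    fi
    printf '%s\n' "$lines" | awk '{print $2}'
}

# switch_to_udp FILE -> rewrites "proto tcp" to "proto udp", keeping FILE.bak.
# Exit 0 when the file is now udp (changed or already udp); exit 1 when the
# file is ambiguous and was left untouched for manual review.
switch_to_udp() {
    f="$1"
    case "$(current_proto "$f")" in
        tcp) ;;
        udp) echo "skip: $f is already udp"; return 0 ;;
        *)   echo "skip: $f has no single 'proto' line, check by hand" >&2; return 1 ;;
    esac
    cp "$f" "$f.bak" || return 1
    # Only the directive line changes; remote, certs and keys are untouched.
    sed -E 's/^([[:space:]]*proto[[:space:]]+)tcp([[:space:]]*)$/\1udp\2/' "$f.bak" > "$f" || return 1
    echo "changed: $f"
}

# Demonstration on constructed sample configs in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'client\ndev tun\nproto tcp\nremote vpn.example.invalid 443\n' > "$d/alice.ovpn"
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 443\n' > "$d/bob.ovpn"
    printf 'client\ndev tun\nremote vpn.example.invalid 443\n' > "$d/odd.ovpn"
    for f in "$d"/*.ovpn; do
        switch_to_udp "$f" || :
    done
    rm -rf "$d"
}

demo
```

    Run it once against a copy of the export directory first; files reported as "check by hand" are the ones a blind line-4 edit would have corrupted.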

  • In reply to BAlfson:

    Hey Bob,

    Thanks for your answer.

    Do you know a good one?

    Or am I searching for load balancing?

    I would think it works like this: I set up DNS failover with IP 1.1.1.1 and specify my old and new SSL endpoints there.

    Then I change the DNS entry to 1.1.1.1. The DNS failover will then decide where to route the traffic (port 443 reachable on this IP).

  • In reply to StephanG:

    I'm not familiar with DNS failover services in Germany, so you might want to Google for them from there.  A load balancing service would also work if that would be beneficial when both WAN connections are available.

    Cheers - Bob