Setting up uplink balancing seems to be very easy. But I have questions about how to change the interfaces for SSL VPN Remote without user problems.
I would set up the new interface and add it to the uplink balancing.
But how do I change the SSL VPN Remote interface without the user noticing? Can I set the interface group as the SSL VPN Remote interface so that the firewall listens on both addresses? So that I can change the DNS entry for the fw remote endpoint without any problems?
Is there a load balancer service on the internet (EU preferred) where I can add both IP addresses with priority?
On the 'Settings' tab of SSL VPN, you can specify the "Any" network object as the 'Interface address'. There are specialized DNS services that offer a not-free service as you ask. Just adding a second A record for the FQDN will probably be good enough for this purpose, and that should be free.
Cheers - Bob

PS Moving this thread to the VPN forum.
In reply to BAlfson:
Thank you for your answer.
Is there no interruption of any service if I activate uplink balancing? Or do I want to do this off hours?
In reply to StephanG:
The default balancing is "by Connection," so established connections should not be interrupted, Stephan.
Cheers - Bob
I have now activated uplink balancing.
But back to my question about remote SSL. I cannot use the "Uplink Interfaces" group as the listening interface address.
So can I only choose one SSL VPN listening interface?
That's why I said that you must use the "Any" network object, Stephan - otherwise, it must be a single "(Address)" object.
Sorry. I forgot.
But will it break the User Portal, as it listens on the same port 443?
Two totally different connections, Stephan, and the UTM knows how to differentiate.
I will try the configuration. But there are several "ideas" here where it conflicts with NAT and/or WAF. So this is another thing I want to do outside office hours.
Take a look at #2 in Rulz, Stephan. Also see Doug Foster's READ ME FIRST: UTM Architecture.
I just got the time to test it:
And it is not working. I have to use a service that acts as load balancer to achieve a smooth migration. But there is no automatic failover if one internet connection does not work.
If "OWA" is on its own dedicated IP different from how your User Portal and SSL VPN are reached, I would try temporarily disabling "OWA" to change to "Any" here. Then re-enable "OWA" - did that work?
I have around 6 web services with different IPs (additional IPs) on one of my uplink interfaces. So if I deactivate OWA, the next one will come up.
I think it is just by design that you cannot select "Any" if you have web servers that use 443 via the web application firewall out there.
So this SSL feature cannot be failed over/migrated easily.
When I configure a client initially, I change the protocol to UDP to avoid future conflicts and to accelerate the tunnel. If you were to do that now, you would need to change line 4 in all users' config files to proto udp from proto tcp. Either that or send each an update which you can download from the 'Users' tab of 'Users & Groups'.
I agree that the easiest would be to use the DNS failover service for now.
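The protocol change above is described as "change line 4 in all users' config files". As an added example (not code from this thread or from Sophos), here is a small rewriter that does that by locating the `proto` directive by name instead of by line number, so a config that has a comment or an extra line at the top is not silently mangled. It also shows OpenVPN's own client-side answer to the failover question: a client config may carry several `remote` lines, which the client tries in order, so the old and the new WAN address can both be listed while the DNS entry is migrated. The sample config, the hostname `vpn.example.com` and the address `203.0.113.10` are constructed placeholders, and the script assumes the UTM has already been switched to listen on UDP on the same port.

```python
"""Rewrite OpenVPN/UTM SSL VPN client configs for a protocol and endpoint change.

Added example, not code from the forum thread or from Sophos. It assumes the
client file uses plain OpenVPN syntax with `proto` and `remote` directives
(as the UTM-generated .ovpn files do) and that the UTM has been switched to
listen on UDP on the same port before the rewritten files are handed out.
"""

# Constructed sample in the shape of a UTM-exported client config (not real).
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.com 443
verb 3
auth-user-pass
ca ca.crt
"""


def _remotes_in(lines):
    """Set of (host, port) pairs already present as `remote` directives."""
    found = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "remote":
            found.add((parts[1], parts[2]))
    return found


def rewrite_ovpn(text, proto="udp", extra_remotes=()):
    """Return (new_text, changed).

    - `proto tcp` / `proto tcp-client` becomes `proto <proto>`; a protocol
      given as the third argument of a `remote` line is rewritten too.
    - Each (host, port) in extra_remotes is appended directly after the
      first existing `remote` line unless already present. OpenVPN clients
      try multiple `remote` entries in order, which gives client-side
      failover between an old and a new WAN address without a DNS service.
    - Idempotent: running it on its own output reports changed == False.
    Raises when the file has no `proto` line at all: the directive is found
    by name rather than by line number, and we refuse to guess.
    """
    lines = text.splitlines()
    existing = _remotes_in(lines)
    to_add = [(h, str(p)) for h, p in extra_remotes if (h, str(p)) not in existing]
    out, changed, proto_seen, remote_seen = [], False, False, False

    for line in lines:
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # keep comments and blanks
            out.append(line)
            continue
        parts = stripped.split()
        if parts[0] == "proto":
            proto_seen = True
            new = f"proto {proto}"
            changed |= (new != stripped)
            out.append(new)
        elif parts[0] == "remote" and len(parts) >= 3:
            fields = ["remote", parts[1], parts[2]]
            if len(parts) >= 4:                    # form: remote host port proto
                fields.append(proto)
            new = " ".join(fields)
            changed |= (new != stripped)
            out.append(new)
            if not remote_seen:
                remote_seen = True
                suffix = f" {proto}" if len(parts) >= 4 else ""
                for host, port in to_add:
                    out.append(f"remote {host} {port}{suffix}")
                    changed = True
        else:
            out.append(line)

    if not proto_seen:
        raise ValueError("no 'proto' directive found; refusing to guess the transport")
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    rewritten, did_change = rewrite_ovpn(SAMPLE_OVPN, extra_remotes=[("203.0.113.10", 443)])
    print(rewritten, "changed:", did_change)
```

Run it over each user's `.ovpn` before redistributing; the `changed` flag tells you which files actually needed touching, and a second pass over already-rewritten files reports no change. Re-downloading fresh configs from the 'Users' tab, as the post above suggests, remains the simpler route when the number of users is small.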
Thanks for your answer.
Do you know a good one?
Or am I searching for load balancing?
I would think it works like this: I set up DNS failover with IP 220.127.116.11 and specify my old and new SSL endpoint there.
Then I change the DNS entry to 18.104.22.168. The DNS failover will then decide where to route the traffic (port 443 reachable on this IP).
I'm not familiar with DNS failover services in Germany, so you might want to Google for them from there. A load balancing service would also work if that would be beneficial when both WAN connections are available.