We have an existing XG 135 at our main office and have an XGS 136 at a branch office. We're thinking about creating a Site-to-Site link between them.
I've watched a video about it (https://techvids.sophos.com/watch/K1Vew1V3e1Pgu3f2fG2K2p) and note that the IP address of the branch office is entered into the main office configuration. We don't have a static IP address at the branch office; would a dynamic DNS host name work?
Also, we would rather the connection from the branch office be unidirectional, so it allows access to servers in the main office in the same way as if using Sophos Connect on a client PC. We don't need or want to be able to access the branch office from the main office network. Is this possible, and if so, do we need to do any configuration on the main office UTM, as IPsec is already configured for remote access? Can the secondary UTM simply act as a client to that?
Hi Alan, thanks for reaching out to Sophos Community.
You can use a DynamicDNS on the branch firewall and define it in the HQ Firewall as the remote gateway. Configure HQ firewall as Responder and Branch FW as Initiator. I have seen scenarios where this setup works.
For the unidirectional communication, on the Branch firewall, you can do this just by adding only one LAN-to-VPN rule that'll allow traffic from your local LAN to the remote network over VPN. All the available options for VPN that connect two firewalls apart from IPsec (RED Site-to-Site and SSL VPN Site-to-Site) work by adding routes to access the remote location. So there's no site-to-site connection option available that is by default unidirectional only. :)
Hope this helps.
That is very helpful.