SSL VPN change precedence order of network ports

Question

I have just experienced the most bizarre situation. Customer has two backup internet connections on Port 2 and Port 3 that run through another router. Port 4 is the main internet connection. When downloading SSL configuration, the Sophos had local LAN IP addresses of Port 2 and Port 3 higher in the priority list. There was no way to change this and of course SSL VPN is never going to connect to a 192.168.xx.xx address. 
 
 There is nowhere anywhere in the Sophos unit to specify what WAN ports to use for SSL VPN and no way to change priority order. 
 
 Here is the stupid thing. I created a new zone "WAN2" and moved Port2 and Port3 to "WAN2". I then moved them back to "WAN". Now the WAN IP addresses in the SSL VPN configuration have changed order. 
 
 So, it looks like the order of WAN IP addresses in the SSL VPN configuration that a user downloads are the order in which the ports are assigned to the WAN zone. If you want to set the order for SSL VPN connections, set all your ports to some random zone and then assign them back to the WAN zone in the order you want the Sophos SSL VPN to use them. 
 
 Dumb - and needs to be fixed, but I'm still waiting for issues from 2012 to be fixed so I won't hold my breathe. 
 
 Hopefully this helps someone

LuCar Toni · Answer

Use this process: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNSConProvisioningFile/index.html 
 Your process is more likely for the smaller deployments. This process can automate the installation of new files etc. 
 About the DDNS part. Are you sure?

OVPN:

And as the DDNS is written in OVPN, you could use a GoogleDNS or other DNS service, which actually have load balancing and other technologies build in. So you could easily write the same value into this field and let google do a health monitoring and failover etc.

Vishal_R · Answer

Hi Stuart James : Thank you for sharing this information or working details with community users and definitely this will be helpful to get the clarity in terms of SSL VPN WAN precedence. We may define the "Override Hostname" which will fix the connection on that defined (WAN Port) ISP IP only. Override Hostname: This sets the SSL VPN client configuration file to use this public IP when establishing the connection. A lso, another way around for this one is DNS override hostname which resolves to the IP address of one's choice. However, for defining priority order-based settings, such requirements are already under review (possibly may integrate in future with Sophos connect client) by the PM team, and meantime I would also suggest you to upvote any existing matching thread or raise a new thread on Ideas Portal.

LuCar Toni · Answer

Did you already create a support case for your issue? 
 Because from what i could see, most customers are using DDNS (any kind of vendors), which resolves such use cases in general. 
 If you experience an issue, which it actually could cause, then it should follow the support workflow to get to Development. The only issue, i can think of, if you are on the road and the network, you are joining, actually uses the same kind of private IP, you have in your OVPN file. 
 If the IP in your OVPN is not existing, it will simply not connect to this host (check before connect, takes milliseconds). 
 
 BTW: My workaround is: Start DDNS from Google on your firewall. You can specify per interface one Hostname. Lets say: XG1.domain.com, XG2.domain.com. So you have two different FQDNs in your OVPN. Both will be resolved by the firewall and send to Google. On the Google DNS interface, you can specify a health check of both DNS records. So you can say, XG1.domain.com is your WAN IP of your fiber interface. And XG2.domain.com points to XG1.domain.com, until XG1.domain.com IP is offline, then failover to XG2.domain.com.

SSL VPN change precedence order of network ports

Top Replies