Dear Community,
We're currently in the process of implementing our SSL-VPN remote access with FQDN-based policies – What we're trying to achieve is a split-tunneling-like behavior, where our SSL-VPN clients would go through the tunnel only when they're trying to reach, say, community.sophos.com.
What we're currently encountering is the behavior of the UTM, where it «kills» all the SSL-VPN sessions when there's a change in a «DNS group» network definition. Let's assume that we had defined «sophos.com» under the DNS group network definition – The UTM resolves the name, keeps the IP addresses returned in the DNS response and passes those addresses as /32 host routes to the SSL-VPN clients. So far, so good – But then, when the TTL of the DNS response expires, the UTM resolves the name again and, quite naturally, gets different IP addresses in the DNS response. Now the UTM kills all the SSL-VPN sessions so that, apparently, it can push all the new routes as «protected» destinations.
Though it may be a reasonable behavior, given the fact that the UTM is a security appliance, what we'd like to know is whether this is expected behavior. Isn't there a way to push new routes to SSL-VPN clients without closing the SSL-VPN sessions? In today's environment, it seems like something we should take into consideration, that the IP addresses of an external service do change relatively frequently.
Please let me know what you think about the issue – I'm looking forward to your insights!
Best regards,
iichikocchi