Architecting DNS for users with 2 SSL-VPN connections to 2 UTMs on separate sites

Hi, we have an interesting scenario. We have clients using the OpenVPN client to connect to multiple (2) client sites (both UTMs) at the same time, although once we connect we have DNS issues. All users are remote, so it's not viable to have an internal DNS server in the office, and although local hosts files work, they are a pain to set up on everyone's machine.

As they are separate clients we don't want to connect the sites together, and I'm not sure what other options we have to fix DNS resolution for both sites when connected to both; any suggestions would be great.

Thanks,

  • There is no better DNS configuration. You want a way to say that tunnel A uses split tunnel networking and is only used for DNS for COMPANYA.LOCAL.
    UTM does not provide this feature, and I wonder if alternatives would either.

    It is apparently a happy accident that you have no IP address conflicts. In the general case without coordination, this should be expected as well.

    Politically, if Org A and Org B have not seen fit to create a tunnel between them, I don't think it is appropriate for User C, perhaps a vendor to both, to create a VPN tunnel without their full knowledge and consent.

    What could be done, with cooperation from both organizations, is a VPN client connection to company A, coupled with a VPN tunnel from A to B that is only open to the Company A IP Pool Address range.

  • Hi Douglas,

    Thank you for your detailed response. The "client sites" are actually cloud hosted enclaves with just a couple of servers, but as these are separate clients we cannot create a site-to-site between the client enclaves. We have architected this in a way that there are no overlapping IP ranges. We have permissions for our admin team to VPN into each enclave, but due to the nature of the work they need to connect simultaneously; that seems to work fine, but causes DNS issues.

    I was hoping there was an easier solution. We can get this working with local hosts file configuration, but it's a PITA to manage for many users, and I was hoping for something simpler; unfortunately we can't have an internal DNS server as all employees are WFH.

    Any other thoughts with this info in mind?

  • Depends whether the goal is to tunnel between clients or merely to have the ability to support both clients with rapid context switching.

    If the latter, then the preferred solution is to have a desktop, probably virtual, for each client, with one VPN tunnel from each of the two desktops. The virtual desktop could be at home or at your data center, but your data center is preferred. However, everything costs money and you need to stay in business.

    I have asked elsewhere in this forum how to ensure that a computer at home is secure, and if it comes into the office how to ensure it does not bring malware along for the ride. I have not had any responses.

    If your staff is working from home with VPN tunnels into client environments, you have a lot of obstacles when trying to protect them from malicious websites, malicious emails, and adjacent infected computers. Then there is the usual challenge of patch management as well. Not for the faint of heart.

  • Hi Douglas,

    We are in the process of rolling out corporate laptops to all users, and we already have MDM with AV & patching testing, so we are not massively concerned in this area.

    Ideally, constant access to both environments is what is needed as required (SSL-VPN); rapid switching is what they are currently doing, and switching every 5 minutes is impacting the project delivery.

    Thanks,

  • Rather than have Remote Access sessions at both locations or a tunnel between them, I would configure site-to-sites between the UTM and company A and company B. Then, have the users dial into the UTM to reach both sites. To make this work, you would need a Request Route for COMPANYA.LOCAL pointed at the internal DNS server for company A and similarly for company B. "VPN Pool (SSL)" must be in 'Allowed Networks' for DNS and 'DNS server #1' should be the IP of "Internal (Address)" on the UTM.

    You might want to add a suggestion at Ideas to have a DNS option added to a VPN SSL Profile if there isn't already one there.  If there is, vote for and comment on it to enhance its visibility.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
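As an added example (not UTM configuration and not code from this thread), the "request route per zone" idea from Bob's answer done on the client side: a small split-DNS forwarder in Python that reads the question name out of each query and relays queries for a client's private zone only to that client's internal DNS server, so company A's internal names are never sent to company B's resolver or to the public one. The zone names, server addresses and listening port are assumptions for illustration.

```python
import socket
import struct

# Constructed table (addresses assumed): private zone -> internal DNS server reachable only over that tunnel.
REQUEST_ROUTES = {
    "companya.local": "10.10.0.53",
    "companyb.local": "10.20.0.53",
}
DEFAULT_RESOLVER = "9.9.9.9"  # everything else goes to the public resolver

def qname_from_query(packet: bytes) -> str:
    """Return the first question name of a raw DNS query (RFC 1035 wire format)."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while (length := packet[pos]) != 0:
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compressed name in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def choose_upstream(name: str) -> str:
    """Longest-suffix match so each zone's names go only to that zone's server."""
    name = name.rstrip(".").lower()
    matches = [z for z in REQUEST_ROUTES if name == z or name.endswith("." + z)]
    return REQUEST_ROUTES[max(matches, key=len)] if matches else DEFAULT_RESOLVER

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A query; used here only to construct test input."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def forward(packet: bytes, timeout: float = 2.0) -> bytes:
    """Relay one query to the upstream chosen for its name and return the reply."""
    upstream = choose_upstream(qname_from_query(packet))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (upstream, 53))
        return sock.recv(4096)

def serve(listen=("127.0.0.1", 5353)):
    """Relay stub-resolver queries arriving on `listen` until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            data, client = srv.recvfrom(4096)
            try:
                srv.sendto(forward(data), client)
            except (ValueError, socket.timeout):
                pass  # drop malformed queries and upstream timeouts
```

Most OS stub resolvers only talk to port 53, so in practice `serve()` has to bind there (with the privilege that requires), and both tunnels must still carry routes to their internal DNS servers for the forwarding to reach them.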