
NAT SSL Remote Access To Sophos Address

Hello everybody.

I have a Sophos UTM SG310 with 4 internet connections.

I set up SSL Remote Access to listen on port 443 (TCP) of the Sophos LAN address and NAT from the external address to the internal address. Users successfully connect to SSL Remote Access, but when one of the internet interfaces goes down, users cannot connect to SSL Remote Access.

Can anybody help me?

Sorry for my English.



This thread was automatically locked due to age.
  • Hi Tran Ngoc Hien,

    Why did you use the NAT rule for the SSL connection?

    For the other case, use the option "Override hostname" and enter a DNS name the client can resolve.

    For example:

    ssl.example.com points to wan1

    If wan1 fails, you only have to switch the A record of your DNS name:

    ssl.example.com points to wan2

    You can also enter the DNS name in the NAT rule instead of the WAN interface -> DNS host: ssl.example.com set as original destination.

    Best Regards
    DKKDG

  • The SSL is listening on a single address; when it goes down I need to reconfigure SSL on another interface and change the DNS record. It is not a good solution because I cannot just sit and monitor it all the time.

    And I use this address for other IPsec site-to-site connections, and for load balancing on two internet interfaces by this DNS record.

    Any good ideas?

    Thank you.

  • I would not recommend the NAT rule you set for the SSL interface.

    Try the KB from Sophos to configure the SSL VPN properly:
    https://www.sophos.com/en-us/medialibrary/PDFs/documentation/utm90_Remote_Access_Via_SSL_geng.pdf

    As far as I know, there is no automatic failover inside the UTM for switching the interface for SSL VPN.

    So if you have configured it as described in the KB, use a public DNS name the clients can resolve.

    When you want a dynamic DNS name, you have to use DynDNS and a DNS host in your NAT rule.

    Best Regards

    DKKDG

  • Hello Tran Ngoc Hien,

    It always helps to show pictures here regardless of your English - which isn't so bad!

    I will guess that you have selected a single interface in the SSL VPN setup.  You should change that to the "Any" network object.  Also, if you think you need a NAT rule, please show a picture of it.

    As DKKDG suggests, you can use one of the failover DNS services to have your FQDN resolve to an alternate IP when the primary IP is down.  An alternative is to show your folks how to edit their SSL VPN client config and save it with a new name.  For example, assume line 5 in C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\trannh@wan1.yourdomain.com is:

    remote wan1.yourdomain.com 443

    Edit that file to change wan1 to wan2 in line 5 and save the modified file as C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\trannh@wan2.yourdomain.com.  Now you can select either connection when you activate the SSL VPN Client.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
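Bob's suggestion above is to hand-edit the exported client profile so that a second copy points at the other WAN hostname. The script below is an added example, not part of the thread and not Sophos code: it derives the `wan2` profile from the `wan1` profile by rewriting only the host field of the `remote` directive, names the copy the way Bob describes (`trannh@wan1...` becomes `trannh@wan2...`), and includes a check that the two profiles differ in nothing but that line, so the embedded certificate and key material is confirmed untouched. It assumes the client profile is OpenVPN-style text (the Sophos SSL VPN client is OpenVPN-based); the sample profile embedded here is constructed for illustration and is not a real export.

```python
# Added example (not from the thread): build an alternate Sophos SSL VPN client
# profile that targets a second WAN hostname, and verify nothing else changed.
import re
from pathlib import Path

# Constructed sample of the relevant lines of an exported client profile.
# A real export also carries <ca>/<cert>/<key> blocks, which must stay identical.
SAMPLE_CONFIG = """client
dev tun
proto tcp
remote wan1.yourdomain.com 443
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
"""

# Matches "remote <host> [port [proto]]"; group 2 is the host field.
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(\s+\S.*)?$")


def rewrite_remote(config_text: str, old_host: str, new_host: str) -> str:
    """Return config_text with the host of the matching `remote` line swapped.

    Port, protocol and every other directive are left exactly as they were.
    Raises ValueError if no `remote old_host` line exists, so a typo in
    old_host cannot silently produce an unchanged copy.
    """
    lines = config_text.splitlines(keepends=True)
    changed = 0
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = REMOTE_RE.match(body)
        if m and m.group(2) == old_host:
            lines[i] = f"{m.group(1)}{new_host}{m.group(3) or ''}{eol}"
            changed += 1
    if changed == 0:
        raise ValueError(f"no 'remote {old_host} ...' directive found")
    return "".join(lines)


def profiles_differ_only_in_remote(a: str, b: str) -> bool:
    """True if the two profiles are line-for-line identical except on `remote` lines.

    Use this before handing the second profile to users: it proves the copy
    did not accidentally alter the cert/key blocks or any other directive.
    """
    la, lb = a.splitlines(), b.splitlines()
    if len(la) != len(lb):
        return False
    for x, y in zip(la, lb):
        if x != y and not (REMOTE_RE.match(x) and REMOTE_RE.match(y)):
            return False
    return True


def alternate_profile_path(path, old_host: str, new_host: str) -> Path:
    """Mirror Bob's naming: user@wan1.yourdomain.com -> user@wan2.yourdomain.com.

    On the client machine the profile lives under the Sophos SSL VPN Client
    config directory; here only the file name is rewritten.
    """
    p = Path(path)
    if old_host not in p.name:
        raise ValueError(f"profile name {p.name!r} does not contain {old_host!r}")
    return p.with_name(p.name.replace(old_host, new_host))


def write_alternate_profile(src, old_host: str, new_host: str) -> Path:
    """Write the alternate profile next to the original and return its path."""
    text = Path(src).read_text(encoding="utf-8")
    alt = rewrite_remote(text, old_host, new_host)
    if not profiles_differ_only_in_remote(text, alt):
        raise RuntimeError("alternate profile changed more than the remote line")
    dst = alternate_profile_path(src, old_host, new_host)
    dst.write_text(alt, encoding="utf-8")
    return dst


if __name__ == "__main__":
    alt = rewrite_remote(SAMPLE_CONFIG, "wan1.yourdomain.com", "wan2.yourdomain.com")
    print(alt)
    print("only remote changed:", profiles_differ_only_in_remote(SAMPLE_CONFIG, alt))
```

Run `write_alternate_profile(<path to user@wan1 profile>, "wan1.yourdomain.com", "wan2.yourdomain.com")` once per user; the new file appears beside the original and can be selected in the client like any other profile.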