
Got a 2nd WAN - how to migrate to uplink balancing without user interaction

Hi everyone,

Setting up uplink balancing seems to be very easy. But I have questions about how to change the interfaces for SSL VPN Remote without user problems.

I would set up the new interface and add it to the uplink balancing.

But how do I change the SSL VPN remote interface without the user noticing? Can I set the interface group as the SSL VPN remote interface so that the firewall listens on both addresses? So that I can change the DNS entry for the FW remote endpoint without any problems?

Is there a load balancer service on the internet (EU preferred) where I can add both IP addresses with priority?


Best regards

Stephan



  • Hi Bob,

    I just got the time to test it:

    And it is not working. I have to use a service that acts as a load balancer to achieve a smooth migration. But there is no automatic failover if one internet connection does not work.

    Best regards

    Stephan

  • If "OWA" is on its own dedicated IP different from how your User Portal and SSL VPN are reached, I would try temporarily disabling "OWA" to change to "Any" here.  Then re-enable "OWA" - did that work?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I have around ~6 web services with different IPs (additional IPs) on one of my uplink interfaces. So if I deactivate OWA the next one will come up.

    I think it is just by design that you cannot select "any" if you have web servers that use 443 over the web application firewall out there.

    So this SSL feature is not possible to fail over/migrate easily.

  • When I configure a client initially, I change the protocol to UDP to avoid future conflicts and to accelerate the tunnel.  If you were to do that now, you would need to change line 4 in all users' config files to proto udp from proto tcp.  Either that or send each an update which you can download from the 'Users' tab of 'Users & Groups'.

    I agree that the easiest would be to use the DNS failover service for now.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
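    An added example of the client-side config edit Bob describes (not code from this thread or from Sophos): it rewrites the `proto` directive of an OpenVPN-style client profile, which the `proto tcp` line in the UTM's SSL VPN files suggests, and also updates any explicit protocol on `remote` lines so the two cannot disagree. The profile text below is constructed, not a real UTM export.

```python
from typing import Tuple

# Constructed sample of a UTM-style SSL VPN client profile (not a real export).
SAMPLE_PROFILE = """client
dev tun
proto tcp
remote vpn.example.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
"""


def switch_proto(profile: str, new_proto: str = "udp") -> Tuple[str, int]:
    """Return (rewritten_profile, number_of_lines_changed).

    Rewrites the 'proto' directive and any explicit protocol given as the
    third argument of a 'remote' line so that both agree. Every other line,
    including comments, is passed through untouched.
    """
    if new_proto not in ("udp", "tcp"):
        raise ValueError("new_proto must be 'udp' or 'tcp'")
    # OpenVPN spells the client-side TCP variant 'tcp-client'; treat it as TCP.
    old_protos = {"tcp", "tcp-client", "udp"} - {new_proto}
    out, changed = [], 0
    for line in profile.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "proto" and words[1] in old_protos:
            words[1] = new_proto
            changed += 1
        elif len(words) >= 4 and words[0] == "remote" and words[3] in old_protos:
            words[3] = new_proto
            changed += 1
        else:
            out.append(line)
            continue
        out.append(" ".join(words))
    return "\n".join(out) + "\n", changed
```

    Run it only after the UTM's SSL VPN server itself has been switched to UDP, since a client with `proto udp` cannot reach a listener that still only accepts TCP.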
  • Hey Bob,

    Thanks for your answer.

    Do you know a good one?

    Or am I searching for load balancing?

    I would think it works like this: I set up DNS failover with IP 1.1.1.1 and specify my old and new SSL endpoint there.

    Then I change the DNS entry to 1.1.1.1. The DNS failover will then decide where to route the traffic (port 443 reachable on this IP).

  • I'm not familiar with DNS failover services in Germany, so you might want to Google for them from there.  A load balancing service would also work if that would be beneficial when both WAN connections are available.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA