Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 1 subscriber
  • Views 18056 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN SSL Failover

lferrara
Hi All, 

we are using UTM 220 from one year and it is very smart and working good. 
We have several remote users that travel around and they need to access their resources from everywhere and anytime.

We need to setup failover vpn in Astaro. We have 3 ISP connections. At the moment Vpn is bound to one ISP address. How can we bound VPN SSL to multiple ISP without manual interventation?

We created a dns public failover named vpn.***x.com that points to 3 ISP Public addresses.

If you have a solution, this one can even work for User Portal.

Regards, 

Luciano


This thread was automatically locked due to age.
  • 0
    In remote access -> SSL -> settings you can define which interface is used. Maybe you can select Uplink interfaces so it listens on all interfaces, or you could simply add 2 more configs using the other 2 ISP's interfaces.
    DNS should take care of the distribution of IP-addresses.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0
    Thank you Apij for your answer.

    I am not able to add uplink interface or another interface. It wants just one. Uplink balancing is active.

    Have a look at the picture attached.
  • 0
    Set 'Interface Address: Any' or create a Network Group containing the three "(Address)" objects.

    You could always give folks a second and third configuration if you wanted to use different FQDNs.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Thank you Balfson.

    Here is what I have done. See attachs.

    I tried with Interface group under: Interfaces > New Interface > Group > Inserted both wan int.

    Same thing. 

    I can even add any, but what happen to additional addresses where I have email server published with 443 port for webmail access?
  • 0
    Hi,

    I think the only option is using ANY and change the port to a none used public value like 4430 or so.

    Regards
    Gerald
  • 0
    If no one else have a solution, I try to open a feature request. The port 443 is nice because you can connect to your DC even if you are behind a Firewall(without App. Control). We can even switch to another port, but all the ISP we are going to add, we also need to add their IP address into DNS public zone.
  • 0
    I always recommend using UDP instead of TCP.  That avoids interference with HTTPS and speeds up the VPN tunnel.

    Did you change 'Interface Address' to the "Failover" group?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi Balfson, 

    I am not able to change Interface Address. I can only choose between Interface address but no Network Group or Inter. group. 

    It is strange that I can put any but not Network group.

    Could you try on your Astaro and see if you can add network group?
  • 0
    No it's not possible... therefore you must use ANY...
  • 0
    I've only every used Any, but I'm surprized that the Group wouldn't work.  Thanks for confirming that, Gerald.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML