
Upgrading from UTM to XG - Allow SSL VPN connections on both and routing remote traffic

We are planning our deployment strategy for upgrading our two UTM boxes in HA to XG.  We have upgraded one to XG and have it configured and ready to test.  Since we allow remote access using the SSL VPN service and will need to redeploy user configurations (XG no longer allows admins to download the client certificates en masse for OpenVPN), we are thinking of running both the UTM and XG boxes in tandem.

We think that this could work fine for testing firewall, needing only a change in gateway configurations to switch between them as the active gateway, but we would like to allow users to continue to connect to the UTM while we deploy the updated SSL VPN configurations for XG.  In practice, we'd have users connecting to one or the other until we confirm that everyone is connecting to the XG for remote access. 

Could this work? A question that has come up is: with the UTM as our default gateway, how is the remote access traffic on the XG routed? Would/should it use the XG as the gateway or the UTM?



This thread was automatically locked due to age.
  • Hello Andrew,

    When the UTM is in HA, the gateway of the UTM and the XG would be the same, so only one ISP can be used for a device. So unless you have a separate connection to your XG firewall and connect to the UTM. So the traffic will be routed via the XG to the UTM, and make sure NAT is applied between the XG and the UTM and then to the devices.


  • Hi Aditya, thanks for the quick response! The UTM was taken out of HA after removing the slave appliance for upgrade to XG.  We do have a secondary ISP we can use for the inbound SSL VPN connections to the XG.  How would the NAT need to be configured? Would routing traffic from the XG remote clients to the UTM create issues with the routes back to the XG remote clients from the LAN zone?

  • Hello Andrew,

    As your network would have one gateway, it is best to have one route. So if the incoming traffic is from the SSL VPN connection on the XG and your main outbound firewall is the UTM, then you would need to configure one port on the UTM and either configure a route between the XG and the UTM or, as the XG would be configured as a gateway, consider a setup where the UTM9 is on the LAN side of the XG and your end devices are on the LAN of the UTM9, and add static routes and firewall rules to allow them. We would like to avoid asymmetric routing at any cost, i.e. the incoming traffic should have the same outbound path to maintain a stateful connection.
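As an added illustration of the asymmetric-routing point in this reply (example code written for this thread, not Sophos's own or the poster's configuration), the script below models the suggested chain, SSL VPN client -> XG -> UTM9 -> LAN, with a tiny longest-prefix-match router and traces both directions of a flow with and without the static route for the VPN pool on the UTM. All addresses, device names and the transit link 172.16.0.0/30 are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical, not from the thread): the XG terminates
# the SSL VPN pool and holds ISP B; the UTM9 sits behind the XG on a transit
# link (172.16.0.0/30) and fronts the LAN with its own ISP A.
VPN_CLIENT, LAN_HOST = "10.81.234.5", "192.168.1.50"
ENDPOINTS = {VPN_CLIENT: "VPN-CLIENT", LAN_HOST: "LAN-HOST"}
FIREWALLS = ("XG", "UTM")

def tables(utm_static_route):
    """Per-device routing tables as (prefix, next hop); 'local' = directly connected."""
    utm = [("172.16.0.0/30", "local"), ("192.168.1.0/24", "local"), ("0.0.0.0/0", "ISP-A")]
    if utm_static_route:  # the static route the reply asks for: VPN pool back via the XG
        utm.insert(0, ("10.81.234.0/24", "XG"))
    return {"XG": [("10.81.234.0/24", "local"), ("172.16.0.0/30", "local"),
                   ("192.168.1.0/24", "UTM"), ("0.0.0.0/0", "ISP-B")],
            "UTM": utm,
            "LAN-HOST": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "UTM")]}

def lookup(table, dst):
    """Longest-prefix match over one table; None when nothing matches."""
    addr = ip_address(dst)
    hits = [(ip_network(p).prefixlen, nh) for p, nh in table if addr in ip_network(p)]
    return max(hits)[1] if hits else None

def trace(rt, start, dst):
    """Follow dst hop by hop from device `start`; returns (devices visited, where it ends)."""
    path, dev = [], start
    while dev in rt:
        path.append(dev)
        nh = lookup(rt[dev], dst)
        if nh == "local":
            return path, ENDPOINTS[dst]
        dev = nh
    return path, dev  # left the modelled network, e.g. out an ISP uplink

def check(utm_static_route):
    """Trace VPN client -> LAN host and its reply; symmetric iff each firewall sees both directions."""
    rt = tables(utm_static_route)
    fwd, fwd_end = trace(rt, "XG", LAN_HOST)
    rev, rev_end = trace(rt, "LAN-HOST", VPN_CLIENT)
    fw_fwd = [d for d in fwd if d in FIREWALLS]
    fw_rev = [d for d in rev if d in FIREWALLS]
    return {"forward": fwd + [fwd_end], "reply": rev + [rev_end],
            "symmetric": fw_fwd == fw_rev[::-1] and rev_end == "VPN-CLIENT"}

if __name__ == "__main__":
    for flag in (False, True):
        print("UTM static route for VPN pool:", flag, check(flag))
```

Without the static route the reply leaves the UTM via ISP A and the XG never sees it, which is the one-directional flow a stateful firewall drops; with it, both firewalls see the same path in reverse.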