Sophos Connect 2.0 - gateway_order clarification

Hey All,

Can anyone clarify how gateway_order works with the new provisioning files ?

Is this the gateway on the XG (i.e. XG will say connect in on X interface IP)?

I'm just trying to figure out how we have the failover functionality in event of a gateway failure as we have customers with dual WAN.



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    The Sophos Connect Client supports multiple gateway configuration, and with the gateway_order, you could specify how the XG firewall will balance the traffic with multiple gateways. In your case, specify both WAN interfaces as a gateway. Sophos Connect Client supports automatic failover to the next firewall WAN link when one link fails.

    Check out this link for more info: Sophos Connect 2.0 is now GA

    gateway_order: 

    Specifies how the XG Firewall balances traffic when multiple gateways are configured.

    Allowed values: distributed, latency, and in_order. XG Firewall acts as follows:

    • distributed: Selects a gateway at random when a connection is attempted.
    • latency: Selects a gateway by how quickly it responds to a TCP connect request.
    • in_order: The first gateway in the list is tried first; if that fails, the next gateway in the list is tried.

    Check out the following document for more info: Sophos Connect provisioning file

    Thanks,

  • Thanks for the reply.

    I have read this and see this info, but it doesn't explain what 'list' of gateways is being used.

    Can we specify multiple gateways within the provisioning file e.g.

    [
        {
            "gateway": "12.34.56.78",
            "gateway": "91.01.12.13",
            "gateway_order": "distributed",
            "user_portal_port": 4433,
            "otp": false,
            "auto_connect_host": "192.168.5.253",
            "can_save_credentials": true,
            "check_remote_availability": false,
            "run_logon_script": true
        }
    ]

    Is that how it would work?

    Also, what is the recommendation for multiple gateways with SSL?

    Is it best to just have round-robin DNS for the VPN address for clients to connect to? I'm just wondering how we handle SSL cert warnings and whether it is possible to avoid them totally with a dual WAN setup on the XG.
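
The two questions above (what the three gateway_order values actually do, and whether repeating the "gateway" key in one profile object gives you two gateways) can be checked with a small model. The following Python is an added example, not Sophos's code and not the real Sophos Connect parser: it reproduces the duplicate-key profile posted above as a constructed string, shows that a standard JSON parser silently keeps only the last "gateway" value (so the first address is lost rather than becoming a second gateway), offers a strict loader that rejects duplicate keys, and simulates the documented in_order / distributed / latency selection over an assumed plain Python list of gateway strings. That list representation, the reachability set and the latency numbers are assumptions for the simulation, not the provisioning file's own syntax.

```python
import json
import random
from collections import Counter

# Constructed provisioning file (not from Sophos): it repeats the "gateway"
# key exactly as in the post above so the checks below can flag it.
DUPLICATE_KEY_PROFILE = """
[
  {
    "gateway": "12.34.56.78",
    "gateway": "91.01.12.13",
    "gateway_order": "distributed",
    "user_portal_port": 4433,
    "otp": false,
    "auto_connect_host": "192.168.5.253",
    "can_save_credentials": true,
    "check_remote_availability": false,
    "run_logon_script": true
  }
]
"""

# Constructed two-profile file using only keys that appear in the thread:
# one profile object per gateway, as the multi-connection example shows.
TWO_PROFILE_FILE = """
[
  {"gateway": "12.34.56.78", "gateway_order": "in_order", "otp": false},
  {"gateway": "91.01.12.13", "gateway_order": "in_order", "otp": false}
]
"""


def lenient_first_gateway(text):
    """What a default JSON parser leaves in "gateway": the LAST value wins,
    so the first address silently disappears instead of becoming gateway #2."""
    return json.loads(text)[0]["gateway"]


def duplicate_keys(text):
    """Return the set of keys repeated inside any object of the file."""
    dups = set()

    def hook(pairs):
        counts = Counter(key for key, _ in pairs)
        dups.update(key for key, n in counts.items() if n > 1)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dups


def _reject_duplicate_keys(pairs):
    """object_pairs_hook that refuses ambiguous objects instead of guessing."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in provisioning object")
        obj[key] = value
    return obj


def load_profiles(text):
    """Strict loader: a provisioning file is a JSON array of profile objects."""
    profiles = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(profiles, list):
        raise ValueError("provisioning file must be a JSON array of profiles")
    return profiles


def select_gateway(gateways, order, reachable, latency_ms=None, seed=None):
    """Simulate the documented gateway_order semantics for ONE profile.

    gateways   : ordered list of hostnames/IPs (assumed representation)
    reachable  : set of gateways that currently answer a TCP connect
    latency_ms : gateway -> measured connect time, used by "latency" only
    Assumption: unreachable gateways are skipped (failover to the next link).
    Returns the chosen gateway, or None when no gateway is reachable.
    """
    candidates = [gw for gw in gateways if gw in reachable]
    if not candidates:
        return None
    if order == "in_order":          # first reachable entry in list order
        return candidates[0]
    if order == "distributed":       # random pick per connection attempt
        return random.Random(seed).choice(candidates)
    if order == "latency":           # fastest TCP connect wins
        return min(candidates, key=lambda gw: latency_ms[gw])
    raise ValueError(f"unknown gateway_order {order!r}")


if __name__ == "__main__":
    print("lenient parser keeps:", lenient_first_gateway(DUPLICATE_KEY_PROFILE))
    print("duplicate keys:", duplicate_keys(DUPLICATE_KEY_PROFILE))
    print("profiles loaded:", len(load_profiles(TWO_PROFILE_FILE)))
    gws = ["12.34.56.78", "91.01.12.13"]
    print("in_order, primary down:", select_gateway(gws, "in_order", {gws[1]}))
```

Running it shows the practical point: the duplicate-key file parses without error but ends up with a single gateway, 91.01.12.13, which is why a lenient import would look "successful" while quietly dropping the primary address.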

  • Great question.  The link above does have this example, but it doesn't include the gateway_order setting:

    Example of multiple connections:
    
    [  
        {  
            "gateway": "<Enter your gateway hostname or IP address>", 
            "user_portal_port": 443, 
            "otp": false, 
            "auto_connect_host": "<Enter internal hostname or IP address>", 
            "can_save_credentials": true, 
            "check_remote_availability": false, 
            "run_logon_script": false 
        },
        {  
            "gateway": "<Enter your gateway hostname or IP address>", 
            "otp": false, 
            "auto_connect_host": "<Enter internal hostname or IP address>",
            "check_remote_availability": false, 
            "run_logon_script": false 
        },
        {
            "gateway": "<Enter your gateway hostname or IP address>",
            "user_portal_port": 9443,
            "can_save": false
        }
    ]

    Have you tried that to see if it works as expected?

  • This will basically import "different" Profiles in one file. 

    So you do not have to push several SCX (Sophos Connect config file) to the Client.

    In such a manner, you can configure IPsec and SSL VPN in one SCX, so it will appear in Sophos Connect as 2 different profiles, which the user can choose.

    (Now my feedback about gateway order; I could not test it.)

    It's about having a VPN connection to an XG with different WAN gateways.

    For example, you have an XG with two different WAN connections and want to prefer the IPsec connection which:

    • distributed: Selects a gateway at random when a connection is attempted.
    • latency: Selects a gateway by how quickly it responds to a TCP connect request.
    • in_order: The first gateway in the list is tried first; if that fails, the next gateway in the list is tried.

    Those criteria will be used to choose a gateway within a profile. 

    It's not about auto failover (SSL VPN to IPsec), for example. This is a story item for later down the road.

  • Hi both, thanks for the replies.

    I had done some testing but not really had much success.

    Essentially, what I was hoping for was one provisioning file which supported 2 connections for one profile.

    e.g. we have an XG firewall, 2 broadband connections (both active) and wanted to have ability where we have SSL VPN users connect in on the primary connection and if this fails, the client will failover to the secondary.

    Is this possible?

    Am I getting the gateway in the provisioning file confused with the gateways on the XG itself?

    Do we need to just deploy 2 profiles - a primary and a secondary?