SSL VPN "Overwrite Hostname" with two IPs/Hostnames ?

Hi, today I learned that if you have two or more WAN IPs, both IPs get written into the SSL VPN config file like this:

remote 213.213.213.213 8443
remote 123.123.123.123 8443

These are according to the NICs, so if I have 213.213.213.213 on port 0 and 123.123.123.123 on port 1, the client will try to connect to port 0 first and then, if it is not responding, to port 1. Correct?

Is it possible to enter more than one hostname into the VPN configuration where it says "overwrite hostname"? So I would create two subdomain records, remote1.mydomain.com with the first IP and another called remote2.mydomain.com with the second IP address?

Or do I need to add the second hostname manually to the VPN config file?



  • That is more likely a Dynamic DNS setup. Use DDNS for this and it will get pushed to SSLVPN as well.

  • Hi, thank you for your reply. I'm not sure how DDNS could solve my puzzle.

    We have two fixed IPv4 addresses. Road warriors usually want to dial in from IP1. But when ISP1 is offline they want to be able to dial in using IP2. Now unfortunately we set up IP2 on port 0 and IP1 on port 1 on the XG. Right now, when we don't use "overwrite hostname", both IPs get written to the SSL VPN config file, but IP2 first and IP1 second, due to the hardware setup.

    When we roll out VPN config files now, I simply want to avoid the users dialing into IP2 first and using the (actually productive) IP1 as backup. And the best way would be not to manually edit each config file for each user.

  • You should be able to do this with DNS, I guess. SFOS will replace the IPs in the config with the FQDNs of DDNS. This means, if you have control over both of your DDNS records, you can control which IP is pushed to which position.

  • Tobias would like an automatic solution and not to manually change the A-record in the DNS. Two A-records are useless because only one wins at a time.

    Tobias should open a feature request.

  • There are automatic solutions on the DDNS side to do this.

  • I don't think DDNS is a business solution. Should I actually explain to a major customer that he should use a (free) DDNS account?
    Hopefully this service will still exist in five years; otherwise you have to change all user SSL-VPN configurations. (Okay, a CNAME in DNS solves this problem.)

  • I am not talking about a particular provider, but about the service method. I assume some provider like Route53 by Amazon will be there and is enterprise ready. The service of Google is also next-generation ready.

    PS: I personally think that in 5 years we will be talking about ZTNA only, not VPN anymore.
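The original poster's remaining option is to fix the order of the `remote` lines in each exported profile. This is an added example, not code from the thread or from Sophos; it assumes the exported SSL VPN profile is plain OpenVPN syntax with one `remote <host> <port>` line per WAN address, as quoted in the first post, and that the client tries those lines top to bottom. The sample profile is constructed.

```python
"""Put the preferred WAN address first in an SSL VPN (OpenVPN-format) profile."""
import re
from typing import List

# Matches OpenVPN "remote <host> <port> [proto]" lines; host may be an IP or FQDN.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")

# Constructed sample profile: IP2 (port 0) is listed before IP1 (port 1),
# which is exactly the ordering the thread wants to avoid.
SAMPLE_PROFILE = """client
dev tun
proto tcp
nobind
remote 213.213.213.213 8443
remote 123.123.123.123 8443
"""


def remote_hosts(profile: str) -> List[str]:
    """Return the remote hosts in the order the client will try them."""
    return [m.group(1) for line in profile.splitlines()
            if (m := REMOTE_RE.match(line))]


def prefer_remote(profile: str, preferred: str) -> str:
    """Move the `remote` line for `preferred` to the front of the remote block.

    Every other line, and the relative order of the remaining remotes, is left
    untouched. Raises ValueError if `preferred` is not present, so a typo cannot
    silently produce a profile whose primary endpoint is wrong.
    """
    lines = profile.splitlines()
    remote_idx = [i for i, ln in enumerate(lines) if REMOTE_RE.match(ln)]
    if not remote_idx:
        raise ValueError("profile has no remote lines")
    remotes = [lines[i] for i in remote_idx]
    chosen = [ln for ln in remotes if REMOTE_RE.match(ln).group(1) == preferred]
    if not chosen:
        raise ValueError(f"no remote line for {preferred}")
    reordered = chosen + [ln for ln in remotes if ln not in chosen]
    # Write the reordered remotes back into the slots they originally occupied.
    for i, ln in zip(remote_idx, reordered):
        lines[i] = ln
    return "\n".join(lines) + ("\n" if profile.endswith("\n") else "")


if __name__ == "__main__":
    print(prefer_remote(SAMPLE_PROFILE, "123.123.123.123"))
```

Run over a directory of exported profiles, this puts IP1 first in every file in one pass instead of hand-editing each user's config.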
