
SOPHOS UTM 9 | Activate RED Service without internet Connection

Is there any possibility to activate the RED Service on a UTM without an internet connection? I read an article for RED devices where a boot with a USB stick is possible. I have already created the provisioning profile on the central firewall.

At the moment the system is connected via IPsec, but we need to change it because we need to use OSPF routing.



  • I don't understand why you need to do that. If the corresponding device of the RED device has no internet connection, the RED is not working.

    What is your current scenario? Which system is connected via IPSEC? What is your rollout scenario?

  • The scenario is the following:

    Headquarters:

    Sophos UTM with an activated RED Service which has only a connection to MPLS, so no internet access available.

    Sites:

    Sophos UTM with no activated RED Service, connected to MPLS with the headquarters.

    So atm the site is connected via IPsec tunnel to the headquarters, but I want to use the RED connection with a separate interface to get the routing over OSPF.

    If you need more information, let me know.

  • Hello Christian,

    so you are encrypting your MPLS traffic as well and want to switch from IPsec to Layer 2 tunneling ...

    As our MPLS provider is a daughter company, we are not doing this. According to them, 95% of their customers are not doing encryption on top of MPLS, but of course if you want to be 100% sure that your provider is not able to look into your traffic you need to do this.

    This seems to be rather complicated and probably you should talk to Sophos.

    But maybe this works: Define for the REDs a UTM hostname that belongs to an interface that connects to the internet. Define a 2nd UTM hostname that is your MPLS interface on the headquarters. Configure it to do a failover (from internet -> MPLS). Configure the device on the internet and then connect it to the MPLS.

    One question off topic: Did you do any measurements comparing the throughput and latency of the network when using MPLS - RED (Layer 2) - IPsec? Are your remote sites worldwide or nearby?

    Best regards,

    Bernd

  • Hi, Christian, and welcome to the UTM Community!

    If I'm wrong in my impression that you want to connect UTMs in two separate locations with a VPN running over MPLS, then the following won't help you. If my understanding is correct, you have two possible solutions:

    1. Bind the IPsec connection to the MPLS interface. Here's a description of failover with two IPsec tunnels, but the principle is the same with one tunnel and one regular Internet connection: Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE). (For others that don't read German like Christian can, the guide is well documented with pictures of all settings with WebAdmin in English.)
    2. I think you're confusing RED devices with a RED tunnel between two UTMs. You can very easily create a RED server in one UTM, download the client from the UTM and then upload it into the other UTM.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA