
Move SSL VPN from one UTM to another

Hi,

We have a UTM 220 that is currently used for SSL VPN for about 30 users with about 10 using it concurrently.

We have purchased a new UTM 220 and are setting it up from scratch (it was the easiest way to redo all the rules and get the config in shape). The plan is to wipe the old one when finished and set them both up in high availability.

They have different hostnames.

I want to move the users from the first UTM to the second UTM but would like to not have to get the users to do anything as it is a support nightmare.

Could I just change the DNS record for the old UTM to point at the IP of the new UTM? I would imagine that all the certificates will be wrong.

Does anyone have a way I can move users over without them knowing?

Thanks


  • Vilic, this is known behavior, and, although I won't insist on calling it a bug, it certainly is a quirk. ;)

    Instead of using the built-in AD Groups*, create a new Security Group in AD called "SSL VPN Users" and add the desired members to it there.  Then, in WebAdmin, use the above to create a new Backend Group based on "SSL VPN Users."  Better luck with that?

    Cheers - Bob

    * See #6 in Rulz.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Instead of using the built-in AD Groups*, create a new Security Group in AD called "SSL VPN Users" and add the desired members to it there.  Then, in WebAdmin, use the above to create a new Backend Group based on "SSL VPN Users."  Better luck with that?


    Yes, it worked after that; you should update your rule no. 6 with that info too. :)

    Just as an experiment, I've tried to trick the UTM by creating a new AD Global Security group called "UTM Prefetch" and then nesting "Domain Users" into it, with no luck:


    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Connecting to ldap server
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: ldap server: ldap://172.16.1.1:389
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Context 'CN=UTM Prefetch,OU=Korisnici,DC=lab,DC=internal' is a group. Adding group members:
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]:    CN=Domain Users,CN=Users,DC=lab,DC=internal
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: ------------------------------------------------------------
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Performing ldap search:
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]:    searching  'CN=Domain Users,CN=Users,DC=lab,DC=internal'
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Ldap search returned 0 users
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Search time: 0m 0s
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: ------------------------------------------------------------
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Adding/updating users
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: ------------------------------------------------------------
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: 0 user objects were found:
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]:    0 users were created
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]:    0 users were updated
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]:    0 users are authenticated locally.
    2014:08:19-18:34:43 lab-gw1 user_prefetch[4413]: Overall time: 0m 0s
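The prefetch log above shows the UTM expanding the nested group by following its `member` attribute, then searching `CN=Domain Users` and getting 0 users back. One well-known Active Directory property explains that result: a user's membership in their primary group (Domain Users, RID 513, by default) is stored on the user object as `primaryGroupID`, not in the group's `member` attribute, so a `member`-only expansion of Domain Users is empty. The script below is an added example, not code from the thread or from Sophos: it simulates both a `member`-only resolver (the behaviour the log shows) and one that also honours `primaryGroupID`, over a small constructed in-memory directory that reuses the DNs from the log. The entries, users, RIDs and attribute values are all constructed sample data; how the UTM prefetch is actually implemented is an assumption drawn only from the log lines.

```python
"""
Added example (not from the Sophos thread or Sophos code): simulate why a
nested-group prefetch that only follows 'member' yields 0 users for Domain
Users, and how a resolver that also honours primaryGroupID differs.
All directory entries below are constructed sample data.
"""
from typing import Dict, List, Set

# Constructed in-memory directory keyed by DN. In AD, membership in a user's
# primary group (Domain Users by default, RID 513) is recorded on the user as
# primaryGroupID; the group's own 'member' attribute does not list them.
DIRECTORY: Dict[str, dict] = {
    "CN=UTM Prefetch,OU=Korisnici,DC=lab,DC=internal": {
        "objectClass": ["group"],
        "member": ["CN=Domain Users,CN=Users,DC=lab,DC=internal"],
        "primaryGroupToken": 1101,  # constructed RID
    },
    "CN=Domain Users,CN=Users,DC=lab,DC=internal": {
        "objectClass": ["group"],
        "member": [],  # empty: membership is implied via users' primaryGroupID
        "primaryGroupToken": 513,
    },
    "CN=SSL VPN Users,OU=Korisnici,DC=lab,DC=internal": {
        "objectClass": ["group"],
        "member": ["CN=Alice,OU=Korisnici,DC=lab,DC=internal"],
        "primaryGroupToken": 1102,  # constructed RID
    },
    "CN=Alice,OU=Korisnici,DC=lab,DC=internal": {
        "objectClass": ["user"], "sAMAccountName": "alice", "primaryGroupID": 513,
    },
    "CN=Bob,OU=Korisnici,DC=lab,DC=internal": {
        "objectClass": ["user"], "sAMAccountName": "bob", "primaryGroupID": 513,
    },
}


def is_user(entry: dict) -> bool:
    return "user" in entry["objectClass"]


def is_group(entry: dict) -> bool:
    return "group" in entry["objectClass"]


def members_via_member_attr(group_dn: str) -> List[str]:
    """Resolver that only follows 'member', recursing into nested groups.
    This mirrors what the prefetch log shows: Domain Users -> 0 users."""
    users: List[str] = []
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:          # guard against circular nesting
            continue
        seen.add(dn)
        entry = DIRECTORY.get(dn)
        if entry is None:
            continue
        if is_user(entry):
            users.append(entry["sAMAccountName"])
        elif is_group(entry):
            stack.extend(entry["member"])
    return sorted(users)


def members_with_primary_group(group_dn: str) -> List[str]:
    """Resolver that additionally counts every user whose primaryGroupID equals
    the RID (primaryGroupToken) of the group or of any nested group."""
    users = set(members_via_member_attr(group_dn))
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = DIRECTORY.get(dn)
        if entry is None or not is_group(entry):
            continue
        token = entry["primaryGroupToken"]
        for e in DIRECTORY.values():
            if is_user(e) and e.get("primaryGroupID") == token:
                users.add(e["sAMAccountName"])
        # only descend into nested groups; users were handled above
        for m in entry["member"]:
            child = DIRECTORY.get(m)
            if child is not None and is_group(child):
                stack.append(m)
    return sorted(users)


if __name__ == "__main__":
    for dn in DIRECTORY:
        if is_group(DIRECTORY[dn]):
            print(dn)
            print("  member-only   :", members_via_member_attr(dn))
            print("  +primaryGroup :", members_with_primary_group(dn))
```

Run against the constructed data, the `member`-only resolver returns no users for both "UTM Prefetch" and "Domain Users" (matching the `Ldap search returned 0 users` line), while a dedicated group such as "SSL VPN Users" with explicit `member` entries resolves normally, which is why Bob's advice to populate a purpose-built security group works regardless of how the prefetch treats primary groups.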