adding failover SSL VPN server(s) to the client config?

Is there any way to 'customize' the SSL VPN client config?  It's nice that Sophos bundles the install (S/W as well as cert/key/config), but I haven't found a way to add some directives... specifically, I want to add additional "remote" lines.  I see where the "override hostname" is... I wonder, can we do something like "host1.acme.com; host2.acme.com" and end up with something in the .ovpn file like:

remote host1.acme.com 1194
remote host2.acme.com 1194
resolv-retry 60

Barring that, is there any other possible way to do this?  Other options are 1) instructions for the user to manually edit (but they need local admin), or 2) try to inject into the Sophos .exe/install bundle (have not tried this yet, but even so, as an admin, not sure I have access to this).  Or maybe 3), if the bundle creation (to download via the user portal) is a shell script, I wonder if that can be... "tweaked" (at the first of warranty/support).
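As an added example (not part of this thread and not Sophos code), here is a small script an admin could run centrally on the UTM-exported .ovpn before handing it to users, so nobody needs local admin rights to hand-edit the file. It inserts the extra "remote" lines directly after the existing one, reusing its port and protocol so the original host stays the first choice and the others are fallbacks, replaces any resolv-retry with a single one, copies inline key material through untouched, and runs a few checks an admin would want (no remote-random, which would shuffle the order, and remote-cert-tls server present so every fallback host must still present a server certificate from the same CA). The sample profile, the host names host1.acme.com / host2.acme.com and the certificate text are constructed placeholders.

```python
#!/usr/bin/env python3
"""Add failover 'remote' lines to an exported OpenVPN client profile.

Added example, not Sophos UTM code. Assumes the exported .ovpn has one
'remote <host> <port> [proto]' line and inline <ca>/<cert>/<key> blocks;
the host names used below are placeholders.
"""
import re
from typing import Iterable, List

# Matches "remote vpn.example 1194" or "remote vpn.example 1194 udp"
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")
# Inline key material must be copied through unchanged
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")
OPEN_RE = re.compile(r"^<(%s)>$" % "|".join(INLINE_TAGS))
CLOSE_RE = re.compile(r"^</(%s)>$" % "|".join(INLINE_TAGS))


def add_failover_remotes(profile: str, extra_hosts: Iterable[str],
                         resolv_retry: str = "60") -> str:
    """Return a copy of PROFILE with EXTRA_HOSTS added as further 'remote'
    lines right after the first one (same port/proto), so the original host
    stays the primary and the others are tried in order if it fails.
    Any existing resolv-retry is replaced by exactly one at the end."""
    out: List[str] = []
    in_inline = False
    inserted = False
    for line in profile.splitlines():
        stripped = line.strip()
        if OPEN_RE.match(stripped):
            in_inline = True
        elif CLOSE_RE.match(stripped):
            in_inline = False
            out.append(line)
            continue
        if in_inline:
            out.append(line)          # certificate/key lines: never touched
            continue
        if stripped.startswith("resolv-retry"):
            continue                  # re-added once below
        out.append(line)
        m = REMOTE_RE.match(line)
        if m and not inserted:
            port, proto = m.group(2), m.group(3)
            for host in extra_hosts:
                out.append(f"remote {host} {port}" + (f" {proto}" if proto else ""))
            inserted = True
    if not inserted:
        raise ValueError("profile has no 'remote' line to extend")
    out.append(f"resolv-retry {resolv_retry}")
    return "\n".join(out) + "\n"


def check_profile(profile: str) -> List[str]:
    """Checks an admin would want before distributing the edited file."""
    warnings: List[str] = []
    lines = [l.strip() for l in profile.splitlines()]
    remotes = [l for l in lines if REMOTE_RE.match(l)]
    if len(remotes) < 2:
        warnings.append("fewer than two 'remote' lines: no failover")
    if any(l.startswith("remote-random") for l in lines):
        warnings.append("'remote-random' present: primary/failover order is ignored")
    if "remote-cert-tls server" not in lines:
        warnings.append("missing 'remote-cert-tls server': client will not insist "
                        "that every remote presents a server certificate")
    return warnings


# Constructed stand-in for a UTM-exported profile (certificate is a placeholder).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.acme.com 1194 udp
resolv-retry infinite
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    new_profile = add_failover_remotes(SAMPLE_PROFILE, ["host1.acme.com", "host2.acme.com"])
    print(new_profile)
    for w in check_profile(new_profile):
        print("WARNING:", w)
```

Run it on a real export with the two public host names of the UTM's two circuits; the resulting file is what goes into the bundle or is handed to the user in place of the single-remote original.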



  • G, please tell us what you want to accomplish instead of making suggestions about what you think might work.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Problem definition: I would like some redundancy on our SSL VPN connection (remote access), so that if I have an internet circuit go down, clients can reconnect on a 2nd interface.  The Sophos UTM is listening on two different internet circuits from two different providers; the SSL VPN will work on either.  I would like to add both connections to the client config.  Ideally I could have 1 circuit as the 'primary'/first choice, and the 2nd as a failover.   I also want to avoid, if possible, hand/manually editing the client config (.ovpn).  As it stands now, when the user downloads the 'config' from the user portal, it only has 1 VPN server destination defined.

  • That's not possible with the GUI.

    I use it in my configs too but have to manually edit the .ovpn file for each user.

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Thanks.  I was just hoping there was a work-around or clever hack.  The only way I can think of, minus hand-editing, is to put both IPs in the same DNS A record.  That gives me more of a round-robin dispersal, unless the DNS provider would allow me some options... e.g. primarily respond with host 1, but ping/monitor both hosts, and if ping fails, return host 2.  But DNS is heavily cached, so I'm not going to get the immediate response that a client-config directive will have. 

  • There are DNS services that do exactly what you want, but I think your "free" round-robin approach is a great idea.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA