Allow RED to access the internet line when the Main UTM line is disconnected
This added mode could mean no disruption to branch operations in case the UTM is down due to internet issues and cannot come back up soon enough. Once the RED detects that the UTM is up, it will establish the connection and all traffic can be channelled to the UTM once again.
The RED 10 should stay up and running and serve end users with an internet connection when a connection to the UTM cannot be established. Currently the RED keeps rebooting until the connection to the UTM can be established again, even while the internet connection is fine.
Currently all in-line RED deployment options (Standard/Unified, Standard/Split, Transparent/Split) will fail "closed" when the UTM is unreachable. An option to permit the RED to fail "open" when the UTM is unreachable and allow traffic to the internet (as it does during normal operation with split-tunnel traffic) would greatly reduce dependence upon the central location for businesses that heavily use internet-hosted applications. We can live without the AV & URL filtering for short periods of time.
Jazz Oberoi commented
Hi Guys, Any update on this? This is turning out to be a deal breaker for us as we cannot afford to lose everything behind the RED each time the link between sites goes down. This was the reason we provisioned the remote site with its own File/Print/AD/DNS server; however, that is no longer accessible as soon as the RED goes down!
Not only is internet access not possible, but even the local network doesn't work at all!
It should be possible for the RED to remember important settings during a disconnection and re-establish the tunnel to the UTM when possible, ideally without constant reboots.
For example, there is a server behind the RED and an AP for the LAN, but no one can connect to the Wi-Fi while the connection to the UTM is gone. Not nice!
Daniel Gutierrez commented
When the UTM (ASG) is unavailable (off) the RED device does not work, leaving the branch office without internet access. They are kept in a reboot cycle.
I think the RED devices are able to perform functions that allow internet access for users while they cannot communicate with the UTM. This could be an optional function authorized by the system administrator.
A checkbox for activating this function should be displayed in the RED configuration parameters.
Jean-Francois Anctil commented
I totally agree with "-gf-" on that suggestion. I'm working on a little project that could be achieved with a RED deployment, but the RED staying in "fail-closed mode" when it loses its connection with the ASG is nonsense to me. I don't understand why nobody raised the flag before. Everybody understands why somebody would force the internet traffic to go through the tunnel, but not having an option to use the internet when the tunnel is down (internet connection problems or ASG updates) is a big mistake.
I think RED has potential. Keep your good work on that.
Unfortunately, the 'split' deployments require a second gateway, driving up costs for deployment at scale. It seems that the simplicity of the RED makes it ideal for large-scale, simple, cookie-cutter deployments. The scale of such deployments makes loss of internet access to the central UTM very expensive. There's a contradiction between the stated purpose and the implementation of the REDs.
This may not suit your needs exactly, but please check the Manual/Split deployment setup described here: http://www.sophos.com/en-us/support/knowledgebase/116573.aspx
It will allow a remote network to continue to access the internet if the RED tunnel goes down.