SAML configuration for multiple SSL VPNs

Hello fellow Watchguarders!

I am having a bit of a struggle configuring our SSLVPN to use SAML in EntraID.

I have 3 FWs, all of which are accepting SSL VPN connections. Call them VPN1, VPN2 and VPN3 for this example. All of them work perfectly with SAML when you connect to them directly.

However, it's a little more complicated. Our users connect to 'VPN.ourcompany.com', which then does a DNS round robin and connects to the first of the three VPNs that responds. It works pretty well with standard RADIUS and we find it load balances well.

If I try this with SAML authentication, I enter my username, password and MFA and then I get a "403 Forbidden" error. I am guessing it's because the response is coming back from VPN1, VPN2 or VPN3 and it is expecting a response from VPN.

I have tried putting all three of the server URLs in the reply field within the single sign-on config in EntraID, but I think I need to have all of the certificates from all 3 servers available for a valid response. The Enterprise app only allows 1 active token in the config.

Has anyone else managed to get SAML working in a similar setup?
I have contacted support already, who have said that they do not have any ideas how to work around this.

Happy to try anything! Thanks in advance.
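To show why a single round-robin name can trip SAML where RADIUS does not, here is an added example (not the thread's or WatchGuard's code) that models the checks a firewall acting as the SAML Service Provider applies to the Response it receives: Destination, InResponseTo and Audience. It assumes, as the poster guesses, that the 403 comes from such a mismatch; the hostnames are the thread's placeholders and the URL paths are invented.

```python
# Added example (not the thread's or WatchGuard's code): the SP-side checks a
# firewall applies to a SAML Response; hostnames from the thread, paths assumed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass(frozen=True)
class ServiceProvider:
    entity_id: str   # Audience the SP expects inside the assertion
    acs_url: str     # Destination the SP expects on the Response

def validate_response(sp, response_xml, outstanding_request_id):
    """Return (accepted, reason); signature verification is omitted here."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != sp.acs_url:
        return False, f"Destination {root.get('Destination')} is not {sp.acs_url}"
    if root.get("InResponseTo") != outstanding_request_id:
        return False, "InResponseTo matches no AuthnRequest issued by this SP"
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp.entity_id:
        return False, f"Audience is not {sp.entity_id}"
    return True, "ok"

def sample_response(destination, audience, in_response_to):
    # Constructed, unsigned sample; a real Response carries a Signature element.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" Destination="{destination}" InResponseTo="{in_response_to}">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

# Single Entra enterprise app registered for the round-robin name only.
IDP_REPLY_URL = "https://vpn.ourcompany.com/auth/saml"
IDP_AUDIENCE = "https://vpn.ourcompany.com/auth/saml/metadata"
# The firewall that actually answered the round-robin lookup.
VPN1 = ServiceProvider("https://vpn1.ourcompany.com/auth/saml/metadata",
                       "https://vpn1.ourcompany.com/auth/saml")

def round_robin_case():
    # VPN1 issued the AuthnRequest, but the IdP addresses its Response to 'vpn'.
    return validate_response(VPN1, sample_response(IDP_REPLY_URL, IDP_AUDIENCE, "_req1"), "_req1")

def per_firewall_case():
    # A dedicated registration per firewall: Destination and Audience both match.
    return validate_response(VPN1, sample_response(VPN1.acs_url, VPN1.entity_id, "_req1"), "_req1")
```

The strict checks are what keeps a Response minted for one SP from being replayed to another, so the fix is a separate registration per firewall rather than relaxing them.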

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @SmoothOperator
    I'm not entirely sure what you're doing will work, as the actual SSLVPN connection happens via whatever is in the primary field in your SSLVPN config.

    -If 'vpn.ourcompany.com' is there, every time the client PC does a lookup, the address may come back different, which may cause the SSLVPN client to behave erratically as it will be randomly trying to connect to other firewalls.

    -If 'vpn1/2/3.ourcompany.com' or an IP address is there, the users will probably just cache whatever one they attached to first, and you won't actually be load balancing.

    If SAML auth exists, that will be session based, and trying to connect to another firewall mid-session will probably break this. The SAML you're connecting to would need to be aware of and compensate for this.

    In addition, the SSLVPN client would also need to be aware of this to either sticky the connection to one server or be aware/able to move the session from one firewall to another. There is currently no mechanism to do this.

    Considering that the SSLVPN is designed to connect a client PC to a firewall, it's unlikely that a feature request would be accepted to enable something like this. If you're looking for redundancy, WatchGuard's FireCloud may be a better fit for your use case. You can find more about that here:
    https://www.watchguard.com/wgrd-products/sase/firecloud-internet-access

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson , thank you for your response.

    I had a feeling that would be the response. I think I am trying to do something that just isn't going to work; shame, as it's worked great with RADIUS and still does alongside the new SAML config. But like you say, and as I suspected, the client will want a response back from 'vpn.ourcompany.com' and not individual hostnames.

    I will take a look at the FireCloud solution and see if we can work that in somewhere. Thank you for your time!
