12-06-2022 08:46 AM
Hello, we have a pair of FTDs between an on-prem data center and Azure and would like to use DNS round-robin to load balance the client VPN connections between the pair of FTDs. The DNS name obviously would have a single A record pointing vpn.domain.com to the two different FTDs' outside interfaces. The tricky part is that we use Okta for SAML authentication and the FTDs are configured to use "VPN client embedded browser." I have spoken to Okta, but they aren't clear whether this would work, since I need to configure two different FTDs with the same DNS name in Okta's SAML config. In that case, does Okta return responses back to the correct FTD?
Please advise, thank you.
12-07-2022 05:26 AM - edited 12-07-2022 05:31 AM
Hi @ronnie.shih,
I'm not sure whether it would work or not, but it is worth trying. I would advise using a recursive DNS lookup instead. Your FTD devices should have their own DNS records, e.g. vpn1.domain.com and vpn2.domain.com. There should be a third DNS record, vpn.domain.com, which clients would try to reach, and which would resolve via round-robin to vpn1.domain.com and vpn2.domain.com.
This way, each FTD device can identify itself uniquely to Azure, and your clients would still be able to use a single DNS record. Of course, your devices must have certificates for both domains, the common DNS one and the local one (e.g. vpn.domain.com and vpn1.domain.com). Also, each device must accept connections on both vpn.domain.com and vpn1.domain.com.
I never tried this, and I always use VPN load balancing in such cases (which works on a similar principle). I've configured VPN load balancing on ASA SW, and never on FTD, but I found this great guide, so you might want to try this too, and make sure you go through the Configuring VPN Load Balancing config guide.
Kind regards,
Milos
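The design in the reply above (a shared round-robin name plus a host-specific name per FTD, with each device's certificate covering both) has a few places to get wrong: a head-end address with no host-specific name, or a certificate whose SAN list misses one of the two names. The following is an added example, not code from the thread or from Cisco, that checks those conditions offline against a constructed zone and constructed SAN lists; the names vpn.domain.com, vpn1.domain.com, vpn2.domain.com and the 203.0.113.x addresses are placeholders, and wildcard SAN matching follows the usual single-left-label rule.

```python
"""Offline sanity check for the two-tier DNS / certificate layout.

Added example for this thread; nothing here is real infrastructure.
Assumptions (all constructed):
  - vpn.domain.com round-robins to the outside IPs of two head-ends
  - each head-end has its own name (vpn1 / vpn2) resolving to its IP
  - each head-end's certificate SAN must cover BOTH the shared name
    and its own host-specific name (a wildcard *.domain.com counts)
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for the DNS zone: name -> list of A records.
ZONE: dict[str, list[str]] = {
    "vpn.domain.com": ["203.0.113.10", "203.0.113.20"],  # round-robin record
    "vpn1.domain.com": ["203.0.113.10"],
    "vpn2.domain.com": ["203.0.113.20"],
}

# Constructed stand-in for the SAN list each head-end presents.
# The second head-end is deliberately missing its host-specific name.
CERT_SANS: dict[str, list[str]] = {
    "203.0.113.10": ["vpn.domain.com", "vpn1.domain.com"],
    "203.0.113.20": ["vpn.domain.com"],
}


@dataclass
class Finding:
    """Result for one address behind the shared name."""
    ip: str
    host_name: str | None
    problems: list[str] = field(default_factory=list)


def san_matches(name: str, san: str) -> bool:
    """True if a SAN entry covers a hostname.

    Exact match, or a wildcard whose '*' replaces exactly one left-most
    label (so '*.domain.com' covers vpn1.domain.com but not domain.com
    or a.b.domain.com).
    """
    name = name.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        n_labels = name.split(".")
        s_labels = san.split(".")
        return len(n_labels) == len(s_labels) and n_labels[1:] == s_labels[1:]
    return name == san


def covered(name: str, sans: list[str]) -> bool:
    """True if any SAN entry covers the given name."""
    return any(san_matches(name, s) for s in sans)


def host_names_for(ip: str, zone: dict[str, list[str]], shared: str) -> list[str]:
    """Host-specific names (everything except the shared name) resolving to ip."""
    return [n for n, addrs in zone.items() if n != shared and ip in addrs]


def check_design(shared: str, zone: dict[str, list[str]],
                 sans: dict[str, list[str]]) -> list[Finding]:
    """Walk every address behind the shared name and collect problems."""
    findings: list[Finding] = []
    for ip in zone.get(shared, []):
        specific = host_names_for(ip, zone, shared)
        f = Finding(ip=ip, host_name=specific[0] if specific else None)
        if not specific:
            f.problems.append("no host-specific DNS name resolves to this address")
        cert = sans.get(ip, [])
        if not covered(shared, cert):
            f.problems.append(f"certificate SAN lacks shared name {shared}")
        for name in specific:
            if not covered(name, cert):
                f.problems.append(f"certificate SAN lacks host name {name}")
        findings.append(f)
    return findings


def design_ok(findings: list[Finding]) -> bool:
    """True only when every head-end passed all checks."""
    return all(not f.problems for f in findings)


if __name__ == "__main__":
    for f in check_design("vpn.domain.com", ZONE, CERT_SANS):
        status = "OK" if not f.problems else "; ".join(f.problems)
        print(f"{f.ip} ({f.host_name}): {status}")
```

Swap the constructed ZONE and CERT_SANS for the answers you actually get back (a resolver query for the shared name, and the SAN list read off each head-end's certificate) and the same checks apply; the wildcard rule is there because a `*.domain.com` certificate is the usual way to satisfy the "both names" requirement with one cert per device.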
12-07-2022 05:55 AM
Thank you for your response. I believe I just need to try this out and see what breaks.
The last paragraph you mentioned actually refers to AnyConnect VPN load balancing in the same layer 2 network, which means load balancing AnyConnect connections across several FTD units in a load balancing group in networks stitched together at layer 2. We are looking to load balance AnyConnect connections between an on-prem data center and Azure, while using SAML authentication. So this scenario does not apply to us.