https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182477#M33456 <P>Yes, this guide is specifically for <STRONG>Scale Sets</STRONG>. Which makes use of the Azure Functions to return the active member's public IP address to the connecting client.</P><P>In case of single gateway, the public IP address associated with the external interface will be used for VPN. And for HA the cluster's public VIP address will be used.</P><P>Reference Architecture:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk109360#" target="_blank">Check Point Reference Architecture for Azure</A></P><P>&nbsp;</P><P>In my case, it's not about the network reachability but the gateway is refusing the connection for "<STRONG>https://&lt;gateway-public-ip&gt;/sslvpn</STRONG>" URL.</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P> Tue, 30 May 2023 07:42:11 GMT chethan_m 2023-05-30T07:42:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182462#M33450 <P>Hi Everyone,</P><P>&nbsp;</P><P>I'm practicing deploying CloudGuard Network Security Solution on Azure Public Cloud and I'm facing connectivity issues with setting up Remote-Access VPN.</P><P>&nbsp;</P><P>On the web-browser, I can see that the gateway is resetting the connection: <STRONG>"It looks like&nbsp;<FONT color="#000000">&lt;GW-Pub-IP-Addr&gt;</FONT>&nbsp;closed the connection</STRONG>&nbsp;-&gt; <STRONG>ERR_CONNECTION_</STRONG><STRONG>CLOSED"&nbsp;</STRONG></P><P>&nbsp;</P><P>The Architecture:</P><UL><LI>CloudGuard Single Gateway deployed with 2 interfaces: eth0 and eth1. The static public IP is assigned to eth0:1 sub-interface.</LI><LI>The SMS is on an on-premise VMware Workstation.</LI><LI>IPsec VPN and Mobile Access VPN blades are enabled on the gateway.</LI></UL><P>&nbsp;</P><P>I followed this SK article: <I><A href="https://support.checkpoint.com/results/sk/sk109360#" target="_blank" rel="noopener">Check Point Reference Architecture for Azure</A></I>. The best practices section speaks about the <STRONG>IPsec VPN, Link Selection Source IP Address&nbsp;settings</STRONG>, where it says to select the private IP address of the gateway's external interface to&nbsp;<SPAN>ensure that the Gateway in the Azure cloud sends encrypted traffic with the source address set to its private IP address.</SPAN></P><P>Is there anything similar to do for Remote Access VPN configuration as well?</P><P>&nbsp;</P><UL><LI>Anti-Spoofing is disabled on both external and internal interfaces.</LI><LI>I suspected there might be a conflict with Web-UI and changed the <STRONG>web ssl-port</STRONG> from 443 to 4434. Even then the issue persists.</LI></UL><P>&nbsp;</P><P>Could anyone help me to know what should I be troubleshooting for, please?</P><P>&nbsp;</P><P>Thank you!&nbsp;</P> Wed, 31 May 2023 09:25:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182462#M33450 chethan_m 2023-05-31T09:25:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182475#M33455 <P>Did you read <A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Content/Topics-Azure-VMSS/Overview.htm#Remote_Access_VPN_..2" target="_blank">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Content/Topics-Azure-VMSS/Overview.htm#Remote_Access_VPN_..2</A> ?</P> Tue, 30 May 2023 06:57:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182475#M33455 G_W_Albrecht 2023-05-30T06:57:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182477#M33456 <P>Yes, this guide is specifically for <STRONG>Scale Sets</STRONG>. Which makes use of the Azure Functions to return the active member's public IP address to the connecting client.</P><P>In case of single gateway, the public IP address associated with the external interface will be used for VPN. And for HA the cluster's public VIP address will be used.</P><P>Reference Architecture:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk109360#" target="_blank">Check Point Reference Architecture for Azure</A></P><P>&nbsp;</P><P>In my case, it's not about the network reachability but the gateway is refusing the connection for "<STRONG>https://&lt;gateway-public-ip&gt;/sslvpn</STRONG>" URL.</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P> Tue, 30 May 2023 07:42:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182477#M33456 chethan_m 2023-05-30T07:42:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182482#M33457 <P>Better contact CP TAC - MAB is supported with Azure, but i did not find any special configuration hints. Changing the WebUI port should not be needed as MAB uses the path /sslvpn for access (MultiPortal feature).</P> Tue, 30 May 2023 08:34:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182482#M33457 G_W_Albrecht 2023-05-30T08:34:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182658#M33494 <P>The solution to my problem was found here (sk115732):&nbsp;<A href="https://support.checkpoint.com/results/sk/sk115732" target="_blank" rel="noopener">Unable to connect to Gaia Portal on port 443 (checkpoint.com)</A></P> Wed, 31 May 2023 09:26:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CloudGuard-Remote-Access-SSL-VPN-Connectivity-Issues/m-p/182658#M33494 chethan_m 2023-05-31T09:26:23Z