https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67899#M13880 <P>Dear Mates</P><P>We wish to migrate one of our critical services from TMG to Check point. Most of the services have already been migrated except this one last service.</P><P>Currently, the service has 4 DNS records associated with a single Public IP, the public IP is then NATed internally to a private IP of the TMG Proxy. Taking into account that this service runs on three machines which where put into a pool of a single DNS record internally.</P><P>So the Proxy has a rule like:&nbsp;</P><P>Source: Any</P><P>Destination: DNS record (A single DNS record where all the machines where added)</P><P>Service: http, https</P><P>Action: Accept</P><P>&nbsp;</P><P>How can we translate this configuration in Check Point?</P><P>We are using R80.20.</P><P>&nbsp;</P><P>Thanks in advance</P> Wed, 20 Nov 2019 12:33:45 GMT Di_Junior 2019-11-20T12:33:45Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67899#M13880 <P>Dear Mates</P><P>We wish to migrate one of our critical services from TMG to Check point. Most of the services have already been migrated except this one last service.</P><P>Currently, the service has 4 DNS records associated with a single Public IP, the public IP is then NATed internally to a private IP of the TMG Proxy. Taking into account that this service runs on three machines which where put into a pool of a single DNS record internally.</P><P>So the Proxy has a rule like:&nbsp;</P><P>Source: Any</P><P>Destination: DNS record (A single DNS record where all the machines where added)</P><P>Service: http, https</P><P>Action: Accept</P><P>&nbsp;</P><P>How can we translate this configuration in Check Point?</P><P>We are using R80.20.</P><P>&nbsp;</P><P>Thanks in advance</P> Wed, 20 Nov 2019 12:33:45 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67899#M13880 Di_Junior 2019-11-20T12:33:45Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67905#M13881 So you are using DNS to run round robin load sharing on the webservers.<BR />I don't think this will even work with the use of dynamic objects, as when it is resolved (ie to a internal DNS server with multiple entries), it will cache the result for a certain time, instead of asking for the same DNS entry again for every request.<BR />Next to that this is really a job for a load-balancer. Wed, 20 Nov 2019 12:58:52 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67905#M13881 Maarten_Sjouw 2019-11-20T12:58:52Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67934#M13889 Hi Maarten<BR /><BR />Thanks for your feedback.<BR /><BR />I have been reading about Logical Server objects, and it seems interesting.<BR /><BR />I just have a question, in my situation since the service runs on three machines with internal IPs, and accessible through a single public Ip, I would like to know if its possible to have a network group with the three machines with internal IP, and create e logical server object with the Public Ip? Or the logical server must be in the same subnet of the internal machines.<BR /><BR />Thanks in advance<BR /> Wed, 20 Nov 2019 17:42:44 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/67934#M13889 Di_Junior 2019-11-20T17:42:44Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/68173#M13936 Take a look at this old explanation from R76 - I guess it is still valid as the logical server objects seem to be very old and kinda legacy (like for example "service with resource objects").<BR /><A href="https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6662.htm" target="_blank">https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6662.htm</A> Fri, 22 Nov 2019 21:03:10 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/68173#M13936 Maik 2019-11-22T21:03:10Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/68210#M13945 <P>Di_Junior,</P><P>logical server or „connect control“ is your solution.</P><P>This is Check Points solution for LoadBalancing of incoming connections and is still supported on R80.30.</P><P>You need one external IP and forward them to more then one internal server. The distribution is possible via round robin, failover and some other options.</P><P>Please be aware that you can only define this for IP-addresses not for FQDNs. But as you wrote you have more then one FQDN pointing all to one IP. Alle requests to this IP are then forward as define in your distribution configuration.</P><P>If you want FQDN-A forwarded to internal-IP-A and FQDN-B forwarded to internal-IP-B then connect control is not your solution !</P><P>Wolfgang</P> Sat, 23 Nov 2019 18:45:15 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/68210#M13945 Wolfgang 2019-11-23T18:45:15Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/68394#M13956 Thanks everyone, it seems that Logical Sever will achieve my purpose. I will update you when I am done with the implementation.<BR /><BR />Thanks Mon, 25 Nov 2019 13:58:59 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/68394#M13956 Di_Junior 2019-11-25T13:58:59Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/186350#M31103 <P>Hi dear Wolfgan,</P><P>Can you provide information regarding FQDN forwarding. I am facing this problem and cannot find information. How it should be configured in checkpoint?</P> Thu, 13 Jul 2023 12:02:57 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/186350#M31103 nemezis_rock 2023-07-13T12:02:57Z https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/186370#M31115 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/96959">@nemezis_rock</a>&nbsp;FQDN forwarding can be done with Reverse Proxy feature of the MobileAccessBlade. Be aware there is no GUI to configure this, everything is done via console.</P> <P><A title="Mobile Access Reverse Proxy" href="https://support.checkpoint.com/results/sk/sk110348" target="_blank" rel="noopener">Mobile Access Reverse Proxy</A></P> <P><A title="Mobile Access R81.10 Administration Guide - Reverse Proxy" href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_MobileAccess_AdminGuide/Topics-MABG/Reverse-Proxy.htm" target="_blank" rel="noopener">Mobile Access R81.10 Administration Guide - Reverse Proxy</A></P> Thu, 13 Jul 2023 14:02:53 GMT https://community.checkpoint.com/t5/General-Topics/Publishing-a-service-with-multiple-DNS-records-associated-with-a/m-p/186370#M31115 Wolfgang 2023-07-13T14:02:53Z