topic Re: Remote Access VPN in a Load-sharing Cluster Environment in General Topics

Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Sun, 23 Sep 2018 12:45:32 GMT

Dear Mates

I hope you are doing fine.

I started working as Check Point admin of a large corporation, and my first challenge is to migrate our Remote Access VPN from one vendor that we are currently using to Check Point Remote Access VPN solution. I have implemented Remote Access VPNs in simple environments with a single gateway and Management server, but I now have to implement it in a much complex environment, thats why I need a hand. The diagram bellow gives an high-level overview of our infrastructure.

Based on the diagram above, I would like to have your help with regards to the following questions:

1. Do I have to buy remote access VPN (mobile access) for both clusters (Internal and external)? if yes why? if not why?

2. Since the clusters are operating in Load-sharing unicast, do I have to activate Sticky Decision Function in cluster properties? if yes why? if no why?

3. Should Sticky Decision Function be activated on both clusters (Internal and External)?if yes why? if no why?

4. Is there any documentation or SK you would recommend for implementation of Remote Access VPN in similar environment? or maybe share your experience if you have worked on similar environment.

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Sun, 23 Sep 2018 13:13:33 GMT

You need the Mobile Access licenses only for the cluster on which RA VPN connections will be terminated.

If your External cluster is in a full routing mode, then that the one that will need mobile access licenses.

If your External cluster is in the transparent bridge mode, you'll have to use licenses on the Internal cluster.

If your clusters are indeed consist of two simple gateways, there is no benefit from load sharing being enabled, just complications. I.e. you are still limited to the 50% capacity on each cluster member, otherwise, if one of the members will fail, the other will be overloaded.

Load sharing makes sense if: 1. you have 3+ gateways, 2. you are planning to expand the existing cluster in a foreseeable future.

I seldom see the #2, as once cluster deployed, the hardware tend to go towards obsolescence relatively fast and it is hard to justify buying identical units down the road. This may be different with scalable platforms, but I have no experience working with those.

If you are planning to use SSL Network Extender, you'l have to use Sticky Decisions, see Mobile Access R80.10 Administration Guide and search for "cluster".

Cheers,

Vladimir

Re: Remote Access VPN in a Load-sharing Cluster Environment

Danny — Sun, 23 Sep 2018 16:06:02 GMT

1. You needed to buy Mobile Access licenses only for the cluster that will provide this functionality, ideally this would be your external cluster.

2. Mobile Access in Load Sharing Clusters automatically enables SDF (Sticky mode), which disables SecureXL > Read: ClusterXL Load Sharing mode limitations and important notes and Which features are not supported when the Sticky Decision Function (SDF) is enabled in ClusterXL object?

3. See 2. It will be automatically enabled on the MOB cluster. You don't need to enable it on the other one.

4. You have a much bigger issue mate. Clusters with less than three or more than four cluster members are not recommended for Load Sharing mode.

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Sun, 23 Sep 2018 17:03:09 GMT

Thanks for the great inputs you shared., it will definetely be very helpful

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Sun, 23 Sep 2018 17:04:55 GMT

Thanks for your contribution Danny Yang 的部落格. it will be very helpful.

can you please share the link you wanted to share in point 4.

Regards

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Mon, 24 Sep 2018 14:50:34 GMT

Hi Mates,

I have managed to get the Remote Access VPN working with the licences on the external cluster, but I am facing a little challenge. The remote clients are only able to communicate with the operation & Management interfaces of the Gateways and Management, not the rest of the network. In the Destination side of the access rule I am using "Any" which means I should be able to reach any network behind the gateway (which is not happening): Any hints on how I could overcome this.

Thanks in advance

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Mon, 24 Sep 2018 15:01:21 GMT

Check what you have defined in your Encryption Domain and your Encryption Domain for Remote Access as well as what is defined in the topology of your gateways.

Additionally, you may be NATting the outbound traffic behind external IP of your internal cluster.

If this is the case, you should stop doing that and route networks to the external cluster unchanged, leaving NAT duties to it.

Check the routing from external cluster to internal network before troubleshooting VPN.

Your Remote Clients are likely getting IPs assigned from the "CP_default_Office_Mode_addresses_pool" network object on the external cluster.

Make sure that it is routed into and out of your internal cluster and networks and is included in the security policy applied to your internal cluster.

Cheers,

Vladimir

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Mon, 24 Sep 2018 16:06:28 GMT

Hi Vladmir,

Thanks for your prompt reply and help.

I have changed the office-mode pool address to an address that will not have conflict in our internal network.

I changed the Encryption Domain, and now I get routes to all the operations and Magement IP addresses. Thanks for your help.

I can ping the internal hosts through their O&M interfaces and I get replies successfully. But when I try to RDP an internal server, the connection goes to the Clean-up rule. (see bellow image)

Any thoughts as to how this could be overcomed.

Thanks for your great comments.

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Mon, 24 Sep 2018 16:10:46 GMT

"Make sure that it is routed into and out of your internal cluster and networks and is included in the security policy applied to your internal cluster"

Could you elaborate on this.? Thanks

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Mon, 24 Sep 2018 16:14:10 GMT

Well, besides the obvious, "Have you created the rule permitting RDP from this source to this destination", the "Information field in the event you are showing contains:

Inzone: External

Outzone: External

Please check the topology and verify that the Pool's IP is included in the Internal cluster's "External" manually defined group. That there is a route in Gaia configs of both members pointing Pool's network to your External cluster's vIP and your internal networks are define behind Internal interfaces topology in both, external and Internal clusters objects.

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Mon, 24 Sep 2018 16:25:30 GMT

Your internal GWs should know that the Pool's range is on its external interface.

Your security policy should permit communication between Pool's range and your internal hosts that you are trying to connect to.

Your External Cluster's Internal interface topology should contain the same networks that are defined behind your Internal Cluster's Internal interface (in addition to intermediate network between internal and external clusters), else they will be treated as spoofed.

While you do have route 0 on your internal cluster members that should route your internal hosts to the Pool's range, I'd personally feel better adding explicit route for the Pool, pointing to the External Cluster's internal vIP.

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Fri, 28 Sep 2018 10:57:24 GMT

@Vladimir Yakovlev I would like to thank you for all your inputs during this migration process. Thanks to your contribution I got everthing up and running.

On behalf of my company, I thank you.

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Fri, 28 Sep 2018 12:56:14 GMT

You are quite w:)lcome!

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Fri, 28 Sep 2018 13:29:31 GMT

Thank you.

I have one more question for you before closing this thread.

I dont want our partners to connect to our VPN and get the message that the certificate is not trusted.

Would you kindly recommend which type of certificate has to be paid in order to overcome this situation? Since we have two different sites, do we have to buy two certificates or one should suffice.

Once again, thank you again

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Fri, 21 Jun 2019 09:15:53 GMT

Any trusted CA cert would work.

GoDady is now the cheapest and most common source for the certs.

Please follow this post by Gaurav Pandya‌ to issue a CSR for the upload to the CA and the installation of the certificate:

https://community.checkpoint.com/docs/DOC-2732-create-csr-and-importing-third-part-certificate-in-mobile-access-blade

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Fri, 28 Sep 2018 13:43:40 GMT

Thank you...

Re: Remote Access VPN in a Load-sharing Cluster Environment

Vladimir — Fri, 28 Sep 2018 17:03:29 GMT

If it is not too much trouble, please leave a brief feedback on my LinkedIn page:

https://www.linkedin.com/in/vladimiry/

We are ramping-up our services and all positive references are appreciated.

Regards,

Vladimir

Re: Remote Access VPN in a Load-sharing Cluster Environment

_Val_ — Fri, 28 Sep 2018 17:08:09 GMT

Why or why people are still using Load Sharing mode?

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Fri, 28 Sep 2018 17:11:54 GMT

Not a trouble at all. Please accept my request so that I can recommend.

https://www.linkedin.com/in/dialungana-malungo-50321998/

Re: Remote Access VPN in a Load-sharing Cluster Environment

Di_Junior — Fri, 28 Sep 2018 17:14:42 GMT

Hi @Valeri Loukine I just took over as the Check Point Administrator in the company. And ny good recommendation that I can get is welcomed. I hold a CCSE certification but I do not have much experience as this is my first job as the CP admin. Is there any documentation that you would suggest which can give more information as to why Load sharing should not be used.

Thanks in advance