https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31173#M13997 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I did try the mentioned SK but it did not work.</P><P>You could create a package in SCCM where you have to stop the Checkpoint Endpoint Connect Services and then change the trac.config.</P><P>This is nearly the same as upgrading to a new version or kill and recreate the Site with trac.exe.</P><P>It would be realy great if the Clients would also update their policy in the secure Network as they did with SecureClient.</P><P>The biggest problem are users, which didn't connect to the Site for months and do not have the actual policy.</P><P>If you try to do a trac.exe update it says you are in the internal network and do not need a connection.</P><P></P><P>Best regards,</P><P></P><P>Jan</P></BODY></HTML> Fri, 21 Sep 2018 05:44:45 GMT Jan_Kleinhans 2018-09-21T05:44:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31167#M13991 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>we have to change our WAN IP.</P><P>How do we configure the distributed Endpoint Security VPN-Clients?</P><P>I have tried to use the options:</P><P>enable_gw_resolving = true</P><P>automatic_mep_topology="false"</P><P>mep_mode="dns_based"</P><P></P><P>and changed the dns entry for our site but it always connects to the old IP and do not try to establish a link to the new ip.</P><P></P><P>Another try where it seems to work is,</P><P>enable_gw_resolving = true</P><P>automatic_mep_topology="false"</P><P>mep_mode="primary_backup"</P><P>ips_of_gws_in_mep="ip_old&amp;#ip_new&amp;#"</P><P></P><P>This seems to work (tried routing the old ip to blackhole and see connections to the new ip). But how do I get the configuration to clients not connecting frequently.</P><P>Is the only way to publish a new client with a new configuration?</P><P>The problem is, that we have 2 different authentication methods configured. If we deploy a new client with a new configuration, the users have to manualy change the authentication method.</P><P>I tried to run "trac.exe update" from inside the network. But it only says that the ressources are already available an does not update its configuration from trac_default.ttm.</P><P></P><P>Has anybody that migrated to another ip with Endpoint Security Clients a tip?</P><P></P><P>Greetings,</P><P></P><P>Jan</P></BODY></HTML> Wed, 21 Feb 2018 07:28:19 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31167#M13991 Jan_Kleinhans 2018-02-21T07:28:19Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31168#M13992 <HTML><HEAD></HEAD><BODY><P>I assume your users can delete/re-add the site?</P><P>That requires users doing something manually, of course, but it's an option.</P></BODY></HTML> Thu, 22 Feb 2018 23:07:20 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31168#M13992 PhoneBoy 2018-02-22T23:07:20Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31169#M13993 <HTML><HEAD></HEAD><BODY><P>Hi Jan,</P><P></P><P>Did you change the entry in the DNS server on the network you are connecting from?</P><P></P><P>In NSLOOKUP do you see the new IP?</P><P></P><P></P><P></P><P>Thanks,</P><P>Adi</P></BODY></HTML> Mon, 26 Feb 2018 08:45:40 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31169#M13993 Adi_Babai 2018-02-26T08:45:40Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31170#M13994 <HTML><HEAD></HEAD><BODY><P>I changed the DNS Entry on the local DNS Server on a remote network.</P><P>I could do a nslookup with the new ip address.</P><P>But I did not see a connection try to the new ip address in a tcpdump on the router.</P><P></P><P>We are now deploying a new configuration with primary and secondary MEP.</P><P>I hope that this will work when we change the IP.</P><P></P><P>Thanks,</P><P></P><P>Jan</P></BODY></HTML> Mon, 26 Feb 2018 09:10:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31170#M13994 Jan_Kleinhans 2018-02-26T09:10:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31171#M13995 <HTML><HEAD></HEAD><BODY><P>We did it by deinstalling and installing the Client with SCCM and added the site by trac.exe. It does work but it is not a realy good way.</P><P>When you create the Site, there is no downloading of the Sites policy until the user connects the first time.</P><P>So Location Awareness does not work and the users always get the SDL Popup.</P><P></P><P>In the past, the old SecureClient fetched the policy when creating the site.</P><P></P><P>Jan</P></BODY></HTML> Thu, 22 Mar 2018 14:29:25 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31171#M13995 Jan_Kleinhans 2018-03-22T14:29:25Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31172#M13996 <HTML><HEAD></HEAD><BODY><P>I researched migration options for RA VPN and stumbled over this thread. </P><P>Jan, regarding the problem that you faced with the DNS change not making a difference to the IP the clients connected to, I think this SK might resolve the problem:</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103440" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103440">How to force Remote Access VPN Client to resolve DNS name of VPN Site at every connection</A>&nbsp;</P><P></P><P>Would the only thing required for an IP address migration not just be to push a new trac.config file with SCCM to all clients rather than reinstallation? I understand Jan's problem is now resolved but I wanted to continue the discussion on this matter in case anyone is interested.</P></BODY></HTML> Mon, 17 Sep 2018 13:40:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31172#M13996 Albert_Wilkes 2018-09-17T13:40:12Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31173#M13997 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I did try the mentioned SK but it did not work.</P><P>You could create a package in SCCM where you have to stop the Checkpoint Endpoint Connect Services and then change the trac.config.</P><P>This is nearly the same as upgrading to a new version or kill and recreate the Site with trac.exe.</P><P>It would be realy great if the Clients would also update their policy in the secure Network as they did with SecureClient.</P><P>The biggest problem are users, which didn't connect to the Site for months and do not have the actual policy.</P><P>If you try to do a trac.exe update it says you are in the internal network and do not need a connection.</P><P></P><P>Best regards,</P><P></P><P>Jan</P></BODY></HTML> Fri, 21 Sep 2018 05:44:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Change-of-Firewall-Public-IP-and-Endpoint-Security-VPN/m-p/31173#M13997 Jan_Kleinhans 2018-09-21T05:44:45Z