topic Re: Get rid of Secondary Connect - use VPN routing in SASE and Remote Access

Get rid of Secondary Connect - use VPN routing

Khay — Mon, 22 Sep 2025 09:21:50 GMT

Hello,

For now vpn client are using basic authentication (AD login/password) and I want to enforce a new authentication method for vpn client (azure SAML),

The issue is every client usually open a secondary tunnel to our main site, it's totaly transparent for the user.

With SAML I will have a prompt when the second tunnel open, so I want to get ride of this functionnality, the traffic going though this secondary tunnel is legit but I want to use vpn routing instead.

To achieve this, should I disable secondary connect on all gateway with "$FWDIR/conf/trac_client_1.ttm" file ?
Or can I only modify Encryption domain for vpn client to include the destination subnet of the remote gateway ?

here is a picture of a part of my infra (default: default encryption domain, azure, vpn-client are specific encryption domain)

site 1 is the center gateway of a star community where site 2 and 3 are satellite

clients on site 2 and 3 usually open a secondary tunnel to site 1

If I add the subnet in red and blue in encryption domain, should it be enough ? I did some test and I still see a secondary tunnel, if I check routes on client I see subnets from all my gateway is it the issue ?

All Gateway version : R81.20 Take 99

Thanks for your help

Re: Get rid of Secondary Connect - use VPN routing

PhoneBoy — Mon, 29 Sep 2025 20:56:08 GMT

This is expected behavior with SAML as each gateway/cluster is a unique service provider.
I believe it's possible to use Infinity Identity with Secondary Connect, though I'm sure @Royi_Priov will correct me if I'm wrong.

Without Infinity Identity and SAML, yes, you have to disable Secondary Connect if you don't want to be prompted for authentication again.
If you want a specific gateway to allow access to other subnets behind other gateways via VPN routing, you need to add those subnets to the RemoteAccess encryption domain on the relevant gateway.

Re: Get rid of Secondary Connect - use VPN routing

Khay — Mon, 20 Oct 2025 07:20:59 GMT

Hello,

thanks for the information, I didnt know Infinity Identity.

Is it only available on R82 ? this component is part of a subscription or can be use free of charge ?

Thanks for your help

Re: Get rid of Secondary Connect - use VPN routing

PhoneBoy — Mon, 20 Oct 2025 15:53:35 GMT

Infinity Identity is still in Early Availability as far as I know (though @Royi_Priov can confirm)
Currently it requires R82 management and either R81.20 or R82 gateways.
As this requires Infinity Portal, I expect there will ultimately be a charge for this, but the details are not finalized yet.

Re: Get rid of Secondary Connect - use VPN routing

Royi_Priov — Tue, 21 Oct 2025 08:38:35 GMT

Thanks @PhoneBoy for tagging me.

The administrator configures the IDP once in the Infinity Portal.
The IDP is "replicated" into SmartConsole, and you can place it for authentication and in the access role picker.
The infinity portal acts as a SAML service provider, and the identity can be shared via Infinity Identity to other gateways (to Identity Awareness component).

Now, to the disclamers 🙂

Infinity Identity is a cloud service, and the gateway side that supports it is currently in EA. It will be included in R82.10GA2 which is right across the corner.
the VPN support for Infinity Identity/Portal SAML I/S was not released yet. It is planned for 2026 as far as I know. Currently only Identity Awareness supports this (from R82 GA).