https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257241#M1642 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;using the same encryption domain on multiple gateways for remote access is possible. Normally this is called and done MEP (MultipleEntryPoint). You have to have an eye for the return packets if used MEP.</P> <P>I don‘t know if this help for your needs, maybe you have to describe this.</P> Sun, 14 Sep 2025 19:20:15 GMT Wolfgang 2025-09-14T19:20:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257229#M1640 <P>Hey guys,</P> <P>Just for my own sanity, though we already confirmed with the customer doing this caused the issue, but they were wondering if doing so, one can make it work? So essentially have SAME remote access enc domain for 2 clusters, one for on prem and one Azure?</P> <P>I cant really see how that would work, but just wondering if its even possible? if not, could they use same random subnets from large group already used for onprem to test Azure side or in order to use same one, it would need to be done during cutover window?</P> <P>Tx as always!</P> <P>Andy</P> Sun, 14 Sep 2025 12:12:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257229#M1640 the_rock 2025-09-14T12:12:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257239#M1641 <P>For what is worth, I even had it configured with 2 subnets from current RA group used on prem, but even that caused an issue, so now Im really wondering how this can be tested before the actual cutover.</P> <P>Andy</P> Sun, 14 Sep 2025 18:52:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257239#M1641 the_rock 2025-09-14T18:52:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257241#M1642 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;using the same encryption domain on multiple gateways for remote access is possible. Normally this is called and done MEP (MultipleEntryPoint). You have to have an eye for the return packets if used MEP.</P> <P>I don‘t know if this help for your needs, maybe you have to describe this.</P> Sun, 14 Sep 2025 19:20:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257241#M1642 Wolfgang 2025-09-14T19:20:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257242#M1643 <P>Hey&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>&nbsp;</P> <P>Thanks for that. I see what you mean, though now we have to pause on this, since we dont want to cause customer more issues, as they heavily rely on remote access. I did end up opening TAC case about it, so lets see what they say <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Andy</P> Sun, 14 Sep 2025 20:09:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257242#M1643 the_rock 2025-09-14T20:09:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257245#M1644 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>&nbsp;</P> <P>I assume this is the link you meant?</P> <P>Andy</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/MEP.htm#:~:text=same%20internal%20network.-,The%20Check%20Point%20Solution%20for%20Multiple%20Entry%20Points,at%20the%20same%20geographical%20site" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/MEP.htm#:~:text=same%20internal%20network.-,The%20Check%20Point%20Solution%20for%20Multiple%20Entry%20Points,at%20the%20same%20geographical%20site</A>.</P> Sun, 14 Sep 2025 21:43:26 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257245#M1644 the_rock 2025-09-14T21:43:26Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257255#M1645 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp; yes, that's it. We have customers using this as active/backup and others using Loadbalancing to distribute the remote users between gateways. Works like a charm. With different IP-pools for office-mode on every gateway you are fine with the back routing to the endpoints. I always use some SAM rules (blocking HTTPS to the gateway) to test the failover to another gateway. With these SAM rule you can add and remove block rules quickly and you can skip the internal rules, because SAM rules are working before.</P> Mon, 15 Sep 2025 06:08:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257255#M1645 Wolfgang 2025-09-15T06:08:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257269#M1646 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1447">@Wolfgang</a>&nbsp;</P> Mon, 15 Sep 2025 10:15:55 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-same-enc-domain-for-remote-access-on-more-than-one/m-p/257269#M1646 the_rock 2025-09-15T10:15:55Z