Can a Checkpoint GW have more than 1 RA VPN Profile?

Is there any way to create multiple remote access vpn profiles like with the ASA?

I have two different domains, and I'd like my users to access their own specific domain AD for login authentication

I have a RA VPN set up right now that performs LDAP lookups against domain1.local, but I want to add a second profile that does its lookups against domain2.local's AD. Is this possible with Check Point?

5 Replies

Re: Can a Checkpoint GW have more than 1 RA VPN Profile?

You can configure one gateway to consult multiple LDAP servers.

Though I guess there is a question about which LDAP server will get priority and that may not be desirable.

To ensure completely different settings, you would need to use VSX (a virtual gateway for each domain).

Re: Can a Checkpoint GW have more than 1 RA VPN Profile?

If you use VSX (a virtual gateway for each domain) and you use the same SmartConsole to manage them, they will be all part of the "Remote Access" VPN Community, right?

In that case, will the client try to authenticate to each virtual Gateway because of the "Secondary Connect" feature?


Re: Can a Checkpoint GW have more than 1 RA VPN Profile?

You can configure the account unit (AD) to query in the gateway settings.


Re: Can a Checkpoint GW have more than 1 RA VPN Profile?

As I mentioned before, the management server is considered one site. All the gateways in the Remote Access community are part of one site. For Secondary Connect, the client will try to establish a secondary connection if it finds some traffic that needs to go to a different encryption domain behind a different gateway in the Remote Access community.


Re: Can a Checkpoint GW have more than 1 RA VPN Profile?

Check Point queries all account units at the same time; whichever is the first to respond, the Check Point gateway will use that information. The problem you have is that if the same user exists in both account units, you will run into a race condition. There is another option, in which you change the attribute that is used to search for users. For example, you can use userPrincipalName (by default Check Point uses sAMAccountName), but then the user has to log in with their email, not just the user name.

Thanks

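The behaviour described in the last two replies (every account unit is queried at once, the first answer wins, and a user that exists in both domains is therefore resolved non-deterministically unless the search attribute is unique across domains) is easy to see in a small model. The following is an added example, not code from the thread or from Check Point: it stands in for the gateway's lookup with two constructed directory "account units", shows how the answer for a sAMAccountName lookup flips with response order, shows that a userPrincipalName lookup does not, and includes an audit helper that lists the colliding logins an administrator would want to find before relying on the default attribute. All directory entries, DNs and domain names are constructed for the demonstration.

```python
"""Model of a multi-account-unit LDAP lookup (added example, constructed data).

It is NOT Check Point's implementation; it only reproduces the behaviour the
replies describe: all account units are asked, the first hit is used.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample directories: one "account unit" per AD domain.
# Both domains contain a DIFFERENT person whose sAMAccountName is "jsmith".
ACCOUNT_UNITS: Dict[str, List[Dict[str, str]]] = {
    "domain1.local": [
        {"sAMAccountName": "jsmith",
         "userPrincipalName": "jsmith@domain1.local",
         "dn": "CN=John Smith,OU=Users,DC=domain1,DC=local"},
        {"sAMAccountName": "alee",
         "userPrincipalName": "alee@domain1.local",
         "dn": "CN=Anna Lee,OU=Users,DC=domain1,DC=local"},
    ],
    "domain2.local": [
        {"sAMAccountName": "jsmith",
         "userPrincipalName": "jsmith@domain2.local",
         "dn": "CN=Jane Smith,OU=Staff,DC=domain2,DC=local"},
    ],
}


def query_unit(entries: List[Dict[str, str]], attribute: str, value: str) -> List[Dict[str, str]]:
    """Case-insensitive equality match on one attribute, like an (attr=value) LDAP filter."""
    return [e for e in entries if e.get(attribute, "").lower() == value.lower()]


def first_responder_lookup(response_order: List[str], attribute: str, value: str) -> Optional[Tuple[str, str]]:
    """Gateway behaviour from the thread: ask every account unit, use the first hit.

    `response_order` stands in for which LDAP server happened to answer first;
    in real life that is network timing, which is why the thread calls it a race.
    Returns (account_unit, dn) or None when no unit knows the user.
    """
    for unit in response_order:
        hits = query_unit(ACCOUNT_UNITS[unit], attribute, value)
        if hits:
            return unit, hits[0]["dn"]
    return None


def all_matches(attribute: str, value: str) -> Dict[str, List[str]]:
    """Audit view: every account unit that matches, so ambiguity is visible."""
    result: Dict[str, List[str]] = {}
    for unit, entries in ACCOUNT_UNITS.items():
        hits = query_unit(entries, attribute, value)
        if hits:
            result[unit] = [e["dn"] for e in hits]
    return result


def colliding_logins(attribute: str = "sAMAccountName") -> List[str]:
    """Login values present in more than one account unit.

    These are exactly the users whose authentication source depends on the
    first-responder race; with userPrincipalName the list should be empty.
    """
    seen: Dict[str, set] = {}
    for unit, entries in ACCOUNT_UNITS.items():
        for e in entries:
            seen.setdefault(e[attribute].lower(), set()).add(unit)
    return sorted(v for v, units in seen.items() if len(units) > 1)


if __name__ == "__main__":
    print("domain1 answers first:", first_responder_lookup(["domain1.local", "domain2.local"], "sAMAccountName", "jsmith"))
    print("domain2 answers first:", first_responder_lookup(["domain2.local", "domain1.local"], "sAMAccountName", "jsmith"))
    print("UPN lookup, any order:", first_responder_lookup(["domain1.local", "domain2.local"], "userPrincipalName", "jsmith@domain2.local"))
    print("colliding sAMAccountNames:", colliding_logins())
    print("colliding UPNs:", colliding_logins("userPrincipalName"))
```

Run as a script it prints two different DNs for the same `jsmith` login depending only on which unit answered first, a single stable DN for the UPN lookup, and `['jsmith']` from the collision audit. The audit is the check worth running against the real directories before deciding whether the default sAMAccountName attribute is safe for a multi-domain gateway or whether the switch to userPrincipalName (and the login-with-email change it imposes on users) is needed.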