cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

ICA on DMS and SMS

Hi Guys,

I wonder why changing hostname of DMS (multi domain) will still preserve the SIC to Security gateway while changing hostname on SMS will break SIC.

is there any distinguish between this as Each DMS also store its own ICA based on mdm admin guide.

thank you.

br,

Anthony

0 Kudos
5 Replies
Admin
Admin

Re: ICA on DMS and SMS

I assume if you changed the name of a CMA/Domain, you'd experience the same issue you'd experience with an SMS.

The MDS name isn't relevant in the SIC certificates gateway objects are provisioned with, the management server name (and, by extension, the CMA/Domain) is.

0 Kudos
Highlighted

Re: ICA on DMS and SMS

Hi Dameon,

Thank you for your reply.

Sorry rephrase the question. When i performed migrate export of the CMA, i can go on to change the CMA name and performed import with the CMA export which contained previous name.

And the SIC still preserved with new CMA name after the cma import.

While i am unable to do so on normal SMS.

Just trying to understand this as i have performed this for customer and it amuses me how checkpoint ICA works.

Hope to get enlightment here Smiley Happy

Thank you.

Best regards,

Anthony

0 Kudos
Admin
Admin

Re: ICA on DMS and SMS

Hm... gotta admit, I don't know that one.

That said, I think the hint is in the SIC name.

0 Kudos

Re: ICA on DMS and SMS

Hi Dameon,

Thank you for the reply. No worries just trying to understand better how Checkpoint infra works. Smiley Happy

Best regards,

Anthony

0 Kudos

Re: ICA on DMS and SMS

When you import an export file into a newly created CMA one of the core functions that occur is a migration of the certificate authority. The name of the CMA and the ICA do not necessarily need to match in an MDS environment. If you create a domain called "Production" and import a file that was taken from a server named "Lab", your certificate authority will actually still be called "Lab". This can be confirmed in Cpconfig or by running "#cpca_client lscert -kind SIC -stat Valid". Testing SIC to a gateway will show Lab in the cert string. All certificates created going forward will still have Lab in the name.

Sometimes this needs to be changed, because the customer just wants to see the new name or because a template domain was used to create 2 or more CMAs. Duplicate ICAs in domains can cause quite a few headaches and is detailed in sk17197. The resolution to both duplicate domains and just wanting to see a new name in the cert string is a full ICA reset. Part of the procedure requires resetting SIC to all gateways and re creating all VPN certificates, no way around it. Helpful documents are sk94871, sk34887, sk42071, and sk32491. 

While I believe the same concepts apply to R80 the procedures listed do not.

0 Kudos