Di_Junior
Advisor

Publishing a service with multiple DNS records associated with a single public IP using Check Point

Dear Mates

We wish to migrate one of our critical services from TMG to Check Point. Most of the services have already been migrated except this one last service.

Currently, the service has 4 DNS records associated with a single public IP; the public IP is then NATed internally to a private IP of the TMG proxy. Taking into account that this service runs on three machines, which were put into a pool behind a single DNS record internally.

So the proxy has a rule like:

Source: Any

Destination: DNS record (a single DNS record where all the machines were added)

Service: http, https

Action: Accept

How can we translate this configuration in Check Point?

We are using R80.20.

Thanks in advance

7 Replies
Maarten_Sjouw
Champion

So you are using DNS to run round-robin load sharing on the web servers.
I don't think this will even work with the use of dynamic objects, as when it is resolved (i.e. to an internal DNS server with multiple entries), it will cache the result for a certain time instead of asking for the same DNS entry again for every request.
Next to that, this is really a job for a load balancer.
Regards, Maarten
Di_Junior
Advisor

Hi Maarten

Thanks for your feedback.

I have been reading about Logical Server objects, and it seems interesting.

I just have a question: in my situation, since the service runs on three machines with internal IPs and is accessible through a single public IP, I would like to know if it's possible to have a network group with the three machines with internal IPs and create a logical server object with the public IP? Or must the logical server be in the same subnet as the internal machines?

Thanks in advance
Maik
Advisor

Take a look at this old explanation from R76 - I guess it is still valid, as the logical server objects seem to be very old and kind of legacy (like, for example, "service with resource" objects).
https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6662.htm
Wolfgang
Authority

Di_Junior,

Logical Server or "connect control" is your solution.

This is Check Point's solution for load balancing of incoming connections and is still supported on R80.30.

You need one external IP and forward it to more than one internal server. The distribution is possible via round robin, failover and some other options.

Please be aware that you can only define this for IP addresses, not for FQDNs. But as you wrote, you have more than one FQDN all pointing to one IP. All requests to this IP are then forwarded as defined in your distribution configuration.

If you want FQDN-A forwarded to internal-IP-A and FQDN-B forwarded to internal-IP-B, then connect control is not your solution!

Wolfgang

Di_Junior
Advisor

Thanks everyone, it seems that Logical Server will achieve my purpose. I will update you when I am done with the implementation.

Thanks
nemezis_rock
Contributor

Hi dear Wolfgang,

Can you provide information regarding FQDN forwarding? I am facing this problem and cannot find information. How should it be configured in Check Point?

Wolfgang
Authority

@nemezis_rock FQDN forwarding can be done with the Reverse Proxy feature of the Mobile Access Blade. Be aware there is no GUI to configure this; everything is done via the console.

Mobile Access Reverse Proxy

Mobile Access R81.10 Administration Guide - Reverse Proxy
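The distinction drawn in this thread (a Logical Server / connect control balances on destination IP and port only, while per-FQDN forwarding needs a reverse proxy that reads the HTTP Host header) can be made concrete with a small model. The following is an added example written for this page, not Check Point code and not the Mobile Access Reverse Proxy implementation: the public IP, the three pool members, the hostnames and the backend addresses are all constructed (RFC 5737 / RFC 1918 ranges and example.com). The L4 class shows why every FQDN resolving to the same IP is treated identically, and the L7 function shows the Host-based selection a reverse proxy performs after TLS termination (for HTTPS, the TLS SNI field carries the same name before decryption), including the checks a proxy should make: reject a missing or duplicated Host header and an unknown host rather than guess a backend.

```python
import itertools
from typing import Dict, List, Optional

# Constructed sample values for this example only (not from the thread):
# one public IP, a pool of three internal web servers, and per-FQDN backends.
PUBLIC_IP = "203.0.113.10"
WEB_POOL: List[str] = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
HOST_BACKENDS: Dict[str, str] = {
    "portal.example.com": "10.0.0.21",
    "api.example.com": "10.0.0.22",
}


class L4RoundRobin:
    """Models what a connect-control style balancer can act on: destination
    IP and port only. Every connection to the public IP is spread over the
    pool; which FQDN the client resolved is invisible at this layer."""

    def __init__(self, pool: List[str]) -> None:
        self._cycle = itertools.cycle(pool)

    def select(self, dst_ip: str, dst_port: int) -> Optional[str]:
        if dst_ip != PUBLIC_IP or dst_port not in (80, 443):
            return None  # not a balanced service; the normal rulebase handles it
        return next(self._cycle)


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the normalised Host value of an HTTP/1.1 request head, or None.

    Defensive choices: exactly one Host header is required (missing or
    duplicated Host is rejected, not guessed), the optional :port is dropped,
    an IPv6 literal keeps its brackets, and the name is lower-cased.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines) < 2 or not lines[0].endswith(b"HTTP/1.1"):
        return None
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:
        return None
    try:
        host = hosts[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    if host.startswith("["):            # IPv6 literal such as [2001:db8::1]:443
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]    # drop an optional port
    host = host.lower().rstrip(".")
    return host or None


def l7_select(raw_request: bytes) -> Optional[str]:
    """Reverse-proxy style selection: the Host header picks the backend.
    Unknown or unparsable hosts return None (the proxy should answer 400/421)."""
    host = parse_host_header(raw_request)
    if host is None:
        return None
    return HOST_BACKENDS.get(host)


def demo():
    """Run both layers over constructed sample traffic and return the results."""
    balancer = L4RoundRobin(WEB_POOL)
    # Four connections to the public IP: the pool is cycled regardless of FQDN.
    l4_choices = [balancer.select(PUBLIC_IP, 443) for _ in range(4)]

    # Constructed request heads, as a reverse proxy sees them after TLS termination.
    requests = {
        "portal": b"GET / HTTP/1.1\r\nHost: portal.example.com\r\n\r\n",
        "api": b"GET /v1/status HTTP/1.1\r\nHost: API.example.com:443\r\n\r\n",
        "unknown": b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
        "no_host": b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
        "dup_host": b"GET / HTTP/1.1\r\nHost: portal.example.com\r\nHost: api.example.com\r\n\r\n",
    }
    l7_choices = {name: l7_select(req) for name, req in requests.items()}
    return l4_choices, l7_choices


if __name__ == "__main__":
    l4, l7 = demo()
    print("L4 round robin over the pool:", l4)
    for name, backend in l7.items():
        print(f"L7 {name:9s} -> {backend}")
```

Run stand-alone, the L4 list cycles the three pool members for every connection to the public IP, while the L7 results send portal and api traffic to different backends and return no backend for the unknown, missing and duplicated Host cases. That is exactly the gap Wolfgang describes: connect control gives you the first behaviour, and only a reverse proxy gives you the second.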
