Remote Access VPN in a Load-sharing Cluster Environment
Dear Mates,
I hope you are doing fine.
I started working as Check Point admin of a large corporation, and my first challenge is to migrate our Remote Access VPN from the vendor that we are currently using to the Check Point Remote Access VPN solution. I have implemented Remote Access VPNs in simple environments with a single gateway and Management server, but I now have to implement it in a much more complex environment, that's why I need a hand. The diagram below gives a high-level overview of our infrastructure.
Based on the diagram above, I would like to have your help with regards to the following questions:
1. Do I have to buy Remote Access VPN (Mobile Access) for both clusters (internal and external)? If yes, why? If not, why?
2. Since the clusters are operating in Load Sharing unicast, do I have to activate the Sticky Decision Function in the cluster properties? If yes, why? If no, why?
3. Should the Sticky Decision Function be activated on both clusters (internal and external)? If yes, why? If no, why?
4. Is there any documentation or SK you would recommend for the implementation of Remote Access VPN in a similar environment? Or maybe share your experience if you have worked in a similar environment.
They should be the same.
There is no reason for your gateways to perform external lookups on their own.
(Well, there is a niche case where your internal network is completely isolated and should resolve internal hosts only.)
Good practice is to point gateways to your internal DNS servers, which are configured to use forwarders (i.e. public DNS, such as 1.1.1.1 or 9.9.9.9).
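To make that recommendation concrete, here is an added configuration example; it is not from the original post or from Check Point documentation. It shows the Gaia clish DNS settings on a cluster member pointing at two internal resolvers, and the BIND 9 `named.conf` options block on one of those resolvers that forwards everything it cannot answer itself to public DNS. The addresses 10.10.0.53 and 10.10.0.54, the 10.0.0.0/8 client range and the suffix corp.example are assumed placeholders.

```text
# Gaia clish on each cluster member: resolve only via the internal DNS servers
# (10.10.0.53 / 10.10.0.54 are assumed internal resolver addresses)
set dns primary 10.10.0.53
set dns secondary 10.10.0.54
set dns suffix corp.example
save config

# On the internal resolver (BIND 9 named.conf, options block): answer internal
# zones locally and forward everything else to the public resolvers
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   # only internal clients may recurse
    forwarders { 1.1.1.1; 9.9.9.9; };
    forward only;                      # never walk the root servers directly
};
```

The setting the reply warns against is the gateway itself using a public resolver as its primary (for example `set dns primary 1.1.1.1`). With the layout above the gateways never need to reach the Internet for name resolution, so outbound DNS from the firewalls stays confined to the internal servers, where it can be logged and filtered in one place.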
I would like to share with you the behaviour that I detected now in Wireshark.
When I open the URL in the browser and press Enter, nothing shows up in Wireshark while the page is loading. I only see the DNS traffic when the page starts opening.
Could this mean that the problem may be on the client side?
Please post ipconfig /all from the client and the pcap file for me to take a look at.
Why, oh why, are people still using Load Sharing mode?
Hi @Valeri Loukine, I just took over as the Check Point Administrator in the company, and any good recommendation that I can get is welcome. I hold a CCSE certification, but I do not have much experience as this is my first job as the CP admin. Is there any documentation that you would suggest which can give more information as to why Load Sharing should not be used?
Thanks in advance
LS mode today does not have any advantages in the real world. It creates more bottlenecks than it resolves performance issues. To answer in more detail, I would have to hear the arguments for using Load Sharing in the first place.
I would not be able to give a precise argument about why we are using LS mode because I am new in the company. But the argument could be to share the load between both cluster members.
Hi again @Valeri Loukine, with regards to the same topic, what would you suggest instead of using Load Sharing? Which ClusterXL mode is better, or the most recommended?
Thanks
HA, of course. Removes lots of headaches.
Thank you very much, Valeri Loukine.
Valeri,
Can you detail the differences between VSLS in a simple ClusterXL and VSX?
It seems that the message about the preferred mode of operation is inconsistent:
- Hardware ClusterXL: VSLS is a bad idea
- VSX ClusterXL: VSLS is preferred
I'd like to compile the pros and cons in a table for future reference and, preferably, keep it updated.
Hi, I think there is a confusion here.
VSLS - Virtual Systems Load Sharing - is a special case of HA. Each VS is working in an HA pair, but different VSs are usually set up on different HW cluster members, which allows using all the HW at the same time. The load, however, is not balanced but split between different VSs.
For a regular physical cluster, there is no VSLS mode. Physical clusters work either in HA or in LS. Load Sharing can be either unicast or multicast, but either case has inherent bottlenecks and makes no sense today.
OK then :) thank you for clarifying.
Why, then, does CP simply not drop LS from its supported configuration options?