Jon_Dyke
Contributor

Secondary Management Server over VPN

I have a new secondary management server at a different site and have been asked to try and get it working over the VPN tunnels between sites. The problem is that the primary mgmt in site 1 and secondary in site 2 do not communicate correctly over the VPN, as it's my understanding that the control connections between them hit the implied rules first, so the traffic does not get encrypted (allow control connection is switched on on the Primary).

Getting them working on sk39740 did not work either and we ended up losing connectivity to the GWs at site 2.

Any advice on whether the VPN option is possible and would be welcome.

Thanks

J

0 Kudos
4 Replies
Maarten_Sjouw
Champion
Champion

When the tunnels are built on Check Point gateways managed by these management servers, this is correct. You cannot run management traffic over a tunnel that is managed by the same management server. Think about it: when something fails on that tunnel, how will you be able to correct it?

For Management HA the ports used could be excluded from the Implied rules but the point is that 2 of these ports are also used in the communication between management and gateway. 

The ports are 18221, 18211 and 18192 and the latter 2 are also used between GW and management.

Regards, Maarten
0 Kudos
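One practical check that follows from the point above: if the implied rules let the Management HA ports leave the gateway before the VPN community is evaluated, the traffic shows up on the external interface as plain TCP to those ports rather than as ESP. The script below is an added example, not code from the thread or from Check Point; it parses constructed tcpdump-style text lines (the sample capture is made up) and flags any cleartext flow to the ports named in the reply above (18221, 18211, 18192). The port set and the line format are assumptions for illustration.

```python
import re

# Ports named in the thread for Management HA and management-to-gateway
# communication. The set itself is taken from the reply above; the idea
# that these should only appear inside ESP on the external interface is
# the check being demonstrated.
MGMT_HA_PORTS = {18221, 18211, 18192}

# Constructed tcpdump-style lines (assumed format, not a real capture).
SAMPLE_CAPTURE = [
    "13:01:02.000001 IP 10.1.1.10.43512 > 10.2.2.10.18221: Flags [S], seq 1, win 65535, length 0",
    "13:01:02.000002 IP 10.1.1.1 > 10.2.2.1: ESP(spi=0x0000a1b2,seq=0x5), length 132",
    "13:01:02.000003 IP 10.1.1.10.51000 > 10.2.2.5.18192: Flags [P.], seq 1:100, ack 1, length 99",
    "13:01:02.000004 IP 10.1.1.10.40000 > 10.2.2.20.443: Flags [S], seq 7, win 65535, length 0",
    "13:01:02.000005 IP 10.2.2.1 > 10.1.1.1: ESP(spi=0x0000c3d4,seq=0x9), length 148",
]

TCP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
ESP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP\(")


def classify_line(line):
    """Return ('esp', src, dst) for an ESP packet,
    ('cleartext', src, dst, dport) for a plain TCP packet,
    or None for any line we do not understand."""
    m = ESP_RE.search(line)
    if m:
        return ("esp", m.group(1), m.group(2))
    m = TCP_RE.search(line)
    if m:
        return ("cleartext", m.group(1), m.group(3), int(m.group(4)))
    return None


def audit_capture(lines):
    """Summarise the capture: how many packets were ESP, and which
    management-port flows left in the clear (src, dst, dport)."""
    esp_packets = 0
    leaks = set()
    for line in lines:
        parsed = classify_line(line)
        if parsed is None:
            continue
        if parsed[0] == "esp":
            esp_packets += 1
        elif parsed[3] in MGMT_HA_PORTS:
            leaks.add((parsed[1], parsed[2], parsed[3]))
    return {"esp_packets": esp_packets, "cleartext_mgmt_flows": sorted(leaks)}


if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE)
    print("ESP packets seen:", report["esp_packets"])
    for src, dst, port in report["cleartext_mgmt_flows"]:
        print(f"cleartext management traffic: {src} -> {dst}:{port}")
```

Run it against the text output of a capture taken on the external interface of the site-1 gateway; any line in `cleartext_mgmt_flows` is a management connection that bypassed the tunnel, which is exactly the implied-rules behaviour the thread describes. A capture that shows only ESP between the gateway peers is what you want to see before relying on the secondary server.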
Jon_Dyke
Contributor

Probably helps if I explain a bit more. We have 3 sites with 2 GWs in each. There is a mesh VPN between them. Up to now we have had 1 mgmt server at 1 site but have now purchased a secondary mgmt server (to run in HA) for BCP purposes. The secondary is there for BCP only - we would only ever use it if we lost the primary site and needed to push policy to Site2 and Site3 (our production and DR site).

I understand it's best practice to do this using sk39740 - but was curious if this was achievable - it seems it would be very tricky if the same ports are used for mgmt and GW.

We will take another look at sk39740 - but to be honest this was not proving easy either, but we will persist with this approach.

Thanks

J

0 Kudos
Maarten_Sjouw
Champion
Champion

If there is a possibility to use NAT for the 2 servers and forget the VPN, I would go that way, the point there is that the traffic is already encrypted.

Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin

0 Kudos
