Multiple Remote Access Communities (GW Version?)

Hello, when playing around in R80.10-Management today, I discovered that it's now possible to define multiple remote access communities (including defining different VPN domains for each RAC). First of all, thank you CheckPoint - I've been waiting for this feature for so long. [edit 07.01.: more a bug than a feature, see below]

I couldn't find any hints regarding multiple RACs in the R80.10 Release Notes/HFA Notes/Support-Center. So my questions are:

Is there any official statement whether the GW has to run R80.10 or can this be configured for a R77.30 GW (managed by R80.10 SM) as well?

(added) Any experiences/considerations when using on VSX?

Thanks in advance!
Greetings Christoph

14 Replies
Admin

Re: Multiple Remote Access Communities (GW Version?)

To be honest, I haven't heard anything about this myself.

I suspect if this were not allowed, you'd have issues pushing policy.

Have you tried doing so?

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

I can remember that a developer told me about it at CPX, but more as an upcoming R80.20 feature.

No, I didn't have the opportunity yet, but I'll try it next week.

Admin

Re: Multiple Remote Access Communities (GW Version?)

Curious, how you managed to do this?

I can't get SmartConsole to allow this in R80.10 or R80.20.

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

Hi,

to be honest, I didn't have time to test it so far which means that I don't know if the configuration actually verifies or can actually be deployed, but I managed to configure it the following way (R80.10 Smart Console):

Right-click on existing RemoteAccess-Community -> New... (in the objects bar, not the object explorer) - this allows the creation of another RemoteAccess-Community-Object (Maybe this is the part that should not be possible to do as the "standard" menu to create a new object "New... -> More -> VPN Community" does not offer a RemoteAccess-Community). Afterwards you can define different VPN-Domains in the topology settings of the participating gateway object.

0 Kudos
Admin

Re: Multiple Remote Access Communities (GW Version?)

Huh, interesting, that does seem to work. 

From what I know, this isn't supported.

The fact you can create more than one Remote Access community would be considered a bug.

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

Could we get a confirmation if this works to the point where you may also have different rules set up, or is it just the fact that you have 2 RACs?

According to the Admin Guide you can create a new Remote Access community but it never mentions how. However it doesn't mention that you can use more than one in the policy. 

There is also a definition of Encryption Domain on the Gateway object itself so having 2 RACs on the Same Gateway would imply using the same Encryption Domain.

0 Kudos
Admin

Re: Multiple Remote Access Communities (GW Version?)

Like I said, the fact the GUI allows you to create more than one Remote Access community is a bug.

Where in the documentation does it state you can create a second Remote Access community?

The only place where I could see it being useful is if you could also define the encryption domain for the different communities.

But since the encryption domain is defined on the gateway, and it would be the same for all communities, I don't see a real benefit to different VPN communities for Remote Access.

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

Well, the thing is that the GUI actually allows you to define a separate encryption domain per remote access community (GW-properties -> Network Management -> VPN Domain -> Set domain for Remote Access Community...). I didn't want to deploy that in a production environment (therefore my question), so I don't know if the policy installation is allowed, but you can configure it in R80.10 SmartConsole (that led me to the assumption that this might be a new feature...).

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

Dameon Welch-Abernathy wrote:

Like I said, the fact the GUI allows you to create more than one Remote Access community is a bug.

Where in the documentation does it state you can create a second Remote Access community?

 

The only place where I could see it being useful is if you could also define the encryption domain for the different communities.

But since the encryption domain is defined on the gateway, and it would be the same for all communities, I don't see a real benefit to different VPN communities for Remote Access.

Well, here is the place it says you can create "a new Remote Access VPN Community" with a different name. This, to my understanding, is equivalent to a second Remote Access Community, as it is new and does not replace the existing one. However, it never states anywhere in the manual how to actually create it. I would say it's more a feature and less a bug.

@Christoph Holzinger I will test this in production and update soon.

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

Hi,

I have just tested this possibility but it's not working!!! The policy installation failure said that we can use ANY or "RemoteAccess" as the Community name.

Does someone know how to have the possibility to view just one gateway in the VPN Client instead of all gateways contained in the community?

Best Regards

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

OK, interesting, thanks for testing.

Regarding your question: if you mean the dropdown that appears after the first successful connect, I think the solution you are looking for is sk78180 (at least it solved the same issue for me).

Re: Multiple Remote Access Communities (GW Version?)

I have tried sk78180... only on a secondary gateway, but it doesn't work. Do I need to implement it on all gateways?

My goal is to remove the dropdown list that shows all gateways in the remote community!

Thanks

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

I made the change on both gateways... the dropdown list is removed but the client is still connecting to the "primary" site...

0 Kudos

Re: Multiple Remote Access Communities (GW Version?)

I solved it with your SK!

Thank you very much!

0 Kudos