Jan_Kleinhans
Advisor

Change of Firewall Public IP and Endpoint Security VPN

Hello,

we have to change our WAN IP.

How do we configure the distributed Endpoint Security VPN-Clients?

I have tried to use the options:

enable_gw_resolving = true

automatic_mep_topology="false"

mep_mode="dns_based"

and changed the DNS entry for our site, but it always connects to the old IP and does not try to establish a link to the new IP.

Another try where it seems to work is,

enable_gw_resolving = true

automatic_mep_topology="false"

mep_mode="primary_backup"

ips_of_gws_in_mep="ip_old&#ip_new&#"

This seems to work (I tried routing the old IP to a blackhole and saw connections to the new IP). But how do I get the configuration to clients that do not connect frequently?

Is the only way to publish a new client with a new configuration?

The problem is that we have 2 different authentication methods configured. If we deploy a new client with a new configuration, the users have to manually change the authentication method.

I tried to run "trac.exe update" from inside the network. But it only says that the resources are already available and does not update its configuration from trac_default.ttm.

Has anybody who migrated to another IP with Endpoint Security Clients a tip?

Greetings,

Jan
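The primary/backup MEP settings above can be applied to a client configuration without editing by hand. The following is an added example, not Check Point tooling; it assumes the simplified `key = value` form shown in the post (the real trac.defaults layout may differ), uses constructed IP addresses, and reproduces the `&#` delimiter the post uses in `ips_of_gws_in_mep`.

```python
import ipaddress
import re

# Delimiter between gateway IPs in ips_of_gws_in_mep, as shown in the post.
MEP_SEPARATOR = "&#"

# Constructed sample in the simplified key = value form (assumption, not a real file).
SAMPLE_CONFIG = (
    'enable_gw_resolving = true\n'
    'automatic_mep_topology="false"\n'
    'mep_mode="dns_based"\n'
)


def build_mep_list(gateways):
    """Join gateway IPs in the ips_of_gws_in_mep format; reject typos early."""
    for gw in gateways:
        ipaddress.ip_address(gw)  # raises ValueError on a malformed address
    return "".join(f"{gw}{MEP_SEPARATOR}" for gw in gateways)


def parse_mep_list(value):
    """Split an ips_of_gws_in_mep value back into its gateway list."""
    return [gw for gw in value.split(MEP_SEPARATOR) if gw]


def set_primary_backup(config_text, old_ip, new_ip):
    """Rewrite the MEP keys so the client knows both the old and the new IP.

    Old IP stays first (primary) as in the post, so clients keep working
    until the old address goes away and then fall back to the new one.
    """
    settings = {
        "enable_gw_resolving": "true",
        "automatic_mep_topology": '"false"',
        "mep_mode": '"primary_backup"',
        "ips_of_gws_in_mep": f'"{build_mep_list([old_ip, new_ip])}"',
    }
    seen, out = set(), []
    for line in config_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) in settings:
            out.append(f"{m.group(1)} = {settings[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)  # unrelated keys pass through unchanged
    for key in settings:  # add keys the file did not have yet
        if key not in seen:
            out.append(f"{key} = {settings[key]}")
    return "\n".join(out) + "\n"
```

Stopping the client services before writing the file, as described later in the thread, is still a separate step.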

6 Replies
PhoneBoy
Admin

I assume your users can delete/re-add the site?

That requires users doing something manually, of course, but it's an option.

0 Kudos
Adi_Babai
Employee

Hi Jan,

Did you change the entry in the DNS server on the network you are connecting from?

In NSLOOKUP do you see the new IP?

Thanks,

Adi

0 Kudos
Jan_Kleinhans
Advisor

I changed the DNS Entry on the local DNS Server on a remote network.

I could do an nslookup with the new IP address.

But I did not see a connection try to the new ip address in a tcpdump on the router.

We are now deploying a new configuration with primary and secondary MEP.

I hope that this will work when we change the IP.

Thanks,

Jan

0 Kudos
Jan_Kleinhans
Advisor

We did it by uninstalling and installing the Client with SCCM and added the site by trac.exe. It does work, but it is not a really good way.

When you create the Site, there is no downloading of the Sites policy until the user connects the first time.

So Location Awareness does not work and the users always get the SDL Popup.

In the past, the old SecureClient fetched the policy when creating the site.

Jan

Albert_Wilkes
Collaborator

I researched migration options for RA VPN and stumbled over this thread.

Jan, regarding the problem that you faced with the DNS change not making a difference to the IP the clients connected to, I think this SK might resolve the problem:

How to force Remote Access VPN Client to resolve DNS name of VPN Site at every connection 

Would the only thing required for an IP address migration not just be to push a new trac.config file with SCCM to all clients rather than reinstallation? I understand Jan's problem is now resolved but I wanted to continue the discussion on this matter in case anyone is interested.

0 Kudos
Jan_Kleinhans
Advisor

Hello,

I did try the mentioned SK but it did not work.

You could create a package in SCCM where you have to stop the Checkpoint Endpoint Connect Services and then change the trac.config.

This is nearly the same as upgrading to a new version or kill and recreate the Site with trac.exe.

It would be really great if the Clients would also update their policy in the secure Network as they did with SecureClient.

The biggest problem is users who didn't connect to the Site for months and do not have the current policy.

If you try to do a trac.exe update it says you are in the internal network and do not need a connection.

Best regards,

Jan

0 Kudos
