This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VikingsFan
Advisor
‎2024-08-27 02:43 PM

Cluster Migration and Endpoint Security VPN Users Move?

We're in the middle of a cluster migration and have built a separate cluster with new public IPs for VPN users.  Is there still no easy way to push out a new config for end-users so that the next time they connect, it goes to our new cluster and VPN?  We initially point them to a DNS record but it appears that after the initial setup, it's hard-coding an IP address so messing with DNS is not going to work.

I ran across this SK: https://support.checkpoint.com/results/sk/sk103440 but that looks to only work after manually touching the end-user once to reconfigure the sites.

Is a manual touch or a push of an uninstall/reinstall with proper sites the only way?

Labels
0 Kudos
9 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-28 01:30 AM

Do you use Remote Access (Enterprise VPN client with VPN blade only) or Harmony Endpoint ? You did not post this in Endpoint, so i assume it is VPN client only. Abyway, manual touch or a push of an uninstall/reinstall with proper sites is the only way to achieve the goal you have.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
VikingsFan
Advisor
‎2024-08-28 03:18 AM
In response to G_W_Albrecht

Correct, Endpoint Security E8X with VPN Blade.  No Harmony involved.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-28 03:50 AM
In response to VikingsFan

That is not correct -  you are using Harmony Endpoint Security E8X with VPN Blade. sk103440 is only for Endpoint Security VPN & SecuRemote that you do not use.

But correctly you assume that a push operation will deploy a new vpnj site - you have

  • Add VPN Site

  • Remove VPN Site

Look here, you have to scroll down and click Agent Settings: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
VikingsFan
Advisor
‎2024-08-28 04:00 AM
In response to G_W_Albrecht

This is a screenshot of our client.  Don't see anything about Harmony unless later versions they changed the name?

Either way, sounds like a manual touch or a pushed uninstall/install.

Thanks.

Preview file
29 KB
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-08-28 06:56 AM
In response to VikingsFan

No, see https://support.checkpoint.com/results/sk/sk117536 - Harmony is not shown everywhere, but this is now a Harmony product. Manual touch is not possible as sk103440 does not apply as $FWDIR/conf/trac_client_1.ttm file on GW does not exist with Endpoint. But you can delete the VPN site and replace it using push operations.

infinity2.png

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-28 10:40 AM

If you can run scripts on remote computers, you can update trac.config with the appropriate settings.
See: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN... 

0 Kudos
VikingsFan
Advisor
‎2024-08-28 12:30 PM
In response to PhoneBoy

Looking at the note (Important - The client version in the Administrator's computer must be the same as the version on the user's computer.) We do have multiple versions out there... 84.XX, 85.XX, 86.XX,etc.  We need a different config for every single build that's different?  Could take a little bit of work but might be worth it. 

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2024-08-28 01:09 PM

If you can run the old and the new cluster at the same time you can use MultipleEntryPoint feature, called MEP. Both clusters should have the same encryption domain for remote access but different office mode IPs to avoid routing problems for the clients. With MEP you can use both clusters in active/active, active/backup, first to response….. The clients get‘s the new gateway IP if they connect to the old system once and then they use both gateways regarding your MEP configuration. If the old system is gone and did not response the new one is used.

Multiple Entry Points for Remote Access VPNs

 

0 Kudos
VikingsFan
Advisor
‎2024-08-28 01:15 PM
In response to Wolfgang

Yes, they're both fully operational at the moment and I'm connected to the new cluster VPN right now.  Different OM subnet like you said so it can route internally but almost everything else is the same.  The new cluster has it's own Management Server also... if that matters?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events