Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
VikingsFan
Collaborator

Cluster Migration and Endpoint Security VPN Users Move?

We're in the middle of a cluster migration and have built a separate cluster with new public IPs for VPN users.  Is there still no easy way to push out a new config for end-users so that the next time they connect, it goes to our new cluster and VPN?  We initially point them to a DNS record but it appears that after the initial setup, it's hard-coding an IP address so messing with DNS is not going to work.

I ran across this SK: https://support.checkpoint.com/results/sk/sk103440 but that looks to only work after manually touching the end-user once to reconfigure the sites.

Is a manual touch or a push of an uninstall/reinstall with proper sites the only way?

0 Kudos
9 Replies
G_W_Albrecht
Legend Legend
Legend

Do you use Remote Access (Enterprise VPN client with VPN blade only) or Harmony Endpoint ? You did not post this in Endpoint, so i assume it is VPN client only. Abyway, manual touch or a push of an uninstall/reinstall with proper sites is the only way to achieve the goal you have.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
VikingsFan
Collaborator

Correct, Endpoint Security E8X with VPN Blade.  No Harmony involved.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

That is not correct -  you are using Harmony Endpoint Security E8X with VPN Blade. sk103440 is only for Endpoint Security VPN & SecuRemote that you do not use.

But correctly you assume that a push operation will deploy a new vpnj site - you have

Look here, you have to scroll down and click Agent Settings: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
VikingsFan
Collaborator

This is a screenshot of our client.  Don't see anything about Harmony unless later versions they changed the name?

Either way, sounds like a manual touch or a pushed uninstall/install.

Thanks.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

No, see https://support.checkpoint.com/results/sk/sk117536 - Harmony is not shown everywhere, but this is now a Harmony product. Manual touch is not possible as sk103440 does not apply as $FWDIR/conf/trac_client_1.ttm file on GW does not exist with Endpoint. But you can delete the VPN site and replace it using push operations.

infinity2.png

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

If you can run scripts on remote computers, you can update trac.config with the appropriate settings.
See: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN... 

0 Kudos
VikingsFan
Collaborator

Looking at the note (Important - The client version in the Administrator's computer must be the same as the version on the user's computer.) We do have multiple versions out there... 84.XX, 85.XX, 86.XX,etc.  We need a different config for every single build that's different?  Could take a little bit of work but might be worth it. 

0 Kudos
Wolfgang
Authority
Authority

If you can run the old and the new cluster at the same time you can use MultipleEntryPoint feature, called MEP. Both clusters should have the same encryption domain for remote access but different office mode IPs to avoid routing problems for the clients. With MEP you can use both clusters in active/active, active/backup, first to response….. The clients get‘s the new gateway IP if they connect to the old system once and then they use both gateways regarding your MEP configuration. If the old system is gone and did not response the new one is used.

Multiple Entry Points for Remote Access VPNs

 

0 Kudos
VikingsFan
Collaborator

Yes, they're both fully operational at the moment and I'm connected to the new cluster VPN right now.  Different OM subnet like you said so it can route internally but almost everything else is the same.  The new cluster has it's own Management Server also... if that matters?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events