This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ChristianCastil
Employee
Employee
‎2020-04-02 07:21 PM

MEP and SNX Load Balance on Azure

this is a set of videos showing how to configure a VMSS to be HUB of C2S VPN by using MEP for IPsec clients and Azure LB for SNX (Clientless VPN)

This was done manually on the first video, then worked on a bash script launched by the CME (so can also work on an ASG of AWS) that do all the manual process by itself so we need only to choose how many gateways we want to terminate the VPN.

The code is here;

https://github.com/christiancastilloporras/sslvpncme

SPECIAL THANKS TO RYAN DARST!

video of manual way (described on the attached doc)

 

video showing the automation by the bash scripting

Preview file
784 KB
3 Replies
Scott_Bily
Participant
‎2020-04-14 08:33 AM

Thank you for creating these procedures.      I have a question specific to the IPSec VPN client and the Scale Set's.    Is there a way to gracefully bring down one of the VM's created in the Scale Set without impacting connected VPN clients?       If you spin up a new vm in the scale set and manually configure it. It will immediately start accepting VPN client connections.    But if we wanted to scale one of the VM's down(or say wanted to apply a hotfix)?  Is there a way to preventing the gateway  from accepting any new connections so that it could be patched or  removed from the scale set when the vpn client connections get down to 0.    We did some initial tests and the VPN client connections do not appear to be state-full across the load balancer.  So when the gateway I was connected to was taken out of service, my vpn connection was dropped.        

0 Kudos
ChristianCastil
Employee
Employee
‎2020-04-14 11:48 AM
In response to Scott_Bily

MEP is not a cluster so it's expected to not have sync on the sessions.

 

Until now I'm still thinking on that Scale-In events, the solution was provided to a customer in this way and he accept to monitor the GW and destroy the least used and apply policy to disappear it from the client list.

 

 

0 Kudos
Abd_S81
Participant
‎2020-05-05 09:14 PM

Thankyou @ChristianCastil for the very informative video. Can I please ask few questions:

Is Azure traffic manager required to achieve GEO load balancing. I see the option of dns_based under mep, as we want the option of EMEA users logging to EMEA region and US users to US region. In the endpoint client we have both the regional scalesets (total 4 VMs). Does this mean the client will resolve to the scaleset based on the proximity and connect. 

Is it possible to have a larger office mode networks than the default /24 to /16 etc. 

Is it possible to use IP pool NAT in Azure instead of just hiding all traffic behind eth1 of the gateway. If so how to register the IP's in Azure env. If not I am worried about NAT port exhaustion given 1000's of users accessing same internal website etc. 

0 Kudos