This is a set of videos showing how to configure a VMSS to be the hub of a C2S VPN by using MEP for IPsec clients and Azure LB for SNX (Clientless VPN).
This was done manually in the first video, then I worked on a bash script launched by the CME (so it can also work on an AWS ASG) that does all the manual process by itself, so we only need to choose how many gateways we want to terminate the VPN.
The code is here:
https://github.com/christiancastilloporras/sslvpncme
SPECIAL THANKS TO RYAN DARST!
Video of the manual way (described in the attached doc)
Video showing the automation by bash scripting
Thank you for creating these procedures. I have a question specific to the IPsec VPN client and the Scale Sets. Is there a way to gracefully bring down one of the VMs created in the Scale Set without impacting connected VPN clients? If you spin up a new VM in the scale set and manually configure it, it will immediately start accepting VPN client connections. But what if we wanted to scale one of the VMs down (or, say, wanted to apply a hotfix)? Is there a way to prevent the gateway from accepting any new connections so that it could be patched or removed from the scale set when the VPN client connections get down to 0? We did some initial tests and the VPN client connections do not appear to be stateful across the load balancer. So when the gateway I was connected to was taken out of service, my VPN connection was dropped.
MEP is not a cluster so it's expected to not have sync on the sessions.
Until now I'm still thinking about those scale-in events. The solution was provided to a customer in this way, and he agreed to monitor the GWs, destroy the least used one, and apply policy to make it disappear from the client list.
Thank you @ChristianCastil for the very informative video. Can I please ask a few questions:
Is Azure Traffic Manager required to achieve geo load balancing? I see the option of dns_based under MEP, as we want the option of EMEA users logging in to the EMEA region and US users to the US region. In the endpoint client we have both regional scale sets (4 VMs in total). Does this mean the client will resolve to the scale set based on proximity and connect?
Is it possible to have larger office mode networks than the default /24, such as /16, etc.?
Is it possible to use IP pool NAT in Azure instead of just hiding all traffic behind eth1 of the gateway? If so, how do we register the IPs in the Azure environment? If not, I am worried about NAT port exhaustion given 1000s of users accessing the same internal website, etc.