Christian_Koehl
Collaborator

Remote Access VPN - Office mode

Dear CheckMates,

I am a little bit confused.

In CP_R81.10_RemoteAccessVPN_AdminGuide.pdf it is described on page 75 in the section "IP Pool versus DHCP" to use different subnets for office mode IP ranges, when using a cluster.

Is this correct?

Do I need different office mode IP subnets for each cluster member?

Best regards,

Christian

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee

There's been some similar discussion in the past: https://community.checkpoint.com/t5/Remote-Access-VPN/office-mode-network-clusterXL-HA-SSLVPN-networ...

Will request that we clarify the documentation some and report back here.

CCSM R77/R80/ELITE


6 Replies
Chris_Atkinson
Employee

The pool should be configured for each cluster member:

[Attached screenshots: office mode 1.png, office mode 2.png, office mode 3.PNG]

CCSM R77/R80/ELITE
0 Kudos
Christian_Koehl
Collaborator

Dear Chris,

Many thanks for your quick answer. Could you please clarify: must it be the same pool on both members, or must it be different pools?

Best regards,

Christian

Ruan_Kotze
Advisor

Hmm, I've often used the same IP pool for both cluster members (typically ClusterXL HA) without issue. Maybe I should pay closer attention to the documentation 😁

You don't state whether you are worried about cluster members attempting to hand out the same IP to different clients, but I'm assuming that is a concern? Client VPN connections are synchronised between cluster members so that to me implies Office Mode leases are also synchronised (will test this in my lab to be sure).

0 Kudos
Christian_Koehl
Collaborator

I also used the same subnet for office mode on both members in the past - without any problems 😀 - but I was wondering about the sentence in the RemoteAccess Guide...

the_rock
Legend

Yes, you should use the same. Think about it this way... say your master member c**** out and you can only use the other one. When users try to connect, they would not get a proper IP address, which could cause connectivity issues.

Makes sense?

0 Kudos
