This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christian_Koehl
Collaborator
Collaborator
‎2022-03-23 01:57 AM
Jump to solution

Remote Access VPN - Office mode

Dear CheckMates,

I am a little bit confused.

 

In CP_R81.10_RemoteAccessVPN_AdminGuide.pdf it is discribed on page 75 in the section "IP Pool versus DHCP" to use different subnets for office mode IP ranges, when using a cluster.

 

Is this correct?

Do I need different office mode IP subnets for each cluster member?

 

Best regards,

Christian

 

 

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2022-03-23 05:49 AM
In response to Christian_Koehl
Jump to solution

There's been some similar discussion in the past: https://community.checkpoint.com/t5/Remote-Access-VPN/office-mode-network-clusterXL-HA-SSLVPN-networ...

Will request that we clarify the documentation some and report back here.

CCSM R77/R80/ELITE

View solution in original post

6 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-03-23 03:17 AM
Jump to solution

The pool should be configured for each cluster member:

office mode 1.pngoffice mode 2.pngoffice mode 3.PNG

CCSM R77/R80/ELITE
0 Kudos
Christian_Koehl
Collaborator
Collaborator
‎2022-03-23 03:19 AM
In response to Chris_Atkinson
Jump to solution

Dear Chris,

Many thanks for your quick answer. Could you please clarify, must it be the same pool an both members or must it be different pools.

Best regards,

Christian

Ruan_Kotze
Advisor
‎2022-03-23 04:02 AM
In response to Christian_Koehl
Jump to solution

Hmm, I've often used the same IP pool for both cluster members (typically ClusterXL HA) without issue.  Maybe I should pay closer attention to the documentation😁

You don't state whether you are worried about cluster members attempting to hand out the same IP to different clients, but I'm assuming that is a concern? Client VPN connections are synchronised between cluster members so that to me implies Office Mode leases are also synchronised (will test this in my lab to be sure).

0 Kudos
Christian_Koehl
Collaborator
Collaborator
‎2022-03-23 04:29 AM
In response to Ruan_Kotze
Jump to solution

I also used the same subnet for office mode on both members in the past - without any problems 😀 - but I was wondering about the sentense in thr RemoteAccess Guide...

 

Chris_Atkinson
Employee Employee
Employee
‎2022-03-23 05:49 AM
In response to Christian_Koehl
Jump to solution

There's been some similar discussion in the past: https://community.checkpoint.com/t5/Remote-Access-VPN/office-mode-network-clusterXL-HA-SSLVPN-networ...

Will request that we clarify the documentation some and report back here.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2022-03-23 05:59 AM
In response to Christian_Koehl
Jump to solution

Yes, you should use the same. Think about it this way...say your master member c**** out and you can only use the other one. When users try to connect, they would not get proper IP address, which could cause connectivity issues.

Makes sense?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top