Christian_Koehl
Contributor

Remote Access VPN - Office mode

Dear CheckMates,

I am a little bit confused.

In CP_R81.10_RemoteAccessVPN_AdminGuide.pdf it is described on page 75 in the section "IP Pool versus DHCP" to use different subnets for office mode IP ranges when using a cluster.

Is this correct?

Do I need different office mode IP subnets for each cluster member?

Best regards,

Christian

0 Kudos
1 Solution

Accepted Solutions

There's been some similar discussion in the past: https://community.checkpoint.com/t5/Remote-Access-VPN/office-mode-network-clusterXL-HA-SSLVPN-networ...

Will request that we clarify the documentation some and report back here.

6 Replies

The pool should be configured for each cluster member:

[Screenshots: office mode 1.png, office mode 2.png, office mode 3.PNG]

0 Kudos
Christian_Koehl
Contributor

Dear Chris,

Many thanks for your quick answer. Could you please clarify: must it be the same pool on both members, or must it be different pools?

Best regards,

Christian

Ruan_Kotze
Advisor

Hmm, I've often used the same IP pool for both cluster members (typically ClusterXL HA) without issue.  Maybe I should pay closer attention to the documentation😁

You don't state whether you are worried about cluster members attempting to hand out the same IP to different clients, but I'm assuming that is a concern? Client VPN connections are synchronised between cluster members so that to me implies Office Mode leases are also synchronised (will test this in my lab to be sure).

0 Kudos
Christian_Koehl
Contributor

I also used the same subnet for office mode on both members in the past - without any problems 😀 - but I was wondering about the sentence in the Remote Access Guide...

the_rock
Champion

Yes, you should use the same. Think about it this way...say your master member c**** out and you can only use the other one. When users try to connect, they would not get a proper IP address, which could cause connectivity issues.

Makes sense?

0 Kudos