This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Richards
Contributor
‎2021-08-12 08:06 AM

Remote Access VPN - VMSS

We currently have a fairly simple Azure VMSS environment with two CP gateways (these are VMSS and not clustered). Want to enable remote access VPN. There is a public IP for the external load-balancer (LB) and then two separate public IP's tied to each of the VMSS gateways. External traffic (non-vpn) to the LB public IP works. Have also reviewed a document titled "Quick Deployment Guide for Virtual Machine Scale Sets (VMSS) for Microsoft Azure with Remote Access VPN" that CP produced. Have opened a case with CP as we are not able to access either of the public IP's assigned to each GW. Here is the response from TAC:

 

I have consulted our team on your issue. The consensus is that a ticket needs to be opened with Azure to identify where the traffic from your endpoint client is currently being routed to or where it might be dropped. 

  • We have already confirmed that your configuration matches our R80.40 Remote Access VPN guide and it look okay.
  • Based on our team suggestions, a load-balancer rule needs to be configured on the frontend-lb so that the client traffic is not blackholed and does not reach the gateway. 

Hope this find you well. The next action plan would be to verify where the traffic from your client is being dropped, since we cannot identify this on the VMSS instance itself.

Not sure why CP would not provide better instructions to accomplish this. Does anyone have any knowledge of how you can enable access to the public ip's on each VMSS GW fro VPN access? Please note that the client does not want to deploy the Azure DNS application and according to CP this is not necessary. Appreciate any help.

Preview file
1181 KB
0 Kudos
6 Replies
the_rock
Legend
Legend
‎2021-08-12 09:06 AM

I read your post carefully and I recall working with customer once where we ended up modifying some stuff on load balancer to make this work, but I cant recall exactly what...I can definitely see if I can find what we did. By the way, just curious, if you do capture on the firewalls, do you see any drops as to why IP is not accessible? Anything in the logs at all?

0 Kudos
John_Richards
Contributor
‎2021-08-12 09:11 AM
In response to the_rock

So no drops in the logs. I also worked with TAC and they say no drops as well. We also ran a command in expert to see the public ip for each GW as outbound traffic does not go through the LB. It shows as the IP we want to connect to and not the LP IP. I assume that this is a setting in Azure (to allow access to these public IP's) but you'd think CP would have some documentation on this.

0 Kudos
the_rock
Legend
Legend
‎2021-08-12 09:17 AM
In response to John_Richards

Yea, I hear you there brother...ok, Im not Azure expert by any means, but I would say I know my way around it. So, here is what Im thinking...do you see something in your Azure portal that say Network security groups? Im positive that you can actually configure rules there (both inbound and outbound)...happy to do remote session tomorrow morning if you are free (Im in EST) and see if I can help you out.

0 Kudos
John_Richards
Contributor
‎2021-08-12 10:19 AM
In response to the_rock

Thanks and will look into that. I'll hold off on the remote session for now but appreciate the assistance. Still working with TAC and want to see if they come through.

the_rock
Legend
Legend
‎2021-08-12 10:38 AM
In response to John_Richards

Sounds good, keep us posted how it goes...Im very curious to see how it gets resolved.

0 Kudos
John_Richards
Contributor
‎2021-10-07 09:03 AM
In response to the_rock

So we were able to get this working. We created an NSG and attached it to the external subnet, By doing this we could make a VPN connection to the two VMSS firewall nodes using the Public IP assigned to the external interface. But now we have another problem. May open a TAC case. We successfully make a VPN connection but it times out after 11 seconds. In the Endpoint Security client we see in the properties the Public IP and then when it disconnects we see the Private IP of the internet Interface. Seems odd and the logs show "Session Timeout". When we try to connect it tries the Private IP rather than the Public. Any ideas?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events