
Remote Site VPN scenario ...

hi folks,

got a little query for you, as the SMEs on the mentioned topic; let me describe what bothers me in short steps first:

all R80.10 take 122 (just so you know)

1. Imagine we've got an MDS server (VM) behind a (NATed) cluster of 5600 appliances in Active/Passive mode

2. Imagine we've got the MDS server as central management of 2 clusters and several remote sites hooked up by a Site2Site VPN tunnel, SICed to the MDS "not via VPN" but over the public Internet instead

3. Here is the strategic question though: is there any official "guide" I could provide to my customer in order to clarify that we have got 2 options in such scenarios, 1/ SIC over VPN, 2/ SIC over Internet, each with some pros and cons? Meaning, do we have any sk for such "deployment best practices", and if we do, what is the number?

4. If we do not have such a "guide" for CCSAs mainly ... has anyone made any kind of article/docs about "VPN Remote Site Deployments with MDS/P1/MDSM behind a (NATed) Cluster (not LSM!)" at all?

I'd appreciate your constructive hints, if any. Also bear in mind that I did both scenarios myself, but the one over the Internet with SIC ends up nearly all the time with modifying the "masters files" - I want to avoid that option, including GUIDBEDIT, if possible, and offer the customer confidence that SIC over the VPN is possible and not necessarily the most complicated, as they say.

Also note that all devices, VMs and any other components are R80.10 based, with everything up & running. What I'm actually seeking is any "written" version which may or may not convince my customer that potentially "SIC over the Internet is not the best idea on earth" :)

Dameon Welch Abernathy‌ - what do you think about that, buddy?



3 Replies

I consider SIC over VPN to be a bad idea.

Discussion here: 


Second that. SIC is already encrypted, and by the way, with default settings, it is actually excluded from VPN tunneling anyhow.


I would like to start and tell you we manage about 130 customers with about 400 gateways all over the world across the Internet. In these types of environments, you try to avoid 2 things: use of NAT and use of VPN.

By default all management traffic is excluded from VPN anyway. There is something like the chicken and the egg: the FW that needs to build the VPN needs to get its policy from the management that you want to send the traffic for over the VPN... hmmmm, it will only complicate things unnecessarily, as all management traffic is already encrypted and you want to encrypt it again by using a VPN?

Regards, Maarten