the_rock
MVP Diamond
Remote access switch from onprem cluster to Azure

Hey guys,

I hope you might be able to give me some insight/suggestions about this, just to make sure I am not mixing things up and have a good grasp (if you will) of how to go about it the right way.

Here is the situation. The customer ultimately wants to have all their users moved over to SASE, but since there have been some issues in the last few months and P81 support has been helping them with it, they were wondering if moving the users from the on-prem to the Azure cluster would be something they could do in the meantime.

What I mean by that is literally replicating the same RA enc. domain and the rule for remote access on Azure as they currently have for on-prem.

I am fairly positive we would need to follow the link below (implicit MEP section, as the domains would be fully overlapping):

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/T...

Now, since MEP is required, the question is: if all this is done and, say, Azure is primary and on-prem is backup, would clients be forced to delete/re-create the site once this is done, or would the changes show up automatically in their Harmony Endpoint? I can't recall what happened when I did this in my lab last year, but I'm fairly sure deleting/recreating the site was indeed needed.

I also opened a TAC case about it, so I will probably have a call with an engineer this week or next.

Also, 2 other questions they had were:

1) What would happen to people who currently use SASE clients; would they be affected?

and

2) Can this switch be done gradually, so it does not affect a bunch of people at the same time?

Thoughts?

Thanks as always for your help and support, I always truly APPRECIATE it!


Best,
Andy
"Have a great day and if its not, change it"
5 Replies
PhoneBoy
Admin

Any updates to the topology should be propagated to the clients the next time they connect.
If that doesn't work, then maybe you have a way to roll it out "gradually" to users; otherwise I don't see a way to do so.
SASE would need to be updated with the new VPN setup, and it should be transparent to users.

the_rock
MVP Diamond

So you don't think deleting/recreating the site would be needed?

Best,
Andy
"Have a great day and if its not, change it"
emmap
MVP Gold CHKP

Shouldn't be, as long as the clients can connect to the existing gateway to get the new topology. The 'fun' part with this is managing that aspect of it. Probably start with adding the Azure gateway in; make sure it has its own office mode range so that client connections can route back that way. Once you see that being used by everyone, you can adjust priorities if you want to. Once everyone has connected a few times and has the updated topology, it should be safe to remove the on-prem gateway, but if anyone is away for this period or doesn't often connect, they would likely have to delete/recreate the site.

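An added example, not from this thread and not Check Point code: a small Python pre-flight script for the two preconditions the replies above lean on before the Azure gateway is added as a second MEP entry point. It checks that both gateways' encryption domains are identical (the fully overlapping case the implicit MEP setup assumes), that each gateway has its own office mode pool which neither overlaps the other pool nor sits inside the encryption domain, and it lists the return routes the internal network needs so replies reach a client through the gateway it is actually connected to. Gateway names, pools and domain networks are constructed placeholders.

```python
"""Pre-flight checks for adding a second MEP gateway (Azure) next to an on-prem one.

Added example for this thread; it is not Check Point code and not from the
original posts. Gateway names, office mode pools and encryption-domain
networks are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Gateway:
    name: str
    office_mode_pool: str                       # addresses handed to connected RA clients
    encryption_domain: List[str] = field(default_factory=list)


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def domains_fully_overlap(gw_a: Gateway, gw_b: Gateway) -> bool:
    """Implicit MEP assumes both gateways protect the same networks: every
    network in A must be inside some network of B, and vice versa."""
    a, b = _nets(gw_a.encryption_domain), _nets(gw_b.encryption_domain)

    def covered(net, others):
        return any(net.subnet_of(o) for o in others)

    return all(covered(n, b) for n in a) and all(covered(n, a) for n in b)


def pool_conflicts(gateways: List[Gateway]) -> List[Tuple[str, str, str]]:
    """Each gateway needs its own office mode pool so that internal hosts can
    route replies back through the gateway a client is actually connected to.
    Reports pools that overlap each other or sit inside an encryption domain."""
    problems = []
    pools = {g.name: ipaddress.ip_network(g.office_mode_pool) for g in gateways}
    names = list(pools)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            if pools[n1].overlaps(pools[n2]):
                problems.append((n1, n2, "office mode pools overlap"))
    for g in gateways:
        for net in _nets(g.encryption_domain):
            if pools[g.name].overlaps(net):
                problems.append((g.name, str(net), "office mode pool inside encryption domain"))
    return problems


def return_routes(gateways: List[Gateway]) -> List[Tuple[str, str]]:
    """Static routes the internal network needs: each office mode pool points
    at the gateway that hands it out."""
    return [(g.office_mode_pool, g.name) for g in gateways]


def run_checks(onprem: Gateway, azure: Gateway) -> dict:
    return {
        "implicit_mep_ok": domains_fully_overlap(onprem, azure),
        "pool_conflicts": pool_conflicts([onprem, azure]),
        "return_routes": return_routes([onprem, azure]),
    }


if __name__ == "__main__":
    # Constructed sample: same encryption domain on both, distinct office mode pools.
    onprem_gw = Gateway("onprem-gw", "172.16.10.0/24", ["10.0.0.0/8", "192.168.0.0/16"])
    azure_gw = Gateway("azure-gw", "172.16.20.0/24", ["10.0.0.0/8", "192.168.0.0/16"])
    for key, value in run_checks(onprem_gw, azure_gw).items():
        print(f"{key}: {value}")
```

Run it with the real pools and domains from the two gateway objects before pushing policy; a non-empty `pool_conflicts` list is the case where traffic from internal servers can come back through the wrong gateway, and a `False` `implicit_mep_ok` means the domains are not the fully overlapping case the linked guide's implicit MEP section describes.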
the_rock
MVP Diamond

I will definitely talk with TAC about it. Let me see if my colleague, who used to teach CP courses, and I can put together a lab where this can be properly tested.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

Hey team,

Spoke with a GREAT guy from DTAC; I dealt with him before, amazing support. We discussed this, I sent him this community link, and he actually did some tests on his end and sent me the below, which I'm satisfied with. Will update the customer next week about it.

*************************************

Now, since MEP is required, the question is: if all this is done and, say, Azure is primary and on-prem is backup, would clients be forced to delete/re-create the site once this is done, or would the changes show up automatically in their Harmony Endpoint? I can't recall what happened when I did this in my lab last year, but I'm fairly sure deleting/recreating the site was indeed needed.

*************************************

Did a test in my lab. After MEP is enabled, the user does not need to "Delete/Re-create" the VPN site. Once the user connects again, MEP will take effect.

*************************************

1) What would happen to people who currently use SASE clients; would they be affected?

and

2) Can this switch be done gradually, so it does not affect a bunch of people at the same time?

Thoughts?

*************************************

(1) The users can have both the RA VPN client and the SASE client installed, but I don't think it's a good idea to turn both on at the same time. The RA client will have higher-priority routes installed.

(2) As we discussed during our session, you can try changing the resolution of the FQDN and force the clients to resolve the DNS.

Best,
Andy
"Have a great day and if its not, change it"