This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkiYa
Contributor
‎2022-04-20 08:58 AM

Remote access two different sites

Hi mates,

I need to know if this scenario is possible:

I have a S2S VPN between two clusters in two different geographical locations with their own public IPs;
They are also part of the same RemoteAccess community, but the actual connection points to the first cluster public IP (the IP configured in the VPN client);
Users connect to the HQ's IP and since there is also the S2S can reach the BO network and they are happy.

For reasons I'll have to completely turn off the HQ cluster for some hours but I need to make users connecting to the BO, where I will move some servers they need during this maintenance.

I've read about MEP remote access, but I'm not sure this is what I need; I also tried to just enable the Mobile Access blade on the BO cluster, configuring it like a regular VPN, but when I configure my VPN client pointing to its IP it doesn't connect (negotiation with site failed).
There are two domain controllers for both sites and I checked that the BO firewalls can ping them.

Is this supported?
How could I allow people to connect during the maintenance?

 

Thanks

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2022-04-20 07:11 PM

MEP is what you need.
Also, end users may have to delete and re-add the site for the change to take effect.

AkiYa
Contributor
‎2022-04-21 05:18 AM
In response to PhoneBoy

Hi PhoneBoy,

thank you for your reply!

If I understand well, users will just use the current VPN site and since there won't be connectivity to the HQ's IP they will fall back to the BO cluster, right?

Is there any way to test this functionality before the actual power off of the HQ's cluster?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-21 08:21 AM
In response to AkiYa

The failover won't necessarily be automatic.
In fact, each cluster will need different Office Mode IPs.
The users will have to connect to the other gateway.

0 Kudos
the_rock
Legend
Legend
‎2022-04-21 06:01 AM

This is your best reference:

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid...

I always do manual method for people and works fine, no issues. Btw, just so you dont get confused, documentation is not so clear about that...you CAN use manual MEP method even if gateways have exact same enc domains, it does work.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events