AkiYa
Explorer

Remote access two different sites

Hi mates,

I need to know if this scenario is possible:

I have an S2S VPN between two clusters in two different geographical locations, each with its own public IP;
They are also part of the same RemoteAccess community, but the actual connection points to the first cluster's public IP (the IP configured in the VPN client);
Users connect to the HQ's IP and, since there is also the S2S, they can reach the BO network and they are happy.

For reasons I'll have to completely turn off the HQ cluster for some hours, but I need users to connect to the BO, where I will move some servers they need during this maintenance.

I've read about MEP remote access, but I'm not sure this is what I need; I also tried to just enable the Mobile Access blade on the BO cluster, configuring it like a regular VPN, but when I configure my VPN client pointing to its IP it doesn't connect (negotiation with site failed).
There are two domain controllers for both sites and I checked that the BO firewalls can ping them.

Is this supported?
How could I allow people to connect during the maintenance?

Thanks

4 Replies
PhoneBoy
Admin

MEP is what you need.
Also, end users may have to delete and re-add the site for the change to take effect.

AkiYa
Explorer

Hi PhoneBoy,

Thank you for your reply!

If I understand well, users will just use the current VPN site and since there won't be connectivity to the HQ's IP they will fall back to the BO cluster, right?

Is there any way to test this functionality before the actual power off of the HQ's cluster?

PhoneBoy
Admin

The failover won't necessarily be automatic.
In fact, each cluster will need different Office Mode IPs.
The users will have to connect to the other gateway.

the_rock
Champion

This is your best reference:

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid...

I always do the manual method for people and it works fine, no issues. Btw, just so you don't get confused, the documentation is not so clear about that... you CAN use the manual MEP method even if the gateways have exactly the same encryption domains; it does work.
