Scalable Remote Access VPN with CloudGuard IaaS: Video, Slides, and Q&A
Materials available to CheckMates members:
Q&A from the session:
Can we use a single VMSS for Access to Azure Applications/Resources, Site-to-Site VPN, and Remote Access VPN?
The same VMSS deployment can be used for inbound, outbound, and east-west traffic inspection, and for Remote Access VPN. No site-to-site support at this time, but you set up a separate Check Point Cluster or Gateway for this.
Is Remote Access VPN Load Balanced using MEP?
No, it is using DNS.
Is this configuration documented?
The existing CloudGuard IaaS Admin Guides will be updated to fully document this new feature.
If I use BYOL, do I need to have licenses for the autoscaling gateways?
Yes. The licenses will be distributed via the Central Licensing Tool similar to existing NGTP/NGTX licenses. You will need to purchase the appropriate Remote Access VPN licenses.
How was this environment built?
Using an Azure ARM template, which will be available via Github and the Azure Marketplace.
Given a user can terminate on any gateway, how is symmetry maintained?
Using HIDE NAT, which each gateway is doing.
How is the VPN client dynamically updated with the current VPN gateways in the VMSS?
This is done using DNS, which requires a specific version of the VPN client currently. Over time, this should result in load balancing.
Is there a way to force "round robin" selection of the Remote Access gateway?
Not currently. We will add additional mechanisms over time.
Do PAYG licenses include Remote Access capabilities?
Yes.
Is Office Mode supported?
Yes, each gateway uses the same Office Mode pool. However, the end user is subject to HIDE NAT to maintain symmetry.
Does the VPN client see a fingerprint change if it connects to a different scale set member?
No.
Will this design become a SASE solution?
This is similar to a SASE solution, except you build it/manage it yourself. CloudGuard Connect is our SASE solution, which operates "as a service."
Does it support autoscaling on AWS?
Not yet, but believe this is planned.
Hello,
Any update on this solution being supported in AWS with Auto-scaling?
Thank you!
Does this solution work when connecting via Mac OS based clients?
PAYG licenses include Remote Access capabilities means unlimited?
How many remote users can this scale up to? Or, how many remote users can each Gateway support?
