This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PhoneBoy
Admin
Admin
‎2020-07-15 10:12 AM

Scalable Remote Access VPN with CloudGuard IaaS: Video, Slides, and Q&A

Materials available to CheckMates members:

Q&A from the session:

Can we use a single VMSS for Access to Azure Applications/Resources, Site-to-Site VPN, and Remote Access VPN?

The same VMSS deployment can be used for inbound, outbound, and east-west traffic inspection, and for Remote Access VPN. No site-to-site support at this time, but you set up a separate Check Point Cluster or Gateway for this.

Is Remote Access VPN Load Balanced using MEP?

No, it is using DNS.

Is this configuration documented?

The existing CloudGuard IaaS Admin Guides will be updated to fully document this new feature.

If I use BYOL, do I need to have licenses for the autoscaling gateways?

Yes. The licenses will be distributed via the Central Licensing Tool similar to existing NGTP/NGTX licenses. You will need to purchase the appropriate Remote Access VPN licenses.

How was this environment built?

Using an Azure ARM template, which will be available via Github and the Azure Marketplace.

Given a user can terminate on any gateway, how is symmetry maintained?

Using HIDE NAT, which each gateway is doing.

How is the VPN client dynamically updated with the current VPN gateways in the VMSS? 

This is done using DNS, which requires a specific version of the VPN client currently. Over time, this should result in load balancing.

Is there a way to force "round robin" selection of the Remote Access gateway?

Not currently. We will add additional mechanisms over time.

Do PAYG licenses include Remote Access capabilities?

Yes.

Is Office Mode supported?

Yes, each gateway uses the same Office Mode pool. However, the end user is subject to HIDE NAT to maintain symmetry.

Does the VPN client see a fingerprint change if it connects to a different scale set member?

No.

Will this design become a SASE solution?

This is similar to a SASE solution, except you build it/manage it yourself. CloudGuard Connect is our SASE solution, which operates "as a service."

6 Replies
Xiaojiang_Wen
Employee Alumnus
Employee Alumnus
‎2020-08-05 05:05 AM

Does it support autoscaling on AWS?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-05 06:36 PM
In response to Xiaojiang_Wen

Not yet, but believe this is planned.

0 Kudos
Kamil_Kolo
Participant
‎2021-05-07 03:39 PM
In response to PhoneBoy

Hello,

Any update on this solution being supported in AWS with Auto-scaling?

Thank you!

0 Kudos
Will_Hargreaves
Employee
Employee
‎2020-10-12 09:12 AM

Does this solution work when connecting via Mac OS based clients?

 

0 Kudos
kusch444
Explorer
‎2020-11-24 11:43 PM

PAYG licenses include Remote Access capabilities means unlimited? 

0 Kudos
Kamil_Kolo
Participant
‎2021-04-27 02:17 PM

How many remote users can this scale up to? Or, how many remote users can each Gateway support?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events