Create a Post
Showing results for 
Search instead for 
Did you mean: 

Single RA community, multiple gateways?

Right now I have a single meshed community to connect three remote sites together. 

I have a single Remote access community on one gateway, and that works great. However we want the Remote Access community to be able to work with all gateways and users.

Is this a supported config? We are too small to leverage Multi-domain architectures. 

0 Kudos
3 Replies

Yes, the feature is called Secondary Connect.

Refer to: Enabling Secondary Connect for Remote Access Clients E75.20 and above 

0 Kudos

Ok here is what happened:

total sites: 3 

total unique AD domains: 3 (1 per site)

Single management server at the core site , no Multi-Domain.

We setup one site as the "core" site and put that gateway into the Remote Access community.

I then had our windows team allow access from AD to AD, and created a single group, which was defined in the Remote Access community. This allows users from any of the three ADs to auth and connect.

We then allowed the office mode subnet to communicate across the VPN for the three sites.

0 Kudos

Well, your setup with 3 different AD's is a bit different, but I have 2 customers running with this setup, one with sites all over the world with 3 sites connected with MPLS but all other sites with only a VPN connection. Their challenge was an office in Brasil with a local server and one main site in the US, one in Europe and one in China.

In your version a user located at home in Brasil wants to access his files in their Brasil office, he would need to connect to the US office, go through a VPN to Brasil access the file, which is then send through a VPN to the US and from there to the user. On top of the extra load on the internet line of the US site the latency for the user is far to high.

Adding all gateways to the RA community solves all these issues.

There is 1 caveat, LDAP traffic is dropped when the remote GW is trying to authenticate the user with the central AD server as it is not encrypted, this needs to be excluded from the implied.def file on management.

@Dameon, secondary connect enabled has been the default setting since it was added to the client a long time ago. .

Regards, Maarten
0 Kudos