This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Gonnaso
Participant
‎2018-06-04 10:46 PM

Single RA community, multiple gateways?

Right now I have a single meshed community to connect three remote sites together. 

I have a single Remote access community on one gateway, and that works great. However we want the Remote Access community to be able to work with all gateways and users.

Is this a supported config? We are too small to leverage Multi-domain architectures. 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2018-06-08 12:31 PM

Yes, the feature is called Secondary Connect.

Refer to: Enabling Secondary Connect for Remote Access Clients E75.20 and above 

0 Kudos
Michael_Gonnaso
Participant
‎2018-07-16 03:14 PM

Ok here is what happened:

total sites: 3 

total unique AD domains: 3 (1 per site)

Single management server at the core site , no Multi-Domain.

We setup one site as the "core" site and put that gateway into the Remote Access community.

I then had our windows team allow access from AD to AD, and created a single group, which was defined in the Remote Access community. This allows users from any of the three ADs to auth and connect.

We then allowed the office mode subnet to communicate across the VPN for the three sites.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-07-17 03:11 PM
In response to Michael_Gonnaso

Well, your setup with 3 different AD's is a bit different, but I have 2 customers running with this setup, one with sites all over the world with 3 sites connected with MPLS but all other sites with only a VPN connection. Their challenge was an office in Brasil with a local server and one main site in the US, one in Europe and one in China.

In your version a user located at home in Brasil wants to access his files in their Brasil office, he would need to connect to the US office, go through a VPN to Brasil access the file, which is then send through a VPN to the US and from there to the user. On top of the extra load on the internet line of the US site the latency for the user is far to high.

Adding all gateways to the RA community solves all these issues.

There is 1 caveat, LDAP traffic is dropped when the remote GW is trying to authenticate the user with the central AD server as it is not encrypted, this needs to be excluded from the implied.def file on management.

@Dameon, secondary connect enabled has been the default setting since it was added to the client a long time ago. .

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events