the_rock
Legend

Using same enc domain for remote access on more than one firewall

Hey guys,

Just for my own sanity: we already confirmed with the customer that doing this caused the issue, but they were wondering if it can be made to work somehow. So essentially, have the SAME remote access enc domain for 2 clusters, one on prem and one in Azure?

I can't really see how that would work, but just wondering if it's even possible? If not, could they use the same random subnets from the large group already used for on prem to test the Azure side, or, in order to use the same one, would it need to be done during the cutover window?

Tx as always!

Andy


Accepted Solutions
Wolfgang
Authority

Hi @the_rock, using the same encryption domain on multiple gateways for remote access is possible. Normally this is called MEP (Multiple Entry Point). You have to keep an eye on the return packets if using MEP.

I don't know if this helps for your needs; maybe you have to describe this.


6 Replies
the_rock
Legend

For what it's worth, I even had it configured with 2 subnets from the current RA group used on prem, but even that caused an issue, so now I'm really wondering how this can be tested before the actual cutover.

Andy

the_rock
Legend

Hey @Wolfgang 

Thanks for that. I see what you mean, though now we have to pause on this, since we don't want to cause the customer more issues, as they heavily rely on remote access. I did end up opening a TAC case about it, so let's see what they say 🙂

Andy

Wolfgang
Authority

@the_rock yes, that's it. We have customers using this as active/backup and others using load balancing to distribute the remote users between gateways. Works like a charm. With different IP pools for Office Mode on every gateway you are fine with the back routing to the endpoints. I always use some SAM rules (blocking HTTPS to the gateway) to test the failover to another gateway. With these SAM rules you can add and remove block rules quickly and you can skip the internal rules, because SAM rules work before them.
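Wolfgang's point about giving each MEP gateway its own Office Mode pool so that return traffic finds the right gateway, as an added illustration that is not from the thread or from Check Point's own tooling: a small Python model of the internal return-route table, with constructed pools, gateway names and client sessions (all assumptions), that rejects overlapping pools and flags clients whose return packets would land on the wrong gateway.

```python
import ipaddress

# Constructed scenario: two clusters (on-prem and Azure) serve the same
# remote-access encryption domain. Each hands out Office Mode addresses from
# its own pool, and the internal network routes each pool back to the
# gateway that owns it. If the pools overlap, return packets for one
# gateway's clients can be routed to the other gateway and the tunnel breaks.

def build_return_routes(office_mode_pools):
    """office_mode_pools: {gateway_name: [cidr, ...]}.
    Returns a list of (network, gateway) routes, longest prefix first, or
    raises ValueError when two gateways' pools overlap."""
    routes = []
    for gw, pools in office_mode_pools.items():
        for cidr in pools:
            net = ipaddress.ip_network(cidr, strict=True)
            for other_net, other_gw in routes:
                if other_gw != gw and net.overlaps(other_net):
                    raise ValueError(
                        f"Office Mode pool {net} on {gw} overlaps {other_net} on {other_gw}")
            routes.append((net, gw))
    # Longest prefix first so lookups behave like a real routing table.
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes

def return_gateway(routes, client_ip):
    """Gateway that receives the return packet for a given Office Mode client,
    or None when no route covers the address."""
    addr = ipaddress.ip_address(client_ip)
    for net, gw in routes:
        if addr in net:
            return gw
    return None

def check_back_routing(routes, sessions):
    """sessions: {client_ip: gateway the client is actually tunnelled to}.
    Returns the clients whose return traffic would reach a different gateway."""
    return [ip for ip, gw in sessions.items() if return_gateway(routes, ip) != gw]

if __name__ == "__main__":
    good = {"onprem-cluster": ["10.200.0.0/24"], "azure-cluster": ["10.200.1.0/24"]}
    routes = build_return_routes(good)
    sessions = {"10.200.0.15": "onprem-cluster", "10.200.1.7": "azure-cluster"}
    print("misrouted clients:", check_back_routing(routes, sessions))
    try:  # the overlapping case: both clusters handing out the same pool
        build_return_routes({"onprem-cluster": ["10.200.0.0/24"],
                             "azure-cluster": ["10.200.0.0/24"]})
    except ValueError as err:
        print("rejected:", err)
```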

the_rock
Legend

Thanks @Wolfgang 
