This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rafee
Participant
‎2022-11-04 08:00 AM

VPN Design Recommendation - Two Datacenters

Hi All,

We are having two datacenters, with a Checkpoint VPN cluster(Active/Standby)  at each house. Users have two IP's configured in their client and it is their choice which DC they want to connect to. However we are facing a load issue some times as most of the users will connect to the single DC.

We have tried to create a single GSLB DNS  and pointed that to the IP's of both the houses, however the VPN client caches the IP when it tries to connect for the first time and always connects to the same DC/IP.

Question: How to make this solution work and have clients not cache the IP  and perform a DNS resolution every time they connect.

0 Kudos
9 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-11-04 08:12 AM

With reference to sk75221 are you using MEP currently and which mode?

CCSM R77/R80/ELITE
0 Kudos
Rafee
Participant
‎2022-11-04 08:30 AM
In response to Chris_Atkinson

It is the default, please see below:

:mep_mode (
:gateway (
:map (
:dns_based (dns_based)
:first_to_respond (first_to_respond)
:primary_backup (primary_backup)
:load_sharing (load_sharing)
:client_decide (client_decide)
)
:default (dns_based)

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-11-04 08:33 AM
In response to Rafee

Also which client version is used?

Circa E81.10 we improved the first_to_respond logic to improve distribution.

CCSM R77/R80/ELITE
0 Kudos
Rafee
Participant
‎2022-11-04 08:35 AM
In response to Chris_Atkinson

Version VPN E84.60 Build 986102607

0 Kudos
RS_Daniel
Advisor
‎2022-11-04 08:44 AM

Hello,

You have to follow sk103440 to perform DNS resolution every time they connect.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regards

Rafee
Participant
‎2022-11-04 08:47 AM
In response to RS_Daniel

Thank you much will keep you posted.

One last question - How to add a new site on remote user laptops as it is very difficult to ask them add it manually also most of them do not have admin right's to the system

0 Kudos
Rafee
Participant
‎2022-11-04 09:06 AM
In response to Rafee

Found the steps(attachment) for adding a site to remote users

Preview file
41 KB
0 Kudos
Rafee
Participant
‎2022-11-05 05:06 AM
In response to RS_Daniel

I have made the suggested changes and it is performing the DNS resolution, However, everytime i disconnect/connect back the the VPN client it throws an error "Login Option not configured" , Attached snippet

Preview file
26 KB
0 Kudos
Duane_Toler
Advisor
‎2022-11-07 10:28 AM
In response to Rafee

Login Options are configured per gateway.

Edit gateway properties - expand VPN Clients on the left, select Authentication on the left

You have two choices:  Allow all clients connect to the one default option, or use multiple login options with customized settings (local firewall users, AD login, MFA, combinations...).  These must be identical on all gateways to prevent that error.  Multiple Login Options method is much nicer, and more preferred, but the user will have to select the correct one at the time of site creation (unless you are able to push out a new trac.config to your clients).  You can have different groups of users using different Login Option methods, if you wish.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events