This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2019-02-28 06:56 AM
Jump to solution

office mode network/clusterXL HA/SSLVPN/network extender

With ClusterXL HA (active/standby) RE: office mode network for SSLVPN (network extender mode) - Is it recommended to define one OM network for each member in the cluster (a seperate network for each member)?   Or is it recommended/required to have one office mode network defined (the same one) and configured one each member?  My guess is with HA, they'll be using one gw or the other so it's preferred to define the same network.

0 Kudos
2 Solutions

Accepted Solutions
Jerry
Mentor
Mentor
‎2019-02-28 08:47 AM
Jump to solution

Only one OfficeMode (MAB?) subnet for the whole SSLVPN NetX VPN Users - no need to create multiply OM subnets really. I don't get your point how HA is relevant to this ... have you ever used HA in Active/Passive mode before?

You know what VMAC stands for? or VIP on each "clusterred" interface? You don't need to worry about multiply OM subnets. Just make one, add to the config. and off you go Smiley Happy

Jerry

View solution in original post

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2019-05-23 08:25 AM
In response to Daniel_Kavan
Jump to solution

Per  case  6-0001647364

We are both right.  For Active/Active two sepeate ip pools are recommended.  For active/standby the same pool can be used on both nodes.
 
Each node what has been assigned, they are in sync.

View solution in original post

0 Kudos
4 Replies
Jerry
Mentor
Mentor
‎2019-02-28 08:47 AM
Jump to solution

Only one OfficeMode (MAB?) subnet for the whole SSLVPN NetX VPN Users - no need to create multiply OM subnets really. I don't get your point how HA is relevant to this ... have you ever used HA in Active/Passive mode before?

You know what VMAC stands for? or VIP on each "clusterred" interface? You don't need to worry about multiply OM subnets. Just make one, add to the config. and off you go Smiley Happy

Jerry
0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2019-05-22 11:01 AM
In response to Jerry
Jump to solution

Office Mode addresses can be allocated from an IP pool or by a DHCP server. If addresses are allocated from an IP pool, a separate IP pool must be defined for every cluster member. This prevents the allocation of the same IP address to different clients simultaneously.

I assume I route these to my INT-VIP IP, not the respective gws.

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2019-05-23 08:25 AM
In response to Daniel_Kavan
Jump to solution

Per  case  6-0001647364

We are both right.  For Active/Active two sepeate ip pools are recommended.  For active/standby the same pool can be used on both nodes.
 
Each node what has been assigned, they are in sync.
0 Kudos
Vladimir
Champion
Champion
‎2019-05-23 09:54 AM
In response to Daniel_Kavan
Jump to solution

If you are assigning Office Mode IPs from the Pool, it makes sense to split it in two and serve half from each cluster member in HA configuration.

The reason for this is that if one of the unit has leased the IP to the client and then the failover has occurred, no duplicate IPs will be leased.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events