chethan_m
Collaborator

CloudGuard - Remote Access SSL-VPN Connectivity Issues.

Hi Everyone,

 

I'm practicing deploying CloudGuard Network Security Solution on Azure Public Cloud and I'm facing connectivity issues with setting up Remote-Access VPN.

 

On the web-browser, I can see that the gateway is resetting the connection: "It looks like <GW-Pub-IP-Addr> closed the connection -> ERR_CONNECTION_CLOSED" 

 

The Architecture:

  • CloudGuard Single Gateway deployed with 2 interfaces: eth0 and eth1. The static public IP is assigned to eth0:1 sub-interface.
  • The SMS is on an on-premise VMware Workstation.
  • IPsec VPN and Mobile Access VPN blades are enabled on the gateway.

 

I followed this SK article: Check Point Reference Architecture for Azure. The best practices section speaks about the IPsec VPN, Link Selection Source IP Address settings, where it says to select the private IP address of the gateway's external interface to ensure that the Gateway in the Azure cloud sends encrypted traffic with the source address set to its private IP address.

Is there anything similar to do for Remote Access VPN configuration as well?

 

  • Anti-Spoofing is disabled on both external and internal interfaces.
  • I suspected there might be a conflict with Web-UI and changed the web ssl-port from 443 to 4434. Even then the issue persists.

 

Could anyone help me understand what I should be troubleshooting, please?

 

Thank you! 

0 Kudos
4 Replies
G_W_Albrecht
Legend

Did you read https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Content/Topics-Azure-V... ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
chethan_m
Collaborator

Yes, this guide is specifically for Scale Sets, which make use of Azure Functions to return the active member's public IP address to the connecting client.

In the case of a single gateway, the public IP address associated with the external interface will be used for VPN, and for HA the cluster's public VIP address will be used.

Reference Architecture: Check Point Reference Architecture for Azure

 

In my case, it's not about network reachability; the gateway is refusing the connection for the "https://<gateway-public-ip>/sslvpn" URL.

 

Thank you!

 

0 Kudos
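
Added example (not part of the original thread and not Check Point code): a small Python probe that reports the first layer at which a connection to the portal fails, separating a reachability problem from a gateway that accepts TCP and then drops the session, as in the post above. The function name `probe` and the stage labels are assumptions made for this example.

```python
import socket
import ssl
import sys

def probe(host, port=443, path="/sslvpn", timeout=3.0):
    """Return (stage, detail) for the first layer at which the connection fails.
    `probe` and the stage labels are hypothetical names chosen for this example."""
    # Stage 1: plain TCP. Failing here points at reachability (NSG, routing, NAT).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "no listener on the port")
    except OSError as exc:  # includes timeouts and unreachable networks
        return ("tcp_unreachable", str(exc))
    # Stage 2: TLS handshake. Certificate checks are off on purpose: the question
    # is whether the gateway answers at all, not whether its certificate is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock)
    except (ConnectionError, ssl.SSLEOFError, ssl.SSLZeroReturnError) as exc:
        sock.close()
        # TCP was accepted, then the peer dropped the session before any TLS reply.
        # A browser reports this as ERR_CONNECTION_CLOSED.
        return ("tls_closed", str(exc))
    except OSError as exc:  # other TLS failures, e.g. protocol mismatch or timeout
        sock.close()
        return ("tls_error", str(exc))
    # Stage 3: request the portal path and read the HTTP status line.
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with tls:
            tls.sendall(request.encode("ascii"))
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    except OSError as exc:
        return ("http_closed", str(exc))
    return ("http_response", status) if status else ("http_closed", "empty reply")

if __name__ == "__main__":
    # Usage: python probe.py <gateway-public-ip> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target, target_port))
```

A `tcp_*` result points at the path to the gateway, while `tls_closed` or `http_closed` means the gateway itself accepted the connection and then ended it.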
G_W_Albrecht
Legend

Better contact CP TAC - MAB is supported with Azure, but I did not find any special configuration hints. Changing the WebUI port should not be needed as MAB uses the path /sslvpn for access (MultiPortal feature).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
chethan_m
Collaborator

The solution to my problem was found here (sk115732): Unable to connect to Gaia Portal on port 443 (checkpoint.com)

0 Kudos
