Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bruno_Petronio
Contributor

VSX and VS in different domains ?

Hello All,

 

I've read somewhere, that would be possible to have a VSX Gateway inside a specific Domain (MDM environment) and create VS from that VSX Gateway in different Domains.

 

Is this something feasible ?

Inside the domain where i want to create the VS, i can see the VSX Gateways that reside in different domains, so i would guess its possible.

VS_creating_diff_Domain.png

Is this something that someone already tried ?

Pros/Cons would be grateful.

 

Thanks in advance !

Bruno Petrónio

0 Kudos
10 Replies
genisis__
Advisor

If the VSX is managed from a MDS setup then far as I'm aware the VSX appliances should be managed via the main domain, in this way this can then be seen by customer domains.

Bruno_Petronio
Contributor

Main Domain, implies that only one Domain could have the VSX Gateway ?

If i need 2 VSX Gateway (not cluster), is it possible/make sense to have it in different domains ?

0 Kudos
Bob_Zimmerman
Advisor

The short explanation is this is how VSX and Provider-1 are meant to be used together in a managed service provider context. You, the service provider, own the MDS and the VSX chassis. You then provision a Customer Management Add-on for the customer, and a VS (or several) to go with it.

Bruno_Petronio
Contributor

Thanks for clarifying that.

We are not running different customers, but have business related needs and we are running VSX for the virtualization fun/benefits 🙂

Saying that, make sense to have VSXs together in one domain and all VSs spread by different Domains, right ?

No Pros having VSX and VSs per Domain, i would say. 

0 Kudos
Norbert_Bohusch
Advisor

As stated already one reason was separation in provider/customer scenario.

But this was also a best practice to have a separate domain for the VSX gateways, as changes to a VS also locked the domain of VSX gateway (before R80) and so you separated it.

Vincent_Bacher
Advisor

We have many VSX and their vs separated in different CMA. I don't really see a disadvantage of doing that if there is a need to do so. 

and now to something completely different
Bruno_Petronio
Contributor

You mean, many VSX in one domain (called main domain), and their VS inside the several other domains ?

0 Kudos
Vladimir
Champion
Champion

I've written something on this subject some time ago for R77.30

https://community.checkpoint.com/t5/General-Topics/MDSM-with-VSX-Configuration-Guide-and-Architectur...

Perhaps you'd find it useful.

Vincent_Bacher
Advisor

Yes, we have several VSX one domain and their VS inside several other domains. We really have some vsx in a domain called main but several others in different domains.

and now to something completely different
genisis__
Advisor

I believe VSX clusters in the main domain can be shared with other CMAs.  VSX Clusters controlled by a customer CMA, are only usable within that domain and not visible to other customer domains.

If you decided to implement a global level VPN then having a mixed installation may not work (Never done this but thought its worth considering if you ever intended to use this feature in MDS).