VPN Communities - MEP
What can I do here?
Use this window to configure
- Multiple Entry Points (MEP) to the core network
- Tracking options
- Return packet routing
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities > New Star Community > MEP
Multiple Entry Point
Overview of MEP
Multiple Entry Point (MEP) is a feature that provides a High Availability and Load Sharing solution for VPN connections. A Security Gateway on which the VPN module is installed provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If that Security Gateway becomes unavailable, the internal network, too, is no longer available. A MEP environment has two or more Security Gateways that both protect and enable access to the same VPN domain, providing peer Security Gateways with uninterrupted access.
VPN High Availability Using MEP or Clustering
Both MEP and Clustering are ways of achieving High Availability and Load Sharing. However:
- Unlike the members of a ClusterXL Security Gateway Cluster, there is no physical restriction on the location of MEP Security Gateways. MEP Security Gateways can be geographically separated machines. In a cluster, the clustered Security Gateways need to be in the same location, directly connected via a sync interface.
- MEP Security Gateways can be managed by different Security Management Servers; cluster members must be managed by the same Security Management Server.
- In a MEP configuration there is no "state synchronization" between the MEP Security Gateways. In a cluster, all of the Security Gateways hold the "state" of all the connections to the internal network. If one of the Security Gateways fails, the connection passes seamlessly over (performs failover) to another Security Gateway, and the connection continues. In a MEP configuration, if a Security Gateway fails, the current connection is lost and one of the backup Security Gateways picks up the next connection.
- In a MEP environment, the decision which Security Gateway to use is taken on the remote side; in a cluster, the decision is taken on the Security Gateway side.
Implementation
MEP is implemented via a proprietary Probing Protocol (PP) that sends special UDP RDP packets to port 259 to discover whether an IP is reachable. This protocol is proprietary to Check Point and does not conform to RDP as specified in RFC 908/1151.
Note - These UDP RDP packets are not encrypted, and only test the availability of a peer.
The peer continuously probes or polls all MEP Security Gateways in order to discover which of the Security Gateways are "up", and chooses a Security Gateway according to the configured selection mechanism. Since RDP packets are constantly being sent, the status of all Security Gateways is known and updated when changes occur. As a result, all Security Gateways that are "up" are known.
There are two available methods to implement MEP:
| MEP Method | Description |
| --- | --- |
| Explicit MEP | Only Star communities with more than one central Security Gateway can enable explicit MEP. This MEP method provides multiple entry points to the network behind the Security Gateways. When available, Explicit MEP is the recommended method. |
| Implicit MEP | This MEP method is supported in all scenarios where fully or partially overlapping encryption domains exist, or where Primary-Backup Security Gateways are configured. |
Routing Return Packets
To make sure return packets are routed correctly, the MEP Security Gateway can make use of either of these:
- IP Pool NAT (Static NAT)
- Route Injection Mechanism (RIM)
Multiple Entry Point - Options
Use these options to configure entry to the core network.
- Select the closest gateway to source (First to respond). If "first to respond" is the chosen mechanism, the first MEPed gateway to respond to the satellite's probing RDP packets becomes the chosen gateway. Subsequent connections pass through the chosen gateway.
- Select the closest gateway to destination (By VPN domain). An extension to the traditional Primary-Backup MEP configuration. Before the MEP unification, the destination IP belonged to a particular VPN domain. The gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while the other gateways in the MEP become its backup gateways.
- Random Selection (for Load distribution). To distribute the load, and prevent any one gateway from being flooded, connections can be evenly shared amongst all the gateways in the MEP configuration. When all gateways share equal priority (no primary) and are MEPed to the same VPN domain, a gateway is randomly chosen as the entry point to the network for each pair of source/destination IP addresses.
- Manually set priority list (MEP rules). Which gateway is chosen as the entry point to the core network can be controlled by manually setting a priority per source gateway. Each priority constitutes a MEP Rule. Click Set... to configure the rules.
Tracking fields
From the drop-down box, select the type of tracking required.
Multiple Entry Point - Advanced
In some instances, more than one gateway is available in the center with no obvious priority between them. When this occurs, select how the gateway should be chosen, either by:
- First to respond
- Random Selection
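The following is an added example, not Check Point's code, that simulates the four selection mechanisms from the Options section above and the First to respond / Random Selection tie-break from this Advanced section over constructed probe results. The gateway names, addresses, VPN domains and probe timings are made up; a real satellite learns which gateways are "up", and in what order they answered, from the RDP probes described earlier. Seeding the random choice from the source/destination pair is an assumption made here so that one flow keeps one entry point.

```python
# Added example (not Check Point's code): MEP gateway selection simulated over
# constructed probe results.  All names, addresses and timings are made up.
from dataclasses import dataclass
import hashlib
import ipaddress
import random


@dataclass
class Gateway:
    name: str
    ip: str            # external address the satellite probes
    vpn_domain: str    # network this gateway normally serves (CIDR)
    up: bool           # did the gateway answer the RDP probe?
    rtt_ms: float      # how fast it answered (drives "first to respond")


# Constructed sample: two reachable central gateways and one that is down.
GATEWAYS = [
    Gateway("gw-a", "203.0.113.10", "10.1.0.0/16", up=True, rtt_ms=12.0),
    Gateway("gw-b", "203.0.113.20", "10.2.0.0/16", up=True, rtt_ms=8.0),
    Gateway("gw-c", "203.0.113.30", "10.3.0.0/16", up=False, rtt_ms=0.0),
]


def reachable(gateways):
    """Only gateways that answered the probe are candidates."""
    return [g for g in gateways if g.up]


def first_to_respond(gateways):
    """Closest to source: the reachable gateway whose probe reply came first."""
    up = reachable(gateways)
    return min(up, key=lambda g: g.rtt_ms) if up else None


def random_selection(gateways, src_ip, dst_ip):
    """Load distribution: a random reachable gateway, kept stable per
    source/destination pair (assumption: seed the PRNG from the pair)."""
    up = sorted(reachable(gateways), key=lambda g: g.name)
    if not up:
        return None
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    return random.Random(int.from_bytes(digest[:8], "big")).choice(up)


def by_vpn_domain(gateways, dst_ip, tie_break=first_to_respond):
    """Closest to destination: the gateway whose VPN domain holds dst_ip is
    primary; if it is down the others act as backups and the Advanced
    setting (first to respond, or a random pick) decides between them."""
    dst = ipaddress.ip_address(dst_ip)
    for g in reachable(gateways):
        if dst in ipaddress.ip_network(g.vpn_domain):
            return g
    return tie_break(gateways)


def by_priority(gateways, src_gateway, rules, tie_break=first_to_respond):
    """Manual MEP rules: rules maps a source gateway name to central gateway
    names in priority order; the highest-priority reachable one is chosen,
    and gateways not covered by a rule fall back to the tie-break."""
    up = {g.name: g for g in reachable(gateways)}
    for name in rules.get(src_gateway, []):
        if name in up:
            return up[name]
    return tie_break(gateways)


if __name__ == "__main__":
    rules = {"satellite-1": ["gw-c", "gw-a", "gw-b"]}
    print("first to respond :", first_to_respond(GATEWAYS).name)
    print("by VPN domain    :", by_vpn_domain(GATEWAYS, "10.1.5.5").name)
    print("primary down     :", by_vpn_domain(GATEWAYS, "10.3.1.1").name)
    print("random (stable)  :", random_selection(GATEWAYS, "198.51.100.5", "10.2.0.9").name)
    print("MEP rule         :", by_priority(GATEWAYS, "satellite-1", rules).name)
```

The down gateway gw-c is never returned by any mechanism, which is the behaviour the probing buys: the satellite only ever picks from gateways whose availability it has just confirmed. Because nothing here synchronizes state between entry points, a connection already in flight through gw-c is still lost when it fails; only the next connection benefits from the re-selection.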
Return Packet Routing
While MEP is used to determine which gateway to connect to, RIM (like IP Pool NAT) is used to correctly route return packets through the chosen gateway.
Return packets can be routed according to IP pool NAT, configured per gateway, or by using the route injection mechanism (RIM) configured in Tunnel Management.
IP Pool NAT
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway or gateway cluster.
IP Pool NAT ensures proper routing for two connection scenarios:
- SecuRemote/SecureClient to MEPed (Multiple Entry Point) gateways.
- Gateway to MEP gateways.
To configure IP Pool NAT, see: IP Pool NAT
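To make the return-routing role of IP Pool NAT concrete, here is an added example (not Check Point's code) that models one pool per central gateway: a connection that entered through a gateway is hidden behind an address from that gateway's pool, so the internal host's reply carries a destination that the core network routes back to the same gateway. The pool ranges and gateway names are constructed.

```python
# Added example (not Check Point's code): IP Pool NAT as a return-routing aid.
# Each central gateway owns a pool that the internal network routes only to
# that gateway, so a reply addressed to a pool address is forced back out
# through the gateway the connection came in on.  Ranges are constructed.
import ipaddress


class IpPoolNat:
    def __init__(self, pools):
        # pools: {gateway name: CIDR routable to that gateway}
        self.pools = {n: ipaddress.ip_network(c) for n, c in pools.items()}
        self.free = {n: list(net.hosts()) for n, net in self.pools.items()}
        self.leases = {}  # (gateway, real remote source) -> pool address

    def allocate(self, gateway, real_src):
        """Static NAT: one pool address per (entry gateway, remote source),
        reused while the lease exists."""
        key = (gateway, real_src)
        if key not in self.leases:
            if not self.free[gateway]:
                raise RuntimeError(f"IP pool of {gateway} exhausted")
            self.leases[key] = self.free[gateway].pop(0)
        return str(self.leases[key])

    def release(self, gateway, real_src):
        """Give the address back to the pool when the lease ends."""
        addr = self.leases.pop((gateway, real_src), None)
        if addr is not None:
            self.free[gateway].append(addr)

    def return_gateway(self, reply_dst):
        """Routing decision inside the core network: a reply whose destination
        is a pool address goes through the gateway that owns the pool."""
        addr = ipaddress.ip_address(reply_dst)
        for name, net in self.pools.items():
            if addr in net:
                return name
        return None  # not a pool address: ordinary routing applies


if __name__ == "__main__":
    nat = IpPoolNat({"gw-a": "10.100.1.0/24", "gw-b": "10.100.2.0/24"})
    hidden = nat.allocate("gw-a", "192.0.2.7")       # connection entered via gw-a
    print("remote 192.0.2.7 seen internally as", hidden)
    print("reply to", hidden, "leaves via", nat.return_gateway(hidden))
```

Exhaustion is the operational caveat: a pool sized smaller than the number of concurrent remote sources behind a gateway makes new connections through that gateway fail, so the pool per gateway must cover the expected peak, and releasing leases promptly matters.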