Deploying Multi-Domain Management

In This Section:

Planning your Deployment

Protecting the Multi-Domain Management Deployment

This chapter includes information to help you plan your deployment and gives a general overview of the deployment process.

Planning your Deployment

This section includes best practices and other suggestions to help make your Multi-Domain Management deployment work efficiently.

Multi-Site High Availability Deployment

Large enterprises use Multi-Domain Management in a multi-site, High Availability deployment, with many Multi-Domain Servers located at remote sites, often in different countries. Each Multi-Domain Server and Multi-Domain Log Server continuously synchronizes with its remote peers.

The advantages of this type of deployment are:

Single Site Deployments

Small organizations with moderate traffic volumes can use a single-site deployment, with one Multi-Domain Server that manages a set of Domains.

Best Practice - For this type of deployment, use a backup solution that periodically saves the system databases and settings to another device.

This example shows a single-site Multi-Domain Server deployment with three Domains at remote locations. Each Domain has many Security Gateways to protect the internal networks and resources. This example has only one Multi-Domain Server and does not use High Availability.

Item  Description
1     London Domain and networks
2     New York (Headquarters) Domain and networks
3     Tokyo Domain and networks
4     SmartConsole clients, typically at a network control center
5     Multi-Domain Server
6     London Domain Server
7     New York Domain Server
8     Tokyo Domain Server
9     Internet

This illustration shows the configuration grid in the SmartConsole Multi Domain view for the example deployment:

Note - The system automatically creates the Global Domain when you install Multi-Domain Management.

Platform & Performance Issues

Make sure that your Multi-Domain Management system hardware is compliant with the system requirements for this release. If your Multi-Domain Server has more than one interface, make sure that the total traffic load complies with the performance load recommendations for that Multi-Domain Server.

Topology, IP Addresses and Routing

All Multi-Domain Servers must have at least one interface with a routable IP address. You must configure these Multi-Domain Servers to query a DNS server, so that they can resolve IP addresses and host names.

Configure your network routing for IP communication between:

Make sure that IP addresses and routing configuration can handle special issues, such as Multi-Domain Servers in different physical locations.

Using More than one Interface on a Multi-Domain Server

If there is more than one interface on a Multi-Domain Server, you must configure at least one interface to be the leading interface. Multi-Domain Servers (Primary and Secondary) and Multi-Domain Log Servers use the leading interface to communicate with each other for database synchronization.

Make sure that all Multi-Domain Server interfaces are routable. Domain Servers must be able to communicate with their Domain Security Gateways. Domain Log Servers must be able to communicate with their Domain Security Gateways.

Changing the Leading Interface

You define the leading interface during the installation procedure, but you can change it later. If you add a new interface to a Multi-Domain Server after installation, define the Leading Interface manually.

To add a New Leading Interface:

  1. From the Multi-Domain Server command line, run: mdsconfig
  2. Select Leading VIP Interfaces, and then select Add external IPv4 interface.
  3. Enter the interface name and press Enter.

To change the Leading Interface:

  1. From the Multi-Domain Server command line, run: mdsconfig
  2. Do steps 2-3 in the above procedure to add the new interface.
  3. Select Leading VIP Interfaces.
  4. Select Remove External IPv4 interface.
  5. Enter the name of the interface to remove and press Enter.

Synchronizing Clocks

All Multi-Domain Server system clocks must be synchronized to within approximately one second of each other. Before you create a new Multi-Domain Server or Multi-Domain Log Server, you must synchronize its clock with the other system components.

Clock synchronization is important for these reasons:

Use these resources to synchronize component system clocks:

Protecting the Multi-Domain Management Deployment

It is a security best practice to deploy a Check Point Security Gateway that protects the Multi-Domain Servers, Multi-Domain Log Servers and other components. You can manage this Security Gateway with a Domain Server, or with a Security Management Server that is not part of the Multi-Domain Management environment.

This simple use case shows a small High Availability deployment with a Security Gateway protecting each Multi-Domain Server. One of the Domain Servers manages these Security Gateways.

Item  Description
1     Active Domain Servers
2     Standby Domain Servers
3     Primary Multi-Domain Server with Active and Standby Domain Servers
4     Security Gateways
5     Internet
6     Secondary Multi-Domain Server with Active and Standby Domain Servers

Security Gateway Managed by a Domain Server

You can create a Domain and Domain Server to manage the Policies for Security Gateways that protect Multi-Domain Servers in your environment.

Workflow for this scenario:

  1. Run SmartConsole and log into the Multi-Domain Server.
  2. Create a new Domain and Domain Server.
  3. Connect to the new Domain SmartConsole and create a Security Gateway object.
  4. Enable the Firewall and other Software Blades on this gateway.
  5. Create and install a Security Policy for the Security Gateway.

Defining an Access Control Policy for Multi-Domain Server Components

You must create rules in your Security Policies to allow communication between the different Multi-Domain Management components. You can define these rules in global configurations or in local Domain Policies.

Use this table as a guideline to allow connections between specified components:

Allow connections between SmartConsole and the Multi-Domain Server
  Source: SmartConsole           Destination: Multi-Domain Server
  Source: Multi-Domain Server    Destination: SmartConsole

Allow connections between Multi-Domain Servers
  Source: Multi-Domain Servers   Destination: Multi-Domain Servers

Allow connections between Domain Servers and Security Gateways
  Source: Domain Server          Destination: Security Gateway
  Source: Security Gateway       Destination: Domain Server

Allow Domain Server status data and certificate exchange between Domain Server High Availability peers
  Source: Domain Server peer     Destination: Domain Server peer

Allow Domain Server synchronization between peers
  Source: Domain Server peer     Destination: Domain Server peer

See the R80.10 Security Management Administration Guide to learn how to create a Security Policy.
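The following script is an added example and is not part of the Check Point guide. It turns each row of the table above into an explicit allow rule with the R80.10 mgmt_cli tool, so that the protecting Security Gateway permits only the management flows between named objects rather than "Any". Everything not on the page is an assumption: the object names (SmartConsole_Clients, Multi_Domain_Servers, Domain_Servers, Security_Gateways, Domain_Server_Peers), the placeholder service group MDS_SERVICES, the Domain name, and the use of the default "Network" access layer. With DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): create the access rules from the
# "Defining an Access Control Policy" table with mgmt_cli, run on the Domain Server
# that manages the protecting Security Gateway.
#
# Assumptions (not stated on the page):
#   - the host/group objects named below already exist in the Domain
#   - the target policy package uses the default "Network" access layer
#   - MDS_SERVICES is a placeholder service group holding the management services
#     your environment needs
#   - DOMAIN is the name of the Domain whose Domain Server manages the gateway
# DRY_RUN=1 prints the commands; set DRY_RUN=0 on the Domain Server to apply them.

DRY_RUN="${DRY_RUN:-1}"
DOMAIN="${DOMAIN:-<domain-name>}"        # placeholder
LAYER="${LAYER:-Network}"
SERVICE="${SERVICE:-MDS_SERVICES}"       # placeholder service group

# run CMD ARGS... : echo in dry-run mode, execute otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_rule NAME SOURCE DESTINATION : one explicit allow rule, logged, at the top
# of the layer so it precedes any stealth rule that protects the gateway itself
add_rule() {
    run mgmt_cli -r true -d "$DOMAIN" add access-rule layer "$LAYER" position top \
        name "$1" source "$2" destination "$3" service "$SERVICE" \
        action Accept track.type Log
}

# install_mds_rules : every row of the guide's table, then publish the session
install_mds_rules() {
    add_rule "MDM: SmartConsole to MDS"       "SmartConsole_Clients" "Multi_Domain_Servers"
    add_rule "MDM: MDS to SmartConsole"       "Multi_Domain_Servers" "SmartConsole_Clients"
    add_rule "MDM: MDS to MDS"                "Multi_Domain_Servers" "Multi_Domain_Servers"
    add_rule "MDM: Domain Server to Gateway"  "Domain_Servers"       "Security_Gateways"
    add_rule "MDM: Gateway to Domain Server"  "Security_Gateways"    "Domain_Servers"
    add_rule "MDM: Domain Server HA peers"    "Domain_Server_Peers"  "Domain_Server_Peers"
    run mgmt_cli -r true -d "$DOMAIN" publish
}
```

Usage: review the output of `DRY_RUN=1 sh mds_rules.sh` (after adding a line that calls install_mds_rules), then run it with DRY_RUN=0 on the Domain Server and install the policy from SmartConsole. Because each rule names a specific source and destination object, a later change to the object group is the only way to widen the rule, which keeps the exposure of the management plane reviewable.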

Using External Authentication Servers

Multi-Domain Management supports these external authentication solutions:

When an administrator logs in, an authentication request goes to the external authentication server, which sends a reply to the Multi-Domain Server. TACACS and RADIUS use the Multi-Domain Server as a proxy between the Domain Server and the external authentication server. To make this work correctly, you must configure each Multi-Domain Server on the authentication server.

Note - If the Multi-Domain Server is DOWN, the Domain Server cannot authenticate administrators.

Configuring External Authentication

To configure External Authentication:

  1. Connect to the Multi-Domain Server with SmartConsole.
  2. In the Domains view, select the Global Domain, and then click Connect.
  3. Connect to the Global Domain with SmartConsole, and then create a host object for the authentication server.
  4. Define the Multi-Domain Management administrators in the authentication server.
  5. In SmartConsole, select Administrators.
  6. Select an existing administrator or click New.
  7. In the General tab, select the applicable Authentication Scheme.
  8. If the selected authentication server is RADIUS or TACACS, select the server that you configured in the Global Domain SmartConsole.
  9. If the authentication server is SecurID:
    1. Close SmartConsole.
    2. Generate the file sdconf.rec on the ACE/Server, and configure the user to use Tokencode only.
    3. Copy sdconf.rec to /var/ace/ on each Multi-Domain Server.
    4. Open /etc/services in a text editor and add the following lines:

      securid 5500/udp

      securidprop 5510/tcp

    5. Reboot the Multi-Domain Server.

Note - The <authentication_server> parameter is required for TACACS and RADIUS.
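The SecurID procedure above edits /etc/services by hand on every Multi-Domain Server. The script below is an added example, not from the Check Point guide, that makes step 4 repeatable: it adds the two entries only if they are missing, and refuses to add one when the port is already bound to a different service name, so that a re-run or a pre-existing entry cannot silently produce a conflicting port mapping. It assumes the usual "<name> <port>/<proto> [aliases] [# comment]" line format of /etc/services; the SERVICES_FILE variable lets you point it at a copy for testing.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): idempotently add the SecurID
# entries from step 4 of the SecurID procedure to /etc/services.
# Assumes the standard /etc/services line format "<name> <port>/<proto> [aliases] [# comment]".

SERVICES_FILE="${SERVICES_FILE:-/etc/services}"

# ensure_service_entry NAME PORT/PROTO [FILE]
# Returns 0 if NAME->PORT/PROTO is present (or was just appended),
# 2 if PORT/PROTO is already mapped to a different name (reported, nothing written).
ensure_service_entry() {
    name="$1"; portproto="$2"; file="${3:-$SERVICES_FILE}"
    # strip comments, then find the canonical name (first field) bound to this port/proto
    existing=$(sed 's/#.*//' "$file" | awk -v pp="$portproto" '$2 == pp { print $1; exit }')
    if [ "$existing" = "$name" ]; then
        return 0
    elif [ -n "$existing" ]; then
        echo "conflict: $portproto already mapped to '$existing' in $file" >&2
        return 2
    fi
    printf '%s\t%s\n' "$name" "$portproto" >> "$file"
}

# add_securid_services [FILE] : the two entries the guide requires for SecurID
add_securid_services() {
    file="${1:-$SERVICES_FILE}"
    ensure_service_entry securid 5500/udp "$file" || return $?
    ensure_service_entry securidprop 5510/tcp "$file" || return $?
}
```

Run `add_securid_services` as root on each Multi-Domain Server after copying sdconf.rec to /var/ace/, then reboot as the procedure says. A non-zero exit means the file already maps one of the ports to another name and needs a manual look before SecurID is enabled.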