Multiple Entry Point for Remote Access VPNs

In This Section:

The Need for Multiple Entry Point Security Gateways

The Security Gateway provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If the Security Gateway fails, the internal network is no longer available. It therefore makes good sense to have Multiple Entry Points (MEP) to the same network.

The Check Point Solution for Multiple Entry Points

In an MEP environment, more than one Security Gateway is both protecting and giving access to the same VPN domain. How a remote user selects a Security Gateway in order to reach a destination IP address depends on how the MEP Security Gateways have been configured, which in turn depends on the requirements of the organization.

The Check Point solution for multiple entry points is based on a proprietary Probing Protocol (PP) that tests Security Gateway availability. The probing protocol is used only in Site-to-Site MEP. MEP checks for gateway availability. The MEP Security Gateways do not have to be in the same location and can be widely-spaced, geographically.

Note - In a MEP Security Gateway environment, the remote clients supported are the Check Point Remote Access Clients.

MEP Methods

There are three methods used to choose which Security Gateway is used as the entry point for a connection:

First to Respond - The first Security Gateway to reply to the probing mechanism is chosen.
Primary/Backup - The client attempts to connect to the Primary Security Gateway first. If the Primary Security Gateway does not reply, the client attempts to connect to the Backup Security Gateway. If the Backup Security Gateway does not reply, there are no further attempts to connect.
Random Selection - In a Load Sharing MEP environment, the client randomly selects a Security Gateway and assigns the Security Gateway priority. The remote peer stays with this chosen Security Gateway for all subsequent connections to host machines within the VPN domain. Load distribution takes place on the level of "different clients", rather than the level of "endpoints in a connection".

Visitor Mode and MEP

The RDP Security Gateway discovery mechanism used in an MEP environment runs over UDP. This creates a special challenge for Remote Access clients in Visitor Mode, because all traffic is tunneled over a regular TCP connection.

In an MEP environment:

The RDP probing protocol is not used; instead, a special Visitor Mode handshake is employed.
When a MEP failover occurs, the Remote Access client disconnects and the user needs to reconnect to the site in the usual way. See sk115996 for information on configuration.
In a Primary-Backup configuration, the Remote Access client reconnects to the backup gateway only when the primary gateway is unavailable. When the primary gateway is available again, the Remote Access client remains on the backup gateway and does not connect to the primary gateway.
All the gateways in the MEP:

Must support visitor mode.

Routing Return Packets

There are two ways to configure the routing for return packets:

Enable NAT for the Office Mode network.
Use the IP pool NAT, (if the client is configured to ignore Office Mode).

IP Pool NAT

IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped to an IP address drawing from a pool of registered IP addresses. In order to maintain symmetric sessions using MEP Security Gateways, the MEP Security Gateway performs NAT using a range of IP addresses dedicated to that specific Security Gateway and should be routed within the internal network to the originating Security Gateway. When the returning packets reach the Security Gateway, the Security Gateway restores the original source IP address and forwards the packets to the source.

Configuring MEP

To configure MEP, decide on the MEP selection method:

First to Respond
Primary/Backup
Load Distribution

Defining MEP Method

MEP configuration can be implicit or manual.

Implicit - MEP methods and gateway identities are taken from the topology and configuration of gateways that are in fully overlapping encryption domains or that have Primary-Backup gateways.
Manual - You can edit the list of MEP Security Gateways in the XX Product XX TTM file.

Whichever you choose, you must set the XX Product XX configuration file to identify the configuration.

To define MEP topology:

On the gateway, open the $FWDIR/conf/trac_client_1.ttm configuration file.

Find automatic_mep_topology. If you do not see this parameter, add it manually as shown here:

:automatic_mep_topology (
:gateway (
:map (
:true (true)
:false (false)
:client_decide (client_decide)
)
:default (true)
)
)

Set the value of :default to:
- true - For implicit configuration
- false - For manual configuration
For Manual MEP only: Make sure that enable_gw_resolving is true
Save the file.
Install the policy.

First-to-Respond

When more than one Security Gateway leads to the same (overlapping) VPN domain, they are considered MEP by the remote peer, and the first Security Gateway to respond to the probing protocol is chosen. To configure first to respond, define that part of the network that is shared by all the Security Gateways into a single group and assign that group as the VPN domain.

To configure Implicit First-to-Respond:

In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The gateway window opens and shows the General Properties page.
From the navigation tree, click Network Management > VPN Domain.
Click Manually defined.
Click the field and select the VPN domain.
Repeat these steps for each Security Gateway.
Note - Make sure to use the same VPN domain for the Security Gateways.

To configure Manual First-to-Respond:

On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.
Make these changes:
- Under mep_mode, change default (client_decide) to default(first_to_respond).
- Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).
  For example, default(192.168.20.250&#192.168.20.240&#).
Save the changes.
Install Policy.
Connect with a client for the configuration to be applied.

Primary-Backup

To configure Implicit Primary-Backup:

From Menu, click Global Properties.
From the navigation tree, click VPN > Advanced.
Click Enable Backup Gateway.
Click OK.
Publish the changes.

To configure the backup gateway settings:

Click Gateways & Servers and double-click the primary Security Gateway.
The gateway window opens and shows the General Properties page.
From the navigation tree, click IPsec VPN.
Click Use Backup Gateways.
From the drop-down menu, select the backup gateway.
Determine if the backup gateway uses its own VPN domain.
To configure the backup gateway without a VPN domain of its own:
1. Double-click the Security Gateway and from the navigation tree click Network Management > VPN Domain.
2. Click Manually defined.
3. Click the field and select the group or network that contains only the backup gateway
4. Click OK and publish the changes.
To configure the backup gateway that DOES have a VPN domain of its own:
1. Make sure that the IP address of the backup gateway is not included in the VPN domain of the primary gateway.
2. For each backup gateway, define a VPN domain that does not overlap with the VPN domain of the other backup gateways.
Configure IP pool NAT or Hide NAT to handle return packets.

To configure Manual Primary-Backup:

On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.
Make these changes:
- Under mep_mode, change default (client_decide) to default(primary_backup).
- Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).
  For example, default(192.168.20.250&#192.168.20.240&#)
Save the changes.
Install Policy.
Connect with a client for the configuration to be applied.

Load Distribution

When you enable this option, the load distribution is dynamic and the remote client randomly selects a Security Gateway.

To configure Implicit Load Distribution for Remote Access clients:

From Menu, click Global Properties.
From the navigation tree, click Remote Access > VPN Advanced.
In the Load distribution section, click Enable load distribution for Multiple Entry Point configurations (Remote Access connections).
Click OK and publish the changes.
Configure the same VPN domain for all Security Gateways.

To configure Manual Load Distribution:

On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.
Make these changes:
- Under mep_mode, change default (client_decide) to default(load_sharing).
- Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).
  For example, default(192.168.20.250&#192.168.20.240&#)
Save the changes.
Install Policy.
Connect with a client for the configuration to be applied.

Configuring Return Packets

For clients that do not use Office Mode there are two configurations:

IP pool NAT addresses belonging to the Configuring IP Pool NAT
Hide Configuring NAT

Configuring NAT

Configure NAT using the NAT page in the Virtual System window. Hide or Static NAT addresses configured in this manner are automatically forwarded to the Virtual Router to which the Virtual System is connected. Alternatively, you can manually add NAT routes on the Topology page in the Virtual Router window.

To configure NAT for a Virtual System on a VSX Gateway:

Step	Description
1	Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.
2	From the left navigation panel, click Gateways & Servers.
3	Open the Virtual System object.
4	From the navigation tree, click NAT > Advanced. The Advanced page opens.
5	Select Add Automatic Address Translation.
6	Select the Translation method. Hide - Hide NAT only allows connections originating from the internal network. Internal hosts can access internal destinations, the Internet and other external networks. External sources cannot initiate a connection to internal network addresses. Select one of these options: Hide behind Gateway - Hides the real address behind the VSX Gateway external interface address. This is equivalent to hiding behind the address `0.0.0.0` for IPv4, or `::` for IPv6. Hide behind IP Address - Hides the real address behind a virtual IP address, which is a routable, public IP address that does not belongs to any real machine. Static - Static NAT translates each private address to a corresponding public address. Enter the static IP address.
7	From the Install on Gateway list, select the VSX Gateway.
8	Click OK.
9	Install the Access Control Policy on this Virtual System.

To configure NAT for a Virtual System on a VSX Cluster:

Use case - Perform Hide NAT on traffic a Virtual System itself generates in a VSX Cluster, so that the Virtual System could connect to external resources (for example, update Anti-Bot signatures from the Check Point cloud).

Step	Description
1	Connect to the command line on each VSX Cluster Member.
2	Log in to the Expert mode.
3	Switch to the context of the applicable Virtual System: `[Expert@HostName:0]# vsenv <VSID>`
4	Get the Funny IP address of the applicable Virtual System interface, through which the applicable traffic goes out. Note - Funny IP address is the IP address that belongs to cluster's internal communications network (open the VSX Cluster object properties and go to the "Cluster Members" pane). Run one of these commands: `[Expert@HostName:<`VSID`>]# fw getifs` `[Expert@HostName:<`VSID`>]# \ifconfig` Write down the Funny IP address.
5	Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.
6	From the left navigation panel, click Gateways & Servers.
7	Create a new Node Host object and assign to it the Funny IP address you wrote down in Step 4.
8	Create a new Node Host object and assign to it the NATed IP address.
9	From the left navigation panel, click Security Policies.
10	In the Access Control > NAT policy, create the applicable NAT rule to hide the traffic from the Virtual System behind the NATed IP address: Original Source - Must be a Node Host object with the Funny IP address of the Virtual System Original Destination - `* Any` Original Services -`* Any` Translated Source - Must be a Node Host object with the NATed IP address of the Virtual System Translated Destination - `= Original` Translated Services - `= Original` Install On - `* Policy Targets`, or the Virtual System object Comment - Applicable text (for example, "Manual NAT rule for VSXcluster3-VS2 Funny IP")
11	Install the Access Control Policy on this Virtual System.

Configuring IP Pool NAT

For each Security Gateway, create a network object that represents the IP pool NAT addresses for that Security Gateway.

To configure NAT for an IP pool for Remote Access VPN:

From Menu, click Global Properties.
From the navigation tree, click NAT.
Click Enable IP Pool NAT.
Click OK and publish the changes.
For each Security Gateway create a network object that represents the IP pool NAT addresses for that Security Gateway. The IP pool can be a network, group, or address range.
Click Open Object Explorer (Ctrl+E).
1. Create the new object.
2. Configure the IP addresses.
3. Click OK and publish the changes.
Double-click the Security Gateway object where IP pool NAT translation is performed.
From the navigation tree, click NAT > IP Pool NAT.
Click Allocate IP Addresses from, and select the IP pool object.
Click Use IP Pool NAT for VPN client connections.
Optional: Click Use IP Pool NAT for Security Gateway to Security Gateway connections.
Click OK and publish the changes.
Edit the routing table of each internal router, so that packets with an IP address assigned from the NAT pool are routed to the appropriate Security Gateway.

Disabling MEP

To disable MEP, set the following command to true in DBedit, the Check Point database tool:

desktop_disable_mep
When MEP is disabled, MEP RDP probing and fail over are not be performed. As a result, remote hosts connect to the Security Gateway defined without considering the MEP configuration. Remote Access clients use Visitor Mode instead of RDP to probe gateways.