Secondary Connect gives access to multiple VPN gateways at the same time, to transparently connect users to distributed resources. Users log in once to a selected site and get transparent access to resources on different gateways. Tunnels are created dynamically as needed, based on the destination of the traffic.
For example: Your organization has Remote Access gateways in New York and Japan. You log in to a VPN site that connects you to the New York gateway. When you try to access a resource that is behind the Japan gateway, a VPN tunnel is created and you can access the resource behind the Japan gateway.
Traffic flows directly from the client to the gateway that protects the resource; it is not relayed through the first gateway over a site-to-site tunnel. The VPN tunnel and routing parameters are taken automatically from the network topology and from the IP address of the destination server.
In an environment with Secondary Connect, the gateway that the client first authenticates to is the Primary gateway. A gateway that the client reaches through a dynamically created secondary tunnel is a Secondary gateway.
Secondary Connect is compatible with legacy SecureClient settings.
For gateway requirements for Secondary Connect, see sk65312.
Users can access all gateways that are in the Remote Access Community on the same Management server.
Make sure to do the configuration procedure on each Primary and Secondary gateway.
All gateways that participate in Secondary Connect must have a server certificate signed by the internal Certificate Authority (ICA) of that Management Server, because the client trusts only that CA when it opens a secondary tunnel.
If you use Office Mode, make sure that the Office Mode IP address ranges on the gateways do not overlap. The Office Mode IP address issued by the Primary gateway is also used to access the Secondary gateways, so an address that is also allocated by a Secondary gateway causes a conflict.
If user authentication credentials are not cached, users must enter their credentials again when they try to access resources on a different gateway.
Note - On a VSX gateway, the path of trac_client_1.ttm is /var/opt/CPsuite-R80/fw1/CTX/CTX00001/conf/trac_client_1.ttm, where CTX00001 represents the Virtual System number: CTX00001 for VS1, CTX00002 for VS2, and so on.
To configure Secondary Connect on each gateway:
1. On the gateway, open the $FWDIR/conf/trac_client_1.ttm configuration file.
2. Make sure that the :default value of automatic_mep_topology is true.
3. Find the enable_secondary_connect parameter. If you do not see this parameter, add it manually, using the same block layout as the other parameters in the file.
4. Make sure that the :default value of enable_secondary_connect is true.
When users log in to the VPN, they can select a site and gateway.
If their credentials are not cached, they might be prompted to authenticate again for a secondary connection.
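The procedure above verifies two parameters by reading the file by hand. The following script, added here as an example and not part of the Check Point documentation or product, reads a trac_client_1.ttm file and reports whether the :default value of automatic_mep_topology and enable_secondary_connect is true, and prints the block to add when enable_secondary_connect is absent. The `:param ( :gateway ( :default (value) ) )` layout it parses and prints, the constructed sample file it writes for an offline self-test, and the function names are assumptions of this example, not text from the page. It only reads the gateway file; it never modifies it.

```shell
#!/bin/sh
# Check the Secondary Connect parameters in a trac_client_1.ttm file.
# Added example, not part of the Check Point documentation or product.
# Usage: sh check_secondary_connect.sh "$FWDIR/conf/trac_client_1.ttm"
#   (on a VSX gateway pass the per-VS path under /var/opt/CPsuite-R80/fw1/CTX/)

# ttm_default FILE PARAM
# Prints the value inside ":default ( ... )" of the top-level block ":PARAM (",
# or nothing if the block (or its :default line) is absent. Assumes the
# ":param ( :gateway ( :default (value) ) )" layout used in trac_client_1.ttm,
# with the top-level closing ")" in column 0.
ttm_default() {
    awk -v p="$2" '
        BEGIN { re = "^[ \t]*:" p "[ \t]*\\(" }
        !inblock && $0 ~ re { inblock = 1; next }
        inblock && /^\)/ { exit }                 # block closed without a :default line
        inblock && /^[ \t]*:default[ \t]*\(/ {
            sub(/^[ \t]*:default[ \t]*\(/, "")    # strip everything before the value
            sub(/\).*$/, "")                      # strip the closing paren and after
            print
            exit
        }
    ' "$1"
}

# check_secondary_connect FILE
# Returns 0 when both parameters are present with :default (true), 1 otherwise,
# and reports each parameter on stdout.
check_secondary_connect() {
    sc_rc=0
    for p in automatic_mep_topology enable_secondary_connect; do
        v=$(ttm_default "$1" "$p")
        case "$v" in
            true) echo "ok:      $p :default is true" ;;
            "")   echo "missing: $p has no :default value in $1"; sc_rc=1 ;;
            *)    echo "wrong:   $p :default is '$v', expected true"; sc_rc=1 ;;
        esac
    done
    return $sc_rc
}

# Block to add when enable_secondary_connect is absent. The layout mirrors the
# other parameters in trac_client_1.ttm (assumption of this example).
print_secondary_connect_block() {
    printf ':enable_secondary_connect (\n\t:gateway (\n\t\t:default (true)\n\t)\n)\n'
}

# write_sample_ttm FILE MEP_DEFAULT [SC_DEFAULT]
# Writes a constructed two-parameter file for offline testing; leaves out the
# enable_secondary_connect block when SC_DEFAULT is empty (the "parameter not
# present" case the procedure describes). Constructed sample data, not a real file.
write_sample_ttm() {
    printf ':automatic_mep_topology (\n\t:gateway (\n\t\t:default (%s)\n\t)\n)\n' "$2" > "$1"
    if [ -n "${3:-}" ]; then
        printf ':enable_secondary_connect (\n\t:gateway (\n\t\t:default (%s)\n\t)\n)\n' "$3" >> "$1"
    fi
}

# Stand-alone use: pass the .ttm path; nothing runs when no path is given.
if [ -n "${1:-}" ]; then
    if check_secondary_connect "$1"; then
        echo "Secondary Connect parameters look correct in $1"
    else
        echo "Add or fix the following block in $1, then re-run this check:"
        print_secondary_connect_block
        exit 1
    fi
fi
```

Run it once per Primary and Secondary gateway, since the page requires the configuration on every participating gateway; a gateway that reports "missing" or "wrong" for either parameter will not take part in Secondary Connect until the file is corrected.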