
Secondary Connect

In This Section:

Secondary Connect

Configuring Secondary Connect

Secondary Connect for Users

Secondary Connect

Secondary Connect gives access to multiple VPN gateways at the same time, to transparently connect users to distributed resources. Users log in once to a selected site and get transparent access to resources on different gateways. Tunnels are created dynamically as needed, based on the destination of the traffic.

For example: Your organization has Remote Access gateways in New York and Japan. You log in to a VPN site that connects you to the New York gateway. When you try to access a resource that is behind the Japan gateway, a VPN tunnel is created and you can access the resource behind the Japan gateway.

Traffic flows directly from the user to the gateway, without site-to-site communication. VPN tunnels and routing parameters are automatically taken from the network topology and destination server IP address.

In an environment with Secondary Connect, the gateway that the client first authenticates to is the Primary gateway. A gateway that the client reaches through a secondary VPN tunnel is a Secondary gateway.

Secondary Connect is compatible with legacy SecureClient settings.

For gateway requirements for Secondary Connect, see sk65312.

Configuring Secondary Connect

Users can access all gateways that are in the Remote Access Community on the same Management server.

Make sure to do the configuration procedure on each Primary and Secondary gateway.

All gateways that participate in Secondary Connect must have a server certificate that is signed by the internal Certificate Authority.

If you use Office Mode IP addresses, make sure that the IP addresses are different on each gateway so there are no conflicts. The Office Mode IP address that is issued by the first gateway is used to access the secondary gateways.

If user authentication credentials are not cached, users must enter their credentials again when they try to access resources on a different gateway.

Note - If your gateway is a VSX gateway, the path to trac_client_1.ttm is: /var/opt/CPsuite-R80/fw1/CTX/CTX00001/conf/trac_client_1.ttm

where CTX00001 represents the VS number: CTX00001 for VS1, CTX00002 for VS2, and so on.

To configure Secondary Connect on each gateway:

  1. Make sure the gateway has a server certificate that is signed by the internal Certificate Authority.
  2. On each gateway, open the $FWDIR/conf/trac_client_1.ttm configuration file.
  3. Set the :default value of automatic_mep_topology to true.
  4. Find enable_secondary_connect. If you do not see this parameter, add it manually as shown here:

    :enable_secondary_connect (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (true)
        )
    )

  5. Make sure the :default value of enable_secondary_connect is true.
  6. Save the file.
  7. Install the policy.
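The procedure above edits two settings by hand on every Primary and Secondary gateway, which is easy to get wrong on one of them. As an added example (not Check Point's own tooling and not code from this page), the following POSIX shell script reads the :default value of automatic_mep_topology and enable_secondary_connect from a trac_client_1.ttm file, rewrites them to true, and reports anything that is still wrong so the check can be run before the policy is installed. The sample file it builds is constructed for the demo and only imitates the block format quoted in step 4; the function names, the use of awk, and the assumption that a parameter's :default is the first :default line inside that parameter's block are mine, not from the page.

```shell
#!/bin/sh
# Added example: check and repair the two trac_client_1.ttm settings that
# Secondary Connect depends on. Assumption (mine): the :default (...) entry for
# a parameter is the first :default line inside that parameter's block, as in
# the block quoted in step 4. The sample file below is constructed for the demo;
# on a gateway point the functions at $FWDIR/conf/trac_client_1.ttm (or the
# per-VS path on VSX).

# ttm_default FILE PARAM: print the :default value of PARAM's block; exit 1 if absent.
ttm_default() {
    awk -v param="$2" '
        BEGIN { inblock = 0; depth = 0; found = 0 }
        {
            line = $0
            # block starts on a line like ":enable_secondary_connect ("
            if (!inblock && line ~ ("^[[:space:]]*:" param "[[:space:]]*\\(")) { inblock = 1; depth = 0 }
            if (inblock && match(line, /:default[[:space:]]*\([^)]*\)/)) {
                v = substr(line, RSTART, RLENGTH)
                sub(/^:default[[:space:]]*\(/, "", v); sub(/\)$/, "", v)
                print v; found = 1; exit
            }
            if (inblock) {
                scratch = line
                depth += gsub(/\(/, "(", scratch) - gsub(/\)/, ")", scratch)
                if (depth <= 0) inblock = 0      # left the parameter block
            }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# ttm_set_default FILE PARAM VALUE: rewrite the :default value in PARAM's block in place.
ttm_set_default() {
    out="$1.new.$$"
    awk -v param="$2" -v value="$3" '
        BEGIN { inblock = 0; depth = 0; done = 0 }
        {
            line = $0
            if (!done && !inblock && line ~ ("^[[:space:]]*:" param "[[:space:]]*\\(")) { inblock = 1; depth = 0 }
            if (inblock && !done && line ~ /:default[[:space:]]*\(/) {
                sub(/:default[[:space:]]*\([^)]*\)/, ":default (" value ")", line)
                done = 1
            }
            if (inblock) {
                scratch = line
                depth += gsub(/\(/, "(", scratch) - gsub(/\)/, ")", scratch)
                if (depth <= 0) inblock = 0
            }
            print line
        }
        END { if (!done) exit 1 }
    ' "$1" > "$out" || { rm -f "$out"; return 1; }
    mv "$out" "$1"
}

# check_secondary_connect FILE: both parameters must exist with :default (true).
check_secondary_connect() {
    f="$1"; rc=0
    for p in automatic_mep_topology enable_secondary_connect; do
        if v=$(ttm_default "$f" "$p"); then
            if [ "$v" = "true" ]; then
                echo "OK: $p :default ($v)"
            else
                echo "FIX: $p :default ($v), expected true" >&2; rc=1
            fi
        else
            echo "MISSING: $p has no :default block in $f, add it by hand" >&2; rc=1
        fi
    done
    return $rc
}

# make_sample_ttm PATH: constructed sample in the block format shown in step 4 (not a real file).
make_sample_ttm() {
    cat > "$1" <<'EOF'
:automatic_mep_topology (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (client_decide)
    )
)
:enable_secondary_connect (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (false)
    )
)
:some_other_setting (
    :gateway (
        :default (true)
    )
)
EOF
}

# Demo on the constructed sample: report, repair, report again.
demo() {
    f="${TMPDIR:-/tmp}/trac_client_1.sample.$$.ttm"
    make_sample_ttm "$f"
    echo "--- before"
    check_secondary_connect "$f" || echo "--- changes needed, applying"
    ttm_set_default "$f" automatic_mep_topology true
    ttm_set_default "$f" enable_secondary_connect true
    echo "--- after"
    check_secondary_connect "$f"; rc=$?
    rm -f "$f"
    return $rc
}
demo
```

Run it with no arguments for the demo. On a gateway, call check_secondary_connect on the real file first and only run ttm_set_default on a backed-up copy; some_other_setting in the sample is there to show that the block-depth tracking does not bleed one parameter's :default into another. The script deliberately does not add a missing enable_secondary_connect block, because the page does not say where in the file it belongs; it reports MISSING and the block from step 4 is added by hand.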

Secondary Connect for Users

When users log in to the VPN, they can select a site and gateway.

If their credentials are not cached, they might be prompted to authenticate again for a secondary connection.