Multiple Entry Point for Remote Access VPNs

The Need for Multiple Entry Point (MEP) Security Gateways

The Security Gateway provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If the Security Gateway fails, the internal network is no longer available. It therefore makes good sense to have Multiple Entry Points (MEP) to the same network.

The Check Point Solution for Multiple Entry Points

In an MEP environment, more than one Security Gateway is both protecting and giving access to the same VPN domain. How a remote user selects a Security Gateway in order to reach a destination IP address depends on how the MEP Security Gateways have been configured, which in turn depends on the requirements of the organization.

The MEP Security Gateways do not have to be in the same location and can be widely-spaced, geographically.

Note - In an MEP Security Gateway environment, the remote clients supported are the Check Point Remote Access Clients.

MEP Methods

There are three methods used to choose which Security Gateway is used as the entry point for a connection:

  • First to Respond - The first Security Gateway to reply to the probing mechanism is chosen.

  • Primary/Backup - The client attempts to connect to the Primary Security Gateway first. If the Primary Security Gateway does not reply, the client attempts to connect to the Backup Security Gateway. If the Backup Security Gateway does not reply, there are no further attempts to connect.

  • Random Selection - In a Load Sharing MEP environment, the client randomly selects a Security Gateway and assigns the Security Gateway priority. The remote peer stays with this chosen Security Gateway for all subsequent connections to host machines within the VPN domain. Load distribution takes place on the level of "different clients", rather than the level of "endpoints in a connection".

Visitor Mode and MEP

The RDP Security Gateway discovery mechanism used in an MEP environment runs over UDP. This creates a special challenge for Remote Access clients in Visitor Mode, because all traffic is tunneled over a regular TCP connection.

In an MEP environment:

  • The RDP probing protocol is not used; instead, a special Visitor Mode handshake is employed.

  • When an MEP failover occurs, the Remote Access client disconnects and the user needs to reconnect to the site in the usual way. See sk115996 for information on configuration.

  • In a Primary-Backup configuration, the Remote Access client reconnects to the backup Security Gateway only when the primary Security Gateway is unavailable. When the primary Security Gateway is available again, the Remote Access client remains on the backup Security Gateway and does not connect to the primary Security Gateway.

  • All the Security Gateways in the MEP configuration must support Visitor Mode.

Routing Return Packets

There are two ways to configure the routing for return packets:

  1. Enable NAT for the Office Mode network.

  2. Use IP pool NAT (if the client is configured to ignore Office Mode).

IP Pool NAT

IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped to IP addresses drawn from a pool of registered IP addresses. To maintain symmetric sessions with MEP Security Gateways, each MEP Security Gateway performs NAT using a range of IP addresses dedicated to that specific Security Gateway, and the internal network must route that range back to the originating Security Gateway. When the returning packets reach the Security Gateway, the Security Gateway restores the original source IP address and forwards the packets to the source.

Configuring MEP

To configure MEP, decide on the MEP selection method:

  • First to Respond

  • Primary/Backup

  • Load Distribution

Defining MEP Method

MEP configuration can be implicit or manual.

  • Implicit - MEP methods and Security Gateway identities are taken from the topology and configuration of gateways that are in fully overlapping encryption domains or that have Primary-Backup gateways.

  • Manual - You edit the list of MEP Security Gateways in the Remote Access client's TTM file.

Whichever you choose, you must set the Remote Access client's configuration file to identify the configuration.

To define MEP topology:

  1. On the Security Gateway, edit the $FWDIR/conf/trac_client_1.ttm file.

  2. Find automatic_mep_topology. If you do not see this parameter, add it manually as shown here:

    :automatic_mep_topology (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (true)
        )
    )
  3. Set the value of :default to:

    • true - For implicit configuration

    • false - For manual configuration

  4. For Manual MEP only: Make sure that enable_gw_resolving is set to true.

  5. Save the file.

  6. Install the policy.

First-to-Respond

When more than one Security Gateway leads to the same (overlapping) VPN domain, they are considered MEP by the remote peer, and the first Security Gateway to respond to the probing protocol is chosen. To configure first to respond, define that part of the network that is shared by all the Security Gateways into a single group and assign that group as the VPN domain.

To configure Implicit First-to-Respond:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway Properties window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management > VPN Domain.

  3. Click Manually defined.

  4. Click the field and select the VPN domain.

  5. Repeat these steps for each Security Gateway.

    Note - Make sure to use the same VPN domain for the Security Gateways.

To configure Manual First-to-Respond:

  1. On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.

  2. Make these changes:

    • Under mep_mode, change default (client_decide) to default(first_to_respond).

    • Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).

      For example, default(192.168.20.250&#192.168.20.240&#).

  3. Save the changes.

  4. Install Policy.

  5. Connect with a client for the configuration to be applied.

Primary-Backup

To configure Implicit Primary-Backup:

  1. From Menu, click Global Properties.

  2. From the navigation tree, click VPN > Advanced.

  3. Click Enable Backup Gateway.

  4. Click OK.

  5. Publish the changes.

To configure the backup Security Gateway settings:

  1. Click Gateways & Servers and double-click the primary Security Gateway.

    The Security Gateway Properties window opens and shows the General Properties page.

  2. From the navigation tree, click IPsec VPN.

  3. Click Use Backup Gateways.

  4. From the drop-down menu, select the backup Security Gateway.

  5. Determine if the backup Security Gateway uses its own VPN domain.

  6. To configure the backup Security Gateway without a VPN domain of its own:

    1. Double-click the Security Gateway and from the navigation tree click Network Management > VPN Domain.

    2. Click Manually defined.

    3. Click the field and select the group or network that contains only the backup Security Gateway.

    4. Click OK and publish the changes.

  7. To configure the backup Security Gateway that DOES have a VPN domain of its own:

    1. Make sure that the IP address of the backup Security Gateway is not included in the VPN domain of the primary Security Gateway.

    2. For each backup Security Gateway, define a VPN domain that does not overlap with the VPN domain of the other backup gateways.

  8. Configure IP pool NAT or Hide NAT to handle return packets (see Configuring Return Packets).

To configure Manual Primary-Backup:

  1. On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.

  2. Make these changes:

    • Under mep_mode, change default (client_decide) to default(primary_backup).

    • Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).

      For example, default(192.168.20.250&#192.168.20.240&#)

  3. Save the changes.

  4. Install Policy.

  5. Connect with a client for the configuration to be applied.

Load Distribution

When you enable this option, the load distribution is dynamic and the remote client randomly selects a Security Gateway.

To configure Implicit Load Distribution for Remote Access clients:

  1. From Menu, click Global Properties.

  2. From the navigation tree, click Remote Access > VPN Advanced.

  3. In the Load distribution section, click Enable load distribution for Multiple Entry Point configurations (Remote Access connections).

  4. Click OK and publish the changes.

  5. Configure the same VPN domain for all Security Gateways.

To configure Manual Load Distribution:

  1. On the Security Gateway, open $FWDIR/conf/trac_client_1.ttm.

  2. Make these changes:

    • Under mep_mode, change:

      from default (client_decide)

      to default(load_sharing)

    • Under ips_of_gws_in_mep, change:

      from default (client_decide)

      to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>)

      For example, default(192.168.20.250&#192.168.20.240&#)

  3. Save the changes.

  4. Install Policy.

  5. Connect with a client for the configuration to be applied.
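The manual MEP procedures above (First-to-Respond, Primary-Backup and Load Distribution, together with the automatic_mep_topology step) all depend on a handful of :default values in trac_client_1.ttm, and a missing trailing &# or a mep_mode left at client_decide silently leaves the client without MEP. This added Python checker is not part of the Check Point documentation or product; it reads the :default value of each top-level TTM setting and validates a manual Primary-Backup configuration against the rules stated on this page. The SAMPLE_TTM text is constructed from the snippets above, with the small blocks written compactly.

```python
import re

# Constructed sample of the relevant trac_client_1.ttm settings (not a real file)
SAMPLE_TTM = """
:automatic_mep_topology (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (false)
    )
)
:enable_gw_resolving (:gateway (:default (true)))
:mep_mode (:gateway (:default (primary_backup)))
:ips_of_gws_in_mep (:gateway (:default (192.168.20.250&#192.168.20.240&#)))
"""

EXPLICIT_MEP_MODES = {"first_to_respond", "primary_backup", "load_sharing"}

def ttm_defaults(text):
    """Map each top-level ':name (' block to its :default value (nested lines are indented)."""
    defaults = {}
    for chunk in re.split(r"^(?=:\w+)", text, flags=re.M):
        head = re.match(r":(\w+)", chunk)
        default = re.search(r":default\s*\(([^()]*)\)", chunk)
        if head and default:
            defaults[head.group(1)] = default.group(1).strip()
    return defaults

def mep_gateways(text):
    """Ordered gateway list from ips_of_gws_in_mep; the first entry is the primary."""
    return [ip for ip in ttm_defaults(text).get("ips_of_gws_in_mep", "").split("&#") if ip]

def check_manual_mep(text):
    """Return the problems found in a manual MEP configuration (empty list = OK)."""
    d, problems = ttm_defaults(text), []
    if d.get("automatic_mep_topology") != "false":
        problems.append("automatic_mep_topology default must be false for manual MEP")
    if d.get("enable_gw_resolving") != "true":
        problems.append("enable_gw_resolving must be true for manual MEP")
    if d.get("mep_mode") not in EXPLICIT_MEP_MODES:
        problems.append("mep_mode default is still client_decide or is not a valid MEP method")
    gws = d.get("ips_of_gws_in_mep", "")
    if not re.fullmatch(r"(\d{1,3}(\.\d{1,3}){3}&#)+", gws):
        problems.append("ips_of_gws_in_mep must list IP addresses, each terminated by '&#'")
    elif d.get("mep_mode") == "primary_backup" and gws.count("&#") < 2:
        problems.append("primary_backup needs at least a primary and a backup gateway")
    return problems
```

Run check_manual_mep on the text of the TTM file before installing policy; an empty list means the four settings are consistent with the manual procedure.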

Configuring Return Packets

For clients that do not use Office Mode, there are two configurations:

Configuring NAT

Configure NAT using the NAT page in the Virtual System window. Hide or Static NAT addresses configured in this manner are automatically forwarded to the Virtual Router to which the Virtual System is connected. Alternatively, you can manually add NAT routes on the Topology page in the Virtual Router window.

To configure NAT for a Virtual System on a VSX Gateway:

  1. Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the Virtual System object.

  4. From the navigation tree, click NAT > Advanced.

    The Advanced page opens.

  5. Select Add Automatic Address Translation.

  6. Select the Translation method.

  7. From the Install on Gateway list, select the VSX Gateway.

  8. Click OK.

  9. Install the Access Control Policy on this Virtual System.

To configure NAT for a Virtual System on a VSX Cluster:

Use case - Perform Hide NAT on traffic that a Virtual System itself generates in a VSX Cluster, so that the Virtual System can connect to external resources (for example, to update Anti-Bot signatures from the Check Point cloud).

  1. Connect to the command line on each VSX Cluster Member.

  2. Log in to the Expert mode.

  3. Switch to the context of the applicable Virtual System:

    [Expert@HostName:0]# vsenv <VSID>

  4. Get the Funny IP address of the applicable Virtual System interface, through which the applicable traffic goes out.

    Note - The Funny IP address is the IP address that belongs to the cluster's internal communications network (open the VSX Cluster object properties and go to the "Cluster Members" pane).

    Run one of these commands:

    • [Expert@HostName:<VSID>]# fw getifs

    • [Expert@HostName:<VSID>]# \ifconfig

    Write down the Funny IP address.

  5. Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.

  6. From the left navigation panel, click Gateways & Servers.

  7. Create a new Node Host object and assign to it the Funny IP address you wrote down in Step 4.

  8. Create a new Node Host object and assign to it the NATed IP address.

  9. From the left navigation panel, click Security Policies.

  10. In the Access Control > NAT policy, create the applicable NAT rule to hide the traffic from the Virtual System behind the NATed IP address:

    • Original Source - Must be a Node Host object with the Funny IP address of the Virtual System

    • Original Destination - * Any

    • Original Services - * Any

    • Translated Source - Must be a Node Host object with the NATed IP address of the Virtual System

    • Translated Destination - = Original

    • Translated Services - = Original

    • Install On - * Policy Targets, or the Virtual System object

    • Comment - Applicable text (for example, "Manual NAT rule for VSXcluster3-VS2 Funny IP")

  11. Install the Access Control Policy on this Virtual System.

Configuring IP Pool NAT

For each Security Gateway, create a network object that represents the IP pool NAT addresses for that Security Gateway.

To configure NAT for an IP pool for Remote Access VPN:

  1. From Menu, click Global Properties.

  2. From the navigation tree, click NAT.

  3. Click Enable IP Pool NAT.

  4. Click OK and publish the changes.

  5. For each Security Gateway create a network object that represents the IP pool NAT addresses for that Security Gateway. The IP pool can be a network, group, or address range.

  6. Click Open Object Explorer (Ctrl+E).

    1. Create the new object.

    2. Configure the IP addresses.

    3. Click OK and publish the changes.

  7. Double-click the Security Gateway object where IP pool NAT translation is performed.

  8. From the navigation tree, click NAT > IP Pool NAT.

  9. Click Allocate IP Addresses from, and select the IP pool object.

  10. Click Use IP Pool NAT for VPN client connections.

  11. Optional: Click Use IP Pool NAT for Security Gateway to Security Gateway connections.

  12. Click OK and publish the changes.

  13. Edit the routing table of each internal router, so that packets with an IP address assigned from the NAT pool are routed to the appropriate Security Gateway.

Disabling MEP

To disable MEP, set the following property to true in DBedit, the Check Point database tool:

  • desktop_disable_mep

When MEP is disabled, MEP RDP probing and failover are not performed. As a result, remote hosts connect to the defined Security Gateway without considering the MEP configuration. Remote Access clients use Visitor Mode instead of RDP to probe gateways.