Multiple Entry Points for Remote Access VPNs

The Need for Multiple Entry Point (MEP) VPN Gateways

The VPN Gateway provides a single point of entry to the internal network. The VPN Gateway makes the internal network "available" to remote computers. If the VPN Gateway fails, the internal network is no longer available.

To solve this issue, configure several VPN Gateways (Multiple Entry Points - MEP) for the same internal network.

The Check Point Solution for Multiple Entry Points

In an MEP environment, you install two VPN Gateways to provide remote access to your internal network(s).

You configure how a Remote Access client selects a VPN Gateway.

Note - The MEP VPN Gateways do not have to be at the same geographical site.

MEP Methods

There are different ways for Remote Access clients to connect to MEP VPN Gateways:

  • First to Respond - The Remote Access client connects to the first VPN Gateway that responds.

  • Primary/Backup - The Remote Access client connects to the VPN Gateway that you configured as Primary. If the Primary VPN Gateway does not respond, the Remote Access client connects to the VPN Gateway that you configured as Backup. If the Backup VPN Gateway does not respond, the Remote Access client fails the entire remote access VPN connection.

  • Random Selection - In a Load Sharing MEP environment, the Remote Access client randomly selects one of the configured VPN Gateways and assigns priority to that VPN Gateway. The Remote Access client uses the selected VPN Gateway for all subsequent connections.

Visitor Mode and MEP

The VPN Gateway discovery mechanism used in an MEP environment runs over UDP (proprietary Check Point communication). This creates a special challenge for Remote Access clients that work in Visitor Mode, because all traffic is tunneled over a regular TCP connection.

In an MEP environment:

  • A special Visitor Mode handshake is used as a probing method to test the availability of the VPN Gateways.

  • When a MEP failover occurs, the Remote Access client disconnects and the user has to reconnect to the VPN site in the usual way. See sk115996 for information on configuration.

  • In a Primary-Backup configuration, the Remote Access client reconnects to the backup VPN Gateway only when the Primary VPN Gateway is unavailable. When the Primary VPN Gateway is available again, the Remote Access client stays connected to the Backup VPN Gateway and does not connect to the Primary VPN Gateway.

  • All the VPN Gateways in the MEP must support Visitor Mode.

Routing Return Packets

These are the ways to configure the routing for return packets:

  • Enable NAT for the Office Mode network.

  • If the client is configured to ignore Office Mode, use the IP Pool NAT.

IP Pool NAT

IP pool NAT maps source IP addresses from remote VPN domains to an IP address from a pool of registered IP addresses. To maintain symmetric sessions with MEP Security Gateways, each MEP Security Gateway does NAT with a range of IP addresses dedicated to that specific Security Gateway, and that range must be routed within the internal network back to the originating Security Gateway. When the returning packets reach the Security Gateway, the Security Gateway restores the original source IP address and forwards the packets to the source.

Configuring MEP

To configure MEP, select an MEP selection method:

  • First to Respond

  • Primary/Backup

  • Load Distribution

Defining MEP Method

Define MEP configuration as one of these:

  • Implicit - MEP methods and the identities of VPN Gateways are taken from the topology and configuration of VPN Gateways. The VPN Gateways have fully overlapping encryption domains, or are configured as Primary-Backup VPN Gateways.

  • Manual - You can edit the list of MEP VPN Gateways in the Remote Access clients' TTM file.

Important - You must edit the required configuration file on Remote Access clients to identify the MEP settings.

To define MEP topology:

  1. On the Security Gateway, edit the $FWDIR/conf/trac_client_1.ttm file.

  2. Find automatic_mep_topology.

    If you do not see this parameter, add it manually as shown here:

    :automatic_mep_topology (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (true)
        )
    )
  3. Set the value of ":default" to:

    • true - For implicit configuration

    • false - For manual configuration

  4. For Manual MEP only - Make sure that the value of ":enable_gw_resolving" is "(true)".

  5. Save the changes in the file and exit the editor.

  6. In SmartConsole, install the policy on the VPN Gateway.

First-to-Respond

When more than one Security Gateway leads to the same (overlapping) VPN domain, the remote peer considers them MEP. In a First-to-Respond configuration, the remote peer chooses the first Security Gateway that responds to the probing protocol. To configure First-to-Respond, define the part of the network that is shared by all the Security Gateways as one group. Then, assign that group as the VPN domain.

To configure Implicit First-to-Respond in SmartConsole:

  1. From the left navigation panel, click Gateways & Servers.

  2. Double-click the Security Gateway object.

  3. From the navigation tree, click Network Management > VPN Domain.

  4. Select User defined.

  5. Click the [...] button and select the applicable Group or Network object.

    Click New to create the required objects from this menu.

  6. Click OK.

  7. Repeat steps 2-6 for each Security Gateway object.

    Note - Make sure to use the same VPN domain for all Security Gateways.

To configure Manual First-to-Respond:

  1. On the Management Server, edit the $FWDIR/conf/trac_client_1.ttm file.

  2. Make these changes:

    • In the ":mep_mode ()" section, change

      from ":default (client_decide)"

      to ":default(first_to_respond)"

    • In the ":ips_of_gws_in_mep ()" section, change

      from ":default (client_decide)"

      to ":default(<Primary-IP-Address>&#<Secondary-IP-Address>&#<Tertiary-IP-Address>&#)".

      Example:

      :default(192.168.20.240&#192.168.20.250&#)

  3. Save the changes in the file and exit the editor.

  4. In SmartConsole, install policy on the VPN Gateway.

  5. Connect with a Remote Access client.

    The configuration is applied.

Primary-Backup

To configure Implicit Primary-Backup:

  1. In SmartConsole, click Menu > Global properties.

  2. From the left navigation tree, click VPN > Advanced.

  3. Select Enable Backup Gateway.

  4. Click OK.

  5. In SmartConsole, install policy on the VPN Gateway.

To configure the backup Security Gateway settings:

  1. From the left navigation panel, click Gateways & Servers.

  2. Double-click the primary Security Gateway.

  3. From the left navigation tree, click IPsec VPN.

  4. At the bottom of the page, select Use Backup Gateways.

  5. From the drop-down menu, select the backup Security Gateway.

  6. Determine if the backup Security Gateway uses its own VPN domain.

  7. To configure the backup Security Gateway without a VPN domain of its own:

    1. Double-click the Security Gateway and from the navigation tree click Network Management > VPN Domain.

    2. Click Manually defined.

    3. Click the field and select the group or network that contains only the backup Security Gateway.

    4. Click OK and publish the changes.

  8. To configure the backup Security Gateway that has a VPN domain of its own:

    1. Make sure that the IP address of the backup Security Gateway is not included in the VPN domain of the primary Security Gateway.

    2. For each backup Security Gateway, define a VPN domain that does not overlap with the VPN domain of the other backup Security Gateways.

  9. Configure IP pool NAT or Hide NAT to handle return packets (see Configuring Return Packets).

To configure Manual Primary-Backup:

  1. On the Management Server, edit the $FWDIR/conf/trac_client_1.ttm file.

  2. Make these changes:

    • In the ":mep_mode ()" section, change

      from ":default (client_decide)"

      to ":default(primary_backup)"

    • In the ":ips_of_gws_in_mep ()" section, change

      from ":default (client_decide)"

      to ":default(<Primary-IP-Address>&#<Secondary-IP-Address>&#<Tertiary-IP-Address>&#)".

      Example:

      :default(192.168.20.240&#192.168.20.250&#)

  3. Save the changes in the file and exit the editor.

  4. In SmartConsole, install policy on the VPN Gateway.

  5. Connect with a Remote Access client.

    The configuration is applied.

Load Distribution

When you enable this option, the load distribution is dynamic and the remote client randomly selects a Security Gateway.

To configure Implicit Load Distribution for Remote Access clients:

  1. Click Menu > Global properties.

  2. From the left navigation tree, click Remote Access > VPN Advanced.

  3. In the Load distribution section, select Enable load distribution for Multiple Entry Point configurations (Remote Access connections).

  4. Click OK.

  5. Configure the same VPN domain in all Security Gateways.

  6. Install policy on the Security Gateways.

To configure Manual Load Distribution:

  1. On the Security Gateway, edit the $FWDIR/conf/trac_client_1.ttm file.

  2. Make these changes:

    • In the ":mep_mode ()" section, change

      from ":default (client_decide)"

      to ":default(load_sharing)"

    • In the ":ips_of_gws_in_mep ()" section, change

      from ":default (client_decide)"

      to ":default(<Primary-IP-Address>&#<Secondary-IP-Address>&#<Tertiary-IP-Address>&#)".

      Example:

      :default(192.168.20.240&#192.168.20.250&#)

  3. Save the changes in the file and exit the editor.

  4. In SmartConsole, install policy on the VPN Gateway.

  5. Connect with a Remote Access client.

    The configuration is applied.
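The three manual procedures above (First-to-Respond, Primary-Backup and Load Distribution) all make the same edits to trac_client_1.ttm, so here is one added example, not Check Point's own tooling, that applies them programmatically and checks the preconditions the guide lists. The sample file content is constructed in the shape of the sections the guide names; the real file contains many more sections, and the parser assumes only the ":name ( ... )" nesting shown on this page.

```python
import ipaddress
import re
# Constructed sample shaped like the trac_client_1.ttm sections the guide edits (an assumption).
SAMPLE_TTM = """\
:automatic_mep_topology (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (true)
    )
)
:mep_mode (:gateway (:default (client_decide)))
:ips_of_gws_in_mep (:gateway (:default (client_decide)))
:enable_gw_resolving (:gateway (:default (true)))
"""
MEP_MODES = {"first_to_respond", "primary_backup", "load_sharing"}
def _section(text, name):
    m = re.search(rf":{re.escape(name)}\s*\(", text)
    if m is None:
        raise KeyError(f"section {name} not found")
    depth, i = 1, m.end()
    while depth:  # walk to the paren that closes this section, nested blocks included
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    return m.start(), i

def get_default(text, name):
    start, end = _section(text, name)
    return re.search(r":default\s*\(([^()]*)\)", text[start:end]).group(1)

def set_default(text, name, value):
    start, end = _section(text, name)
    body, n = re.subn(r":default\s*\([^()]*\)", f":default ({value})", text[start:end], count=1)
    if n != 1:
        raise KeyError(f"no :default in section {name}")
    return text[:start] + body + text[end:]

def configure_manual_mep(text, mode, ips):
    # Manual MEP: automatic topology off, method set, '&#'-delimited gateway list with trailing '&#'.
    if mode not in MEP_MODES:
        raise ValueError(f"unknown MEP mode {mode}")
    if get_default(text, "enable_gw_resolving") != "true":
        raise ValueError(":enable_gw_resolving must be (true) for manual MEP")
    text = set_default(text, "automatic_mep_topology", "false")
    text = set_default(text, "mep_mode", mode)
    gw_list = "".join(f"{ipaddress.IPv4Address(ip)}&#" for ip in ips)  # ValueError on a bad IP
    return set_default(text, "ips_of_gws_in_mep", gw_list)
```

Run it against a copy of the file, diff the result, and only then install policy; a malformed gateway address or a missing section raises instead of writing a half-edited file.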

Configuring Return Packets

These are the configurations for clients that do not use Office Mode:

Configuring NAT

Configure NAT on the NAT page in the Virtual System window. Hide or Static NAT addresses configured in this manner are automatically forwarded to the Virtual Router to which the Virtual System is connected. Alternatively, you can manually add NAT routes on the Topology page in the Virtual Router window.

To configure NAT for a Virtual System on a VSX Gateway:

  1. Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the Virtual System object.

  4. From the left navigation tree, click NAT > Advanced.

    The Advanced page opens.

  5. Select Add Automatic Address Translation.

  6. Select the Translation method.

  7. From the Install on Gateway list, select the VSX Gateway.

  8. Click OK.

  9. Install the Access Control Policy on this Virtual System.

To configure NAT for a Virtual System on a VSX Cluster:

Use case - Perform Hide NAT on traffic that a Virtual System itself generates in a VSX Cluster, so that the Virtual System can connect to external resources (for example, to update Anti-Bot signatures from the Check Point cloud).

  1. Connect to the command line on each VSX Cluster Member.

  2. Log in to the Expert mode.

  3. Switch to the context of the applicable Virtual System:

    [Expert@HostName:0]# vsenv <VSID>

  4. Get the Funny IP address of the applicable Virtual System interface, through which the applicable traffic goes out.

    Note - Funny IP address is the IP address that belongs to the cluster's internal communications network (open the VSX Cluster object properties and go to the "Cluster Members" pane).

    Run one of these commands:

    • [Expert@HostName:<VSID>]# fw getifs

    • [Expert@HostName:<VSID>]# \ifconfig

    Write down the Funny IP address.

  5. Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.

  6. From the left navigation panel, click Gateways & Servers.

  7. Create a new Node Host object and assign to it the Funny IP address you wrote down in Step 4.

  8. Create a new Node Host object and assign to it the NATed IP address.

  9. From the left navigation panel, click Security Policies.

  10. In the Access Control > NAT policy, create the applicable NAT rule to hide the traffic from the Virtual System behind the NATed IP address:

    • Original Source - Node Host object with the Funny IP address of the Virtual System

    • Original Destination - Any

    • Original Services - Any

    • Translated Source - Node Host object with the NATed IP address of the Virtual System

    • Translated Destination - = Original

    • Translated Services - = Original

    • Install On - Policy Targets, or the Virtual System object

    • Comments - Applicable text. For example: Manual NAT rule for VSXcluster3-VS2 Funny IP

  11. Install the Access Control Policy on this Virtual System.

Configuring IP Pool NAT

For each Security Gateway, create a network object that represents the IP pool NAT addresses for that Security Gateway.

To configure NAT for an IP pool for Remote Access VPN in SmartConsole:

  1. Configure the applicable global IP Pool NAT settings:

    1. Click Menu > Global properties.

    2. From the left navigation tree, click NAT - Network Address Translation.

    3. Select Enable IP Pool NAT.

    4. Configure the applicable logging settings:

      • Address exhaustion track - controls whether to generate a log if the IP Pool is exhausted.

      • Address allocation and release track - controls whether to generate a log for each allocation and release of an IP address from the IP Pool.

    5. Click OK.

    6. Publish the SmartConsole session

  2. For each Security Gateway / Cluster that participates in Remote Access VPN, create an applicable object (Network, Group, or Address Range) that represents the IP pool of NAT addresses for that Security Gateway / Cluster.

    1. Click Objects > Object Explorer (or press CTRL+E).

    2. Create the new object.

    3. Configure the IP address(es).

    4. Click OK.

    5. Publish the SmartConsole session

  3. Configure the applicable IP Pool NAT settings in each Security Gateway / Cluster object:

    1. From the left navigation panel, click Gateways & Servers.

    2. Double-click the Security Gateway / Cluster object, which performs the IP pool NAT translation.

    3. From the left navigation tree, click NAT > IP Pool NAT.

    4. Click Allocate IP Addresses from, and select the corresponding IP pool object.

    5. Select Use IP Pool NAT for VPN client connections.

    6. Optional: Select Use IP Pool NAT for Security Gateway to Security Gateway connections.

    7. Click OK.

  4. Install the Access Control policy on all managed Security Gateways and Clusters.

  5. Edit the routing table of each internal router, so that packets with an IP address assigned from the NAT pool are routed to the appropriate Security Gateway.

Disabling MEP

  1. Connect with SmartConsole to the Management Server.

  2. Click Menu > Global properties.

  3. From the left navigation tree, click Advanced.

  4. Click the Configure button.

  5. From the left navigation tree, click SecuRemote/SecureClient > IKE/IPSec Settings.

  6. Select the option desktop_disable_mep.

  7. Click OK.

  8. Install the Access Control policy on all managed Security Gateways and Clusters.

Important:

  • This change applies to all managed Security Gateways and Clusters.

  • When MEP is disabled, MEP RDP probing and failover are not performed. As a result, remote hosts connect to the defined Security Gateway without considering the MEP configuration. Remote Access clients use Visitor Mode instead of RDP to probe gateways.