Secondary Connect

Secondary Connect

With Secondary Connect, end users can access resources behind multiple VPN Gateways at the same time. Users log in once to a selected site and get access to resources behind different VPN Gateways. VPN Gateways create tunnels dynamically as needed, based on the destination of the traffic.

Secondary Connect is enabled by default.

Traffic flows directly from the end user's computer to the VPN Gateway, without site-to-site communication. The end user's computer and the VPN Gateway automatically create a VPN tunnel based on routing parameters from the network topology and destination server IP address.

End users can access all VPN Gateways that are in a Remote Access Community on the same Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or Domain.

Use Case: Your organization has Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Gateways in New York and Tokyo. You log in to a VPN site that connects you to the New York gateway. To access a resource behind the Tokyo gateway, your computer and the Tokyo gateway create a VPN tunnel.

In an environment with Secondary Connect, the client first connects to the Primary Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., and then through a secondary VPN to the Secondary Security Gateway.

Secondary Connect is compatible with legacy SecureClient settings.

For Security Gateway requirements for Secondary Connect, see sk65312.

Configuring Secondary Connect

Note - You must configure or disable Secondary connect for each Primary and Secondary VPN Gateway seperately.

Prerequistes

  • All VPN Gateways that participate in Secondary Connect must have a server certificate that is signed by the Internal Certificate Authority.

  • If you use Office Mode IP addresses, make sure that the Primary VPN Gateway and the Secondary VPN Gateway use different IP addresses, to prevent conflicts. The endpoint user's computer uses the Office Mode IP address issued to it by the first Security Gateway to access the secondary Security Gateway. If the endpoint user's computer does not cache authentication credentials, the endpoint user must enter credentials again to access resources on a different Security Gateway.

Note - On a VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., this is the path for "trac_client_1.ttm":

/var/opt/CPsuite-R81/fw1/CTX/CTX<VSID>/conf/trac_client_1.ttm

" CTX<VSID>" represents the Virtual System context: "CTX00001" for VS1, "CTX00002" for VS2, and so on.

To disable Secondary Connect:

Note - Make sure the Security Gateway has a server certificate that is signed by the Internal Certificate Authority.

  1. On each Security Gateway, edit the "$FWDIR/conf/trac_client_1.ttm" file.

  2. Set the ":default" value of "automatic_mep_topology" to "true".

  3. Find enable_secondary_connect. If you do not see this parameter, add it manually:

    :enable_secondary_connect (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (true)
        )
    )

  4. Change the ":default" value of "enable_secondary_connect" to "false".

  5. Save the file.

  6. Install the Access Control Policy.

To enable Secondary Connect:

  1. Make sure the Security Gateway has a server certificate that is signed by the Internal Certificate Authority.

  2. On each Security Gateway, edit the "$FWDIR/conf/trac_client_1.ttm" file.

  3. Set the ":default" value of "automatic_mep_topology" to "true".

  4. Find "{enable_secondary_connect". If you do not see this parameter, add it manually:

    :enable_secondary_connect (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (false)
        )
    )

  5. Change the ":default" value of "enable_secondary_connect" to "true".

  6. Save the file.

  7. Install the Access Control policy.