Intelligent Auto-Detect
Remote Access Clients use different network transports in parallel and automatically detect which one is preferable. The client always detects the optimal connectivity method for IKE and IPSec (and for the IPSec transport during roaming), so no additional configuration is needed on the client.
Current transports in use:
- Visitor Mode - TCP encapsulation over port 443 (by default). This mode is used when NAT-T is not available on the route to the Security Gateway (for example, if there is a proxy or hotspot). Clients need Visitor Mode to operate in these environments.
- NAT-T - UDP encapsulation over port 4500 (by default), and the preferable transport for IPSec. The IPSec protocol does not deal with NAT devices, so Remote Access Clients use NAT-T encapsulation. NAT-T packets must go back to the client through the same interface they entered from. We recommend that you put the Security Gateway in a public DMZ with one interface for all traffic. You can also deploy the default route as the outbound route to the Internet.
To configure auto-detect of network transports:
- Close all SmartConsole windows.
- Connect with Database Tool (GuiDBEdit Tool) to the Security Management Server.
- In the upper left pane, go to Global Properties > global_properties.
- In the upper right pane, select firewall_properties.
- Press CTRL+F (or go to the Search menu - Find), paste endpoint_vpn_ipsec_transport, and click Find Next.
- In the lower pane, make sure the value of the endpoint_vpn_ipsec_transport parameter is auto_detect.
- If you made changes, save them: go to the File menu and click Save All.
- Close the Database Tool (GuiDBEdit Tool).
- From SmartConsole, install the policy on the Security Gateways.
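The same check and change can be scripted on the Security Management Server with Check Point's dbedit CLI; the script below is an added example, not part of the original page, and it assumes dbedit's "modify/update/print properties firewall_properties" command syntax, its -local and -f options, and a "name (value)" line format in print output. As with the GuiDBEdit steps, run it with all SmartConsole windows closed and install policy afterwards.

```shell
#!/bin/sh
# Added example (not from the original page): scripted equivalent of the
# GuiDBEdit procedure above. Assumptions: dbedit accepts commands on stdin
# or from a file (-f), "-local" connects to the local management database,
# and "print" lists fields as "name (value)".

PARAM="endpoint_vpn_ipsec_transport"
WANT="auto_detect"

# Emit the dbedit commands: change the field on the Global Properties object
# (table "properties", object "firewall_properties"), then commit it.
build_dbedit_script() {
    printf 'modify properties firewall_properties %s %s\nupdate properties firewall_properties\nquit\n' \
        "$PARAM" "$WANT"
}

# Read a dbedit "print" dump on stdin and print the parameter's current value.
current_transport() {
    sed -n "s/^[[:space:]]*$PARAM[[:space:]]*(\([^)]*\)).*/\1/p" | head -n 1
}

# Succeeds (exit 0) when the dump on stdin shows the parameter set to auto_detect.
is_auto_detect() {
    [ "$(current_transport)" = "$WANT" ]
}

# Check the live database and only modify it when the value is not auto_detect,
# so repeated runs are safe. The final step, installing policy, stays in SmartConsole.
apply_if_needed() {
    if printf 'print properties firewall_properties\nquit\n' | dbedit -local | is_auto_detect; then
        echo "$PARAM is already $WANT; nothing to do"
    else
        build_dbedit_script > /tmp/set_transport.dbedit
        dbedit -local -f /tmp/set_transport.dbedit
        echo "$PARAM set to $WANT; install policy from SmartConsole"
    fi
}

# Run as "sh script.sh apply" on the management server to make the change.
if [ "${1:-}" = "apply" ]; then
    apply_if_needed
fi
```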