Enabling Secondary Connect for Remote Access Clients E75.20 and above
Remote Access Clients E75.20 introduces the Secondary Connect feature that provides access to multiple VPN gateways at the same time, to transparently connect to distributed resources.
Users log in once to a selected site and get transparent access to resources on different gateways. Tunnels are created dynamically as needed, based on the destination of the traffic.
For example: Your organization has Remote Access gateways in New York and Japan. You log in to a VPN site that connects you to the New York gateway. When you try to access a resource that is behind the Japan gateway, a VPN tunnel is created and you can access the resource behind the Japan gateway.
Traffic flows directly from the user to the gateway, without site-to-site communication. VPN tunnels and routing parameters are automatically taken from the network topology and destination server IP address.
In an environment with Secondary Connect, the Security Gateway on which the client first authenticates is the Primary gateway.
A Security Gateway to which the client connects through a secondary VPN is a Secondary gateway.
Important: Although the terms Primary and Secondary are used above to describe the scenario, we are not discussing a Cluster here.
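A minimal model of the destination-based tunnel selection described above, using the New York / Japan scenario. This is an added example, not Check Point's client logic; the gateway names, address ranges and the most-specific-match rule are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed topology for the New York / Japan scenario; names and ranges are assumptions.
TOPOLOGY = {"gw-newyork": ["10.1.0.0/16"], "gw-japan": ["10.2.0.0/16"]}

def parse(topology):
    """Flatten {gateway: [cidr, ...]} into (network, gateway) pairs."""
    return [(ipaddress.ip_network(c), gw) for gw, cidrs in topology.items() for c in cidrs]

def conflicting_domains(topology):
    """Ranges claimed by two different gateways make destination-based selection ambiguous."""
    return [(g1, str(n1), g2, str(n2))
            for (n1, g1), (n2, g2) in combinations(parse(topology), 2)
            if g1 != g2 and n1.overlaps(n2)]

class SecondaryConnectModel:
    """One login at the primary gateway; secondary tunnels are opened on first use."""

    def __init__(self, topology, primary):
        if primary not in topology:
            raise ValueError("primary gateway is not part of the topology")
        self.domains = parse(topology)
        self.tunnels = {primary}   # the login itself establishes the primary tunnel
        self.events = []           # record of secondary tunnels, useful for auditing

    def gateway_for(self, dst):
        """Gateway whose range contains dst (most specific match, an assumption), or None."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, gw) for net, gw in self.domains if addr in net]
        return max(hits)[1] if hits else None

    def send(self, dst):
        """Return (gateway or None, True if this packet caused a new tunnel)."""
        gw = self.gateway_for(dst)
        if gw is None:
            return None, False     # outside every gateway's range: not tunnelled in this model
        created = gw not in self.tunnels
        if created:
            self.tunnels.add(gw)
            self.events.append(f"secondary tunnel to {gw} opened for {dst}")
        return gw, created

if __name__ == "__main__":
    client = SecondaryConnectModel(TOPOLOGY, primary="gw-newyork")
    for dst in ("10.1.4.20", "10.2.7.9", "10.2.7.10", "192.0.2.5"):
        print(dst, client.send(dst))
    print(conflicting_domains({"gw-a": ["10.0.0.0/8"], "gw-b": ["10.2.0.0/16"]}))
```

Running `conflicting_domains` over the address ranges defined behind each gateway before enabling the feature shows where the destination address alone would not identify a single gateway.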
Security Gateway support for Secondary Connect feature
Support for Secondary Connect feature is integrated in the following Security Gateways:
For Security Gateways R75.20, the required hotfix can be downloaded from here:
SecurePlatform and XOS
Hotfix installation instructions for SecurePlatform / XOS / IPSO:
The hotfix has to be installed on the Security Gateway.
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
Unpack and install the hotfix package:
[Expert@HostName]# cd /some_path_to_fix/
[Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Reboot the machine.
For instructions on how to configure Secondary Connect, refer to Chapter 4 "Configuring Client Features" - section "Secondary Connect" in the following Administration Guides: