CPUG: The Check Point User Group
Forum: Check Point Firewall-1/VPN-1 And Related Products > SecureClient/SecuRemote
#1
2007-11-15
tim@nextmedium
Junior Member
Join Date: 2007-11-15
Posts: 3
VPN Users in one site can't see network services in other sites.

Greetings to all -
I've been administering three Checkpoint Edge devices for about a year and only recently discovered CPUG (as recently as today - yay for Google).

Does anyone have experience with the following issue? We're using three Edge devices (2 Edge X devices and one Edge W device) connected site-to-site. Topology is as follows:
[Topology diagram: image not available in this copy of the post]
VPN users in any site (A, B or C) may connect and view network resources in that site. However, they may not view network resources in other sites without enabling "Route All Traffic Through Gateway".

"Route All Traffic..." has been deemed unacceptable since it forces them to browse the Internet through their VPN-tunnel (substantially slower than what they would normally get). I've been asked to find a different way.

Working with Checkpoint support has led us to the "No - only 'Route All Traffic...' will work" answer. Other people have hinted that you can hack the user.c file successfully and use that topology info to see resources in all three sites without "Route All Traffic..." turned on.

Can you hack the User.C file? If so - how to do so successfully? I've already tried incorporating all three sites "topology" entries into one single site - this causes Secureremote NOT to work (services will not start; had to reinstall).

I should also mention that I haven't completely mined CPUG yet for this answer (did usual text searches) - if a FAQ has already been written and I haven't seen it, apologies and would you be kind enough to steer me toward it?

Thanks!

Tim

Last edited by tim@nextmedium; 2007-11-15 at 16:22.
#2
2007-11-28
tim@nextmedium
Junior Member
Join Date: 2007-11-15
Posts: 3
Re: VPN Users in one site can't see network services in other sites.

...bump...
#3
2007-11-28
mcnallym
Senior Member
Join Date: 2007-06-04
Posts: 993
Re: VPN Users in one site can't see network services in other sites.

I could do this if you had a full Gateway at one location, as you can have a separate SecureRemote topology from the site-to-site topology. It also relies on SecureClient Office Mode to route the traffic back correctly to the first gateway.

If a full gateway then

EdgeA-Enc-Dom = LocalNet
EdgeB-Enc-Dom = LocalNet
VPN1-Site-Enc-Dom = LocalNet+Office Mode net
VPN1-RemoteAccess-Enc-Dom = All 3 local nets.

This way you remote into the Central Site and can access all three sites going across the site-to-site VPNs between the Edge and Central.

However I don't think it is possible with just 3 Edge Boxes.
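To make it visible why the encryption-domain layout in the post above decides what a remote user can reach, here is a small Python model added to this thread; it is not Check Point code and not the poster's, and the site networks, the office-mode pool and the gateway names are constructed. The three decision rules are a simplified reading of the designs discussed in the thread, not the product's actual algorithm: the client tunnels only destinations inside its installed remote-access domain, the gateway delivers locally or forwards over a site-to-site tunnel only when the peer owns the destination and the office-mode address is part of the forwarding gateway's site-to-site domain, and "Route All Traffic" is modelled as a remote-access domain of 0.0.0.0/0 (an assumption). It covers the three-Edge layout, the hub layout from the post, and the route-all setting the original question wants to avoid.

```python
"""Model of how encryption-domain definitions decide which hosts a
remote-access (SecureRemote/SecureClient) user can reach across
site-to-site tunnels.  Added illustration for this thread; not Check
Point code.  Addresses, names and decision rules are constructed."""
from ipaddress import ip_address, ip_network

# Constructed addressing for the three sites in the thread.
NET = {"A": ip_network("10.1.0.0/24"),
       "B": ip_network("10.2.0.0/24"),
       "C": ip_network("10.3.0.0/24")}
OFFICE_MODE = ip_network("172.16.99.0/24")   # pool handed to remote users
ANY = ip_network("0.0.0.0/0")                 # stands in for "Route All Traffic"


def _in_any(addr, nets):
    return any(addr in n for n in nets)


class Gateway:
    def __init__(self, name, local, ra_domain=None):
        self.name = name
        self.local = local               # site-to-site encryption domain
        self.ra_domain = ra_domain or []  # what remote-access users may reach
        self.peers = {}                  # peer name -> Gateway


def mesh(*gws):
    """Full-mesh site-to-site VPN between the given gateways."""
    for g in gws:
        for h in gws:
            if g is not h:
                g.peers[h.name] = h


def client_path(gateway, dst, src=None):
    """Path taken by a packet from a remote-access client connected to
    `gateway`: ('clear', None) means sent outside the tunnel, ('tunnel', hops)
    means encrypted to the gateway and possibly forwarded, ('dropped', gw)
    means the gateway could not forward it."""
    src = src or OFFICE_MODE[10]          # client's office-mode address
    dst = ip_address(dst)
    # 1. Client side: tunnel only if dst is inside the installed RA domain.
    if not _in_any(dst, gateway.ra_domain):
        return ("clear", None)
    # 2. Gateway side: destination is in its own network.
    if _in_any(dst, gateway.local):
        return ("tunnel", gateway.name)
    # 3. Gateway side: forward over a site-to-site tunnel.  The peer must own
    #    dst, and the office-mode source must belong to this gateway's
    #    site-to-site domain or the peer will not accept / return it.
    for peer in gateway.peers.values():
        if _in_any(dst, peer.local) and _in_any(src, gateway.local):
            return ("tunnel", gateway.name + "->" + peer.name)
    # 4. Route-all case: a public destination goes out via the gateway.
    if dst.is_global:
        return ("tunnel", gateway.name + "->internet")
    return ("dropped", gateway.name)


def three_edge_design():
    """Three Edge boxes in a mesh; each RA domain is just its own LAN."""
    a = Gateway("EdgeA", [NET["A"]], ra_domain=[NET["A"]])
    b = Gateway("EdgeB", [NET["B"]], ra_domain=[NET["B"]])
    c = Gateway("EdgeC", [NET["C"]], ra_domain=[NET["C"]])
    mesh(a, b, c)
    return a                              # client connects to site A


def route_all_design():
    """Same mesh, but the client is told to route everything through EdgeA.
    Assumption: the Edge carries the office-mode pool in its site domain."""
    a = Gateway("EdgeA", [NET["A"], OFFICE_MODE], ra_domain=[ANY])
    b = Gateway("EdgeB", [NET["B"]])
    c = Gateway("EdgeC", [NET["C"]])
    mesh(a, b, c)
    return a


def hub_design(office_mode_in_site_domain=True):
    """Layout from the post: a full VPN-1 gateway at site C is the hub; its
    RA domain covers all three LANs and its site domain includes the
    office-mode pool so the Edges route replies back to it."""
    site_dom = [NET["C"]] + ([OFFICE_MODE] if office_mode_in_site_domain else [])
    hub = Gateway("VPN1", site_dom, ra_domain=[NET["A"], NET["B"], NET["C"]])
    a = Gateway("EdgeA", [NET["A"]])
    b = Gateway("EdgeB", [NET["B"]])
    mesh(a, hub)                          # star, not mesh: Edges talk to hub only
    mesh(b, hub)
    return hub                            # client connects to the hub


if __name__ == "__main__":
    for label, gw in (("3 x Edge", three_edge_design()),
                      ("Route All", route_all_design()),
                      ("Hub VPN-1", hub_design())):
        for dst in ("10.1.0.5", "10.2.0.5", "10.3.0.5", "8.8.8.8"):
            print(f"{label:10} {dst:10} -> {client_path(gw, dst)}")
```

Running it prints, per design, where each destination ends up: with three Edges the client at site A sends 10.2.0.5 in the clear and it goes nowhere; with route-all everything including 8.8.8.8 is tunnelled (the slowness the original post describes); with the hub, 10.2.0.5 is forwarded VPN1->EdgeB while 8.8.8.8 stays outside the tunnel. Setting `office_mode_in_site_domain=False` on the hub shows the dependency the post mentions: without the office-mode pool in the hub's site domain the forwarded packet is dropped.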
#4
2007-11-29
tim@nextmedium
Junior Member
Join Date: 2007-11-15
Posts: 3
Re: VPN Users in one site can't see network services in other sites.

Thanks for the response - We've come to the same conclusion and are looking at alternatives. Again - thanks so much for responding.
#5
2007-11-30
JohnMH
Member
Join Date: 2006-07-15
Posts: 68
Re: VPN Users in one site can't see network services in other sites.

This isn't hard to do... Here is what we do.

Make sure you have rules in the Desktop policy that allow UserGroup@encDomainA to talk to EncDomain B, and the reverse.

Then when a client is in one of the encDomains we always have them disable the site. The client is still being protected by the SecureClient firewall and rules in that firewall are still in effect.

Works with us.

John