CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Network Load Balancing Server

  1. #1
    Join Date
    2016-10-06
    Posts
    24
    Rep Power
    0

    Default Network Load Balancing Server

    Hi to all,
    I would like to create an NLB on Check Point 80.30 for Microsoft Exchange.
    I've created a logical server (one public IP and three MS Exchange servers); it works like a charm if the policy is triggered (different network), but on the same subnet it doesn't work.
    Any idea?
    Thank you.

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    363
    Rep Power
    14

    Default Re: Network Load Balancing Server

    I doubt the firewall would do automatic proxy ARP for the virtual server. You could try adding a proxy ARP statement or using a VIP which isn't on any real network you use.

  3. #3
    Join Date
    2014-09-02
    Posts
    374
    Rep Power
    10

    Default Re: Network Load Balancing Server

    I agree with Zimmie. If your client is coming from the same subnet as the servers, but trying to hit the public IP, you're likely creating a hairpin situation that could confuse things a bit.

    Maybe create a second Logical Server using a Private IP instead, and have internal clients hit that?

    You could also try creating the Logical Server using a Private IP and then creating a manual static NAT?

    If we're missing something, please clarify/expand on your original post.

    -E

  4. #4
    Join Date
    2016-10-06
    Posts
    24
    Rep Power
    0

    Default Re: Network Load Balancing Server

    First of all, thanks for your replies.
    The client and the server are on different networks, no problem with it.
    I'll try to explain:
    Client on eth1 (10.10.10.X)
    NLB on eth2 (200.200.200.X/24)
    Some server that needs to communicate with Exchange on eth2 (200.200.200.X/24)
    Exchange server on eth2 (200.200.200.X/24)
    Everything works correctly except with the servers on eth2, because this server opens a session to the NLB but receives the answer directly from the Exchange server, bypassing the firewall.
    I moved the Exchange servers to eth3 (50.50.50.X/24) and, using "NAT hide" behind the IP of the NLB, it seems to be working correctly.
    Thank you.

  5. #5
    Join Date
    2014-09-02
    Posts
    374
    Rep Power
    10

    Default Re: Network Load Balancing Server

    That makes perfect sense. If the server is on the same subnet, Exchange servers will reply directly. You could work around this by NATing the traffic, making the Exchange servers think it's coming from eth2 itself, but I can't imagine what the benefit would be, other than forcing the traffic through the GW.

    If your goal is to inspect that traffic, then putting Exchange on a separate network is the proper way to go anyway.

    -E
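
The return-path behaviour discussed in this thread, as an added example that is not part of any post: a small Python model of whether the Exchange server's reply goes back through the gateway. The host addresses are constructed from the thread's subnets, and the model assumes the Exchange servers use the firewall as their default gateway.

```python
import ipaddress

def trace_reply(client, vip, real, real_net, hide_nat=None):
    """Model one connection to the logical server and how its reply returns.

    client   : host that opened the session to the VIP
    vip      : logical server (NLB) address on the gateway
    real     : Exchange server the gateway picked
    real_net : subnet the Exchange server is attached to
    hide_nat : gateway-owned address used as the new source, or None
    """
    net = ipaddress.ip_network(real_net)
    # Source address the Exchange server sees after the gateway rewrites VIP -> real.
    seen_src = ipaddress.ip_address(hide_nat or client)
    # An on-link source is answered directly on the segment; any other source is
    # sent to the default gateway. A hide-NAT source belongs to the gateway itself.
    via_gateway = hide_nat is not None or seen_src not in net
    # Only the gateway can rewrite the reply's source back to the VIP.
    reply_src = vip if via_gateway else real
    return {"via_gateway": via_gateway,
            "reply_src": reply_src,
            "session_ok": reply_src == vip}  # client expects the answer from the VIP

# Constructed sample hosts inside the subnets named in the thread.
VIP = "200.200.200.100"
SCENARIOS = {
    "client on eth1": dict(client="10.10.10.5", vip=VIP,
                           real="200.200.200.20", real_net="200.200.200.0/24"),
    "server on eth2, no NAT": dict(client="200.200.200.30", vip=VIP,
                                   real="200.200.200.20", real_net="200.200.200.0/24"),
    "server on eth2, hide NAT": dict(client="200.200.200.30", vip=VIP,
                                     real="200.200.200.20", real_net="200.200.200.0/24",
                                     hide_nat="200.200.200.1"),
    "Exchange moved to eth3": dict(client="200.200.200.30", vip=VIP,
                                   real="50.50.50.20", real_net="50.50.50.0/24"),
}

def run_all():
    return {name: trace_reply(**kw) for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:26} {result}")
```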
