If your firewall is configured in a High-Availability (HA) configuration, you can use the Gateway Cluster feature to provide seamless failover of SecuRemote connections. Simply configure a gateway object for each member of the cluster, then add them to the gateway cluster object. You configure all of your encryption schemes and keys within this object. When the SecuRemote client fetches the encryption domain, all of the physical IPs plus the virtual IP of the gateway cluster are included as part of the gateway definition. This allows any system in the cluster to process a SecuRemote connection.

In addition, it is now possible to have multiple firewalls responsible for the same encryption domain. This allows firewalls in different physical locations to provide access to the same encryption domain, which is useful for large companies that have multiple ways to reach the Internet through different firewalls at (possibly) physically different locations. The Multiple Entry Point feature also provides a level of High Availability. Although it does not provide transparent failover (i.e., if the primary gateway fails, connections will not fail over), it does allow a secondary gateway to be used automatically in the event of a failure.

The biggest challenge to overcome in HA environments is to make sure that the same firewall is used for both the incoming and the outgoing traffic of a given client. Office Mode configurations should not have this problem because each client is assigned a unique IP address specific to the gateway it connects to. If you do not have the appropriate licenses for Office Mode, you can use IP Pool NAT.

IP Pool NAT is a sort of "reverse NAT" for incoming SecuRemote connections. As SecuRemote users authenticate and connect into the encryption domain, each client is allocated an IP address from a pool of addresses on a first-come, first-served basis. All packets coming from that SecuRemote client are then statically NATted to that IP address. The pool of addresses chosen must be unique for each firewall. If the pool of IP addresses is on the same subnet as the firewall's internal interface, proxy ARP entries must be present for each IP in the pool to ensure that packets are forwarded to the firewall. The preferred method is to use one or more subnets of nonroutable address space and ensure that internal routing sends these subnets to the correct firewall.

It may be desirable to allow SecuRemote users to access certain resources where access is allowed only from within the internal network (e.g., access is restricted by other firewalls or router access control lists). Office Mode is one way to resolve this issue; IP Pool NAT is another. Each incoming SecuRemote user is allocated a unique IP address on the internal network, "masking" the external IP address from internal firewalls or router access control lists.

To enable IP Pool NAT, you must first go to the Global Properties section, NAT frame, and enable IP Pool NAT as shown in Figure 12.26.

Figure 12.26. Global Properties, NAT frame
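As an added example (not from the book and not Check Point code), the following Python sketch models the IP Pool NAT rules just described: non-overlapping pools per firewall, proxy ARP for a pool on the internal subnet, internal routing for an off-subnet pool, and first-come, first-served allocation with a static mapping of the client's packets. The gateway names, interface addresses and pools are constructed inputs.

```python
import ipaddress
from typing import Dict, List

def pool_plan_findings(gateways: Dict[str, dict], internal_routes: Dict[str, str]) -> List[str]:
    """Check the IP Pool NAT design rules across several gateways.

    gateways: name -> {"internal_if": "10.1.1.1/24", "pool": "10.1.1.200/29", "proxy_arp": True}
    internal_routes: pool subnet -> gateway name that internal routing sends it to.
    Both are constructed inputs; an empty result means the plan is consistent.
    """
    findings = []
    names = list(gateways)
    # Rule 1: the pool chosen must be unique for each firewall (no overlap).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa = ipaddress.ip_network(gateways[a]["pool"])
            pb = ipaddress.ip_network(gateways[b]["pool"])
            if pa.overlaps(pb):
                findings.append(f"pool overlap: {a} {pa} and {b} {pb}")
    for name, gw in gateways.items():
        iface = ipaddress.ip_interface(gw["internal_if"])
        pool = ipaddress.ip_network(gw["pool"])
        if pool.subnet_of(iface.network):
            # Rule 2: an on-subnet pool only works if the firewall proxy-ARPs every pool IP.
            if not gw.get("proxy_arp"):
                findings.append(f"{name}: pool {pool} is on {iface.network} but proxy ARP is off")
        elif internal_routes.get(str(pool)) != name:
            # Rule 3: an off-subnet pool must be routed to this firewall by internal routing.
            findings.append(f"{name}: pool {pool} is not routed to {name} internally")
    return findings

class IpPoolNat:
    """First-come, first-served pool allocation with static NAT of the client's packets."""
    def __init__(self, pool: str):
        self.free = list(ipaddress.ip_network(pool).hosts())
        self.leases: Dict[str, str] = {}  # client's real source IP -> pool IP

    def connect(self, client_ip: str) -> str:
        """Allocate a pool IP when the client authenticates (reused while it stays connected)."""
        if client_ip not in self.leases:
            if not self.free:
                raise RuntimeError("IP pool exhausted: more clients than pool addresses")
            self.leases[client_ip] = str(self.free.pop(0))
        return self.leases[client_ip]

    def translate(self, client_ip: str) -> str:
        """Source address that every packet from this client carries inside the encryption domain."""
        return self.leases[client_ip]
```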
Now edit the appropriate gateway object and go to the related NAT frame, as shown in Figure 12.27.

Figure 12.27. Gateway Object, NAT frame
This frame shows the following options in the IP Pools section of the screen.
NOTE! Install the security policy, and have your SecuRemote clients update the site.

The following caveats apply to Multiple Entry Point configurations: