Configuring and Using Dynamic DNS in SmartCenter

Similar documents
NGX (R60) Link Selection VPN Deployments August 30, 2005

Configuring a site-to-site VPN with a VPN-1 Gateway using the VPN-1 Edge VPN Wizard

Configuring site-to-site VPN between two VPN-1/FireWall-1 Gateways using mesh topology

ZyWALL (ZLD) VPN Troubleshooting

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

How to Configure a Client-to-Site L2TP/IPsec VPN

RSA Ready Implementation Guide for. Checkpoint Mobile VPN for ios v1.458

Barracuda Networks NG Firewall 7.0.0

Proxicast IPSec VPN Client Example

Greenbow VPN Client Example

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

DIGIPASS Authentication for Check Point VPN-1

HTG XROADS NETWORKS. Network Appliance How To Guide: PPTP Client. How To Guide

CradlePoint to Adtran NetVanta VPN Setup Example

How to Create a TINA VPN Tunnel between F- Series Firewalls

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Case 1: VPN direction from Vigor2130 to Vigor2820

CHAPTER 7 ADVANCED ADMINISTRATION PC

Connectra Virtual Appliance Evaluation Guide

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

VPN Tracker for Mac OS X

High Availability Options

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

DIGIPASS Authentication for Check Point VPN-1

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

SonicWALL VPN with Win2K using IKE Prepared by SonicWALL, Inc. 05/01/2001

TheGreenBow IPsec VPN Client. Configuration Guide STORMSHIELD. Website: Contact:

Configuring the VPN Client

Stonesoft VPN Client. for Windows Release Notes Revision A

Remote Access Clients for Windows 32/64-bit

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

FAQ about Communication

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Version 2.0 HOW-TO GUIDELINES. Setting up a Clustered VPN between StoneGate and Check Point NG TECHN11SG2.1-3/4/03

VPN Tracker for Mac OS X

Best Practice - Allow Aerohive Access Points Behind a CloudGen Firewall Access to Hive Manager NG

Managing Site-to-Site VPNs

Appendix B NETGEAR VPN Configuration

VPN Tracker for Mac OS X

08 March 2017 NETOP HOST FOR ANDROID USER S GUIDE

LP-1521 Wideband Router 123 Manual L VPN Configuration between two LP-1521`s with Dynamic IP.

Managing Site-to-Site VPNs: The Basics

SAM 8.0 SP2 Deployment at AWS. Version 1.0

VPN-1 Power/UTM. Administration guide Version NGX R

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

ForeScout CounterACT. Configuration Guide. Version 1.2

VPN-1 Pro Interoperability

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

SQL Server AlwaysOn setup on ObserveIT environment

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

VPN Tracker for Mac OS X

Check Point R75 Management Essentials Part 2. Check Point Training Course. Section Heading Index. Module 1 Encryption... 3

DFL-210, DFL-800, DFL-1600 How to setup IPSec VPN connection with DI-80xHV

Checkpoint VPN-1 NG/FP3

UIP1869V User Interface Guide

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

SP PRO Communications Internet Connectivity

IP Office 403 and SG VPN Application Note September

SYSLOG Enhancements for Cisco IOS EasyVPN Server

VPN Tracker for Mac OS X

User Guide TL-R470T+/TL-R480T REV9.0.2

How to Configure Route 53 for F-Series Firewalls in AWS

Manual Key Configuration for Two SonicWALLs

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

RX3041. User's Manual

Remote Access via Cisco VPN Client

DHCP and DDNS Services

CheckPoint. Check Point Certified Security Administrator R71

Implementation Guide for protecting. CheckPoint Firewall-1 / VPN-1. with. BlackShield ID

EASYHA SQL SERVER V1.0

How to Set Up External CA VPN Certificates

Virtual Private Cloud. User Guide. Issue 03 Date

ARCSERVE UDP CLOUD DIRECT DISASTER RECOVERY APPLIANCE VMWARE

Managing Site-to-Site VPNs: The Basics

VPN Tracker for Mac OS X

Application Note. Applies to MultiMax

Configuration Summary

Configuring PPP And SIP

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Business Connect Secure Remote Access Service (SRAS) Customer Information Package

[Pick the date] DS-300 Configuration Guide v 5.7

1/9. Cellip Lync-trunk

Integrate McAfee Firewall Enterprise VPN

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

T.D.T. R-Router Series

SonicWALL strongly recommends you follow these steps before installing Global VPN Client (GVC) 4.0.0:

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

Endpoint Security. Gateway Integration Guide R72

Ingate Firewall. interworking with. SSH Sentinel

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

Unified Communications in RealPresence Access Director System Environments

Certified SonicWALL Security Administrator (CSSA) Instructor-led Training

How to find your IP address information

Configuring Windows 7 VPN (Agile) Client for authentication to McAfee Firewall Enterprise v8. David LePage - Enterprise Solutions Architect, Firewalls

Broadband Router DC-202. User's Guide

Using the Terminal Services Gateway Lesson 10

Transcription:

Configuring and Using Dynamic DNS in SmartCenter This document describes how to configure and use Dynamic DNS for Check Point Embedded NGX gateways, using Check Point SmartCenter R60 and above, with or without the Check Point SmartLSM extension. Note: Embedded NGX gateways include both VPN-1 Edge, IP40, and IP60 gateways. The Embedded NGX screens that appear in this document relate to VPN-1 Edge gateways. Note: This document assumes the reader is familiar with the basic concepts of working with SmartCenter. This document covers the following topics: The Limitations of Working with Dynamic IP Addresses... 2 The Dynamic DNS Solution... 2 How Does Dynamic DNS Work?... 4 Overview of DDNS Configuration... 5 Configuring SmartCenter s Domain Suffix... 6 Configuring Gateways DDNS Settings... 7 Testing the Configuration... 8 Testing the DDNS Configuration... 8 Testing the DDNS-Based VPN Mesh Community Configuration... 9 Connecting to SmartCenter... 9 Viewing VPN Topology Information... 13 1

The Limitations of Working with Dynamic IP Addresses Most Internet Service Providers (ISPs) assign dynamic rather than static IP addresses to their subscribers. If a gateway has a dynamic IP address, then each time the gateway connects to the ISP, its IP address may change. This results in the following problems: It is not possible to create a fully meshed VPN community with dynamic IP gateways, since gateways will not know how to reach each other. The gateway s owner cannot run public Web servers. Remote Access VPN users cannot connect to the gateway s Remote Access VPN Server. These limitations do not exist when working with a static IP address; however a static IP address usually entails an additional cost. The Dynamic DNS Solution The basic function of a standard DNS (Domain Name Service) is to translate domain names into IP addresses. The DNS does this by maintaining a database of domain names and their corresponding static IP addresses. For example, if you try to surf to www.sofaware.com, the DNS server will check its database and direct you to the corresponding IP address, 62.90.136.38. DNS names are helpful because they provide a readable and easy-to-remember reference to IP addresses. However, normally DNS cannot map a domain name to a dynamic IP address, since the IP address might change. Dynamic DNS (DDNS) solves this problem by allowing you to assign a domain name to a gateway with a dynamic IP address. The DDNS service is constantly updated with changes to gateways IP addresses and updates the mapping of domain names to IP addresses accordingly. To facilitate this, SmartCenter NGX can be configured to act as a DDNS server on behalf of the Embedded NGX gateways connected to it. For example, if SmartCenter is registered in the worldwide DNS as the owner of the domain Mycompany.com, and the DDNS service is enabled for a gateway named office, then the gateway will be accessible at all times using the DNS name office.mycompany.com. Each time the gateway s IP address changes, the SmartCenter DDNS service will map this DNS name to the new IP address, so that the gateway is always accessible. As a result: It is possible to create a fully meshed VPN community between all dynamic IP gateways, based on the DDNS information. External users are able to access a Web server behind the gateway, using the DNS name office.mycompany.com. 2

Remote Access VPN users are able to communicate with the Remote Access VPN Server, using the DNS name office.mycompany.com, even if the gateway s IP address often changes. Administrators can remotely manage their Embedded NGX gateways by accessing the gateways using their domain names. For example: https://office.mycompany.com:981. Note: Check Point VPN-1 gateways participating in a meshed VPN community cannot initiate tunnels towards VPN-1 Edge gateways with dynamic IP addresses. Some Internet tools can only be used if you have a static IP address or domain name. DDNS enables you to use these tools with a dynamic IP address. For example, you can ping an Embedded NGX gateway using its domain name (for example, office.mycompany.com). Note: Check Point VPN-1 Pro gateways support DDNS-based link selection, and they can establish VPN tunnels to Embedded NGX gateways with dynamic IP addresses. Likewise, Embedded NGX gateways can establish VPN tunnels to externally managed gateways (such as VPN-1 Pro) with a dynamic IP address that is mapped to a DDNS provider. 3

How Does Dynamic DNS Work? 1. The enterprise registers SmartCenter's static IP address on a worldwide DNS, under a domain name such as Mycompany.com. In other words, SmartCenter is registered as the authoritative DNS server for the Mycompany.com domain. Note: In management High Availability (HA) installations, the secondary management server must be registered as a secondary DNS server for the domain. 2. The enterprise configures DDNS on SmartCenter. As part of this configuration, the enterprise enables the DDNS service for SmartCenter. SmartCenter then becomes a DNS server itself, and starts listening to DNS requests on UDP port 53. For information on configuring DDNS, see Overview of DDNS Configuration, page 5. 3. An Embedded NGX gateway connects to SmartCenter over an Internet connection and reports its current IP address. If the appliance is behind a NAT device, the reported IP address is that of the NAT device. 4. SmartCenter assigns the gateway a domain name using the gateway ID. For example, if the gateway ID is office, then SmartCenter assigns the gateway the DNS name office.mycompany.com. This domain name is mapped to the IP address reported by the gateway. 5. The gateway can now be contacted via the Internet, using its domain name. 6. If the IP address of the gateway changes, the following things happen: a. The gateway reports the change to SmartCenter. b. SmartCenter maps the domain name to the new IP address. 4

Overview of DDNS Configuration To configure DDNS 1. Configure SmartCenter s domain suffix. See Configuring SmartCenter s Domain Suffix, page 6. 2. If SmartCenter is located behind a firewall, or if you want to configure DDNS for Firewall-1 in a VPN Mesh community, register SmartCenter's public IP address on a worldwide DNS service. For information about domain registration, contact your ISP or any domain registration service. Note: Since DNS is a distributed system, it takes time until the domain servers are updated with the DNS name. Note: If SmartCenter is installed behind a firewall or a NAT device, you must open TCP and UDP port 53 towards SmartCenter, to enable SmartCenter to accept DNS requests. 3. Prepare the gateways for DDNS by doing the following: a. Create a gateway object for each gateway for which you want to enable DDNS. For information, refer to SmartCenter documentation. b. Configure DDNS for each gateway object. See Configuring Gateways DDNS Settings, page 7. 4. (Optional) To configure a DDNS-based VPN Mesh community, do the following: a. Create a Mesh or Star community. For information, refer to SmartCenter documentation. b. Add the gateway objects to the community you created. For information, refer to SmartCenter documentation. c. Install the policy on each gateway object. The Embedded NGX gateway downloads the VPN topology. For information, refer to SmartCenter documentation. 5

5. Test the configuration by doing the following on each gateway: a. Test the DDNS configuration. See Testing the DDNS Configuration, page 8. b. If you configured a DDNS-based VPN Mesh community, test its configuration by doing the following: 1) Connect each gateway to SmartCenter. See Connecting to SmartCenter, page 9. 2) View the gateway s VPN topology information. See Viewing VPN Topology Information, page 13. Configuring SmartCenter s Domain Suffix To configure SmartCenter s domain suffix 1. In SmartDashboard, in the Policy menu, choose Global Properties. The Global Properties dialog box appears. 2. In the menu, expand VPN, and click the Advanced tab. The Advanced tab appears. 6

3. In the Domain name for DNS resolving field, type the domain suffix to use for SmartCenter. 4. Click OK. 5. In the toolbar, click Save. Configuring Gateways DDNS Settings To configure a gateway object's DDNS settings 1. In SmartDashboard, double-click the desired gateway object. The VPN-1 Edge/Embedded Gateway dialog box appears displaying the General Properties tab. 1. In the menu, expand VPN, and click the Link Selection tab. The Link Selection tab appears. 2. Click Use DNS resolving. 7

3. Do one of the following: To specify the full hostname for the gateway, click Full hostname, and type the desired hostname in the field provided. To specify that SmartCenter should automatically create a hostname for the gateway, click Gateway s name and domain name (recommended). The hostname is created in the following format: <gateway s name>.<domain suffix> For example, if the gateway s name is Office, and the domain suffix you configured in Configuring SmartCenter s Domain Suffix, page 6 is mycompany.com, then the gateway s hostname will be Office.mycompany.com. Note: The Outgoing link tracking option is not supported when configuring DDNS. 4. Click OK. Testing the Configuration Testing the DDNS Configuration To test the DDNS configuration Open a command line window, and ping the gateway's domain name (for example, gateway.mycompany.net). 8

Testing the DDNS-Based VPN Mesh Community Configuration Connecting to SmartCenter To connect a gateway to SmartCenter 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Connect. 9

The Services Wizard opens, with the Service Center dialog box displayed. 3. Make sure the Connect to a different Service Center check box is selected. 4. Select Specified IP and then in the Specified IP field, enter SmartCenter s IP address, as given to you by your system administrator. 5. Click Next. The Connecting screen appears. If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your enterprise, then click Next. The Connecting screen appears. 10

The Confirmation dialog box appears with a list of services to which you are subscribed. Make sure that the Dynamic DNS service appears in the list. 6. Click Next. The Done screen appears with a success message. 7. Click Finish. 11

On the Account page, the Dynamic DNS service's status is "Connected", and the gateway s domain name is displayed in the Information column. 12

Viewing VPN Topology Information To view VPN topology information 1. Surf to http://my.firewall/vpntopo.html. The VPN network topology appears. The RDP Resolution Mechanism field displays DNS Lookup. The Gateway Resolution Name field displays the gateway s hostname, as configured in Configuring Gateways DDNS Settings, page 7. 2. From another gateway, ping the second IP address listed in the Interfaces field. In our example, the IP address to ping is 192.168.10.10. 13

The Gateway Dynamic IP field appears displaying the gateway s current IP address. Note: The Embedded NGX gateway will try to resolve the remote gateway s external IP address every time an IKE or IPSEC security association is established. 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback