High-Availability and Multiple Entry Point Configurations

If your firewall is configured into a High-Availability (HA) configuration, it is possible to use the Gateway Cluster feature to provide seamless failover of SecuRemote connections. Simply configure your gateway objects for each member of the cluster, then add them to the gateway cluster object. You configure all of your encryption schemes and keys within this object. When the SecuRemote client fetches the encryption domain, all of the physical IPs plus the virtual IP of the gateway cluster will be included as part of the gateway definition. This allows any system in the cluster to be used to process a SecuRemote connection.

In addition, it is now possible to have multiple firewalls responsible for the same encryption domain. This allows you to have different firewalls in different physical locations provide access to the same encryption domain. This is useful for large companies that have multiple ways to reach the Internet through different firewalls at (possibly) physically different locations.

The Multiple Entry Point feature also provides a level of High Availability. Although it does not provide for transparent failover (i.e., if the primary gateway fails, connections will not fail over), it does allow you to automatically use a secondary gateway in the event of a failure.

The biggest challenge to overcome in HA environments is to make sure that the same firewall is used for both incoming traffic and outgoing traffic for the client. Office Mode configurations should not have this problem because each client is assigned a unique IP address specific to the gateway being connected to.

If you do not have the appropriate licenses for Office Mode, you can use IP Pool NAT. IP Pool NAT is a sort of "reverse NAT" for incoming SecuRemote connections. As SecuRemote users authenticate and connect into the encryption domain, the client is allocated an IP address from a pool of addresses on a first-come, first-served basis. All packets coming from that SecuRemote client are then statically NATted to that IP address. The pool of addresses chosen must be unique for each firewall. If the pool of IP addresses is on the same subnet as the firewall's internal interface, proxy ARPs must be present for each IP in the pool to ensure that packets are forwarded to the firewall. The preferred method would be to use one or more subnets of nonroutable address space and ensure that internal routing routes these subnets to the correct firewall.

It may be desirable to allow SecuRemote users to access certain resources where you want to allow access only from within the internal network (e.g., the access is restricted by other firewalls or router access control lists). Office Mode is one way to resolve this issue. IP Pool NAT is another. Each incoming SecuRemote user is allocated a unique IP address on the internal network, "masking" the external IP address from internal firewalls or router access control lists.

To enable IP Pool NAT, you must first go to the Global Properties section, NAT frame, and enable IP Pool NAT as shown in Figure 12.26.

Figure 12.26. Global Properties, NAT frame


Now edit the appropriate gateway object and go to the related NAT frame, as shown in Figure 12.27.

Figure 12.27. Gateway Object, NAT frame


This frame shows the following options in the IP Pools section of the screen.

Use IP Pool NAT for VPN clients connections: This option enables the use of IP Pool NAT for SecuRemote users.

Use IP Pool NAT for gateway to gateway connections: This option enables the use of IP Pool NAT for site-to-site VPNs.

Allocate IP Addresses from: Here is where you specify what network(s) the firewall will choose to allocate IP addresses. Only groups and network objects are listed here. This address space should be within your encryption domain.

Return unused addresses to IP Pool after: An IP address is considered unused if the user originally allocated that IP address doesn't use it (i.e., doesn't connect through the firewall) for the specified period of time. Another user can then use that IP address.



In a Gateway Cluster configuration, you need to enable IP Pool NAT but configure the actual addresses in the member gateway objects. While you can specify the same set of addresses on all member gateways, this is not recommended.

Install the security policy, and have your SecuRemote clients update the site. The following caveats apply to Multiple Entry Point configurations:

  • All gateways must belong to the same management console.

  • Partial overlapping of encryption domains is not allowed.

  • When a failover occurs, all existing connections will fail and need to be restarted.

  • Each client must still have a unique nonroutable IP address.

  • Gateway-to-gateway configurations are not supported?this feature was designed only for SecuRemote.