Steve,
You said:
> >The firewalls WILL have overlapping
> >encryption domains because they are gateways to the same network.
The firewalls need to have the SAME encryption domain, consisting of the two
firewalls and the internal network.
> >they are dialling in through a proprietary dialup network which could
> >route them to one or other of the gateway locations in a random (load
> >balanced) way.
> >This means that the SR user could end up at either gateway. If the SR
> >setup says that they have a primary gateway at 10.0.1.1, for example,
> >and they end up at the other on 10.0.2.1 then they won't get a
> >connection, presumably.
I don't see that it matters which gateway they come into if the firewalls
are set up as MEP and they have the same encryption domain.
Case 1: User routed to 10.0.1.1, set as primary gateway, SR uses primary
with no problems
Case 2: User routed to 10.0.2.1, set as secondary. SR checks for primary,
times out, uses secondary
There _will_ be an initial delay when users come into the second gateway,
but you can minimize that by setting low values in user.C for these two
values:
resolver_session_interval - interval between SR checks for primary gateway
resolver_ttl - how long SR waits before concluding gateway is down
Certificates:
It's the management console that deals with certificates, and you need to be
using the same management console to manage the two gateways anyway, so I
don't see that as an issue at all.
Michael
-----michael cannella ccsi mailto:[EMAIL PROTECTED]
-----Internet Security Systems, Secure University
-----http://www.iss.net/
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================