Office Mode

The Need for Remote Clients to be Part of the LAN

As remote access to internal networks of organizations becomes widespread, it is essential that remote users are able to access as many of the internal resources of the organization as possible. Typically, when remote access is implemented, the client connects using an IP address locally assigned by, for example, an ISP. The client may even receive a non-routable IP which is then hidden behind a NATing device. Because of this, several problems may arise:

• Some networking protocols or resources may require the client’s IP address to be an internal one. Router ACLs (access lists), for example, might be configured to allow only specific or internal IP addresses to access network resources. This is difficult to adjust without knowing the a remote client’s IP address in advance.
• When assigned with a non-routable IP address a conflict may occur, either with similar non-routable addresses used on the corporate LAN, or with other clients which may receive the same IP address while positioned behind some other hiding NAT device.

  For example, if a client user receives an IP of 10.0.0.1 which is entered into the headers of the IPSec packet. The packet is NATed. The packet’s new source IP is 192.168.17.5. The Security Gateway decapsulates the NATed IP and decrypts the packet. The IP address is reverted to its original source IP of 10.0.0.1. If there is an internal host with the same IP, the packet will probably be dropped (if anti-spoofing is turned on). If there is no duplicate IP, and the packet is forwarded to some internal server, the server will then attempt to reply to an non-existent address.

• Two remote users are assigned the same IP address by an ISP (for example, two users are accessing the organization from hotels which provide internal addresses and NAT them on the outbound). Both users try to access the internal network with the same IP address. The resources on the internal network of the organization may have difficulty distinguishing between the users.

Office Mode

Office Mode enables a Security Gateway to assign a remote client an IP address. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected. The address may be taken either from a general IP address pool, or from an IP address pool specified per user group. The address can be specified per user, or via a DHCP server, enabling the use of a name resolution service. With DNS name resolution, it is easier to access the client from within the corporate network.

It is possible to allow all your users to use Office Mode, or to enable the feature for a specific group of users. This can be used, for example, to allow privileged access to a certain group of users (e.g., administrators accessing the LAN from remote stations). It is also useful in early integration stages of Office Mode, allowing you time to "pilot" this feature on a specific group of users, while the rest of the users continue to work in the traditional way.

Office Mode is supported with the following:

• SecureClient
• Endpoint Connect
• SSL Network Extender
• Crypto
• L2TP

How Office Mode Works

When you connect to the organization, an IKE negotiation is initiated automatically to the Security Gateway. When using Office Mode, a special IKE mode called config mode is inserted between phase 1 and phase 2 of IKE. During config mode, the client requests an IP from the Security Gateway. Several other parameters are also configurable this way, such as a DNS server IP address, and a WINS server IP address.

After the Security Gateway allocates the IP address, the client assigns the IP to a Virtual Adapter on the Operating system. The routing of packets to the corporate LAN is modified to go through this adapter. Packets routed in this way bear the IP address assigned by the Security Gateway as their source IP address. Before exiting through the real adapter, the packets will be IPSec encapsulated using the external IP address (assigned to the real adapter) as the source address. In this way, non-routable IP addresses can be used with Office Mode; the Office Mode non-routable address is concealed within the IPSec packet.

For Office Mode to work, the IP address assigned by the Security Gateway needs to be routable to that Security Gateway from within the corporate LAN. This will allow packets on the LAN being sent to the client to be routed back through the Security Gateway. See also: Office Mode and Static Routes in a Non-flat Network.

A Closer Look

The following steps illustrate the process taking place when a remote user connected through Office Mode wishes to exchange some information with resources inside the organization:

• The user is trying to connect to some resource on the LAN, thus a packet destined for the internal network is to be sent. This packet is routed through the virtual interface that Office Mode had set up, and bears the source IP address allocated for the remote user.
• The packet is encrypted and builds a new encapsulating IP header for it. The source IP of the encapsulating packet is the remote client's original IP address, and its destination is the IP address of the Security Gateway. The encapsulated packet is then sent to the organization through the Internet.
• The Security Gateway of the organization receives the packet, decapsulates and decrypts it, revealing the original packet, which bears the source IP allocated for the remote user. The Security Gateway then forwards the decapsulated packet to its destination.
• The internal resource gets a packet seemingly coming from an internal address. It processes the packet and sends response packets back to the remote user. These packets are routed back to the (internal) IP address assigned to the remote user.
• The Security Gateway gets the packet, encrypts and encapsulates it with the remote users' original (routable) IP address and returns the packet back to the remote user:

• The remote host uses the Office mode address in the encapsulated packet and 10.0.0.1 in the encapsulating header.
• The packet is NATed to the new source address: 192.168.17.5
• The Security Gateway decapsulates the NATed IP address and decrypts the packet. The source IP address is the Office Mode address.
• The packet is forwarded to the internal server, which replies correctly.

Assigning IP Addresses

The internal IP addresses assigned by the Security Gateway to the remote user can be allocated using one of the following methods:

• IP Pool
• DHCP Server

IP Pool

The System Administrator designates a range of IP addresses to be utilized for remote client machines. Each client requesting to connect in Office Mode is provided with a unique IP address from the pool.

IP Assignment Based on Source IP Address

IP addresses from the IP pool may be reserved and assigned to remote users based on their source IP address. When a remote host connects to the Security Gateway, its IP address is compared to a predefined range of source IP addresses. If the IP address is found to be in that range, then it is assigned an Office Mode IP address from a range dedicated for that purpose.

The IP addresses from this reserved pool can be configured to offer a separate set of access permissions given to these remote users.

DHCP Server

A Dynamic Host Configuration Protocol (DHCP) server can be used to allocate IP addresses for Office Mode clients. When a remote user connects to the Security Gateway using Office Mode, the Security Gateway requests the DHCP server to assign the user an IP address from a range of IP addresses designated for Office Mode users.

Security Gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves. The attributes are pre-configured on the client side operating system, and can be used by different DHCP servers in the process of distributing IP addresses. Security Gateways DHCP request can contain the following attributes:

• Host Name
• Fully Qualified Domain Name (FQDN)
• Vendor Class
• User Class

RADIUS Server

A RADIUS server can be used for authenticating remote users. When a remote user connects to a Security Gateway, the username and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user. The RADIUS server can also be configured to allocate IP addresses.

Office Mode and Static Routes in a Non-flat Network

A flat network is one in which all stations can reach each other without going through a bridge or a router. One segment of a network is a "flat network". A static route is a route that is manually assigned by the system administrator (to a router) and needs to be manually updated to reflect changes in the network.

If the LAN is non-flat (stations reach each other via routers and bridges) then the OM address of the remote client must be statically assigned to the routers so that packets on the LAN, destined for the remote client, are correctly routed to the Security Gateway.

IP Address Lease duration

When a remote user's machine is assigned an Office mode IP address, that machine can use it for a certain amount of time. This time period is called the "IP address lease duration." The remote client automatically asks for a lease renewal after half of the IP lease duration period has elapsed. If the IP lease duration time is set to 60 minutes, a renewal request is sent after 30 minutes. If a renewal is given, the client will request a renewal again after 30 minutes. If the renewal fails, the client attempts again after half of the remaining time, for example, 15 minutes, then 7.5 minutes, and so on. If no renewal is given and the 60 minutes of the lease duration times out, the tunnel link terminates. To renew the connection the remote user must reconnect to the Security Gateway. Upon reconnection, an IKE renegotiation is initiated and a new tunnel created.

When the IP address is allocated from a predefined IP pool on the Security Gateway, the Security Gateway determines the IP lease duration period. The default is 15 minutes.

When using a DHCP server to assign IP addresses to users, the DHCP server's configuration determines the IP lease duration. When a user disconnects and reconnects to the Security Gateway within a short period of time, it is likely that the user will get the same IP address as before.

Using Name Resolution - WINS and DNS

To facilitate access of a remote user to resources on the internal network, the administrator can specify WINS and DNS servers for the remote user. This information is sent to the remote user during IKE config mode along with the IP address allocation information, and is used by the remote user's operating system for name-to-IP resolution when the user is trying to access the organization's internal resources.

Anti Spoofing

With Anti Spoofing, a network administrator configures which IP addresses are expected on each interface of the Security Gateway. Anti-spoofing ensures IP addresses are only received or transmitted in the context of their respective Security Gateway interfaces. Office Mode poses a problem to the anti-spoofing feature, since a client machine can connect and authenticate through several interfaces, e.g. the external interface to the Internet, or the wireless LAN interface; thus an Office Mode IP address may be encountered on more than one interface. Office Mode enhances Anti Spoofing by making sure an encountered Office Mode IP address is indeed assigned to the user, authenticated on the source IP address on the IPSec encapsulating packet, i.e. the external IP.

Using Office Mode with Multiple External Interfaces

Typically, routing is performed before encryption in VPN. In some complex scenarios of Office Mode, where the Security Gateway may have several external interfaces, this might cause a problem. In these scenarios, packets destined at a remote user's virtual IP address will be marked as packets that are supposed to be routed through one external interface of the Security Gateway. Only after the initial routing decision is made do the packets undergo IPSEC encapsulation. After the encapsulation, the destination IP address of these packets is changed to the original IP address of the client. The routing path that should have been selected for the encapsulated packet might be through a different external interface than that of the original packet (since the destination IP address changed), in which case a routing error occurs. Office Mode has the ability to make sure that all Office Mode packets undergo routing after they are encapsulated.

Office Mode Per Site

After a remote user connects and receives an Office Mode IP address from a Security Gateway, every connection to that Security Gateways encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address.

The Office Mode IP address assigned by a specific Security Gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind Security Gateways that are members of the same VPN community as the assigning Security Gateway. Since the remote hosts' connections are dependent on the Office Mode IP address it received, if the Security Gateway that issued the IP becomes unavailable, all the connections to the site will terminate.

In order for all Security Gateways on the site to recognize the remote users Office Mode IP addresses, the Office Mode IP range must be known by all of the Security Gateways and the IP ranges must be routable in all the networks. However, when the Office Mode per Site feature is in use, the IP-per-user feature cannot be implemented.

In this scenario:

• The remote user makes a connection to Security Gateway 1.
• Security Gateway 1 assigns an Office Mode IP address to the remote user.
• While still connected to Security Gateway 1, the remote user can make a connection to hosts behind Security Gateway 2 using the Office Mode IP address issued by Security Gateway 1.

Enabling IP Address per User

Enabling IP Address per User

In some configurations, a router or other device restricts access to portions of the network to specified IP addresses. A remote user connecting in Office Mode must be able to ensure that he or she is allocated an IP address which will allow the connection to pass through the router.

There are two ways to implement this feature, depending on whether IP addresses are allocated by a DHCP server or IP Pool.

The Solution

There are two ways to implement this feature, depending on whether IP addresses are allocated by a DHCP server or IP Pool.

DHCP Server

If Office Mode addresses are allocated by a DHCP server, proceed as follows:

1. Open the Check Point object from the Objects Tree.
2. In the Object Properties > IPSec VPN > Office Mode page:
   • Enable Office Mode (either for all users or for the relevant group)
   • Select a DHCP server and under MAC address for DHCP allocation, select calculated per user name
3. Install the Policy on the Security Gateway.
4. On the Security Gateway, run this command to obtain the MAC address assigned to the user.

   vpn macutil <username>

5. On the DHCP Server make a new reservation, specifying the IP address and MAC address, assigning the IP address for the exclusive use of the given user.

ipassignment.conf File

The $FWDIR/conf/ipassignment.conf file on the Security Gateway, is used to implement the IP-per-user feature. It allows the administrator to assign specific addresses to specific users or specific ranges to specific groups when they connect using Office Mode or L2TP clients.

For an explanation of the file's syntax, see the comments (the lines beginning with the # character) in the sample file below.

Sample ipassignment.conf File

# This file is used to implement the IP-per-user feature. It allows the

# administrator to assign specific addresses to specific users or specific

# ranges to specific groups when they connect using Office Mode or L2TP.

#

# The format of this file is simple: Each line specifies the target

# Security Gateway, the IP address (or addresses) we wish to assign and the user

# (or group) name as in the following examples:

#

# Security Gateway        Type   IP Address                          User Name

# ============= ===== =========================== 

# Paris-GW,             10.5.5.8,                           Jean

# Brasilia,      addr   10.6.5.8,                           Joao  # comments are allowed

# Miami,         addr   10.7.5.8, CN=John,OU=users,O=cpmgmt.acme.com.gibeuu

# Miami          range  100.107.105.110-100.107.105.119/24  Finance

# Miami          net    10.7.5.32/28                        Accounting

#

# Note that real records do not begin with a pound-sign (#), and the commas

# are optional. Invalid lines are treated as comments. Also, the

# user name may be followed by a pound-sign and a comment.

#

# The first item is the Security Gateway name. This could be a name, an IP

# address or an asterisk (*) to signify all Security Gateways. A gateway will

# only honor lines that refer to it.

#

# The second item is a descriptor. It can be 'addr', 'range' or 'net'.

# 'addr' specifies one IP for one user. This prefix is optional.

# 'range' and 'net' specify a range of addresses. These prefixes are

# required.

#

# The third item is the IP address or addresses. In the case of a single

# address, it is specified in standard dotted decimal format.

# ranges can be specified either by the first and last IP address, or using

# a net specification. In either case you need to also specify the subnet

# mask length ('/24' means 255.255.255.0). With a range, this is the subnet

# mask. With a net it is both the subnet mask and it also determines the

# addresses in the range.

#

# The last item is the user name. This can be a common name if the

# user authenticates with some username/password method (like hybrid

# or MD5-Challenge) or a DN if the user authenticates with a

# certificate.

Office Mode Considerations

Before implementing Office mode, consider the following:

IP pool Versus DHCP

The question of whether IP addresses should be assigned by the Firewall (using IP pools) or by a DHCP server is a network administration and financial issue. Some network administrators may prefer to manage all of their dynamic IP addresses from the same location. For them, a central DHCP server might be preferable. Moreover, DHCP allows a cluster to assign all the addresses from a single pool, rather than have a different pool per cluster member as you have to with Firewall IP pools. On the other hand, purchasing a DHCP server can be viewed by some as an unnecessary financial burden, in which case the IP pool option might be preferred.

Routing Table Modifications

IP addresses, assigned by Office Mode need to be routed by the internal LAN routers to the Security Gateway (or Security Gateway cluster) that assigned the address. This is to make sure packets, destined to remote access Office Mode users, reach the Security Gateway in order to be encapsulated and returned to the client machine. This may require changes to the organization's routing tables.

Using the Multiple External Interfaces Feature

Enabling this feature instructs Office Mode to perform routing decisions after the packets are encapsulated using IPSEC, to prevent routing problems discussed in Using Office Mode with Multiple External Interfaces. This feature adds new checks and changes to the routing of packets through the Security Gateway, and has an impact on performance. As a result, it is recommended to use this feature only when:

• The Security Gateway has multiple external interfaces, and
• Office Mode packets are routed to the wrong external interface.

Configuring Office Mode

Before configuring Office Mode the assumption is that standard VPN Remote Access has already been configured. For more details on how to configure VPN Remote Access, see Introduction to Remote Access VPN.

Before starting the Office Mode configuration, you must select an internal address space designated for remote users using Office Mode. This can be any IP address space, as long as the addresses in this space do not conflict with addresses used within the enterprise domain. It is possible to choose address spaces which are not routable on the Internet, such as 10.x.x.x.

The basic configuration of Office Mode is using IP pools. The configuration of Office Mode using DHCP for address allocation can be found in Office Mode ? DHCP Configuration.

Office Mode — IP Pool Configuration

To deploy the basic Office Mode (using IP pools):

1. Create a network object to represent the IP Pool, by selecting Manage > Network Objects > New > Network.
2. In the Network Properties — General tab, set the IP pool range of addresses as follows:
   1. In Network Address specify the first address to be used (e.g. 10.130.56.0).
   2. In Net Mask enter the subnet mask according to the amount of addresses you wish to use (entering 255.255.255.0, for example, this will designate all 254 IP addresses from 10.130.56.1 till 10.130.56.254 for Office Mode addresses.)
   3. Changes to the Broadcast Address section and the Network Properties — NAT tab are not necessary.
   4. Close the network object properties window.
3. Open the Security Gateway object through which the remote users will connect to the internal network and select the IPSec VPN > Office Mode page. Enable Office Mode for either all users or for a certain group.
   1. In the Allocate IP from network select the IP Pool network object you have previously created.
   2. IP lease duration — specify the duration in which the IP is used by the remote host.
   3. Under Multiple Interfaces, specify whether you want routing to be done after the encapsulation of Office Mode packets, allowing traffic to be routed correctly when your Security Gateway has multiple external interfaces.
   4. Select Anti-Spoofing if you wish the firewall to check that Office Mode packets are not spoofed.

It is possible to specify which WINS and DNS servers Office Mode users should use. To specify WINS and/or DNS servers, continue to step 3. Otherwise skip to step 6.

1. Create a DNS server object, by selecting Manage > Network Objects > New > Node > Host and specify the DNS machine's name, IP address and subnet mask. Repeat this step if you have additional DNS servers.
2. Create a WINS server object, by selecting Manage > Network objects > New > Node > Host and specify the WINS machine's name, IP address and subnet mask. Repeat this step if you have additional WINS servers.
3. In the Check Point Security Gateway — IPsec VPN > Office Mode page, in the IP Pool section click the "optional parameters" button.
   1. In the IP Pool Optional Parameters window, select the appropriate objects for the primary and backup DNS and WINS servers.
   2. In the Domain name field, specify the suffix of the domain where the internal names are defined. This instructs the Client as per what suffix to add when it addresses the DNS server (e.g. example.com).
4. Install the Policy.
5. Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the Security Gateway. For instance, in the example above it is required to add routes to the class C sub network of 10.130.56.0 through the Security Gateway's IP address.

In addition to the steps mentioned for the Security Gateway side configuration, a few configuration steps have to be performed on the client side in order to connect to the Security Gateway in Office Mode.

Configuring IP Assignment Based on Source IP Address

The settings for the IP Assignment Based on Source IP Address feature are configured by editing a plain text file called user.def. This file is located in the \FWDIR\conf directory of the Security Management server which manages the enforcement modules used for remote access.

A range of source IP addresses must be defined along with a corresponding range of Office Mode addresses. The \FWDIR\conf\user.def file can contain multiple definitions for multiple modules.

The first range defined per line is the source IP address range. The second range defined per line is the Office Mode IP address range.

In this scenario:

• (10.10.5.0, 10.10.5.129), (10.10.9.0, 10.10.9.255), and (70.70.70.4, 70.70.70.90) are the VPN remote clients source IP address ranges
• (1.1.1.5, 1.1.1.87), (1.1.1.88, 1.1.1.95), and (8.8.8.6, 8.8.8.68) are the Office Mode IP addresses that will be assigned to the remote users whose source IP falls in the range defined on the same line.
• For example: A user with a source IP address between 10.10.10.5.0 and 10.10.5.129, will receive an Office Mode address between 1.1.1.5 and 1.1.1.87.

IP Assignment Based on Source IP Address is enabled using a flag in the \FWDIR\conf\objects_5_0.C file. Add the following flag:

om_use_ip_per_src_range (followed by value)

One of the following values should be applied to the flag:

• [Exclusively] - If the remote hosts IP is not found in the source range, remote user does not get an Office Mode IP address.
• [True] - If the remote hosts IP is not found in the source IP range, the user will get an Office Mode IP address using another method.
• [False] (default)- The flag is not used.

Office Mode through the ipassignment.conf File

It is possible to over-ride the Office Mode settings created on Security Management server by editing a plain text file called ipassignment.conf in the \FWDIR\conf directory of the VPN module. The module uses these Office Mode settings and not those defined for the object in Security Management server.

Ipassignment.conf can specify:

• An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups when they connect using Office Mode.
• A different WINS server for a particular user or group
• A different DNS server
• Different DNS domain suffixes for each entry in the file.

Subnet masks and Office Mode Addresses

You cannot use the ipassignment.conf file to assign a subnet mask to a single user. If using IP pools, the mask is taken from the network object, or defaults to 255.255.255.0 if using DHCP.

Checking the Syntax

The syntax of the ipassignment file can be checked using the command ipafile_check.

From a shell prompt run: vpn ipafile_check ipassignment.conf

The two parameters are:

• warn. Display errors
• detail. Show all details

For example:

Office Mode — DHCP Configuration

1. When DHCP is the selected mode, DNS and WINS parameters are downloaded from the DHCP server. If using Office Mode in DHCP mode and you wish to supply the user with DNS and/or WINS information, make sure that the DNS and/or WINS information on your DHCP server is set to the correct IP addresses.
2. On your DHCP server's configuration, make sure that you have designated an IP address space for Office Mode users (e.g., 10.130.56.0).
3. Create a new node object by selecting Manage > Network objects > New > Node > Host, representing the DHCP server and specify the machine's name, IP address and subnet mask.
4. Open the Security Gateway object through which the remote users will connect to the internal network and select the IPSec VPN > Office Mode page. Enable Office Mode to either all users or to a certain group.
   • Check the Automatic (use DHCP) option.
   • Select the DHCP object you have previously created.
   • In the Virtual IP address for DHCP server replies, specify an IP address from the sub network of the IP addresses which are designated for Office Mode usage (e.g. 10.130.56.254). Since Office Mode supports DHCP Relay method for IP assignment, you can direct the DHCP server as to where to send its replies. The routing on the DHCP server and that of internal routers must be adjusted so that packets from the DHCP server to this address are routed through the Security Gateway.
   • If you wish to use the Anti-Spoofing feature, continue to step 5, otherwise skip to step 7.
5. Create a network object to represent the address space you've allocated for Office Mode on your DHCP server, by selecting Manage > Network Objects > New > Network.

   In the Network Properties — General tab, set the DHCP address range as follows:

   • In Network Address specify the first address that is used (e.g. 10.130.56.0).
   • In Net Mask enter the subnet mask according to the amount of addresses that is used (entering 255.255.255.0, for example, designates that all 254 IP addresses from 10.130.56.1 until 10.130.56.254 are set aside for remote host Office Mode addresses on the DHCP server).
   • Changes to the Broadcast Address section and the Network Properties — NAT tab are not necessary.
   • Close the network object properties window.
6. Return to the Security Gateway object, open the IPSec VPN > Office Mode page. In the Additional IP addresses for Anti-Spoofing, select the network object you have created with the IP address range you have set aside for Office Mode on the DHCP server.
7. Install the policy.
8. Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the Security Gateway. For instance, in the example above it is required to add routes to the class C sub network of 10.130.56.0 through the Security Gateway's IP address.

In addition to the steps mentioned for the Security Gateway side configuration, a few configuration steps have to be performed on the client side in order to connect to the Security Gateway in Office mode.

Office Mode - Using a RADIUS Server

To configure the RADIUS server to allocate IP addresses:

1. In SmartDashboard, click Manage > Servers and OPSEC Applications.
2. Select RADIUS server and click Edit.

   The RADIUS Server Properties window appears.

3. Click the RADIUS Accounting tab.
4. Select Enable IP Pool Management.
5. Select the service the RADIUS server uses to communicate with remote users.

To configure the RADIUS server to perform authentication for remote users:

1. In SmartDashboard, click Manage > Network Objects.
2. Select Security Gateway and click Edit.
3. In Security Gateway properties, select IPSec VPN > Office Mode.
4. In the Office Mode Method section, select From the RADIUS server used to authenticate the user.
5. Click OK.

Office Mode Configuration on SecureClient

On the client's machine the following steps should be performed in order to connect to the Security Gateway using Office mode:

1. Right click the SecureClient icon in the system tray. From the pop-up menu, select Configure.
2. Select Tools > Configure Connection Profile > Advanced and select Support Office Mode.
3. Click OK, Save and Close and then select Exit from your File menu.
4. Double click your SecureClient icon on the bottom right side of your screen. If you're using a dial-up connection to connect to the Security Gateway select Use Dial-up and choose the name of your dial-up connection profile from the drop-down menu (it is assumed that such a profile already exists. If dial-up is not used (i.e. connection to the Security Gateway is done through a network interface card) proceed to step 5.
5. Select Connect to connect to the organization using Office Mode.

The administrator can simplify configuration, by configuring a profile in advance and providing it to the user.

Office Mode per Site

1. In SmartDashboard, click Policy > Global Properties > Remote Access > VPN - Advanced.

   The VPN - Advanced page shows the office Mode Settings.

2. In the Office Mode section, select Use first allocated Office Mode IP address for all connections to the Security Gateways of the site.
3. Click OK.