Print Download PDF Send Feedback

Previous

Next

Office Mode

In This Section:

The Need for Remote Clients to be Part of the LAN

Office Mode

Enabling IP Address per User

Office Mode Considerations

Configuring Office Mode

The Need for Remote Clients to be Part of the LAN

As remote access to internal networks of organizations becomes widespread, it is essential that remote users are able to access as many of the internal resources of the organization as possible. Typically, when remote access is implemented, the client connects using an IP address locally assigned by, for example, an ISP. The client may even receive a non-routable IP which is then hidden behind a NATing device. Because of this, several problems may arise:

Office Mode

Office Mode enables a Security Gateway to assign a remote client an IP address. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected. The address may be taken either from a general IP address pool, or from an IP address pool specified per user group. The address can be specified per user, or via a DHCP server, enabling the use of a name resolution service. With DNS name resolution, it is easier to access the client from within the corporate network.

It is possible to allow all your users to use Office Mode, or to enable the feature for a specific group of users. This can be used, for example, to allow privileged access to a certain group of users (e.g., administrators accessing the LAN from remote stations). It is also useful in early integration stages of Office Mode, allowing you time to "pilot" this feature on a specific group of users, while the rest of the users continue to work in the traditional way.

Office Mode is supported with the following:

How Office Mode Works

When you connect to the organization, an IKE negotiation is initiated automatically to the Security Gateway. When using Office Mode, a special IKE mode called config mode is inserted between phase 1 and phase 2 of IKE. During config mode, the client requests an IP from the Security Gateway. Several other parameters are also configurable this way, such as a DNS server IP address, and a WINS server IP address.

After the Security Gateway allocates the IP address, the client assigns the IP to a Virtual Adapter on the Operating system. The routing of packets to the corporate LAN is modified to go through this adapter. Packets routed in this way bear the IP address assigned by the Security Gateway as their source IP address. Before exiting through the real adapter, the packets will be IPsec encapsulated using the external IP address (assigned to the real adapter) as the source address. In this way, non-routable IP addresses can be used with Office Mode; the Office Mode non-routable address is concealed within the IPsec packet.

For Office Mode to work, the IP address assigned by the Security Gateway needs to be routable to that Security Gateway from within the corporate LAN. This lets packets on the LAN being sent to the client to be routed back through the Security Gateway.

Note - A remote user with SecuRemote only is not supported in Office Mode.

A Closer Look

The following steps illustrate the process taking place when a remote user connected through Office Mode wishes to exchange some information with resources inside the organization:

Assigning IP Addresses

The internal IP addresses assigned by the Security Gateway to the remote user can be allocated using one of the following methods:

IP Pool

The System Administrator designates a range of IP addresses to be utilized for remote client machines. Each client requesting to connect in Office Mode is provided with a unique IP address from the pool.

IP Assignment Based on Source IP Address

IP addresses from the IP pool may be reserved and assigned to remote users based on their source IP address. When a remote host connects to the Security Gateway, its IP address is compared to a predefined range of source IP addresses. If the IP address is found to be in that range, then it is assigned an Office Mode IP address from a range dedicated for that purpose.

The IP addresses from this reserved pool can be configured to offer a separate set of access permissions given to these remote users.

DHCP Server

A Dynamic Host Configuration Protocol (DHCP) server can be used to allocate IP addresses for Office Mode clients. When a remote user connects to the Security Gateway using Office Mode, the Security Gateway requests the DHCP server to assign the user an IP address from a range of IP addresses designated for Office Mode users.

Security Gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves. The attributes are pre-configured on the client side operating system, and can be used by different DHCP servers in the process of distributing IP addresses. Security Gateways DHCP request can contain the following attributes:

RADIUS Server

A RADIUS server can be used for authenticating remote users. When a remote user connects to a Security Gateway, the username and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user. The RADIUS server can also be configured to allocate IP addresses.

Note - Authentication and IP assignment must be performed by the same RADIUS server.

Office Mode and Static Routes in a Non-flat Network

A flat network is one in which all stations can reach each other without going through a bridge or a router. One segment of a network is a "flat network". A static route is a route that is manually assigned by the system administrator (to a router) and needs to be manually updated to reflect changes in the network.

If the LAN is non-flat (stations reach each other via routers and bridges) then the OM address of the remote client must be statically assigned to the routers so that packets on the LAN, destined for the remote client, are correctly routed to the Security Gateway.

IP Address Lease duration

When a remote user's machine is assigned an Office mode IP address, that machine can use it for a certain amount of time. This time period is called the "IP address lease duration." The remote client automatically asks for a lease renewal after half of the IP lease duration period has elapsed. If the IP lease duration time is set to 60 minutes, a renewal request is sent after 30 minutes. If a renewal is given, the client will request a renewal again after 30 minutes. If the renewal fails, the client attempts again after half of the remaining time, for example, 15 minutes, then 7.5 minutes, and so on. If no renewal is given and the 60 minutes of the lease duration times out, the tunnel link terminates. To renew the connection the remote user must reconnect to the Security Gateway. Upon reconnection, an IKE renegotiation is initiated and a new tunnel created.

When the IP address is allocated from a predefined IP pool on the Security Gateway, the Security Gateway determines the IP lease duration period. The default is 15 minutes.

When using a DHCP server to assign IP addresses to users, the DHCP server's configuration determines the IP lease duration. When a user disconnects and reconnects to the Security Gateway within a short period of time, it is likely that the user will get the same IP address as before.

Using Name Resolution - WINS and DNS

To facilitate access of a remote user to resources on the internal network, the administrator can specify WINS and DNS servers for the remote user. This information is sent to the remote user during IKE config mode along with the IP address allocation information, and is used by the remote user's operating system for name-to-IP resolution when the user is trying to access the organization's internal resources.

Anti-Spoofing

With Anti-Spoofing, a network administrator configures which IP addresses are expected on each interface of the Security Gateway. Anti-Spoofing ensures IP addresses are only received or transmitted in the context of their respective Security Gateway interfaces. Office Mode poses a problem to the Anti-Spoofing feature, since a client machine can connect and authenticate through several interfaces, e.g. the external interface to the Internet, or the wireless LAN interface; thus an Office Mode IP address may be encountered on more than one interface. Office Mode enhances Anti-Spoofing by making sure an encountered Office Mode IP address is indeed assigned to the user, authenticated on the source IP address on the IPsec encapsulating packet, i.e. the external IP.

Using Office Mode with Multiple External Interfaces

Typically, routing is performed before encryption in VPN. In some complex scenarios of Office Mode, where the Security Gateway may have several external interfaces, this might cause a problem. In these scenarios, packets destined at a remote user's virtual IP address will be marked as packets that are supposed to be routed through one external interface of the Security Gateway. Only after the initial routing decision is made do the packets undergo IPsec encapsulation. After the encapsulation, the destination IP address of these packets is changed to the original IP address of the client. The routing path that should have been selected for the encapsulated packet might be through a different external interface than that of the original packet (since the destination IP address changed), in which case a routing error occurs. Office Mode has the ability to make sure that all Office Mode packets undergo routing after they are encapsulated.

Office Mode Per Site

After a remote user connects and receives an Office Mode IP address from a Security Gateway, every connection to that Security Gateways encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address.

The Office Mode IP address assigned by a specific Security Gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind Security Gateways that are members of the same VPN community as the assigning Security Gateway. Since the remote hosts' connections are dependent on the Office Mode IP address it received, if the Security Gateway that issued the IP becomes unavailable, all the connections to the site will terminate.

In order for all Security Gateways on the site to recognize the remote users Office Mode IP addresses, the Office Mode IP range must be known by all of the Security Gateways and the IP ranges must be routable in all the networks. However, when the Office Mode per Site feature is in use, the IP-per-user feature cannot be implemented.

Note - When Office Mode per Site is activated, Office Mode Anti-Spoofing is not enforced.

In this scenario:

Enabling IP Address per User

In some configurations, a router or other device restricts access to portions of the network to specified IP addresses. A remote user connecting in Office Mode must be able to ensure that he or she is allocated an IP address which will allow the connection to pass through the router.

Note - If this feature is implemented, it is imperative to enable Anti-Spoofing for Office Mode.

There are two ways to implement this feature, depending on whether IP addresses are allocated by a DHCP server or IP Pool.

The Solution

There are two ways to implement this feature, depending on whether IP addresses are allocated by a DHCP server or IP Pool.

DHCP Server

If Office Mode addresses are allocated by a DHCP server, proceed as follows:

  1. Open the Check Point object from the Objects Tree.
  2. In the Object Properties > IPsec VPN > Office Mode page:
    • Enable Office Mode (either for all users or for the relevant group)
    • Select a DHCP server and under MAC address for DHCP allocation, select calculated per user name
  3. Install the Policy on the Security Gateway.
  4. On the Security Gateway, run this command to obtain the MAC address assigned to the user.

    vpn macutil <username>

  5. On the DHCP Server make a new reservation, specifying the IP address and MAC address, assigning the IP address for the exclusive use of the given user.
ipassignment.conf File

The $FWDIR/conf/ipassignment.conf file on the Security Gateway, is used to implement the IP-per-user feature. It lets the administrator to assign specific addresses to specific users or specific ranges to specific groups when they connect using Office Mode or L2TP clients.

Note - This file must be manually added to all Security Gateways.

Sample ipassignment.conf File

# This file is used to implement the IP-per-user feature. It allows the

# administrator to assign specific addresses to specific users or specific

# ranges to specific groups when they connect using Office Mode or L2TP.

#

# The format of this file is simple: Each line specifies the target

# Security Gateway, the IP address (or addresses) we wish to assign and the user

# (or group) name as in the following examples:

#

# Security Gateway Type IP Address User Name

# ============= ===== ===========================

# Paris-GW, 10.5.5.8, Jean

# Brasilia, addr 10.6.5.8, Joao # comments are allowed

# Miami, addr 10.7.5.8, CN=John,OU=users,O=cpmgmt.acme.com.gibeuu

# Miami range 100.107.105.110-100.107.105.119/24 Finance

# Miami net 10.7.5.32/28 Accounting

#

# Note that real records do not begin with a pound-sign (#), and the commas

# are optional. Invalid lines are treated as comments. Also, the

# user name may be followed by a pound-sign and a comment.

#

# The first item is the Security Gateway name. This could be a name, an IP

# address or an asterisk (*) to signify all Security Gateways. A gateway will

# only honor lines that refer to it.

#

# The second item is a descriptor. It can be 'addr', 'range' or 'net'.

# 'addr' specifies one IP for one user. This prefix is optional.

# 'range' and 'net' specify a range of addresses. These prefixes are

# required.

#

# The third item is the IP address or addresses. In the case of a single

# address, it is specified in standard dotted decimal format.

# ranges can be specified either by the first and last IP address, or using

# a net specification. In either case you need to also specify the subnet

# mask length ('/24' means 255.255.255.0). With a range, this is the subnet

# mask. With a net it is both the subnet mask and it also determines the

# addresses in the range.

#

# The last item is the user name. This can be a common name if the

# user authenticates with some username/password method (like hybrid

# or MD5-Challenge) or a DN if the user authenticates with a

# certificate.

Office Mode Considerations

IP Pool versus DHCP

The question of whether IP addresses should be assigned by the Firewall (using IP pools) or by a DHCP server is a network administration and financial issue. Some network administrators may prefer to manage all of their dynamic IP addresses from the same location. For them, a central DHCP server might be preferable. Moreover, DHCP allows a cluster to assign all the addresses from a single pool, rather than have a different pool per cluster member as you have to with Firewall IP pools. On the other hand, purchasing a DHCP server can be viewed by some as an unnecessary financial burden, in which case the IP pool option might be preferred.

Routing Table Modifications

IP addresses, assigned by Office Mode need to be routed by the internal LAN routers to the Security Gateway (or Security Gateway cluster) that assigned the address. This is to make sure packets, destined to remote access Office Mode users, reach the Security Gateway in order to be encapsulated and returned to the client machine. This may require changes to the organization's routing tables.

Using the Multiple External Interfaces Feature

Enabling this feature instructs Office Mode to perform routing decisions after the packets are encapsulated using IPsec, and prevents possible routing problems. This feature adds new checks and changes to the routing of packets through the Security Gateway, and has an impact on performance. As a result, we recommend that you use this feature only when these conditions are met:

Configuring Office Mode

Before configuring Office Mode the assumption is that standard VPN Remote Access has already been configured.

Before starting the Office Mode configuration, you must select an internal address space designated for remote users using Office Mode. This can be any IP address space, as long as the addresses in this space do not conflict with addresses used within the enterprise domain. It is possible to choose address spaces which are not routable on the Internet, such as 10.x.x.x.

The basic configuration of Office Mode is using IP pools. You can also configure Office Mode using DHCP for address allocation.

Office Mode - IP Pool Configuration

To deploy the basic Office Mode (using IP pools):

  1. Create a network object to represent the IP Pool, by selecting Manage > Network Objects > New > Network.
  2. In the Network Properties — General tab, set the IP pool range of addresses as follows:
    1. In Network Address specify the first address to be used (e.g. 10.130.56.0).
    2. In Net Mask enter the subnet mask according to the required amount of IP addresses (entering 255.255.255.0, for example, this will designate all 254 IP addresses from 10.130.56.1 to 10.130.56.254 for Office Mode addresses.)
    3. Changes to the Broadcast Address section and the Network Properties — NAT tab are not necessary.
    4. Close the network object properties window.
  3. Open the Security Gateway object through which the remote users will connect to the internal network and select the IPsec VPN > Office Mode page. Enable Office Mode for either all users or for a certain group.
    1. In the Allocate IP from network select the IP Pool network object you have previously created.
    2. IP lease duration — specify the duration in which the IP is used by the remote host.
    3. Under Multiple Interfaces, specify whether you want routing to be done after the encapsulation of Office Mode packets, allowing traffic to be routed correctly when your Security Gateway has multiple external interfaces.
    4. Select Anti-Spoofing if you wish the firewall to check that Office Mode packets are not spoofed.

It is possible to specify which WINS and DNS servers Office Mode users should use. To specify WINS and/or DNS servers, continue to step 3. Otherwise skip to step 6.

Note - WINS and DNS servers should be set on the Security Management Server machine only when IP pool is the selected method.

  1. Create a DNS server object, by selecting Manage > Network Objects > New > Node > Host and specify the DNS machine's name, IP address and subnet mask. Repeat this step if you have additional DNS servers.
  2. Create a WINS server object, by selecting Manage > Network objects > New > Node > Host and specify the WINS machine's name, IP address and subnet mask. Repeat this step if you have additional WINS servers.
  3. In the Check Point Security Gateway — IPsec VPN > Office Mode page, in the IP Pool section click the "optional parameters" button.
    1. In the IP Pool Optional Parameters window, select the appropriate objects for the primary and backup DNS and WINS servers.
    2. In the Domain name field, specify the suffix of the domain where the internal names are defined. This instructs the Client as per what suffix to add when it addresses the DNS server (e.g. example.com).
  4. Install the Policy.
  5. Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the Security Gateway. For instance, in the example above it is required to add routes to the class C sub network of 10.130.56.0 through the Security Gateway's IP address.

In addition to the steps mentioned for the Security Gateway side configuration, a few configuration steps have to be performed on the client side in order to connect to the Security Gateway in Office Mode.

Configuring IP Assignment Based on Source IP Address

Configure the settings of the IP Assignment Based on Source IP Address feature in the $FWDIR/conf/user.def file. This file is located on the Security Management Server, which manages the gateways used for remote access.

You must define a range of source IP addresses and a range of Office Mode addresses. The $FWDIR/conf/user.def file can contain multiple definitions for multiple gateways.

The first range defined in each line is the source IP address range. The second range in the line is the Office Mode IP address range.

For example:

all@module1 om_per_src_range={<10.10.5.0, 10.10.5.129; 1.1.1.5, 1.1.1.87>,
<10.10.9.0, 10.10.9.255; 1.1.1.88, 1.1.1.95>};
all@module2 om_per_src_range={<70.70.70.4, 70.70.70.90; 8.8.8.6,8.8.8.86>};

In this scenario:

For example: A user with a source IP address between 10.10.10.5.0 and 10.10.5.129, will receive an Office Mode address between 1.1.1.5 and 1.1.1.87.

To enable IP Assignment Based on Source IP Address:

In the $FWDIR/conf/user.def file add: om_use_ip_per_src_range (<value>)

Where valid values are:

Office Mode through the ipassignment.conf File

You can over-ride the Office Mode settings created on Security Management server. Edit the plain text file called ipassignment.conf in $FWDIR/conf on the Check Point Security Gateway. The gateway uses these Office Mode settings and not those defined for the object in Security Management server.

ipassignment.conf can specify:

Subnet masks and Office Mode Addresses

You cannot use the ipassignment.conf file to assign a subnet mask to a single user. If using IP pools, the mask is taken from the network object, or defaults to 255.255.255.0 if using DHCP.

Checking the Syntax

The syntax of the ipassignment file can be checked using the command ipafile_check.

From a shell prompt run: vpn ipafile_check ipassignment.conf

The two parameters are:

For example:

[user@Checkpoint conf]# vpn ipafile_check ipassignment.conf warn

Reading file records...

Invalid IP address specification in line 0057

Invalid IP address specification in line 0058

Invalid subnet in line 0060

 

[user @Checkpoint conf]# vpn ipafile_check ipassignment.conf detail

Reading file records...

 

Line 0051 is a comment (starts with #)

Line 0052 is a comment (starts with #)

Line 0053 is a comment (starts with #)

Line 0054 is a comment (starts with #)

Line 0055 is a comment (starts with #)

Line 0056 ignored because it is empty

Invalid IP address specification in line 0057

Invalid IP address specification in line 0058

line 0059 is OK. User="paul"

Invalid subnet in line 0060

line 0061 is OK. Group="dns=1.1.1.1

Line 0062 ignored because it is empty

Line 0063 ignored because it is empty

Could not read line 64 in conf file - maybe EOF

[user@Checkpoint conf]#

 

Office Mode - DHCP Configuration

  1. When DHCP is the selected mode, DNS and WINS parameters are downloaded from the DHCP server. If using Office Mode in DHCP mode and you wish to supply the user with DNS and/or WINS information, make sure that the DNS and/or WINS information on your DHCP server is set to the correct IP addresses.
  2. On your DHCP server's configuration, make sure that you have designated an IP address space for Office Mode users (e.g., 10.130.56.0).
  3. Create a new node object by selecting Manage > Network objects > New > Node > Host, representing the DHCP server and specify the machine's name, IP address and subnet mask.
  4. Open the Security Gateway object through which the remote users will connect to the internal network and select the IPsec VPN > Office Mode page. Enable Office Mode to either all users or to a certain group.
    • Check the Automatic (use DHCP) option.
    • Select the DHCP object you have previously created.
    • In the Virtual IP address for DHCP server replies, specify an IP address from the sub network of the IP addresses which are designated for Office Mode usage (e.g. 10.130.56.254). Since Office Mode supports DHCP Relay method for IP assignment, you can direct the DHCP server as to where to send its replies. The routing on the DHCP server and that of internal routers must be adjusted so that packets from the DHCP server to this address are routed through the Security Gateway.
    • If you wish to use the Anti-Spoofing feature, continue to step 5, otherwise skip to step 7.
  5. Create a network object to represent the address space you've allocated for Office Mode on your DHCP server, by selecting Manage > Network Objects > New > Network.

    In the Network Properties — General tab, set the DHCP address range as follows:

    • In Network Address specify the first address that is used (e.g. 10.130.56.0).
    • In Net Mask enter the subnet mask according to the amount of addresses that is used (entering 255.255.255.0, for example, designates that all 254 IP addresses from 10.130.56.1 until 10.130.56.254 are set aside for remote host Office Mode addresses on the DHCP server).
    • Changes to the Broadcast Address section and the Network Properties — NAT tab are not necessary.
    • Close the network object properties window.
  6. Return to the Security Gateway object, open the IPsec VPN > Office Mode page. In the Additional IP addresses for Anti-Spoofing, select the network object you have created with the IP address range you have set aside for Office Mode on the DHCP server.
  7. Install the policy.
  8. Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the Security Gateway. For instance, in the example above it is required to add routes to the class C sub network of 10.130.56.0 through the Security Gateway's IP address.

In addition to the steps mentioned for the Security Gateway side configuration, a few configuration steps have to be performed on the client side in order to connect to the Security Gateway in Office mode.

Note - Office Mode is supported only in Connect Mode.

Office Mode - Using a RADIUS Server

To configure the RADIUS server to allocate IP addresses:

  1. In SmartDashboard, click Manage > Servers and OPSEC Applications.
  2. Select RADIUS server and click Edit.

    The RADIUS Server Properties window appears.

  3. Click the RADIUS Accounting tab.
  4. Select Enable IP Pool Management.
  5. Select the service the RADIUS server uses to communicate with remote users.

To configure the RADIUS server to perform authentication for remote users:

  1. In SmartDashboard, click Manage > Network Objects.
  2. Select Security Gateway and click Edit.
  3. In Security Gateway properties, select IPsec VPN > Office Mode.
  4. In the Office Mode Method section, select From the RADIUS server used to authenticate the user.
  5. Click OK.

Office Mode Configuration on SecureClient

On the client's machine the following steps should be performed in order to connect to the Security Gateway using Office mode:

  1. Right click the SecureClient icon in the system tray. From the pop-up menu, select Configure.
  2. Select Tools > Configure Connection Profile > Advanced and select Support Office Mode.
  3. Click OK, Save and Close and then select Exit from your File menu.
  4. Double click your SecureClient icon on the bottom right side of your screen. If you're using a dial-up connection to connect to the Security Gateway select Use Dial-up and choose the name of your dial-up connection profile from the drop-down menu (it is assumed that such a profile already exists. If dial-up is not used (i.e. connection to the Security Gateway is done through a network interface card) proceed to step 5.
  5. Select Connect to connect to the organization using Office Mode.

The administrator can simplify configuration, by configuring a profile in advance and providing it to the user.

Office Mode per Site

  1. In SmartDashboard, click Policy > Global Properties > Remote Access > VPN - Advanced.

    The VPN - Advanced page shows the office Mode Settings.

  2. In the Office Mode section, select Use first allocated Office Mode IP address for all connections to the Security Gateways of the site.
  3. Click OK.