This is an overview of the workflow to give your employees remote access to your VPN gateway.
As a best practice, use these gateway settings for most remote access clients. See the documentation for your client for more details.
These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.
To configure a gateway for remote access:
The Check Point Gateway window opens.
Note that some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions.
The ICA automatically creates a certificate for the Security Gateway.
The default is All IP Addresses behind Gateway are based on Topology information. You can change this if necessary for your environment.
Optional: To change the VPN domain:
The default is Allow Office Mode to all users.
By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server.
For more information about user groups and LDAP, see the Security Management Server Administration Guide.
To add user groups to a Remote Access VPN Community:
Users must authenticate to the VPN gateway with a supported authentication method. You can configure authentication methods for the remote access gateway in:
If no authentication methods are defined for the gateway, users select an authentication method from the client.
On newer remote access clients that connect to R80.x gateways, users can see multiple login options and select the one that applies to them. On older clients, or clients that work with pre-R80.10 gateways, users see only the one configured authentication method.
See User and Client Authentication for Remote Access for details.
You must configure rules to allow users in the Remote Access VPN Community to access the LAN. You can limit the access to specified services or specified clients. Configure rules in SmartConsole > Security Policies > Access Control.
To make a rule apply to a VPN Community, the VPN column of the Rule Base must contain one of these:
Examples:
Name | Source | Destination | VPN | Services & Applications |
---|---|---|---|---|
Allow all remote access | * Any | Internal_Network | * Any | * Any |
Allow RemoteAccess community | * Any | Internal_Network | RemoteAccess | HTTP |
Allow all from Endpoint Security VPN | Endpoint Security VPN Access Role | Internal_Network | RemoteAccess | * Any |
See Access Roles for Remote Access for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.
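The following Python is an added illustration, not Check Point's own code or API: it models how each of the three example rules above, taken on its own, matches a connection, so you can see what the VPN column does. It assumes the source object, Access Role and VPN community have already been resolved to plain labels; note that the "* Any" VPN example also matches clear-text traffic that is not in any VPN community.

```python
from dataclasses import dataclass
from typing import Optional, List

ANY = "* Any"   # the "Any" object as it appears in the rule base columns

@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # network object, Access Role name, or ANY
    destination: str
    vpn: str           # ANY, or a VPN community name such as "RemoteAccess"
    service: str       # ANY, or a service such as "HTTP"

@dataclass(frozen=True)
class Connection:
    source: str                 # object/Access Role the source resolves to (assumed pre-resolved)
    destination: str
    community: Optional[str]    # community the connection is encrypted in; None = clear text
    service: str

def _field_matches(field: str, value: Optional[str]) -> bool:
    # "Any" in a column matches every value, including a clear-text (None) community.
    return field == ANY or field == value

def rule_matches(rule: Rule, conn: Connection) -> bool:
    """True if every column of the rule matches the connection."""
    return (_field_matches(rule.source, conn.source)
            and _field_matches(rule.destination, conn.destination)
            and _field_matches(rule.vpn, conn.community)
            and _field_matches(rule.service, conn.service))

# The three example rules from the page, each evaluated independently (not as one rule base).
EXAMPLE_RULES = (
    Rule("Allow all remote access", ANY, "Internal_Network", ANY, ANY),
    Rule("Allow RemoteAccess community", ANY, "Internal_Network", "RemoteAccess", "HTTP"),
    Rule("Allow all from Endpoint Security VPN", "Endpoint Security VPN Access Role",
         "Internal_Network", "RemoteAccess", ANY),
)

def rules_allowing(conn: Connection, rules=EXAMPLE_RULES) -> List[str]:
    """Names of the example rules that would each, on their own, accept this connection."""
    return [r.name for r in rules if rule_matches(r, conn)]

# Constructed sample connections (labels are hypothetical).
CLEAR_HTTP = Connection("10.1.1.5", "Internal_Network", None, "HTTP")          # not in any VPN
RA_HTTP = Connection("Endpoint Security VPN Access Role", "Internal_Network", "RemoteAccess", "HTTP")
RA_SSH = Connection("Endpoint Security VPN Access Role", "Internal_Network", "RemoteAccess", "SSH")
RA_SSH_OTHER = Connection("Other client", "Internal_Network", "RemoteAccess", "SSH")

if __name__ == "__main__":
    for label, c in (("clear HTTP", CLEAR_HTTP), ("RA HTTP", RA_HTTP),
                     ("RA SSH", RA_SSH), ("RA SSH other client", RA_SSH_OTHER)):
        print(f"{label}: {rules_allowing(c)}")
```

Only the second and third examples restrict the rule to traffic encrypted in the RemoteAccess community; the first accepts the clear-text connection as well.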
See the documentation for your remote access client for deployment instructions.
Make sure that users have: