Getting Started with Remote Access

In This Section: Overview of the Remote Access Workflow Basic Gateway Configuration Including Users in the Remote Access Community Configuring User Authentication Configuring VPN Access Rules for Remote Access Deploying Remote Access Clients

Overview of the Remote Access Workflow

This is an overview of the workflow to give your employees remote access to your VPN gateway.

1. Enable the IPsec VPN blade on the gateway and do basic gateway configuration.
2. Add the gateway to the Remote Access VPN Community.
3. Include users in the Remote Access VPN Community.
4. Configure user authentication.
5. Configure VPN access rules in the security policy.
6. If necessary, define the Desktop Policy.
7. Install policy on the gateway.
8. Deploy the remote access client to users.

Basic Gateway Configuration

As a best practice, use these gateway settings for most remote access clients. See the documentation for your client for more details.

These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.

To configure a gateway for remote access:

1. In SmartConsole, right click the gateway and select Edit.

   The Check Point Gateway window opens.

2. In the Network Security tab, select IPsec VPN to enable the blade.

   Note that some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions.

3. Add the gateway to the Remote Access VPN Community:
   1. From the Check Point Gateway tree, click IPsec VPN.
   2. In This Security Gateway participates in the following VPN Communities, make sure the gateway shows or click Add to add the gateway.
   3. Click the RemoteAccess community.
   4. Click OK.

      The ICA automatically creates a certificate for the Security Gateway.

4. Set the VPN domain for the Remote Access community.

   The default is All IP Addresses behind Gateway are based on Topology information. You can change this if necessary for your environment.

   Optional: To change the VPN domain:

   1. From the Check Point Gateway tree, click Network Management.
   2. In VPN Domain, click Set domain for Remote Access Community.
5. Configure Visitor Mode.
   1. Select IPSec VPN > Remote Access.
   2. Select Support Visitor Mode and keep All Interfaces selected.
   3. Optional: Select the Visitor Mode Service, which defines the protocol and port of client connections to the gateway.
6. Configure Office Mode.
   1. From the Check Point Gateway tree, select VPN Clients > Office Mode.

      The default is Allow Office Mode to all users.

   2. Optional: Select Offer Office Mode to group and select a group.
   3. Select an Office Mode method. See Office Mode for details.
7. Click OK.

Including Users in the Remote Access Community

By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server.

For more information about user groups and LDAP, see the Security Management Server Administration Guide.

To add user groups to a Remote Access VPN Community:

1. In SmartConsole >Access Tools, select VPN Communities.
2. Right-click the Remote Access Community object and click Edit.
3. Click Participant User Groups.
4. Add or remove groups.
5. Click OK.

Configuring User Authentication

Users must authenticate to the VPN gateway with a supported authentication method. You can configure authentication methods for the remote access gateway in:

• Gateway Properties > VPN Clients > Authentication
• SmartDashboard > Mobile Access tab > Authentication
• Gateway Properties > Mobile Access > Authentication

If no authentication methods are defined for the gateway, users select an authentication method from the client.

On newer remote access clients that connect to R80.x gateways, users can see multiple login options and select one that applies to them. On older clients or clients that work with pre- R80.10 gateways, users see one configured authentication method.

See User and Client Authentication for Remote Access for details.

Configuring VPN Access Rules for Remote Access

You must configure rules to allow users in the Remote Access VPN Community to access the LAN. You can limit the access to specified services or specified clients. Configure rules in SmartConsole > Security Policies > Access Control.

To make a rule apply to a VPN Community, the VPN column of the Rule Base must contain one of these:

• Any - The rules applies to all VPN Communities. If you configure a new VPN Community after the rule was created, the rule also applies to the new VPN Community.
• One or more specified VPN communities - For example, RemoteAccess. Right-click in the VPN column of a rule and select Specific VPN Communities. The rule applies to the communities shown in the VPN column.

Examples:

• This rule allows traffic from all VPN Communities to the internal network on all services:

  Name	Source	Destination	VPN	Services & Applications
  Allow all remote access	* Any	Internal_Network	* Any	* Any

• This rule allows traffic from RemoteAcccess VPN Community to the internal network on HTTP and HTTPS.

  Name	Source	Destination	VPN	Services & Applications
  Allow RemoteAccess community	* Any	Internal_Network	RemoteAccess	HTTP HTTPS

• This rule allows traffic from RemoteAcccess VPN Community to the internal network on all services when the traffic starts from the Endpoint Security VPN client.

  Name	Source	Destination	VPN	Services & Applications
  Allow all from Endpoint Security VPN	Endpoint Security VPN Access Role	Internal_Network	RemoteAccess	* Any

  See Access Roles for Remote Access for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.

Deploying Remote Access Clients

See the documentation for your remote access client for deployment instructions.

Make sure that users have:

• The site name or URL.
• The credentials or hardware required to authenticate.