Getting Started with Remote Access

In This Section:

Overview of the Remote Access Workflow

Basic Gateway Configuration

Including Users in the Remote Access Community

Configuring User Authentication

Configuring VPN Access Rules for Remote Access

Deploying Remote Access Clients

Overview of the Remote Access Workflow

This is an overview of the workflow to give your employees remote access to your VPN gateway.

  1. Enable the IPsec VPN blade on the gateway and do basic gateway configuration.
  2. Add the gateway to the Remote Access VPN Community.
  3. Include users in the Remote Access VPN Community.
  4. Configure user authentication.
  5. Configure VPN access rules in the security policy.
  6. If necessary, define the Desktop Policy.
  7. Install policy on the gateway.
  8. Deploy the remote access client to users.

Basic Gateway Configuration

As a best practice, use these gateway settings for most remote access clients. See the documentation for your client for more details.

These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.

To configure a gateway for remote access:

  1. In SmartConsole, right-click the gateway and select Edit.

    The Check Point Gateway window opens.

  2. In the Network Security tab, select IPsec VPN to enable the blade.

    Note that some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions.

  3. Add the gateway to the Remote Access VPN Community:
    1. From the Check Point Gateway tree, click IPsec VPN.
    2. In This Security Gateway participates in the following VPN Communities, make sure the gateway shows or click Add to add the gateway.
    3. Click the RemoteAccess community.
    4. Click OK.

      The ICA automatically creates a certificate for the Security Gateway.

  4. Set the VPN domain for the Remote Access community.

    The default is All IP Addresses behind Gateway are based on Topology information. You can change this if necessary for your environment.

    Optional: To change the VPN domain:

    1. From the Check Point Gateway tree, click Network Management.
    2. In VPN Domain, click Set domain for Remote Access Community.
  5. Configure Visitor Mode.
    1. Select IPSec VPN > Remote Access.
    2. Select Support Visitor Mode and keep All Interfaces selected.
    3. Optional: Select the Visitor Mode Service, which defines the protocol and port of client connections to the gateway.
  6. Configure Office Mode.
    1. From the Check Point Gateway tree, select VPN Clients > Office Mode.

      The default is Allow Office Mode to all users.

    2. Optional: Select Offer Office Mode to group and select a group.
    3. Select an Office Mode method. See Office Mode for details.
  7. Click OK.

Including Users in the Remote Access Community

By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server.

For more information about user groups and LDAP, see the R80.10 Security Management Administration Guide.

To add user groups to a Remote Access VPN Community:

  1. In SmartConsole > Access Tools, select VPN Communities.
  2. Right-click the Remote Access Community object and click Edit.
  3. Click Participant User Groups.
  4. Add or remove groups.
  5. Click OK.

Configuring User Authentication

Users must authenticate to the VPN gateway with a supported authentication method. You can configure authentication methods for the remote access gateway in:

If no authentication methods are defined for the gateway, users select an authentication method from the client.

On newer remote access clients that connect to R80.x gateways, users can see multiple login options and select one that applies to them. On older clients or clients that work with pre-R80.10 gateways, users see one configured authentication method.

See User and Client Authentication for Remote Access for details.

Configuring VPN Access Rules for Remote Access

You must configure rules to allow users in the Remote Access VPN Community to access the LAN. You can limit the access to specified services or specified clients. Configure rules in SmartConsole > Security Policies > Access Control.

To make a rule apply to a VPN Community, the VPN column of the Rule Base must contain one of these:

Examples:

Deploying Remote Access Clients

See the documentation for your remote access client for deployment instructions.

Make sure that users have: