From SmartConsole, use the Gateways & Servers menu to configure the gateway and enable blades.
| Step | Description |
|---|---|
| Step 1 | Enable the IPsec VPN blade on the gateway and do basic gateway configuration. From SmartConsole, use the Gateways & Servers menu to configure the gateway and blades. Note - Some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions. |
| Step 2 | Add the gateway to the Remote Access VPN Community. |
| Step 3 | Configure Visitor Mode. |
| Step 4 | Configure Office Mode. |
| Step 5 | Include users in the Remote Access VPN Community. The Remote Access VPN Community includes a user group, All Users, by default. You can also add different user groups. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server. For more information about user groups and LDAP, see the R80.20 Security Management Administration Guide. |
| Step 6 | Configure user authentication for the remote access gateway. Note - If no authentication methods are defined for the gateway, users select an authentication method from the client. See User and Client Authentication for Remote Access for details on login options and authentication methods. |
| Step 7 | Configure VPN access rules to the LAN in the security policy. To make a rule apply to a VPN Community, the VPN column of the Rule Base must contain one of these: Below are some examples of access rules in the Rule Base. |
| Step 8 | If necessary, define the Desktop policy. |
| Step 9 | Install policy on the gateway. |
| Step 10 | Deploy the remote access client to users. Make sure that users have: |
Examples:

This rule allows traffic from all VPN Communities to the internal network on all services:

| Name | Source | Destination | VPN | Services & Applications |
|---|---|---|---|---|
| Allow all remote access | Any | Internal_Network | Any | Any |

This rule allows traffic from the RemoteAccess VPN Community to the internal network on HTTP and HTTPS:

| Name | Source | Destination | VPN | Services & Applications |
|---|---|---|---|---|
| Allow RemoteAccess community | Any | Internal_Network | RemoteAccess | HTTP |

This rule allows traffic from the RemoteAccess VPN Community to the internal network on all services, but only when the traffic starts from the Endpoint Security VPN client:

| Name | Source | Destination | VPN | Services & Applications |
|---|---|---|---|---|
| Allow all from Endpoint Security VPN | Endpoint Security VPN Access Role | Internal_Network | RemoteAccess | Any |
See Access Roles for Remote Access for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.
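To make the effect of the VPN and Source columns concrete, here is an added example (not Check Point code and not part of this guide) that models the three rules above and evaluates sample connections against them with first-match semantics. The rule contents follow the tables; the second rule is modeled with both HTTP and HTTPS as the description states. The connection records, the `SiteToSite` community name and the `SSH` service are constructed for the illustration, and the model simplifies Any in the VPN column to "matches traffic from any community".

```python
"""Model of how the VPN column and an Access Role in the Source column
scope remote access rules. Added illustration; not Check Point's code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str              # "Any" or an Access Role name
    destination: str         # "Any" or a network object name
    vpn: str                 # "Any" or a VPN Community name
    services: FrozenSet[str]  # {"Any"} or a set of service names
    action: str = "Accept"


@dataclass(frozen=True)
class Connection:
    community: str           # VPN Community the traffic arrived through
    roles: FrozenSet[str]    # Access Roles the authenticated user/client matches
    destination: str
    service: str


# The three rules from the tables above (HTTPS added per the prose description).
RULE_ALL = Rule("Allow all remote access", ANY, "Internal_Network", ANY, frozenset({ANY}))
RULE_HTTP = Rule("Allow RemoteAccess community", ANY, "Internal_Network",
                 "RemoteAccess", frozenset({"HTTP", "HTTPS"}))
RULE_ESV = Rule("Allow all from Endpoint Security VPN",
                "Endpoint Security VPN Access Role", "Internal_Network",
                "RemoteAccess", frozenset({ANY}))


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """True when every column of the rule accepts the connection."""
    if rule.source != ANY and rule.source not in conn.roles:
        return False  # Access Role in Source: the client/user must hold it
    if rule.destination != ANY and rule.destination != conn.destination:
        return False
    # VPN column: a named community only matches traffic from that community.
    if rule.vpn != ANY and rule.vpn != conn.community:
        return False
    return ANY in rule.services or conn.service in rule.services


def evaluate(rulebase: List[Rule], conn: Connection) -> Tuple[str, str]:
    """First-match evaluation; no match falls to the implicit cleanup (drop)."""
    for rule in rulebase:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return "Drop", "Cleanup rule (implicit)"


def broad_rules(rulebase: List[Rule]) -> List[str]:
    """Names of rules that accept any community, any source and any service:
    the rules worth reviewing first when tightening remote access."""
    return [r.name for r in rulebase
            if r.action == "Accept" and r.vpn == ANY and r.source == ANY
            and ANY in r.services]


if __name__ == "__main__":
    scoped = [RULE_HTTP, RULE_ESV]
    plain_user = Connection("RemoteAccess", frozenset(), "Internal_Network", "SSH")
    esv_user = Connection("RemoteAccess", frozenset({"Endpoint Security VPN Access Role"}),
                          "Internal_Network", "SSH")
    print(evaluate(scoped, plain_user))   # dropped: SSH is not HTTP/HTTPS, no role
    print(evaluate(scoped, esv_user))     # accepted by the Access Role rule
    print(broad_rules([RULE_ALL] + scoped))
```

Running the script shows that, with only the two community-scoped rules installed, a RemoteAccess user on a service other than HTTP/HTTPS is dropped unless the connection comes from a client that matches the Endpoint Security VPN Access Role, and that traffic from a different community never matches either rule. `broad_rules` flags the first rule as the one that accepts everything regardless of community, which is the row to review first when narrowing remote access.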
As a best practice, use these gateway settings for most remote access clients. See the documentation for your client for more details.
These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.
To configure a gateway for remote access:
The Check Point Gateway window opens.
Note that some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions.
The ICA automatically creates a certificate for the Security Gateway.
The default is All IP Addresses behind Gateway are based on Topology information. You can change this if necessary for your environment.
Optional: To change the VPN domain:
The default is Allow Office Mode to all users.
By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server.
For more information about user groups and LDAP, see the R80.20 Security Management Administration Guide.
To add user groups to a Remote Access VPN Community:
Users must authenticate to the VPN gateway with a supported authentication method. You can configure authentication methods for the remote access gateway in:
If no authentication methods are defined for the gateway, users select an authentication method from the client.
On newer remote access clients that connect to R80.x gateways, users can see multiple login options and select the one that applies to them. On older clients, or clients that work with pre-R80.10 gateways, users see one configured authentication method.
See User and Client Authentication for Remote Access for details.
See the documentation for your remote access client for deployment instructions.
Make sure that users have: