
Getting Started with Remote Access

In This Section:

The Remote Access Workflow

Examples of VPN Access Rules for Remote Access

Basic Gateway Configuration

Including Users in the Remote Access Community

Configuring User Authentication

Deploying Remote Access Clients

The Remote Access Workflow

From SmartConsole:

Use the Gateways & Servers menu to configure the gateway and enable blades.

Step

Description

Step 1

Enable the IPsec VPN blade on the gateway and do the basic gateway configuration.

  1. Double-click the gateway. The Check Point Gateway window opens.
  2. In the Network Security tab at the bottom, select IPsec VPN to enable the blade.

Note - Some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions.

Step 2

Add the gateway to the Remote Access VPN Community.

  1. Go to Gateways & Servers and double-click the gateway.
  2. From the Check Point Gateway tree, click IPsec VPN on the left.
  3. In This Security Gateway participates in the following VPN Communities, make sure RemoteAccess is listed.
  4. If it is not listed, click Add, select the RemoteAccess community, and click OK.

    The ICA automatically creates a certificate for the Security Gateway.

  5. Set the VPN domain for the Remote Access community.
    1. From the Check Point Gateway tree, click Network Management.

      The default is All IP Addresses behind Gateway are based on Topology information.

    2. To change the VPN domain, click Set domain for Remote Access Community. Keep the domain as narrow as the remote users' needs allow; it defines which destinations the client sends through the tunnel.

Step 3

Configure Visitor Mode.

  1. From the Check Point Gateway tree, select VPN Clients > Remote Access.
  2. Select Support Visitor Mode. In Machine's Interface, keep All Interfaces selected.

    Optional - Select the Visitor Mode Service, which defines the protocol and port of client connections to the gateway.

Step 4

Configure Office Mode.

  1. From the Check Point Gateway tree, select VPN Clients > Office Mode. The default is Allow Office Mode to all users.

    Optional - Select Offer Office Mode to group and select a group.

  2. Select an Office Mode method. Click OK.

Step 5

Include users in the Remote Access VPN Community.

The Remote Access VPN Community includes a user group, All Users, by default. You can also add different user groups. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server. For more information about user groups and LDAP, see the R80.20 Security Management Administration Guide.

  1. In SmartConsole go to the Object Explorer > VPN Communities.
  2. Double-click the Remote Access Community object and click Edit.
  3. Click Participant User Groups.
  4. Add or remove groups. Click OK.

Step 6

Configure user authentication for the remote access gateway in one of these places:

  • Gateways & Servers > double-click the gateway > VPN Clients > Authentication
  • SmartDashboard > Mobile Access tab > Authentication
  • Gateway Properties > Mobile Access > Authentication

Note - If no authentication methods are defined for the gateway, users select an authentication method from the client.

See User and Client Authentication for Remote Access for details on login options and authentication methods.

Step 7

Configure VPN access rules to the LAN in the security policy.

To make a rule apply to a VPN Community, the VPN column of the Rule Base must contain one of these:

  • Any - The rule applies to all VPN Communities, including a VPN Community you configure after the rule was created. Note that Any in the VPN column also matches connections that are not VPN traffic at all, so a rule with Any in the VPN column is not restricted to remote access users.
  • One or more specified VPN communities - For example, RemoteAccess. Right-click in the VPN column of a rule and select Specific VPN Communities. The rule applies only to the communities shown in the VPN column.

Below are some examples of access rules in the Rule Base.

Step 8

If necessary, define the Desktop policy.

Step 9

Install policy on the gateway.

Step 10

Deploy the remote access client to users.

Make sure that users have:

  • The site name or URL.
  • The credentials or hardware required to authenticate.

Note - See the documentation for the remote access client for deployment instructions.

Examples of VPN Access Rules for Remote Access

Examples:

This rule allows traffic to the internal network on all services from any source over any VPN Community (and, because the VPN column is Any, from clear connections as well). Treat it as a starting point only and narrow the VPN column and services before you install policy in production:

Name                     Source   Destination       VPN   Services & Applications
Allow all remote access  Any      Internal_Network  Any   Any

This rule allows traffic from the RemoteAccess VPN Community to the internal network on HTTP and HTTPS only:

Name                          Source   Destination       VPN           Services & Applications
Allow RemoteAccess community  Any      Internal_Network  RemoteAccess  HTTP, HTTPS

This rule allows traffic from the RemoteAccess VPN Community to the internal network on all services, but only when the source matches the Endpoint Security VPN Access Role, that is, when the connection comes from an Endpoint Security VPN client:

Name                                  Source                             Destination       VPN           Services & Applications
Allow all from Endpoint Security VPN  Endpoint Security VPN Access Role  Internal_Network  RemoteAccess  Any

See Access Roles for Remote Access for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.
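The rules above can also be created and audited with the Check Point Management API (the R80.x web_api REST interface) instead of clicking through the Rule Base, which is useful when the same remote access policy must be reproduced on several management servers. The script below is an added example, not code from this page or from Check Point: it builds the add-access-rule bodies for the second and third example rules (pinned to the RemoteAccess community rather than VPN Any), inserts them, pulls the layer back with show-access-rulebase and flags any enabled Accept rule whose Source and VPN columns are both Any (the shape of the first example), then publishes and runs install-policy (Step 9). Enabling the IPsec VPN blade and adding the gateway to the community (Steps 1 and 2) are left to SmartConsole. Assumptions not found on the page: the Access Control layer is named "Network", the policy package is "Standard", the management URL, credentials, CA file and gateway name come from the CP_MGMT_URL, CP_USER, CP_PASSWORD, CP_CA_FILE and CP_GATEWAY environment variables, and the SAMPLE_RULEBASE data is constructed to mimic a show-access-rulebase reply.

```python
"""Create and audit Remote Access rules through the Check Point Management API.
Added example, not code from the page or from Check Point. Assumed names:
layer "Network", policy package "Standard"; object names Internal_Network,
RemoteAccess and "Endpoint Security VPN Access Role" as in the page's tables."""
import json
import os
import ssl
import urllib.request

LAYER = "Network"            # assumption: name of the Access Control layer
POLICY_PACKAGE = "Standard"  # assumption: name of the policy package


def build_remote_access_rules(layer=LAYER, internal_net="Internal_Network",
                              access_role="Endpoint Security VPN Access Role"):
    """add-access-rule request bodies, top-most rule first.

    Both rules are pinned to the RemoteAccess community: VPN=Any (the page's
    first example) would also match clear, non-VPN connections."""
    common = {"layer": layer, "position": "top", "action": "Accept",
              "track": {"type": "Log"}}
    specific = [
        {"name": "Allow all from Endpoint Security VPN",
         "source": access_role, "destination": internal_net,
         "vpn": "RemoteAccess", "service": "Any"},
        {"name": "Allow RemoteAccess community",
         "source": "Any", "destination": internal_net,
         "vpn": "RemoteAccess", "service": ["http", "https"]},
    ]
    return [{**common, **rule} for rule in specific]


def _names(field):
    """Object references in a show-access-rulebase reply are dicts with a
    "name" key (a list of them for multi-valued columns, one dict for action)."""
    if isinstance(field, str):
        return [field]
    if isinstance(field, dict):
        return [field.get("name", "")]
    return [o.get("name", "") if isinstance(o, dict) else str(o) for o in field]


def _walk_rules(items):
    """Yield access-rule entries, descending into access-section groups."""
    for item in items:
        if item.get("type") == "access-section":
            yield from _walk_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def find_overbroad_rules(rulebase):
    """Names of enabled Accept rules with Source=Any and VPN=Any."""
    flagged = []
    for rule in _walk_rules(rulebase.get("rulebase", [])):
        if not rule.get("enabled", True) or "Accept" not in _names(rule.get("action", [])):
            continue
        if "Any" in _names(rule.get("vpn", [])) and "Any" in _names(rule.get("source", [])):
            flagged.append(rule.get("name", rule.get("uid", "?")))
    return flagged


# Constructed sample in the shape of a show-access-rulebase reply (not real output).
SAMPLE_RULEBASE = {"rulebase": [
    {"type": "access-rule", "name": "Allow all remote access", "enabled": True,
     "source": [{"name": "Any"}], "destination": [{"name": "Internal_Network"}],
     "vpn": [{"name": "Any"}], "service": [{"name": "Any"}], "action": {"name": "Accept"}},
    {"type": "access-section", "name": "Remote access", "rulebase": [
        {"type": "access-rule", "name": "Allow RemoteAccess community", "enabled": True,
         "source": [{"name": "Any"}], "destination": [{"name": "Internal_Network"}],
         "vpn": [{"name": "RemoteAccess"}], "service": [{"name": "http"}, {"name": "https"}],
         "action": {"name": "Accept"}}]},
    {"type": "access-rule", "name": "Cleanup rule", "enabled": True,
     "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
     "vpn": [{"name": "Any"}], "service": [{"name": "Any"}], "action": {"name": "Drop"}},
]}


def api_call(base_url, command, body, sid=None, cafile=None):
    """POST one web_api command and return the decoded JSON reply. TLS
    verification stays on; point cafile at the CA of the management server."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"{base_url}/web_api/{command}",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.loads(resp.read())


def main():
    base = os.environ.get("CP_MGMT_URL")  # e.g. https://mgmt.example.test (assumed)
    if not base:  # offline: only audit the constructed sample
        print("over-broad accept rules in sample:", find_overbroad_rules(SAMPLE_RULEBASE))
        return
    cafile = os.environ.get("CP_CA_FILE")
    sid = api_call(base, "login", {"user": os.environ["CP_USER"],
                                   "password": os.environ["CP_PASSWORD"]}, cafile=cafile)["sid"]
    try:
        for body in reversed(build_remote_access_rules()):  # position "top": insert bottom-up
            api_call(base, "add-access-rule", body, sid, cafile)
        rulebase = api_call(base, "show-access-rulebase",
                            {"name": LAYER, "details-level": "standard",
                             "use-object-dictionary": False, "limit": 500}, sid, cafile)
        print("over-broad accept rules:", find_overbroad_rules(rulebase))
        api_call(base, "publish", {}, sid, cafile)
        api_call(base, "install-policy", {"policy-package": POLICY_PACKAGE, "access": True,
                                          "targets": [os.environ["CP_GATEWAY"]]}, sid, cafile)
    finally:
        api_call(base, "logout", {}, sid, cafile)


if __name__ == "__main__":
    main()
```

Run without CP_MGMT_URL to see the audit flag the VPN=Any rule in the sample; with the environment set it logs in, inserts the two rules at the top of the layer, audits the live layer, publishes and installs. The rules are inserted in reverse because each add-access-rule with position "top" lands above the previous one; inserting at "bottom" would put them below the Cleanup rule, where they never match.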

Basic Gateway Configuration

As a best practice, use these gateway settings for most remote access clients. See the documentation for your client for more details.

These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.

To configure a gateway for remote access:

  1. In SmartConsole, right click the gateway and select Edit.

    The Check Point Gateway window opens.

  2. In the Network Security tab, select IPsec VPN to enable the blade.

    Note that some clients also require the Mobile Access blade. See the Required Licenses for your client in Check Point Remote Access Solutions.

  3. Add the gateway to the Remote Access VPN Community:
    1. From the Check Point Gateway tree, click IPsec VPN.
    2. In This Security Gateway participates in the following VPN Communities, make sure RemoteAccess is listed. If it is not, click Add.
    3. Select the RemoteAccess community.
    4. Click OK.

      The ICA automatically creates a certificate for the Security Gateway.

  4. Set the VPN domain for the Remote Access community.

    The default is All IP Addresses behind Gateway are based on Topology information. You can change this if necessary for your environment, for example to limit the domain to the subnets remote users actually need.

    Optional: To change the VPN domain:

    1. From the Check Point Gateway tree, click Network Management.
    2. In VPN Domain, click Set domain for Remote Access Community.
  5. Configure Visitor Mode.
    1. From the Check Point Gateway tree, select VPN Clients > Remote Access.
    2. Select Support Visitor Mode and keep All Interfaces selected.
    3. Optional: Select the Visitor Mode Service, which defines the protocol and port of client connections to the gateway.
  6. Configure Office Mode.
    1. From the Check Point Gateway tree, select VPN Clients > Office Mode.

      The default is Allow Office Mode to all users.

    2. Optional: Select Offer Office Mode to group and select a group.
    3. Select an Office Mode method. See Office Mode for details.
  7. Click OK.

Including Users in the Remote Access Community

By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server.

For more information about user groups and LDAP, see the R80.20 Security Management Administration Guide.

To add user groups to a Remote Access VPN Community:

  1. In SmartConsole > Access Tools, select VPN Communities.
  2. Right-click the Remote Access Community object and click Edit.
  3. Click Participant User Groups.
  4. Add or remove groups.
  5. Click OK.

Configuring User Authentication

Users must authenticate to the VPN gateway with a supported authentication method. You can configure authentication methods for the remote access gateway in the gateway object, under VPN Clients > Authentication, or under Mobile Access > Authentication (also reachable from the SmartDashboard Mobile Access tab).

If no authentication methods are defined for the gateway, users select an authentication method from the client.

On newer remote access clients that connect to R80.x gateways, users can see multiple login options and select the one that applies to them. On older clients, or clients that work with pre-R80.10 gateways, users see one configured authentication method.

See User and Client Authentication for Remote Access for details.

Deploying Remote Access Clients

See the documentation for your remote access client for deployment instructions.

Make sure that users have:

  • The site name or URL.
  • The credentials or hardware required to authenticate.