
Remote Access Solutions for Different Deployments

In This Section:

Configuring Desktop Security - Server Side

Configuring Office Mode and L2TP Support

Configuring the CA to Issue Certificates (L2TP)

Configuring SCV - Server Side

Configuring Client to Client Routing

Multiple External Interfaces

Configuring Directional VPN with Remote Access Communities

Authentication Timeout Interval

Configuring the SecuRemote DNS Server

Proxy Replacement for the Security Gateway

Configuring Desktop Security - Server Side

To enable the gateway to be a Policy Server for Desktop Security:

  1. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. In the Network Security section, select IPsec VPN and Policy Server.
  3. Click OK and publish the changes.

To activate the Desktop Security policy:

  1. Click Security Policies and open the Manage Policies window (CTRL + T).
  2. Click the All icon.
  3. Select the policy that you want to edit and click Edit.

    The policy window opens.

  4. Select Desktop Security.
  5. Click OK and publish the changes.

To configure the Desktop Policy rules:

  1. Click Security Policies and from the navigation tree click Access Control > Desktop.
  2. Click Open Desktop Policy in SmartDashboard.

    SmartDashboard opens and shows the Desktop tab.

  3. Configure the inbound rules. Use the Rules > Add Rule menu item to add rules to the policy.

    In inbound rules, the SecureClient (the desktop) is the destination, and you can specify the users to which the rule is to be applied.

  4. Configure the outbound rules.

    In outbound rules, the SecureClient (the desktop) is the source, and you can specify the users to which the rule is to be applied.

  5. Click Save and close SmartDashboard.
  6. Publish the changes and install the policy.

    Make sure that you install the Advanced Security policy on the Security Gateways and the Desktop Security policy on your Policy Servers.

Configuring Office Mode and L2TP Support

To configure L2TP support:

  1. Configure Office Mode.
  2. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  3. From the navigation tree, click VPN Clients > Remote Access.
  4. Select Support L2TP.
  5. Select the Authentication Method for the users:
    • To use certificates, choose Smart Card or other Certificates (encryption enabled).
    • To use a username and a shared secret (password), choose MD5-challenge.
  6. For Use this certificate, select the certificate that the Security Gateway presents in order to authenticate itself to users.
  7. Click OK and publish the changes.

Configuring the CA to Issue Certificates (L2TP)

To configure the CA with the ICA Management Tool:

  1. Run the ICA Management Tool.
  2. Before you issue Security Gateway certificates, set the property IKE Certificate Extended Key Usage to the value 1, so that the certificates carry the "server authentication" purpose.
  3. Before you issue user certificates, set the property IKE Certificate Extended Key Usage to the value 2, so that the certificates carry the "client authentication" purpose.

    If you are using an OPSEC certified CA to issue certificates, use the dbedit command line tool or GuiDBedit (the graphical Database Tool) to change the value of the global property cert_req_ext_key_usage to 1. This causes the Security Management Server to request certificates that carry purposes (an Extended Key Usage extension).

To configure the CA with R80 SmartConsole:

  1. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click IPsec VPN.
  3. In the Repository of Certificates Available to the Gateway section, click Add.

    The Certificate Properties window opens.

  4. Configure the settings for the certificate and click OK.
  5. Select the certificate and click View.
  6. Make sure that the Extended Key Usage extension appears in the certificate, and that it carries the "server authentication" purpose for a Security Gateway certificate. A certificate without this purpose is rejected by L2TP clients that check it.
  7. From the navigation tree, click VPN Clients > Remote Access.
  8. In the L2TP Support section, select the new certificate.
  9. Click OK and publish the changes.

Configuring SCV - Server Side

To configure SCV settings in Global Properties:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Remote Access > Secure Configuration Verification (SCV).
  3. Configure the settings:
    • Apply Secure Configurations on Simplified Mode - Specifies if SCV is applied to all remote access rules in the simplified policy mode.
    • Upon Verification failure - Specifies the action that is performed when the client fails one or more SCV checks. The options are to Block the client's connection or to Accept it and send a log about the event.
    • Basic configuration verification on client's machine - Specifies whether SecureClient performs SCV checks to determine if the policy is installed on all network interface cards on the client's desktop, and if only TCP/IP protocols are installed on these interfaces.
    • Configurations Violation Notification on client's machine - Specifies if a log record is saved on the Security Management Server machine indicating that a remote user is not verified by SCV (a general indication, without identifying which SCV check the user's desktop failed).
  4. Click OK and publish the changes.

Configuring Client to Client Routing

R80 SmartConsole includes a default object for Office Mode IP addresses, CP_default_Office_Mode_addresses_pool. You can use the default object, or create a new one for your network.

To create a new Office Mode IP address object:

  1. In R80 SmartConsole, click Objects > Object Explorer (Ctrl+E).
  2. Click New > Network.
  3. Enter the Name, IP address and Net mask.
  4. Click OK and publish the changes.

To configure VPN routing for remote access clients with the VPN domain:

  1. Click New > Network Group to create a network group.
  2. Add these to the group:
    • VPN domain
    • Office Mode range
    • Encryption domain settings
  3. Click OK and publish the changes.
  4. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  5. From the navigation tree, click Network Management > VPN Domain.
  6. Click Manually defined.
  7. Select the new network group.
  8. Click OK and publish the changes.

    The remote clients must connect to the site and perform a site update before they can communicate with each other.

Multiple External Interfaces

To use multiple external interfaces with Remote Access clients:

  1. Open R80 SmartConsole.
  2. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  3. From the navigation tree, click VPN Clients > Office Mode.
  4. In the Multiple Interfaces section, select Support connectivity enhancement for gateways with multiple external interfaces.
  5. Click OK.
  6. Install policy on the gateway.

Configuring Directional VPN with Remote Access Communities

To configure Directional VPN with Remote Access communities:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click VPN > Advanced.
  3. Click Enable VPN Directional Match in VPN Column.
  4. Click OK and publish the changes.
  5. Go to Security Policies > Access Control Policy.
  6. Right-click the VPN cell for the rule, and select Directional Match Condition.

    The New Directional Match Condition window opens.

  7. Configure the directional VPN:
    • From Traffic reaching from, select the source of the connection
    • From Traffic leaving to, select the connection's destination
  8. Click OK and publish the changes.
  9. Install the policy.

Authentication Timeout Interval

For Connect Mode, the countdown to the timeout begins from the time that the Client is connected.

To specify the length of time between re-authentications:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Remote Access.
  3. In the Authentication Timeout section, configure the setting:
    • Use default value
    • In Validation timeout every, enter the number of minutes between re-authentications
  4. Click OK and publish the changes.

Configuring the SecuRemote DNS Server

The SecuRemote DNS Server resolves names in the domains that you add to its Domains tab, according to the matching rule configured for each domain. All other names are resolved by the SecuRemote client's default DNS server.

To configure the object for the SecuRemote DNS Server:

  1. In R80 SmartConsole, click Open Object Explorer (Ctrl+E).
  2. Click New > Server > More > SecuRemote DNS.

    The SecuRemote DNS Properties window opens.

  3. In the General tab, configure these settings:
    • Name of the SecuRemote DNS Server
    • Select the Host object for this server
  4. In the Domains tab, click Add.
  5. In Domain Suffix, enter the domain suffix of the internal names that the SecuRemote DNS Server resolves. For example, checkpoint.com
  6. Configure the settings for the Domain Match Case.
    • Select Match only *.suffix to specify that the maximum number of labels resolved is 1.

      For example, if Domain Suffix is checkpoint.com and Match only *.suffix is selected, then the SecuRemote DNS Server resolves www.checkpoint.com and sample.checkpoint.com. It does not resolve www.internal.checkpoint.com

    • Select Match up to...labels preceding the suffix to increase the number of labels to be matched.

      For example, if Domain Suffix is checkpoint.com and Match up to...labels preceding the suffix is selected and set to 3, then the SecuRemote DNS Server resolves www.checkpoint.com and www.internal.checkpoint.com. It does not resolve www.internal.inside.checkpoint.com

  7. Click OK and close the SecuRemote DNS Properties window.
  8. Publish the changes.
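The Domain Suffix and Domain Match Case settings above define a split-DNS rule: a name goes to the SecuRemote DNS Server only if it sits under the suffix and has no more than the configured number of labels in front of it. The following is an added example (not Check Point code, and not part of this guide) that implements that selection rule so you can check a list of names against a planned Domains tab before publishing. It assumes Match only *.suffix is the one-label case of Match up to...labels preceding the suffix, that the bare suffix itself (zero labels) is not matched, and that the limit counts only the labels in front of the suffix; with that reading, a limit of 2 is what separates www.internal.checkpoint.com from www.internal.inside.checkpoint.com, so confirm the count against the product's own behaviour before relying on it. Names and limits below are constructed for the example.

```python
"""Split-DNS selection for a SecuRemote DNS Server Domains tab.
Added example, not Check Point code. Assumption: 'Match up to N labels preceding
the suffix' means at most N labels in front of the suffix, and 'Match only
*.suffix' is N = 1."""


def _labels(name: str) -> list:
    """Normalise a DNS name: case-insensitive, optional trailing dot."""
    return name.rstrip(".").lower().split(".")


def labels_preceding_suffix(name: str, suffix: str):
    """Number of labels in front of `suffix`, or None if `name` is not under it.

    The comparison is per label, so evilcheckpoint.com does not match
    checkpoint.com. A plain endswith() check would, and would hand an
    attacker-chosen name to the internal resolver."""
    n, s = _labels(name), _labels(suffix)
    if len(n) <= len(s) or n[-len(s):] != s:   # bare suffix (0 labels) is not *.suffix
        return None
    return len(n) - len(s)


def uses_securemote_dns(name: str, suffix: str, max_labels: int = 1) -> bool:
    """True if the name is resolved by the SecuRemote DNS Server for this domain entry.
    max_labels=1 is 'Match only *.suffix'; larger values are 'Match up to N labels'."""
    k = labels_preceding_suffix(name, suffix)
    return k is not None and k <= max_labels


def resolver_for(name: str, domains) -> str:
    """Pick the resolver for one query.

    `domains` is a list of (suffix, max_labels) pairs, one per Domains tab entry.
    Returns 'securemote' for the SecuRemote DNS Server, 'default' for the client's
    normal DNS server (the fall-through case in the text)."""
    for suffix, max_labels in domains:
        if uses_securemote_dns(name, suffix, max_labels):
            return "securemote"
    return "default"


def plan_report(names, domains) -> dict:
    """Map each candidate name to the resolver it would get; handy before publishing."""
    return {q: resolver_for(q, domains) for q in names}


if __name__ == "__main__":
    # Constructed sample: the page's checkpoint.com entry with Match only *.suffix.
    domains = [("checkpoint.com", 1)]
    candidates = [
        "www.checkpoint.com",
        "sample.checkpoint.com",
        "www.internal.checkpoint.com",    # too deep for one label
        "evilcheckpoint.com",             # shares a string suffix, not a label boundary
        "checkpoint.com",                 # bare suffix, not *.suffix
        "WWW.CheckPoint.COM.",            # case and trailing dot are normalised
    ]
    for q, r in plan_report(candidates, domains).items():
        print(f"{q:40} -> {r}")
```

The label-boundary check in labels_preceding_suffix is the part worth keeping in any home-grown split-DNS logic: matching on a raw string suffix lets an external name such as evilcheckpoint.com be sent to the internal server.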

Proxy Replacement for the Security Gateway

To configure proxy replacement for Visitor Mode on the Security Gateway:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Advanced.
  3. In the Advanced Configuration page, click Configure.

    The Advanced Configuration window opens.

  4. From the navigation tree, click VPN Advanced Properties > Remote Access VPN.
  5. Select one of these options:
    • ie_proxy_replacement - When selected, Windows proxy replacement is always performed, even if Visitor Mode is not enabled
    • ie_proxy_replacement_limit_to_tcpt - When selected, proxy replacement is performed only when Visitor Mode is enabled