Getting Started with Remote Access

Overview of the Remote Access Workflow

This is an overview of the workflow to give your employees remote access to your VPN Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

  1. Enable the IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on the Security Gateway and do basic Security Gateway configuration (see Basic Security Gateway Configuration).

  2. Add the Security Gateway to the Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Community (see Basic Security Gateway Configuration).

  3. Include users in the Remote Access VPN CommunityClosed A named collection of VPN domains, each protected by a VPN gateway. (see Including Users in the Remote Access Community).

  4. Configure user authentication (see Configuring User Authentication).

  5. Configure VPN access rules in the security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. (see Configuring VPN Access Rules for Remote Access).

  6. If necessary, define the Desktop Policy (see Desktop Security).

  7. Install policy on the Security Gateway.

  8. Deploy the remote access client to users (see Deploying Remote Access Clients).

Basic Security Gateway Configuration

As a best practice, use these Security Gateway settings for most remote access clients. See the documentation for your client for more details.

These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.

To configure a Security Gateway for remote access:

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., right click the Security Gateway (ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.) object and select Edit.

  2. In the Network Security tab, select IPsec VPN to enable the Software Blade.

    Note that some clients also require the Mobile Access Software Blade.

    See the section "Required Licenses" in Check Point Remote Access Solutions.

  3. Add the Security Gateway to the Remote Access VPN Community:

    1. From the Check Point Gateway tree, click IPsec VPN.

    2. In This Security Gateway participates in the following VPN Communities, make sure the Security Gateway shows or click Add to add the Security Gateway.

    3. Click the RemoteAccess community.

    4. Click OK.

      The ICAClosed Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication. automatically creates a certificate for the Security Gateway.

  4. Set the VPN Domain for the Remote Access community.

    The default is All IP Addresses behind Gateway are based on Topology information. To configure a VPN domain manually, see Advanced VPN Domain Configuration

  5. Configure Visitor Mode.

    1. Select IPsec VPN > VPN Clients > Remote Access.

    2. Select Support Visitor Mode and keep All Interfaces selected.

    3. Optional: Select the Visitor Mode Service, which defines the protocol and port of client connections to the Security Gateway.

  6. Configure Office Mode.

    1. From the Check Point Gateway tree, select VPN Clients > Office Mode.

      The default is Allow Office Mode to all users.

    2. Optional: Select Offer Office Mode to group and select a group.

    3. Select an Office Mode method (see Office Mode).

  7. Click OK.

  8. Install the Access Control Policy.

Including Users in the Remote Access Community

By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

For more information about user groups and LDAP, see the R81.20 Security Management Administration Guide.

To add user groups to a Remote Access VPN Community in SmartConsole:

  1. From the left navigation panel, click Security Policies.

  2. In the top section, click Access Control.

  3. In the bottom section Access Tools, click VPN Communities.

  4. Right-click the Remote Access Community object and click Edit.

  5. Click Participant User Groups.

  6. Add or remove groups.

  7. Click OK.

Configuring User Authentication

Users must authenticate to the VPN Security Gateway with a supported authentication method. You can configure authentication methods for the remote access Security Gateway in:

If no authentication methods are defined for the Security Gateway, users select an authentication method from the client.

On newer remote access clients that connect to R80.x gateways, users can see multiple login options and select one that applies to them. On older clients or clients that work with pre-R80.10 gateways, users see one configured authentication method.

For details, see User and Client Authentication for Remote Access.

Configuring VPN Access Rules for Remote Access

You must configure rules to allow users in the Remote Access VPN Community to access the LAN. You can limit the access to specified services or specified clients. Configure rules in SmartConsole > Security Policies > Access Control.

To make a ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. apply to a VPN Community, the VPN column of the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. must contain one of these:

  • Any - The rules applies to all VPN Communities. If you configure a new VPN Community after the rule was created, the rule also applies to the new VPN Community.

  • One or more specified VPN communities - For example, RemoteAccess. Right-click in the VPN column of a rule and select Specific VPN Communities. The rule applies to the communities shown in the VPN column.

Examples:

  • This rule allows traffic from all VPN Communities to the internal network on all services:

    Name

    Source

    Destination

    VPN

    Services & Applications

    Allow all remote access

    * Any

    Internal_Network

    * Any

    * Any

  • This rule allows traffic from RemoteAcccess VPN Community to the internal network on HTTP and HTTPS.

    Name

    Source

    Destination

    VPN

    Services & Applications

    Allow RemoteAccess community

    * Any

    Internal_Network

    RemoteAccess

    HTTP
    HTTPS

  • This rule allows traffic from RemoteAcccess VPN Community to the internal network on all services when the traffic starts from the Endpoint Security VPN client.

    Name

    Source

    Destination

    VPN

    Services & Applications

    Allow all from Endpoint Security VPN

    Endpoint Security VPN Access Role

    Internal_Network

    RemoteAccess

    * Any

    See Configuring Policy for Remote Access VPN for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.

Deploying Remote Access Clients

See the documentation for your remote access client for deployment instructions.

Make sure that users have:

  • The site name or URL.

  • The credentials or hardware required to authenticate.

Advanced VPN Domain Configuration

If a Security Gateway participates in more than one VPN Community, you can configure a different VPN Domain for the Security Gateway for each VPN Community in which it participates. In SmartConsole, you can configure a specific VPN Domain for a Security Gateway in the Security Gateway object or in the VPN Community object.

Important - This feature requires Security Gateway versions R80.40 and higher.

To configure a specific VPN Domain in the Security Gateway Object:

  1. Open the Network Management > VPN Domain page.

  2. In the line Set Specific Domain for Gateway Communities, click Set.

  3. Select the VPN Community for which it is necessary to override the VPN Domain and click Set.

  4. Select the applicable option:

    • According to the gateway

      This configuration option use the VPN Domain that is configured in the Network Management folder > VPN Domain page > VPN Domain section.

    • User defined

      Select the applicable Network or Group object (or create a new object).

      This configuration option overrides:

      • The VPN Domain that is configured in the Security Gateway object > Network Management folder > VPN Domain page > VPN Domain section.

      • The VPN Domain that is configured in the Meshed / Star VPN Community object > Gateways page.

      • The VPN Domain that is configured in the Remote Access VPN Community object > Participating Gateways page.

  5. Click OK to close the Set Specific VPN Domain for Gateway Communities window.

  6. Click OK to close the Communities Specific VPN Domain window.

To configure a specific VPN Domain in the VPN Community Object:

  1. In the Objects pane, click VPN Communities.

  2. Click the applicable VPN Community.

    The VPN Community configuration window opens.

  3. In the Gateways pane, double-click the relevant Security Gateway object (or create a new object).

    The VPN Domain configuration window opens.

  4. Select the applicable option:

    • According to the gateway

      This configuration option use the VPN Domain that is configured in the Network Management folder > VPN Domain page > VPN Domain section.

    • User defined

      Select the applicable Network or Group object (or create a new object).

      This configuration option overrides:

      • The VPN Domain that is configured in the Security Gateway object > Network Management folder > VPN Domain page > VPN Domain section.

      • The VPN Domain that is configured in the Meshed / Star VPN Community object > Gateways page.

      • The VPN Domain that is configured in the Remote Access VPN Community object > Participating Gateways page.

  5. Click OK to close the VPN Domain configuration window.

  6. Click OK to close the VPN Community configuration window.