Distributed Enterprise with Branch Offices

Security Challenge

In a distributed enterprise, malware and viruses can spread from remote branch offices over the VPN links into the corporate internal networks.

In addition, you must give users at the remote branch offices authorized access to the Data Center and to the Internet, and only to what their identity entitles them to.

Configuration Scenario


Best Practice - We recommend that you configure a Security Gateway at each remote branch office and, at headquarters, one Security Gateway in front of the Data Center and one at the perimeter.

  • At remote branch offices, you can configure a low-capacity Security Gateway because of the relatively low number of users.

    Configure the remote branch Security Gateway in IP Routing Mode and establish a VPN link to the corporate Security Gateway. The remote branch Security Gateway then works as the branch's perimeter Firewall and VPN gateway.


    Best Practice - At the corporate headquarters, we recommend that you configure a Data Center Security Gateway to protect access to Data Center resources and applications, and a separate perimeter Security Gateway. You can install the Data Center Security Gateway in Bridge Mode (the gateway works as a Layer 2 bridge in the existing topology) so that you do not need to change the current network.

  • The branch office Security Gateway identifies users from the branch office, learns their identities, and then connects to the corporate network over the VPN.

  • The branch office Security Gateway shares these user identities with the headquarters' Data Center and perimeter Security Gateways. When a user from a branch office attempts to connect to the Data Center, the Data Center Security Gateway at headquarters already knows the user's identity and does not require additional authentication.

    Item   Description
    1      Internal network resources - branch office
    2      Branch Identity Awareness Gateway (user IDs go to the corporate gateways)
    3      LDAP server (for example, Active Directory)
    4      Internet
    5      Perimeter corporate Identity Awareness Gateway
    6      Identity Awareness Gateway that protects the Data Center
    7      Corporate Data Center
    8      Internal network resources - corporate office

Configuration

  1. Select a Security Gateway model for each remote branch office in accordance with the performance guidelines.

  2. Configure the Security Gateway at each branch office in Routing Mode. Configure a site-to-site VPN to headquarters if necessary.

  3. Configure a Security Gateway inline at the Data Center. We recommend Bridge Mode.

  4. Configure a Security Gateway in Routing Mode at the perimeter to protect the internal network. This perimeter Security Gateway can also serve as the VPN Security Gateway for the branch offices.


    Best Practice

    • If you have Active Directory domain controllers replicated to your branch offices, make sure that the local Security Gateway can connect to the local domain controller.

    • If you do not have a local domain controller, make sure that the branch Security Gateway can reach the headquarters' internal domain controller over the VPN. Identity acquisition from Active Directory depends on this connectivity, so the VPN must be up before users can be identified.

  5. Enable Identity Awareness on each Security Gateway and select the appropriate identity acquisition methods.

  6. Create Access Roles and apply them in the Security Policy on the branch office, perimeter, and Data Center Security Gateways. An Access Role object defines network access by networks, users and user groups, computers and computer groups, and Remote Access clients; after you enable the Identity Awareness Software Blade, you can use Access Role objects in the Source and Destination columns of Access Control Policy rules.

  7. Share identities from the branch office Security Gateways with the headquarters perimeter and Data Center Security Gateways:

    1. In the Security Gateway object, go to the Identity Awareness tab.

    2. Select Get identities from other gateways and Share local identities with other gateways. At minimum, the branch office Security Gateways must share identities and the perimeter and Data Center Security Gateways must get them.
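Steps 6 and 7 above, expressed as Check Point Management API calls (POST to https://<mgmt>/web_api/<command> with the session id in the X-chkp-sid header). This is an added example and not code from the Check Point guide or product. The gateway, network, user group and policy package names are hypothetical, and the identity-sharing field names under identity-awareness-settings are the author's reading of the set-simple-gateway schema; check them against the API reference of your management version before running.

```python
"""Added example (not Check Point's code): the branch/HQ Identity Awareness
change set as Management API calls.
Assumed, hypothetical object names; replace with your own SmartConsole objects:
  gateways  gw-branch-01, gw-hq-perimeter, gw-hq-datacenter
  networks  net-branch-01, net-hq-datacenter
  AD group  BranchUsers (user group object from the LDAP account unit)
  policies  Branch, HQ-Perimeter, HQ-DataCenter (Access Control layer "<name> Network")
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Tuple

Call = Tuple[str, Dict[str, Any]]          # (API command, JSON request body)

BRANCH_GW, PERIM_GW, DC_GW = "gw-branch-01", "gw-hq-perimeter", "gw-hq-datacenter"
BRANCH_NET, DC_NET = "net-branch-01", "net-hq-datacenter"
ROLE = "role-branch-users"

def access_role(name: str, networks: List[str], users: List[str]) -> Call:
    """Step 6: an Access Role matches the source network AND the identity, so a
    packet from the branch subnet with no learned identity does not match."""
    return ("add-access-role", {"name": name, "networks": networks, "users": users,
                                "machines": "any", "remote-access-clients": "any"})

def access_rule(layer: str, name: str, source: List[str], destination: List[str],
                action: str = "Accept") -> Call:
    """A logged rule at the top of the given Access Control layer."""
    return ("add-access-rule", {"layer": layer, "position": "top", "name": name,
                                "source": source, "destination": destination,
                                "service": "any", "action": action,
                                "track": {"type": "Log"}})

def identity_sharing(gateway: str, share: bool, receive_from: List[str]) -> Call:
    """Step 7: 'Share local identities' on the branch gateway, 'Get identities
    from other gateways' on the headquarters gateways (field names: assumption)."""
    settings = {"share-with-other-gateways": share,
                "receive-from-other-gateways": bool(receive_from),
                "receive-from": receive_from}
    return ("set-simple-gateway", {"name": gateway, "identity-awareness-settings":
                                   {"identity-sharing-settings": settings}})

def build_plan() -> List[Call]:
    """The full change set, in the order the API needs it (role before rules,
    publish before install)."""
    return [
        access_role(ROLE, [BRANCH_NET], ["BranchUsers"]),
        access_rule("Branch Network", "Branch users to Data Center", [ROLE], [DC_NET]),
        access_rule("HQ-Perimeter Network", "Branch users to Internet", [ROLE], ["Internet"]),
        access_rule("HQ-DataCenter Network", "Branch users to Data Center", [ROLE], [DC_NET]),
        identity_sharing(BRANCH_GW, share=True, receive_from=[]),
        identity_sharing(PERIM_GW, share=False, receive_from=[BRANCH_GW]),
        identity_sharing(DC_GW, share=False, receive_from=[BRANCH_GW]),
        ("publish", {}),
        ("install-policy", {"policy-package": "Branch", "targets": [BRANCH_GW]}),
        ("install-policy", {"policy-package": "HQ-Perimeter", "targets": [PERIM_GW]}),
        ("install-policy", {"policy-package": "HQ-DataCenter", "targets": [DC_GW]}),
    ]

def check_plan(plan: List[Call]) -> List[str]:
    """Sanity check before publishing: a rule whose source is a plain network
    (not an Access Role created earlier in the plan) matches on IP alone and
    would let unidentified branch hosts through. Returns the offending rules."""
    roles, problems = set(), []
    for cmd, body in plan:
        if cmd == "add-access-role":
            roles.add(body["name"])
        elif cmd == "add-access-rule":
            bad = [s for s in body["source"] if s not in roles]
            if bad:
                problems.append(f'{body["layer"]}: "{body["name"]}" source {bad} is not an Access Role')
    return problems

def run(server: str, user: str, password: str, plan: List[Call]) -> None:
    """Send the plan to a management server. TLS is verified, so the management
    server's certificate (or its CA) must be trusted by this host."""
    ctx = ssl.create_default_context()

    def post(cmd: str, body: Dict[str, Any], sid: str = "") -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"https://{server}/web_api/{cmd}",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    sid = post("login", {"user": user, "password": password})["sid"]
    try:
        for cmd, body in plan:
            post(cmd, body, sid)
    finally:
        post("logout", {}, sid)

if __name__ == "__main__":
    for line in check_plan(build_plan()) or ["plan OK: every rule keys on an Access Role"]:
        print(line)
```

Run check_plan() on the plan before run(): it catches the common mistake of writing the headquarters rules against the branch subnet instead of the Access Role, which would make the shared identities irrelevant. install-policy returns an asynchronous task; poll show-task if you need to confirm that installation finished.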


Best Practice

We recommend these configurations: