Configuring Policy for Remote Access VPN
Configuring Remote Access Policy
Configure the policy for Remote Access VPN (an encrypted tunnel between remote access clients, such as Endpoint Security VPN, and a Security Gateway) in the Unified Access Control Policy Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).
Make sure that:
- All Remote Access Gateways are part of a Remote Access VPN Community (a named collection of VPN domains, each protected by a VPN gateway).
- The Remote Access Community is included in the VPN column of the rule.
For Security Gateways R80.10 and higher, you can include Remote Access and VPN clients in rules as the Source of the rule. To do this, create an Access Role for each client.
Creating and Configuring the Security Gateway
- Create a Security Gateway network object (a Security Gateway is a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources).
- On the General Properties page, select VPN.
- Initialize a secure communication channel between the VPN module and the Security Management Server (the dedicated Check Point server that manages the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) by clicking Communication.
- On the Topology page, define the interfaces and the VPN domain.
The ICA (Internal Certificate Authority, a component on the Check Point Management Server that issues certificates for authentication) automatically creates a certificate for the Security Gateway.
Defining a Remote Access Community
To define the VPN Remote Access community and its participants:
- From the Objects Bar, click VPN Communities.
- Double-click RemoteAccess.
  The Remote Access window opens.
- On the Participating Gateways page, click the Add button and select the Security Gateways that are in the Remote Access Community.
- On the Participating User Groups page, click the Add button and select the group that contains the Remote Access users.
- Click OK.
- Publish the changes.
Defining Access Control Rules
Access control is a layer of security that is separate from VPN. Membership in a Remote Access Community does not by itself give members free, automatic access to the network. Security rules that block or allow specific services have to be created in the Access Control Policy Rule Base.
Create a rule in the Access Control Rule Base that handles remote access connections:
- Go to Security Policies and right-click the cell in the VPN column.
- Select Specific VPN Communities.
- Choose the community and click the add button (+).
- Close the VPN community window.
- Define the Services & Applications and Action columns.
- Install the policy.
Example:
To allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:

Source | Destination | VPN | Service | Action | Track
---|---|---|---|---|---
Any | SMTP_SRV | Remote_Access_ | SMTP | Accept | Log
Access Roles for Remote Access
For Security Gateways R80.10 and higher, create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base. This applies to Mobile Access (the Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients; acronym: MAB) and IPsec clients. When an Access Role for a client is in the Source column of a rule, the rule applies to traffic that originates from that client.
You can also use an Access Role in the Destination column.
You must enable Identity Awareness (the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) on each Security Gateway that is an installation target for rules with Access Roles.
Creating Access Roles for Remote Access and VPN Clients
To create an Access Role for a new Remote Access or VPN client:
- Open a New Access Role window in one of these ways:
  - In the object tree, click New > More > User > Access Role.
  - From the Source column of the Access Control policy Rule Base: Click > click > select Access Role.
- Enter a Name for the access role.
- Optional: Enter a Comment or click the down arrow to select a Color for the object.
- From the left pane, select Remote Access Clients.
- Expand the Specific Client list and click New > Allowed client.
- Click to select a client and enter an object name.
- Click OK.
- Optional: To make the Access Role include only specified users, select Users from the left pane and define the allowed users.
- Click OK.
Policy Definition for Remote Access
There must be a rule in the Security Policy Rule Base (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) that grants remote users access to the LAN. Consider which services are allowed. Restrict those services that need to be restricted with an explicit rule in the Security Policy Rule Base.
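The SMTP_SRV rule from the example above expressed as a Management API add-access-rule body, together with an audit of the two "make sure" conditions at the top of the page (every Remote Access gateway is in the community; some Accept rule carries the community in its VPN column). This is an added example, not code from the Check Point guide; the field names follow the Check Point Management API as I know it, and the rulebase and community dictionaries are constructed to resemble show-access-rulebase and show-vpn-community output, so verify both against your release's API reference.

```python
import json

REMOTE_ACCESS_COMMUNITY = "RemoteAccess"   # default community object name on the page


def build_smtp_rule(layer: str = "Network") -> dict:
    """add-access-rule body equivalent to the example rule on the page:
    Source Any, Destination SMTP_SRV, VPN RemoteAccess, Service SMTP, Accept, Log."""
    return {
        "layer": layer,
        "position": "top",
        "name": "Remote access to SMTP_SRV",   # constructed rule name
        "source": "Any",
        "destination": "SMTP_SRV",
        "vpn": REMOTE_ACCESS_COMMUNITY,         # the VPN column check from the guide
        "service": "smtp",
        "action": "Accept",
        "track": {"type": "Log"},
    }


def _names(column) -> set:
    """Normalise a rule column (string, object, or list of either) to object names."""
    items = column if isinstance(column, list) else [column]
    return {i["name"] if isinstance(i, dict) else str(i) for i in items}


def audit_remote_access(rulebase: list, community: dict, ra_gateways: list) -> list:
    """Findings for the two preconditions stated in the guide:
    1. every Remote Access gateway participates in the community;
    2. at least one Accept rule carries the community (or Any) in its VPN column."""
    findings = []
    members = _names(community.get("gateways", []))
    for gw in ra_gateways:
        if gw not in members:
            findings.append(f"gateway {gw} is not in community {community['name']}")
    grants = [r["name"] for r in rulebase
              if _names(r.get("action", "")) == {"Accept"}
              and _names(r.get("vpn", [])) & {community["name"], "Any"}]
    if not grants:
        findings.append(f"no Accept rule includes {community['name']} in the VPN column")
    return findings


# Constructed sample data shaped like show-vpn-community / show-access-rulebase output.
SAMPLE_COMMUNITY = {"name": REMOTE_ACCESS_COMMUNITY, "gateways": [{"name": "gw-hq"}]}
SAMPLE_RULEBASE = [{"name": "Cleanup", "action": {"name": "Drop"}, "vpn": [{"name": "Any"}]}]

if __name__ == "__main__":
    print(json.dumps(build_smtp_rule(), indent=2))
    print(audit_remote_access(SAMPLE_RULEBASE, SAMPLE_COMMUNITY, ["gw-hq", "gw-branch"]))
```

Run against a real export, the audit reports a gateway that was given the VPN blade but never added to the community, and a rulebase that has no rule granting the community anything, which are the two reasons remote users connect successfully yet reach nothing.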
Modifying Encryption Properties for Remote Access VPN
The encryption properties of the users participating in a Remote Access community are set by default. If you must modify the encryption algorithm, the data integrity method and/or the Diffie-Hellman group, you can either do this globally for all users or configure the properties per user.
To modify the user encryption properties globally:
- Open Global Properties.
- From the navigation tree, click Remote Access > VPN - Authentication and Encryption.
- From the Encryption algorithms section, click Edit.
  The Encryption Properties window opens.
- In the IKE Security Association (Phase 1) tab, configure the applicable settings:
  - Support encryption algorithms - Select the encryption algorithms that will be supported with remote hosts.
  - Use encryption algorithms - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
  - Support Data Integrity - Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
  - Use Data Integrity - The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
  - Support Diffie-Hellman groups - Select the Diffie-Hellman groups that will be supported with remote hosts.
  - Use Diffie-Hellman group - Client users utilize the Diffie-Hellman group selected in this field.
- Click OK.
- Install policy.
To configure encryption policies for specified users:
- Open Global Properties, and click Remote Access > Authentication and Encryption.
- From the Encryption algorithms section, click Edit.
- In the Encryption Properties window, click the IPSEC Security Association (Phase 2) tab.
- Clear Enforce Encryption Algorithm and Data Integrity on all users.
- Click OK and close the Global Properties window.
- For each user:
  - From the Objects Bar, double-click the user.
  - From the navigation tree, click Encryption.
  - Click Edit.
    The IKE Phase 2 Properties window is displayed.
  - Click the Encryption tab.
  - Click Defined below.
  - Configure the Encryption Algorithm and Data Integrity.
  - Click OK and close the User Properties window.
- Install policy.
Installing the Policy
Install the policy and instruct the users to create or update the site topology.
IPsec and IKE for Remote Access
For Remote users, the IKE settings are configured in Global Properties > Remote Access > VPN Authentication and Encryption.
IKEv2 is not supported for Remote Access.
For more information about IPsec and IKE, see the R81 Site to Site VPN Administration Guide.