Getting Started with Remote Access

Overview of the Remote Access Workflow

This is an overview of the workflow to give your employees remote access to your VPN Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

1. Enable the IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. on the Security Gateway and do basic Security Gateway configuration (see Basic Security Gateway Configuration).

2. Add the Security Gateway to the Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Community (see Basic Security Gateway Configuration).

3. Include users in the Remote Access VPN Community A named collection of VPN domains, each protected by a VPN gateway. (see Including Users in the Remote Access Community).

4. Configure user authentication (see Configuring User Authentication).

5. Configure VPN access rules in the security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. (see Configuring VPN Access Rules for Remote Access).

6. If necessary, define the Desktop Policy (see Desktop Security).

7. Install policy on the Security Gateway.

8. Deploy the remote access client to users (see Deploying Remote Access Clients).

Basic Security Gateway Configuration

As a best practice, use these Security Gateway settings for most remote access clients. See the documentation for your client for more details.

These instructions use the default Remote Access VPN Community, RemoteAccess. You can also create a new Remote Access VPN Community with a different name.

To configure a Security Gateway for remote access:

1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., right click the Security Gateway (Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.) object and select Edit.

2. In the Network Security tab, select IPsec VPN to enable the Software Blade.

   Note that some clients also require the Mobile Access Software Blade.

   See the section Required Licenses in Check Point Remote Access Solutions.

3. Add the Security Gateway to the Remote Access VPN Community:

   1. From the Check Point Gateway tree, click IPsec VPN.

   2. In This Security Gateway participates in the following VPN Communities, make sure the Security Gateway shows or click Add to add the Security Gateway.

   3. Click the RemoteAccess community.

   4. Click OK.

      The ICA Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication. automatically creates a certificate for the Security Gateway.

4. Set the VPN domain for the Remote Access community.

   The default is All IP Addresses behind Gateway are based on Topology information. To configure a VPN domain manually, see Advanced VPN Domain Configuration.

   Optional: To change the VPN domain:

   1. From the Check Point Gateway tree, click Network Management.

   2. In VPN Domain, click Set domain for Remote Access Community.

5. Configure Visitor Mode.

   1. Select IPSec VPN > VPN Clients > Remote Access.

   2. Select Support Visitor Mode and keep All Interfaces selected.

   3. Optional: Select the Visitor Mode Service, which defines the protocol and port of client connections to the Security Gateway.

6. Configure Office Mode.

   1. From the Check Point Gateway tree, select VPN Clients > Office Mode.

      The default is Allow Office Mode to all users.

   2. Optional: Select Offer Office Mode to group and select a group.

   3. Select an Office Mode method (see Office Mode).

7. Click OK.

Including Users in the Remote Access Community

By default, the Remote Access VPN Community includes a user group, All Users, that includes all defined users. You can use this group or add different user groups to the Remote Access VPN Community. The community can contain users defined in LDAP, which includes Active Directory, or users defined on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

For more information about user groups and LDAP, see the R81 Security Management Administration Guide.

To add user groups to a Remote Access VPN Community in SmartConsole:

1. From the left navigation panel, click Security Policies.

2. In the top section, click Access Control.

3. In the bottom section Access Tools, click VPN Communities.

4. Right-click the Remote Access Community object and click Edit.

5. Click Participant User Groups.

6. Add or remove groups.

7. Click OK.

Configuring User Authentication

Users must authenticate to the VPN Security Gateway with a supported authentication method. You can configure authentication methods for the remote access Security Gateway in:

• Gateway Properties > VPN Clients > Authentication

• SmartDashboard Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. > Mobile Access tab > Authentication

• Gateway Properties > Mobile Access > Authentication

If no authentication methods are defined for the Security Gateway, users select an authentication method from the client.

For details, see User and Client Authentication for Remote Access.

Configuring VPN Access Rules for Remote Access

You must configure rules to allow users in the Remote Access VPN Community to access the LAN. You can limit the access to specified services or specified clients. Configure rules in SmartConsole > Security Policies > Access Control.

To make a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. apply to a VPN Community, the VPN column of the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. must contain one of these:

• Any - The rules applies to all VPN Communities. If you configure a new VPN Community after the rule was created, the rule also applies to the new VPN Community.

• One or more specified VPN communities-For example, RemoteAccess. Right-click in the VPN column of a rule and select Specific VPN Communities. The rule applies to the communities shown in the VPN column.

Examples:

• This rule allows traffic from all VPN Communities to the internal network on all services:

  Name	Source	Destination	VPN	Services & Applications
  Allow all remote access	* Any	Internal_Network	* Any	* Any

• This rule allows traffic from RemoteAcccess VPN Community to the internal network on HTTP and HTTPS.

  Name	Source	Destination	VPN	Services & Applications
  Allow RemoteAccess community	* Any	Internal_Network	RemoteAccess	HTTP HTTPS

• This rule allows traffic from RemoteAcccess VPN Community to the internal network on all services when the traffic starts from the Endpoint Security VPN client.

  Name	Source	Destination	VPN	Services & Applications
  Allow all from Endpoint Security VPN	Endpoint Security VPN Access Role	Internal_Network	RemoteAccess	* Any

  See Access Roles for Remote Access for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.

Deploying Remote Access Clients

See the documentation for your remote access client for deployment instructions.

Make sure that users have:

• The site name or URL.

• The credentials or hardware required to authenticate.

Advanced VPN Domain Configuration

If a Security Gateway participates in more than one VPN Community, you can configure a different VPN Domain for the Security Gateway for each VPN Community in which it participates. In SmartConsole, you can configure a specific VPN Domain for a Security Gateway in the Security Gateway object or in the VPN Community object.

To configure a specific VPN Domain in the Security Gateway Object:

1. Open the Network Management > VPN Domain page.

2. In the line Set Specific Domain for Gateway Communities, click Set.

3. Select the VPN Community for which it is necessary to override the VPN Domain and click Set.

4. Select the applicable option:

   • According to the gateway

     This configuration option use the VPN Domain that is configured in the Network Management folder > VPN Domain page > VPN Domain section.

   • User defined

     Select the applicable Network or Group object (or create a new object).
     

     This configuration option overrides:

     • The VPN Domain that is configured in the Security Gateway object > Network Management folder > VPN Domain page > VPN Domain section.

     • The VPN Domain that is configured in the Meshed / Star VPN Community object > Gateways page.

     • The VPN Domain that is configured in the Remote Access VPN Community object > Participating Gateways page.

5. Click OK to close the Set Specific VPN Domain for Gateway Communities window.

6. Click OK to close the Communities Specific VPN Domain window.

To configure a specific VPN Domain in the VPN Community Object:

1. In the Objects pane, click VPN Communities.

2. Click the applicable VPN Community.
   

   The VPN Community configuration window opens.

3. In the Gateways pane, double-click the relevant Security Gateway object (or create a new object).
   

   The VPN Domain configuration window opens.

4. Select the applicable option:
   

   • According to the gateway

     This configuration option use the VPN Domain that is configured in the Network Management folder > VPN Domain page > VPN Domain section.

   • User defined

     Select the applicable Network or Group object (or create a new object).
     

     This configuration option overrides:

     • The VPN Domain that is configured in the Security Gateway object > Network Management folder > VPN Domain page > VPN Domain section.

     • The VPN Domain that is configured in the Meshed / Star VPN Community object > Gateways page.

     • The VPN Domain that is configured in the Remote Access VPN Community object > Participating Gateways page.

5. Click OK to close the VPN Domain configuration window.

6. Click OK to close the VPN Community configuration window.