Configuring Remote Access Connectivity

This section describes how to configure Remote Access connectivity in SmartDashboard (the legacy Check Point GUI client for versions R77.30 and lower; in R80.x and higher it is still used to configure specific legacy settings) and in DBedit.

Configuring Small IKE phase II Proposals

Small phase II IKE proposals always include AES-256, but not AES-128. To include AES-128 in the small proposals:

  1. Open the command line database editing tool DBedit and make sure the property that applies to your clients is set to true. Two properties control whether small proposals are used, one for pre-NG with Application Intelligence clients and one for NG with Application Intelligence clients:

    • phase2_proposal - determines whether an old client (pre-NG with Application Intelligence) tries small proposals. Default: "false".

    • phase2_proposal_size - determines whether a new client (NG with Application Intelligence) tries small proposals. Default: "true".

  2. In Global Properties > Remote Access page > VPN - Advanced subpage > User Encryption Properties section, select AES-128. This configures remote users to offer AES-128 as a small proposal.

Configuring Visitor Mode

Visitor Mode requires the configuration of both the Server and the Client. See also: Visitor Mode and MEP.

Visitor Mode and Clusters

Cluster support is limited. The High Availability and Load Sharing solutions must provide "stickiness": the Visitor Mode connection must always go through the same cluster member.

Failover from cluster member to cluster member in a High Availability scenario is not supported.

Configuring Remote Clients to Work with Proxy Servers

  1. In the Remote Access client, select Detect Proxy from Internet Explorer Settings.

  2. Enter a username and password for proxy authentication. The client later sends these credentials to the proxy server with its HTTP CONNECT request.

Remote Access clients can read the Visitor Mode proxy settings, but only if:

  • The client is connected to a LAN or WLAN

  • Secure Domain Logon (SDL) is not enabled.

    Note - Visitor Mode first attempts to connect to the proxy server without authenticating. If the proxy requires a username and password, the error message "proxy requires authentication" appears.

Windows Proxy Replacement

If a Remote Access client is on a LAN\WLAN and a proxy server is configured on the LAN, the client replaces the proxy settings so that new connections to the VPN domain are not sent via the proxy but go directly to the Security Gateway. This feature works with and without Visitor Mode.

When a Remote Access client replaces the proxy settings, it generates a plain-script PAC file, similar to the existing one, that lists the entire VPN domain (IP ranges and DNS names) as destinations to be returned as "DIRECT". This file is stored locally, because the Windows OS must receive this information as a plain-script PAC file. It replaces the automatic configuration script defined in Internet Explorer.
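The following PAC file is an added example and not a file produced by the Check Point client or taken from this guide. It shows the decision the replacement script encodes: hosts inside the VPN domain are returned as "DIRECT" so the Remote Access client can tunnel them to the Security Gateway, and every other host keeps using the LAN proxy. The VPN domain ranges and DNS suffixes are constructed sample data and the proxy address `proxy.lan.example:8080` is an assumed placeholder. In Windows the helper functions `isInNet` and `dnsDomainIs` are supplied by the PAC engine; they are re-implemented here (with the simplification that `isInNet` does not resolve hostnames) so the file also runs under Node.js.

```javascript
// Added example: a replacement PAC file of the kind described above.
// Not Check Point code; VPN domain entries and proxy address are constructed.

const LAN_PROXY = "PROXY proxy.lan.example:8080"; // assumed LAN proxy

// Constructed VPN domain, as the client would embed it in the PAC file.
const VPN_IP_RANGES = [
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.100.0", "255.255.255.0"],
];
const VPN_DNS_SUFFIXES = [".corp.example", ".intranet.example"];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const parts = ip.split(".").map(Number);
  if (parts.some(p => p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// PAC helper: is host (an IPv4 literal) inside net/mask?
// The real PAC engine resolves non-literal hosts first; this stand-in
// treats a non-literal host as "not in the network".
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// PAC helper: does host end with the given DNS domain suffix?
function dnsDomainIs(host, domain) {
  return host.length > domain.length &&
    host.toLowerCase().endsWith(domain.toLowerCase());
}

// Entry point the Windows PAC engine calls for every new connection.
function FindProxyForURL(url, host) {
  // VPN domain by IP range -> DIRECT (tunnelled by the Remote Access client).
  for (const [net, mask] of VPN_IP_RANGES) {
    if (isInNet(host, net, mask)) return "DIRECT";
  }
  // VPN domain by DNS name -> DIRECT.
  for (const suffix of VPN_DNS_SUFFIXES) {
    if (dnsDomainIs(host, suffix)) return "DIRECT";
  }
  // Everything else keeps going through the LAN proxy as before.
  return LAN_PROXY;
}
```

When reviewing a replacement PAC on a client, check the two failure modes this logic can have: a VPN domain entry that is missing sends that traffic to the LAN proxy in the clear instead of into the tunnel, and an entry that is too broad (for example a /8 that also covers LAN addresses) pulls non-VPN traffic away from the proxy.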

Configuring Windows Proxy Replacement

Windows proxy replacement is configured either on the Security Gateway or on the Remote Access client.

Proxy Replacement for the Security Gateway

To configure Windows proxy replacement on the Security Gateway:

  1. From Menu, click Global Properties.

  2. From the navigation tree, click Advanced.

  3. In the Advanced Configuration page, click Configure.

    The Advanced Configuration window opens.

  4. From the navigation tree, click VPN Advanced Properties > Remote Access VPN.

  5. Select one of these options:

    • ie_proxy_replacement - When selected, Windows proxy replacement is always performed, even if Visitor Mode is not enabled.

    • ie_proxy_replacement_limit_to_tcpt - When selected, Windows proxy replacement is performed only when Visitor Mode is enabled.