Remote Access VPN

If employees remotely access sensitive information from different locations and devices, system administrators must make sure that this access does not become a security vulnerability. Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network. The Mobile Access Software Blade extends the functionality of Remote Access solutions to include many clients and deployments.

VPN Connectivity Modes

When securely connecting remote clients with the internal resources, organizations face connectivity challenges, such as these:

  • The IP addresses of a remote access client might be unknown

  • The remote access client can be connected to a LAN with internal IP addresses (for example, at hotels)

  • It is necessary for the remote client to use protocols that are not supported

The Check Point IPsec VPN Software Blade provides these VPN connectivity modes to help organizations resolve those challenges:

  • Office Mode

    Remote users can be assigned identical or non-routable IP addresses by the local ISP. Office Mode solves these routing problems by encapsulating the IP packets with an available IP address from the internal network. Remote users can send traffic as if they are in the office and avoid VPN routing problems.

  • Visitor Mode

    Remote users can be restricted to using only HTTP and HTTPS protocols. Visitor Mode lets these users tunnel all protocols through regular TCP connections on port 443.
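The routing problem that Office Mode addresses can be modeled in a few lines. This is an added conceptual example, not Check Point code or configuration; the addresses, pool, user names and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the Check Point guide).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.1.0.0/16")]
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
POOL = ipaddress.ip_network("10.1.200.0/29")  # hypothetical range reserved for remote users
IN_USE = {"10.1.200.1"}                       # internal addresses already taken
CLIENTS = {                    # user -> address handed out by the local network
    "alice": "192.168.1.23",   # hotel LAN that collides with an internal subnet
    "bob": "192.168.1.23",     # different hotel, same address as alice
    "carol": "100.64.7.9",     # carrier-grade NAT range
    "dave": "203.0.113.40",    # documentation range standing in for a public address
}

def routing_problems(clients, internal_nets):
    """Return {user: [reasons]} for addresses the internal network cannot route replies to."""
    addresses = list(clients.values())
    problems = {}
    for user, raw in clients.items():
        ip = ipaddress.ip_address(raw)
        reasons = []
        if addresses.count(raw) > 1:
            reasons.append("duplicate")          # two users look identical by source IP
        if any(ip in net for net in internal_nets):
            reasons.append("overlaps-internal")  # replies would stay on the internal LAN
        if any(ip in net for net in NON_ROUTABLE):
            reasons.append("non-routable")
        if reasons:
            problems[user] = reasons
    return problems

def assign_office_mode(clients, pool, in_use):
    """Give every user a unique, available inner address; fail instead of reusing one."""
    free = (str(h) for h in pool.hosts() if str(h) not in in_use)
    leases = {}
    for user in sorted(clients):
        try:
            leases[user] = next(free)
        except StopIteration:
            raise RuntimeError(f"pool exhausted before {user} got an address") from None
    return leases

if __name__ == "__main__":
    for user, reasons in routing_problems(CLIENTS, INTERNAL_NETS).items():
        print(f"{user}: {', '.join(reasons)}")
    for user, inner in assign_office_mode(CLIENTS, POOL, IN_USE).items():
        print(f"{user}: physical {CLIENTS[user]} -> inner {inner}")
```

The inner address is what internal hosts see as the source, so two users who share the same hotel-assigned address remain distinguishable in routing and in logs.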

Sample Remote Access VPN Workflow

Here is an example of a Remote Access VPN workflow:

  1. Use SmartConsole to enable Remote Access VPN on the Security Gateway.

  2. Add the remote user information to the Security Management Server:

    • Create and configure an LDAP Account Unit

    • Enter the information in the SmartConsole user database

    Optional: Configure the Security Gateway for remote user authentication.

  3. Define the Access Control and encryption rules for the Security Gateway.

  4. Create the group objects to use in the Security Gateway rules:

    • LDAP Group object - for an LDAP Account Unit

    • User Group object - for users configured in the SmartConsole user database

  5. Create and configure the encryption settings for the VPN community object in Menu > Global properties > Remote Access > VPN - Authentication and Encryption.

  6. Add Access Control rules to the Access Control Rule Base to allow VPN traffic to the internal networks.

 

 

[Figure: flowchart of the workflow above. Boxes: Enable remote access VPN; Manage Users? (LDAP or SmartConsole); Configure LDAP Account Unit; Configure users; Configure user authentication; Create LDAP user group object; Create user group object; Create VPN Community; Configure rules for VPN access in Access Control Rule Base; Install policy.]

Configuring the Security Gateway for a Remote Access Community

Make sure that the VPN Software Blade is enabled before you configure the Remote Access community.

To Learn More About Remote Access VPN

See the R81 Remote Access VPN Administration Guide.