Configuring the Remote Access Blade

In the VPN > Remote Access > Blade Control page you can establish secure encrypted connections between devices such as mobile devices, home desktops and laptops, and the organization through the Internet.

For Remote Access, you must configure users in the system with credentials and configure the required permissions for specified users. The appliance must be accessible from the Internet.

Note - Remote Access supports connections from IPv4 addresses only.

Remote Access VPN is an encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. The supported connection methods are listed under VPN Remote Access methods below.

We highly recommend that you first configure DDNS or a static IP Internet connection on the appliance. If you do not use a static IP address, your appliance's IP address can vary based on your Internet Service Provider. DDNS lets home users connect to the organization by name and not IP address that can change. See Device > DDNS for more details.

To configure DDNS, click the DDNS link. To configure a static IP address, click the Internet link.

To enable or disable Remote Access VPN:

  1. Select On or Off.

  2. Click Apply.

Note - When the blade is managed by Cloud Services, a lock icon appears. You cannot toggle between the On and Off states. If you change other policy settings, the change is temporary. Any changes you made locally will be overridden in the next synchronization between the gateway and Cloud Services.

To configure the default access policy through Remote Access VPN:

  1. Select or clear the Allow traffic from Remote Access users (by default) checkbox.

    When you clear this option, you must manually configure access from Remote Access VPN users to resources in the organization in one of these ways:

    • Configure the object settings on the Access Policy > Servers page.

    • Configure the required rules on the Access Policy > Firewall Policy page.

  2. Select or clear the Log traffic from Remote Access users (by default) checkbox.

  3. Click Apply.

Two-Factor Authentication

Two-Factor Authentication, also called multi-factor authentication, is an extra layer of security to prevent unauthorized access to your system. The gateway sends a passcode to the user

To use Two-Factor Authentication, you must have Remote Access permissions configured, with an email address and mobile phone number.

Note - By default, the gateway sends the passcode by both email and SMS.

For SMS, you can use the Check Point SMS provider, or an external SMS provider. If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server and a Dynamic URL that contains the API of the external service provider.

To configure Two-Factor Authentication:

  1. On the VPN > Remote Access > Blade Control page, select Require users to confirm their identity using Two-Factor Authentication.

  2. Click Configure.

    The Two-Factor Authentication Settings window opens.

  3. Select the applicable delivery option (email or SMS).

    To receive the passcode by both methods, select both checkboxes.

  4. On the Advanced tab, below Dynamic ID Settings, enter the:

    • Length of the one-time password.

    • Amount of time in minutes until the password expires.

    • Maximum number of retries.

  5. Below Country Code, enter the Default country code.

  6. Click Apply.

To sign in with Two-Factor Authentication:

  1. Connect to your VPN.

  2. You get a prompt for a DynamicID One Time Password (OTP) that the gateway sends to your mobile phone as an SMS, or directly to your email account.

Notes:

  • VPN Two-Factor Authentication is configured per gateway, not per administrator.

  • When you turn on Two-Factor Authentication, you enable it for all VPN clients. This means all VPN users must have a configured mobile phone number with which to connect.
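As an added illustration, not code from the appliance or from Check Point, the constructed Python model below shows what the three Dynamic ID Settings (password length, expiry time in minutes, maximum retries) control when the gateway issues and checks a DynamicID One Time Password. The constant names, the function names and the status strings are this example's own assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed values mirroring the three Dynamic ID Settings; the names are
# this example's own, not the appliance's parameter names.
OTP_LENGTH = 6          # Length of the one-time password
OTP_EXPIRY_MINUTES = 5  # Minutes until the password expires
OTP_MAX_RETRIES = 3     # Maximum number of retries before the code is locked


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


def generate_otp(length: int = OTP_LENGTH, now: Optional[float] = None) -> PendingOtp:
    """Issue a numeric OTP of the configured length from a CSPRNG."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(length))
    return PendingOtp(code=code, issued_at=now)


def verify_otp(pending: PendingOtp, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'expired', 'locked' or 'mismatch'.

    The code is rejected after the expiry window, locked after OTP_MAX_RETRIES
    wrong answers, and consumed on success, so an intercepted or guessed value
    has both a bounded lifetime and a bounded number of guesses.
    """
    now = time.time() if now is None else now
    if now - pending.issued_at > OTP_EXPIRY_MINUTES * 60:
        return "expired"
    if pending.attempts >= OTP_MAX_RETRIES:
        return "locked"
    pending.attempts += 1
    # Only ASCII digits are compared; compare_digest keeps the check constant-time
    # so response timing does not reveal how many digits matched.
    match = submitted.isascii() and submitted.isdigit() and \
        hmac.compare_digest(pending.code, submitted)
    if match:
        pending.attempts = OTP_MAX_RETRIES  # single use: any replay is locked
        return "ok"
    if pending.attempts >= OTP_MAX_RETRIES:
        return "locked"
    return "mismatch"
```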

VPN Remote Access methods

  • Check Point VPN clients - To connect laptops and desktops

  • Mobile client - To connect smartphones and tablets

  • SSL VPN - To connect through SSL VPN

  • Windows VPN Client - To connect through native VPN client (L2TP)

By default, the Check Point VPN clients method is enabled.

To configure VPN remote access methods:

  1. Select the checkbox next to the desired method and click How to connect...

    The Usage window opens.

  2. Follow the instructions. You can also receive these instructions by email.

  3. Close the window and click Apply.

To manage SSL VPN bookmarks:

  1. Select the SSL VPN checkbox.

  2. Click Apply.

  3. Click Manage SSL VPN bookmarks.

    The VPN > Advanced page opens.

  4. In SSL VPN bookmarks, click New to create new bookmarks.

    A new window opens.

  5. Enter these details:

    • URL

      Note - If you select the Global bookmark, all users see this bookmark.

    • Type - Link or RDP (remote desktop protocol)

    • Label - The bookmark name

    • Tooltip - Description

  6. Click Apply.

If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. The gateway sends these credentials to the end user.

Note - If you select Show characters, the password characters are visible.

You can also specify the screen size of the remote desktop. The default mode is full screen.

To manage bookmarks:

  1. Click on a bookmark.

  2. Click Edit or Delete.

  3. Click Apply.

To assign a VPN certificate:

  1. Select the SSL VPN check box.

  2. Click Certificate authentication.

    The Certificate authentication window opens. The list of uploaded certificates appears in the drop-down menu.

  3. Select the certificate name.

    Note - You cannot select the default Web portal certificate.

  4. Click Apply.

To send users remote access usage instructions:

  1. Click the How to connect link next to the applicable remote access method.

  2. Click E-mail these instructions to open a pre-filled email that contains the instructions.

  3. Click Close.

To change the Remote Access port settings:

If the default remote access port (TCP 443) and a server use the same port, a conflict message appears. The Check Point VPN client, Mobile client, and SSL VPN remote access methods all use TCP port 443 by default, so when any of these methods is enabled and a server uses the same port, you must change the default remote access port.

  1. Click the Change port link.

    The Remote Access Port Settings window opens.

  2. In Remote Access port, enter a new port number.

  3. Make sure to select Reserve port 443 for port forwarding.

  4. Click Apply.

To allow connections between Remote Access VPN users that get an IP address from the Office Mode Pool:

Use this procedure to configure backward connections inside an Encryption Domain (the networks that a Security Gateway protects and for which it encrypts and decrypts VPN traffic) with Remote Access VPN.

  1. Go to Users & Objects > Network Resources > Network Objects.

  2. Click New to create a new network object for the Office Mode network:

    • For Type, enter Network.

    • Enter the Network address and Subnet mask.

    • Enter the Object name.

    • Click Apply.

  3. Go to Device > Advanced Settings > VPN Remote Access - Back Connections enable.

    1. Select the option Back connections enable and click Apply.

    2. At the bottom of the page, click Apply.

      Example for the object OMPOOL:

      Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
      OMPOOL          | OMPOOL               | *Any             | *Original         | *Original              | *Original

  4. Go to Access Policy > Firewall Policy.

    1. In the section Incoming, Internal and VPN traffic, create a new rule to allow traffic between computers in the Office Mode network.

    2. At the bottom of the page, click Apply.

      Example for the object OMPOOL:

      Source | Destination | Service | Action | Log
      OMPOOL | OMPOOL      | *Any    | Accept | Log or None