Configuring the Remote Access Blade
In the VPN > Remote Access > Blade Control page you can establish secure encrypted connections between devices such as mobile devices, home desktops and laptops, and the organization through the Internet.
For Remote Access, you must configure users in the system with credentials and configure the required permissions for specified users. The appliance must be accessible from the Internet.
|
|
Note - Remote Access supports connections from IPv4 addresses only. |
These are supported Remote Access VPN
An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. connection methods:
-
Install a VPN client on the home desktops or laptops.
-
Browse from home devices (using HTTPS) to the appliance and download a thin client when necessary. This method is known as SSL Network Extender
A secure connectivity framework for remote access VPN to a corporate network. SSL Network Extender uses a thin VPN client installed on the user's remote computer that connects to an SSL-enabled web server on a VPN Gateway. See sk65210. Acronym: SNX..
We highly recommend that you first configure DDNS or a static IP Internet connection on the appliance. If you do not use a static IP address, your appliance's IP address can vary based on your Internet Service Provider. DDNS lets home users connect to the organization by name and not IP address that can change. See Device > DDNS for more details.
To configure DDNS, click the DDNS link or the Internet link for static IP address.
To enable or disable Remote Access VPN:
-
Select On or Off.
-
Click Apply
|
|
Note - When the blade is managed by Cloud Services, a lock icon appears. You cannot toggle between the On and Off states. If you change other policy settings, the change is temporary. Any changes you made locally will be overridden in the next synchronization between the gateway and Cloud Services. |
To configure the default access policy through Remote Access VPN:
-
Select or clear the Allow traffic from Remote Access users (by default) checkbox.
When you clear this option, you must manually configure access from Remote Access VPN users to resources in the organization in one of these ways:
-
Configure the object settings on the Access Policy > Servers page.
-
Configure the required rules on the Access Policy > Firewall Policy page.
-
-
Select or clear the Log traffic from Remote Access users (by default) checkbox.
-
Click Apply
Two-Factor Authentication
Two-Factor Authentication, also called multi-factor authentication, is an extra layer of security to prevent unauthorized access to your system. The gateway sends a passcode to the user
To use Two-Factor Authentication, you must have Remote Access permissions configured, with an email address and mobile phone number.
|
|
Note - By default, the gateway sends the passcode by both email and SMS. |
For SMS, you can use the Check Point SMS provider, or an external SMS provider. If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server and a Dynamic URL that contains the API of the external service provider.
To configure Two-Factor Authentication:
-
On the VPN > Remote Access > Blade Control page, select Require users to confirm their identity using Two-Factor Authentication.
-
Click configure.
The Two-Factor Authentication Settings window opens.
-
Select the applicable option:
To receive authentication by SMS
-
Select the SMS checkbox.
-
To use Check Point SMS, select Use Check Point SMS provider service.
-
If you select Use External SMS provider, enter the information for these fields:
-
DynamicID URL.
-
Provider user name.
-
Provider password.
-
API ID.
-
Message to display (optional).
-
To receive authentication by Email
-
Select the Email checkbox.
-
Optional: Enter the Message to send.
To select to receive by both options, select both checkboxes.
-
-
On the Advanced tab, below Dynamic ID Settings, enter the:
-
Length of the one-time password.
-
Amount of time in minutes until the password expires.
-
Maximum number of retries.
-
-
Below Country Code, enter the Default country code.
-
Click Apply.
To sign in with Two-Factor Authentication:
-
Connect to your VPN.
-
You get a prompt for a DynamicID One Time Password (OTP) that the gateway sends to your mobile phone as an SMS, or directly to your email account.
|
|
Notes:
|
VPN Remote Access methods
-
Check Point VPN clients - To connect laptops and desktops
-
Mobile client - To connect smartphones and tablets
-
SSL VPN - To connect through SSL VPN
-
Windows VPN Client - To connect through native VPN client (L2TP)
By default, Check Point VPN clients is enabled.
To configure VPN remote access methods:
-
Select the checkbox next to the desired method and click How to connect...
The Usage window opens.
-
Follow the instructions. You can also receive these instructions by email.
-
Close the window and click Apply.
To manage SSL VPN bookmarks:
-
Select the SSL VPN checkbox.
-
Click Apply
-
Click Manage SSL VPN bookmarks.
The VPN > Advanced page opens.
-
In SSL VPN bookmarks, click New to create new bookmarks.
A new window opens.
-
Enter these details:
-
URL
Note - If you select the Global bookmark, all users see this bookmark.
-
Type - Link or RDP (remote desktop protocol)
-
Label - The bookmark name
-
Tooltip - Description
-
-
Click Apply
If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. The gateway sends these credentials to the end user.
|
|
Note - If you select Show characters, the password characters are visible. |
You can also specify the screen size of the remote desktop. The default mode is full screen.
To manage bookmarks:
-
Click on a bookmark.
-
Click Edit or Delete.
-
Click Apply
To assign a VPN certificate:
-
Select the SSL VPN check box.
-
Click Certificate authentication.
The Certificate authentication window opens. The list of uploaded certificates appears in the drop down menu.
-
Select the certificate name.
Note - You cannot select the default Web portal certificate.
-
Click Apply
To send users remote access usage instructions:
-
Click the How to connect link next to the applicable remote access method.
-
Click the E-mail these instructions to automatically open a pre-filled email that contains the instructions.
-
Click Close.
To change the Remote Access port settings:
If the default remote access port (TCP 443) and a server use the same port, a conflict message appears. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled because they use the TCP port 443 by default.
-
Click the Change port link.
The Remote Access Port Settings window opens.
-
In Remote Access port, enter a new port number.
-
Make sure to select Reserve port 443 for port forwarding.
-
Click Apply
To allow connections between Remote Access VPN users that get an IP address from the Office Mode Pool:
Use this procedure to configure backward connections inside an Encryption Domain The networks that a Security Gateway protects and for which it encrypts and decrypts VPN traffic. with Remote Access VPN.
-
Go to Users & Objects > Network Resources > Network Objects.
-
Click New to create a new network object for the Office Mode network:
-
For Type, enter Network.
-
Enter the Network address and Subnet mask.
-
Enter the Object name.
-
Click Apply.
-
-
Go to Device > Advanced Settings > parameter VPN Remote Access - Back Connections enable.
-
Select the option Back connections enable and click Apply.
-
At the bottom of the page, click Apply.
Example for the object OMPOOL:
Original Source
Original Destination
Original Server
Translated Source
Translated Destination
Translated Service
OMPOOL
OMPOOL
*Any
*Original
*Original
*Original
-
-
Go to Access Policy > Firewall Policy.
-
In the section Incoming, Internal and VPN traffic, create a new rule to allow traffic between computers in the Office Mode network.
-
At the bottom of the page, click Apply.
Example for the object OMPOOL:
Source
Destination
Service
Action
Log
OMPOOL
OMPOOL
*Any
Accept
Log or None
-
