Configuring the Remote Access Blade

In the VPN > Remote Access > Blade Control page you can establish secure encrypted connections between devices such as mobile devices, home desktops and laptops, and the organization through the Internet.

For Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway., you must configure users on the appliance with credentials and configure the required permissions for specified users. The appliance must be accessible from the Internet.

We highly recommend that you first configure DDNS or an Internet connection with a static IP address on the appliance. If you do not use a static IP address, your appliance's IP address can change based on your Internet Service Provider. DDNS lets home users connect to the organization by hostname and not IP address that can change. See Device > System > DDNS & Device Access > DDNS for more details.

To configure DDNS, see Configuring DDNS and Access Service.

To configure the static IP address, see Configuring Internet Connectivity.

Note - Remote Access VPN supports connections from IPv4 addresses only.

Getting Started with VPN Remote Access

    1. Go to VPN > Remote Access > Blade Control.

    2. Select On.

    3. Mandatory: Select Allow traffic from Remote Access users.

    4. Optional: Select Log traffic from Remote Access users.

    5. Optional: Select Require users to confirm their identity using Two-Factor Authentication.

      Two-Factor Authentication, also called multi-factor authentication, is an extra layer of security to prevent unauthorized access to your system. The gateway sends a passcode to the user by email or SMS to allow the user to connect through VPN. Starting from R81.10.07, you can also select to use Google Authenticator.

      To use Two-Factor Authentication, you must have Remote Access permissions configured, with an email address and mobile phone number.

      For SMS, you can use the Check Point SMS provider, or an external SMS provider. If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server and a Dynamic URL that contains the API of the external service provider.

      Notes:

      • By default, the gateway sends the passcode by both email and SMS.

      • L2TP and SNX do not support Two-Factor Authentication. To make sure these connection work, run this command in Gaia ClishClosed The default shell of the Gaia CLI:

        set vpn remote-access advanced allow-older-clients true

      To configure Two-Factor Authentication:

      1. On the VPN > Remote Access > Blade Control page, select Require users to confirm their identity using Two-Factor Authentication.

      2. Click configure.

        The Two-Factor Authentication Settings window opens.

      3. Select the applicable option:

        To select to receive by both SMS and email, select both checkboxes.

        1. Select the SMS checkbox.

        2. To use Check Point SMS, select Use Check Point SMS provider service.

        3. If you select Use External SMS provider, enter the information for these fields:

          • DynamicID URL.

          • Provider user name.

          • Provider password.

          • API ID.

          • Message to display (optional).

        1. Select the Email checkbox.

        2. Optional: Enter the Message to send.

        Note - Users must have Remote Access permissions configured for this option.

        1. Select the Use Google Authenticator checkbox.

        2. Click Apply.

          The SMB Cloud Service sends an email that contains a QR code to the email address configured for the user.

        3. Scan the QR code with the Google Authenticator application.

        4. The one-time password (OTP) appears.

          Note - The OTP expires after 30 seconds.

        5. On your computer, connect to the VPN. Enter your username and password.

        6. For the second authentication, enter the OTP in the Response field.

        7. The Cloud Service compares the OTP to the one represented by the QR code in the application. If it matches, you are connected to VPN.

        The Cloud Service sends a QR code with an OTP when:

        • A new user is configured.

        • The information for an existing user is edited, such as a new email address is added or the user receives Remote Access permissions.

        • The admin decides that all users must use Cloud Authentication.

      4. On the Advanced tab, below Dynamic ID Settings, enter the:

        • Length of the one-time password.

        • Amount of time in minutes until the password expires.

        • Maximum number of retries.

      5. Below Country Code, enter the Default country code.

      6. Click Apply.

      To sign in with Two-Factor Authentication:

      1. Connect to your VPN.

      2. You get a prompt for a DynamicID One Time Password (OTP) sent to your mobile phone as an SMS, or directly to your email account, or by scanning the QR code.

      Notes:

      • VPN Two-Factor Authentication is per gateway, not administrator.

      • When you turn on Two-Factor Authentication, you enable it for all VPN clients. This means all VPN users must have a configured mobile phone number and email address with which to connect.

    6. In the section "VPN Remote Access users can connect via", select the applicable Remote Access VPN clients:

      • Check Point VPN clients - Install a VPN client on your desktop or laptop.

      • Mobile client - To connect on your smartphone or tablet (iOS or Android).

      • SSL VPN - To connect through SSL VPN. Enter the IP address in your web browser.

      • Windows VPN client - L2TP. For either Windows or Mac, connect with a pre-shared key. For instructions, click How to connect.

      To configure VPN remote access methods:

      1. Select the checkbox next to the desired method and click How to connect....

        The Usage window opens.

      2. Follow the instructions on the screen.

      3. Close the window.

      4. Click Apply.

    7. At the bottom of the page, click Apply.

    Note - When the Remote Access VPN blade is managed by Cloud Services, a lock icon appears. You cannot toggle between the On and Off states. If you change other policy settings, the change is temporary. Any changes you made locally are overridden in the next synchronization between the gateway and Cloud Services.

  2. Follow the applicable procedure:

    1. Go to VPN >Remote Access > Remote Access Users.

    2. Click Add.

      The New Local User window opens.

    3. Enter the required information in the fields.

      Note - The Email and Phone number fields are optional. However, if you want to give this user Remote Access VPN permissions, this information is necessary for Two-Factor Authentication during the Remote Access VPN connection.

    4. Select Remote Access permissions.

    5. Click Apply.

    You can use the Active Directory or RADIUS servers to automatically populate your users and groups.

    See Configuring Remote Access Authentication Servers.

    To see a table of the defined authentication servers, go to VPN > Remote Access > Authentication Servers.

    1. Click the username in the table and click Edit.

      You can also double-click the username.

    2. Select Remote Access permissions.

    3. Click OK.

    1. Click Edit permissions.

    2. At the top, click the applicable filter:

      • Click Users to see the locally configured users.

      • Click Active Directory to see the user groups configured on an Active Directory server.

    3. In the left column, select the checkbox near the applicable usernames / user groups.

    4. Click Apply.

    • To see the currently connected Remote Users, go to VPNRemote Access > Connected Remote Users.

    • To see the current Remote Access VPN tunnels, go to Logs & MonitoringStatusVPN Tunnels.

    • To see the traffic from the currently connected Remote Access VPN users, go to Logs & Monitoring LogsSecurity Logs (on the VPN > Remote AccessBlade Control page, you must select Log traffic from Remote Access users).

Advanced options

For more information, see Configuring Advanced Remote Access Options.

Changing the Default Remote Access VPN Port

The default Remote Access VPN port is TCP 443. If you configured the WebUI on the appliance to work on the TCP port 443 as well, a conflict message appears on the VPN > Remote Access > Blade Control page.

If you enabled one of these Remote Access VPN clients:

  • Check Point VPN clients

  • Mobile client

  • SSL VPN

then you must change the default Remote Access VPN port:

  1. Click the Change port link.

    The Remote Access Port Settings window opens.

  2. In the Remote Access port field, enter a new port number.

  3. Select Reserve port 443 for port forwarding.

  4. Click Apply.

Connections Between Remote Access VPN Clients in the Same Office Mode Pool

Follow this procedure to allow connections between Remote Access VPN clients that get an IP address from the same Office Mode Pool.

  1. Go to Users & Objects > Network Resources > Network Objects.

  2. Click New to create a new Network object for the Office Mode network:

    1. In the Type menu, select Network.

    2. In the Network address field, enter the applicable network IP address.

    3. In the Subnet mask field, enter the required subnet mask.

    4. In the Object name field, enter the applicable name.

      For example: OMPOOL.

    5. Click Apply.

  3. Go to Device > Advanced > Advanced Settings.

  4. Configure the parameter VPN Remote Access - Back Connections enable:

    1. In the top search field, enter:

      VPN Remote Access - Back Connections enable.

    2. Select the parameter VPN Remote Access - Back Connections enable and click Edit.

    3. Select the option Back connections enable.

    4. Click Apply.

  5. Configure an Access Policy rule to allow traffic between computers in the Office Mode network:

    1. Go to Access Policy > Firewall > Policy.

    2. In the section Incoming, Internal and VPN traffic, click New.

    3. Configure this rule:

      Source

      Destination

      Service

      Action

      Log

      OMPOOL

      OMPOOL

      *Any

      Accept

      Log, or None

    4. Click Apply.

  6. Configure the NAT Policy rule to disable NAT on the traffic between computers in the Office Mode network:

    1. Go to Access Policy > Firewall > NAT.

    2. In the section NAT Rules, click View NAT rules.

    3. Click New.

    4. Configure this rule:

      Original Source

      Original Destination

      Original Service

      Translated Source

      Translated Destination

      Translated Service

      OMPOOL

      OMPOOL

      *Any

      *Original

      *Original

      *Original

    5. Click Apply.