Configuring the Remote Access Blade
In the VPN > Remote Access > Blade Control page you can establish secure encrypted connections between devices such as mobile devices, home desktops and laptops, and the organization through the Internet.
For Remote Access VPN (an encrypted tunnel between remote access clients, such as Endpoint Security VPN, and a Security Gateway), you must configure users on the appliance with credentials and configure the required permissions for the specified users. The appliance must be accessible from the Internet.
We highly recommend that you first configure DDNS or an Internet connection with a static IP address on the appliance. If you do not use a static IP address, your appliance's IP address can change based on your Internet Service Provider. DDNS lets home users connect to the organization by hostname and not IP address that can change. See Device > System > DDNS & Device Access > DDNS for more details.
To configure DDNS, see Configuring DDNS and Access Service.
To configure the static IP address, see Configuring Internet Connectivity.
Note - Remote Access VPN supports connections from IPv4 addresses only.
Getting Started with VPN Remote Access
- Enable the VPN Remote Access Blade
  - Go to VPN > Remote Access > Blade Control.
  - Select On.
  - Mandatory: Select Allow traffic from Remote Access users.
  - Optional: Select Log traffic from Remote Access users.
  - Optional: Select Require users to confirm their identity using Two-Factor Authentication.
Two-Factor Authentication, also called multi-factor authentication, is an extra layer of security to prevent unauthorized access to your system. The gateway sends a passcode to the user by email or SMS to allow the user to connect through VPN. Starting from R81.10.07, you can also select to use Google Authenticator.
To use Two-Factor Authentication, you must have Remote Access permissions configured, with an email address and mobile phone number.
For SMS, you can use the Check Point SMS provider or an external SMS provider. If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server and a Dynamic URL that contains the API of the external service provider.
Notes:
- By default, the gateway sends the passcode by both email and SMS.
- L2TP and SNX do not support Two-Factor Authentication. To make sure these connections work, run this command in Gaia Clish (the default shell of the Gaia CLI):
  set vpn remote-access advanced allow-older-clients true
To configure Two-Factor Authentication:
- On the VPN > Remote Access > Blade Control page, select Require users to confirm their identity using Two-Factor Authentication.
- Click Configure.
  The Two-Factor Authentication Settings window opens.
- Select the applicable option. To receive the passcode by both SMS and email, select both checkboxes.
  To receive authentication by SMS:
  - Select the SMS checkbox.
  - To use Check Point SMS, select Use Check Point SMS provider service.
  - If you select Use External SMS provider, enter the information for these fields:
    - DynamicID URL.
    - Provider user name.
    - Provider password.
    - API ID.
    - Message to display (optional).
  To receive authentication by Email:
  - Select the Email checkbox.
  - Optional: Enter the Message to send.
  To receive authentication by SMB Cloud Service (Google Authenticator application):
  Note - Users must have Remote Access permissions configured for this option.
  - Select the Use Google Authenticator checkbox.
  - Click Apply.
    The SMB Cloud Service sends an email that contains a QR code to the email address configured for the user.
  - Scan the QR code with the Google Authenticator application.
  - The one-time password (OTP) appears.
    Note - The OTP expires after 30 seconds.
  - On your computer, connect to the VPN. Enter your username and password.
  - For the second authentication, enter the OTP in the Response field.
  - The Cloud Service compares the OTP to the one represented by the QR code in the application. If it matches, you are connected to VPN.
  The Cloud Service sends a QR code with an OTP when:
  - A new user is configured.
  - The information for an existing user is edited, for example when a new email address is added or the user receives Remote Access permissions.
  - The admin decides that all users must use Cloud Authentication.
- On the Advanced tab, below Dynamic ID Settings, enter the:
  - Length of the one-time password.
  - Amount of time in minutes until the password expires.
  - Maximum number of retries.
- Below Country Code, enter the Default country code.
- Click Apply.
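The Google Authenticator option above relies on time-based one-time passwords with a 30-second window, which is why the guide says the OTP expires after 30 seconds. The following Python is an added example, not part of this guide or of the Check Point product: it shows how a code is derived from the secret carried in the QR code and why a code submitted after its window has passed is rejected. It assumes standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step), which is what the Google Authenticator application implements; the seed is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed (the RFC 6238 reference seed "12345678901234567890"),
# base32-encoded the way a secret appears inside an otpauth:// QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for the time window containing unix_time (RFC 6238)."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                 # index of the 30-second window
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter (HOTP input)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret_b32: str, submitted: str, unix_time: int,
               step: int = 30, drift: int = 0) -> bool:
    """Accept the code only if it matches the current window (or +/- drift windows).

    A code from an earlier window fails: once the 30 seconds are over, the
    counter has moved on and the expected value is different. The comparison is
    constant-time so a verifier does not leak how many digits matched.
    """
    for delta in range(-drift, drift + 1):
        expected = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for the current 30-second window:", totp(SAMPLE_SECRET_B32, now))
```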
To sign in with Two-Factor Authentication:
- Connect to your VPN.
- You get a prompt for a DynamicID One Time Password (OTP), sent to your mobile phone as an SMS, directly to your email account, or obtained by scanning the QR code.
Notes:
- VPN Two-Factor Authentication is per gateway, not per administrator.
- When you turn on Two-Factor Authentication, you enable it for all VPN clients. This means all VPN users must have a configured mobile phone number and email address with which to connect.
  - In the section "VPN Remote Access users can connect via", select the applicable Remote Access VPN clients:
    - Check Point VPN clients - Install a VPN client on your desktop or laptop.
    - Mobile client - To connect on your smartphone or tablet (iOS or Android).
    - SSL VPN - To connect through SSL VPN. Enter the IP address in your web browser.
    - Windows VPN client - L2TP. For either Windows or Mac, connect with a pre-shared key. For instructions, click How to connect.
    To configure VPN remote access methods:
    - Select the checkbox next to the desired method and click How to connect....
      The Usage window opens.
    - Follow the instructions on the screen.
    - Close the window.
    - Click Apply.
  - At the bottom of the page, click Apply.
    Note - When the Remote Access VPN blade is managed by Cloud Services, a lock icon appears. You cannot toggle between the On and Off states. If you change other policy settings, the change is temporary. Any changes you made locally are overridden in the next synchronization between the gateway and Cloud Services.
- Configure users and user groups for the Remote Access VPN
  Follow the applicable procedure:
  Adding a new local user:
  - Go to VPN > Remote Access > Remote Access Users.
  - Click Add.
    The New Local User window opens.
  - Enter the required information in the fields.
    Note - The Email and Phone number fields are optional. However, if you want to give this user Remote Access VPN permissions, this information is necessary for Two-Factor Authentication during the Remote Access VPN connection.
  - Select Remote Access permissions.
  - Click Apply.
  Adding new users from Active Directory / RADIUS:
  You can use the Active Directory or RADIUS servers to automatically populate your users and groups. See Configuring Remote Access Authentication Servers.
  To see a table of the defined authentication servers, go to VPN > Remote Access > Authentication Servers.
  Configuring an existing local user:
  - Click the username in the table and click Edit. You can also double-click the username.
  - Select Remote Access permissions.
  - Click OK.
  Configuring the permissions for existing local users / user groups:
  - Click Edit permissions.
  - At the top, click the applicable filter:
    - Click Users to see the locally configured users.
    - Click Active Directory to see the user groups configured on an Active Directory server.
  - In the left column, select the checkbox near the applicable usernames / user groups.
  - Click Apply.
- Monitor Remote Access VPN
  - To see the currently connected Remote Users, go to VPN > Remote Access > Connected Remote Users.
  - To see the current Remote Access VPN tunnels, go to Logs & Monitoring > Status > VPN Tunnels.
  - To see the traffic from the currently connected Remote Access VPN users, go to Logs & Monitoring > Logs > Security Logs (on the VPN > Remote Access > Blade Control page, you must select Log traffic from Remote Access users).
- Advanced options
  For more information, see Configuring Advanced Remote Access Options.
Changing the Default Remote Access VPN Port
The default Remote Access VPN port is TCP 443. If you configured the WebUI on the appliance to work on TCP port 443 as well, a conflict message appears on the VPN > Remote Access > Blade Control page.
If you enabled one of these Remote Access VPN clients:
- Check Point VPN clients
- Mobile client
- SSL VPN
then you must change the default Remote Access VPN port:
- Click the Change port link.
  The Remote Access Port Settings window opens.
- In the Remote Access port field, enter a new port number.
- Select Reserve port 443 for port forwarding.
- Click Apply.
Connections Between Remote Access VPN Clients in the Same Office Mode Pool
Follow this procedure to allow connections between Remote Access VPN clients that get an IP address from the same Office Mode Pool.
- Go to Users & Objects > Network Resources > Network Objects.
- Click New to create a new Network object for the Office Mode network:
  - In the Type menu, select Network.
  - In the Network address field, enter the applicable network IP address.
  - In the Subnet mask field, enter the required subnet mask.
  - In the Object name field, enter the applicable name. For example: OMPOOL.
  - Click Apply.
- Go to Device > Advanced > Advanced Settings.
- Configure the parameter VPN Remote Access - Back Connections enable:
  - In the top search field, enter: VPN Remote Access - Back Connections enable.
  - Select the parameter VPN Remote Access - Back Connections enable and click Edit.
  - Select the option Back connections enable.
  - Click Apply.
- Configure an Access Policy rule to allow traffic between computers in the Office Mode network:
  - Go to Access Policy > Firewall > Policy.
  - In the section Incoming, Internal and VPN traffic, click New.
  - Configure this rule:
    Source | Destination | Service | Action | Log
    OMPOOL | OMPOOL      | *Any    | Accept | Log, or None
  - Click Apply.
- Configure the NAT Policy rule to disable NAT on the traffic between computers in the Office Mode network:
  - Go to Access Policy > Firewall > NAT.
  - In the section NAT Rules, click View NAT rules.
  - Click New.
  - Configure this rule:
    Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
    OMPOOL          | OMPOOL               | *Any             | *Original         | *Original              | *Original
  - Click Apply.