Configuring SSL Network Extender as a VPN Client
To configure SSL Network Extender as a VPN client:
1. From the Gateways & Servers tab, right-click the Mobile Access Security Gateway and select Edit.
   The Security Gateway properties window opens and shows the General Properties page.
2. From the navigation tree, click Mobile Access > SSL Clients.
   SSL Network Extender is automatically enabled when the Mobile Access Software Blade is enabled.
3. Select an option:
   - Automatically decide on client type according to endpoint machine capabilities - downloads the SSL Network Extender Network Mode client if the user on the endpoint machine has administrator permissions, and downloads the Application Mode client if the user does not have administrator permissions.
   - Application Mode only - the SSL Network Extender Application Mode client is downloaded to the endpoint machines, regardless of the capabilities of the endpoint machine.
   - Network Mode only - the SSL Network Extender Network Mode client is downloaded to the endpoint machines, regardless of the capabilities of the endpoint machine. The user on the endpoint machine must have administrator permissions in order to access Native Applications.
4. Click OK.
5. Install the Access Control policy.
If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access Software Blade on the Security Gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.
Configuring Office Mode
When working with Office Mode, Remote Access clients receive an IP address allocated for them by the VPN administrator. These addresses are used by the clients in the source field of the IP packets they build. Since the IP packets are then encrypted and encapsulated, the packets appear to the Internet with their original IP address. To the organization's internal network, after decapsulation and decryption, they appear with the allocated IP address. The clients seem to be on the internal network.
For more about Office Mode, see the Remote Access VPN Administration Guide for your version.
Configure Office Mode in Gateway Properties > Mobile Access > Office Mode. The settings configured here apply to Mobile Access clients and IPsec VPN clients.
Office Mode Method
Choose the methods used to allocate IP addresses for Office Mode. All of the methods selected below are tried sequentially until the Office Mode IP addresses are allocated.
- From $FWDIR/conf/ipassignment.conf
  You can override the Office Mode settings created on the Security Management Server. Edit the plain text file ipassignment.conf in the $FWDIR/conf/ directory on the Check Point Security Gateway. The Security Gateway uses these Office Mode settings and not those defined for the object in the Security Management Server.
  The ipassignment.conf file can specify:
  - An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups, when they connect using Office Mode.
  - A different WINS server for a particular user or group.
  - A different DNS server.
  - Different DNS domain suffixes for each entry in the file.
- From the RADIUS server used to authenticate the user
  A RADIUS server can be used for authenticating remote users. When a remote user connects to a Security Gateway, the user name and password are passed on to the RADIUS server, which checks that the information is correct and authenticates the user.
- Using one of the following methods
  - Manually (IP pool)
    Create a Network Object with the relevant addresses. The allocated addresses can be illegal, but they have to be routable within the internal network.
  - Automatically (Using DHCP)
    Specify the machine on which the DHCP server is installed. In addition, specify the virtual IP address to which the DHCP server replies. The DHCP server allocates addresses from the appropriate address range and relates to VPN as a DHCP relay agent. The virtual IP address must be routable so that the DHCP server can send its replies correctly.
    DHCP allocates IP addresses per MAC address. When VPN needs an Office Mode address, it creates a MAC address that represents the client and uses it in the address request. The MAC address can be unique per machine or per user. If it is unique per machine, VPN ignores the user identity: if different users work from the same Remote Access client, they are allocated the same IP address.
Multiple Interfaces
If the Security Gateway has multiple external interfaces, there might be a routing problem for packets whose destination address is a client working in Office Mode. The destination IP address is replaced when the packet is encapsulated, so the previous routing information becomes irrelevant. Resolve this problem by setting the Security Gateway to Support connectivity enhancement for gateways with multiple external interfaces. Do not select this option if your Security Gateway has only one external interface, because this option affects performance.
Anti-Spoofing
If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode.
If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.
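As an added illustration (not Check Point's own code) of what the Anti-Spoofing check above verifies: after decapsulation, a packet's inner source address must lie inside the Office Mode pool or DHCP-scope Network object and must be the address actually leased to the tunnel it arrived on. The scope, the lease table and the packets below are constructed sample data, and the fail-closed handling of a missing scope is this example's choice.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data, not taken from any real deployment:
# the Network object representing the Office Mode pool / DHCP scope that
# is selected for Anti-Spoofing, and the Office Mode address leased to
# each tunnel peer, keyed by the peer's public (outer) address.
OFFICE_MODE_SCOPE = ipaddress.ip_network("10.5.5.0/24")
LEASES: Dict[str, str] = {
    "203.0.113.10": "10.5.5.8",
    "198.51.100.7": "10.5.5.20",
}


@dataclass(frozen=True)
class DecapsulatedPacket:
    outer_src: str  # public address the encrypted packet arrived from
    inner_src: str  # source address in the decrypted, decapsulated IP header


def check_office_mode_source(
    pkt: DecapsulatedPacket,
    scope: Optional[ipaddress.IPv4Network] = OFFICE_MODE_SCOPE,
    leases: Dict[str, str] = LEASES,
) -> Tuple[bool, str]:
    """Return (accept, reason) for one decapsulated packet.

    The inner source must be inside the Office Mode scope and must equal the
    address leased to the tunnel peer it came from. If no scope is known
    (the DHCP-scope object was never selected), the check cannot be made;
    this example rejects rather than waves such packets through.
    """
    if scope is None:
        return False, "no Office Mode scope configured; cannot verify"
    inner = ipaddress.ip_address(pkt.inner_src)
    if inner not in scope:
        return False, f"{inner} is outside Office Mode scope {scope}"
    leased = leases.get(pkt.outer_src)
    if leased is None:
        return False, f"no Office Mode lease for peer {pkt.outer_src}"
    if ipaddress.ip_address(leased) != inner:
        return False, f"{inner} does not match lease {leased} for peer {pkt.outer_src}"
    return True, "ok"
```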
IP Pool Optional Parameters
Configure additional optional parameters for how Office Mode addresses are assigned by clicking Optional Parameters. If the Office Mode addresses are allocated from an IP pool, this window allows you to specify the DNS and WINS addresses by selecting the appropriate Network Objects. In addition, specify the backup DNS and WINS servers and supply the Domain name.
If the office mode addresses are allocated by a DHCP server, DNS and WINS addresses are set on the DHCP server.
These details are transferred to the Remote Access client when a VPN is established.
IP Lease Duration
Specify the amount of time after which the Remote Access client stops using the allocated IP address and disconnects. By default, the duration is 15 minutes. The client tries to renew the IP address by requesting the same address after half of the set time has elapsed. When this request is granted, the client receives the same address until the lease expires. When the new lease expires, it must be renewed again.