Phillip-83
Participant

Split Tunnel VPN for Office365 on Mobile devices

Hi everyone, 

Currently, I'm in the process of a POC of Check Point FW + Harmony for a potential customer.

Topo:
topo.jpg

For the mobile VPN, they have a test case: when an employee's mobile device connects to the VPN (using the Capsule app), there is no need to route traffic to HQ when accessing the internet, surfing websites, ... but only when they use an app/website related to Office365, which needs to automatically route the traffic: client -> HQ -> O365.

Note: With endpoint devices, the VPN must route all traffic to HQ: endpoint -> HQ -> internet (and I can't create more than 2 remote access communities for endpoint and mobile, so I can't customize individual VPN domains).

I have seen this sk: How to configure Split Tunnel for Office 365 and other SaaS Applications (checkpoint.com), but it seems like it's the opposite of my case.

Does anyone have experience with this case, or can Checkpoint create a multi Remote Access VPN?

Please help me.

Thanks & Best regards.

1 Solution

Accepted Solutions
Nüüül
Advisor

Hello,

If this use case applies to all remote users, you might use the solution stated in the sk mentioned, using the group object "enc_domain" as a normal group with "o365_address_ranges" and, if needed, other networks as members.

Doing so, all traffic to o365 will be routed via the security gateway.

If you have other use cases regarding this setup, you might run into problems, as encryption domains can only be set once per RemoteAccess Community. And there is only one RemoteAccess Community at one Management Server.

As the_rock mentioned, having multiple ... "VPN profiles", you might likely run into limitations.

4 Replies
the_rock
Legend

Just wondering, is this the case of the customer wanting to assign different auth methods to different groups? If so, I don't believe that's possible as of yet. If I totally misunderstood, apologies.

Andy

PhoneBoy
Admin

Because this is the usual use case: route everything except for Office 365.
To do what you're trying to do (route Office 365 traffic through the Remote Access VPN), see: https://support.checkpoint.com/results/sk/sk167000 

Note that you might want to investigate Harmony SASE for this use case.

the_rock
Legend

Ah, that sk, right.
