topic Re: Restrict users to disconnect from remote access VPN client in Endpoint

Restrict users to disconnect from remote access VPN client

KirillMuravyev — Fri, 18 Jul 2025 08:28:21 GMT

Hello mates!

We are looking for a solution for remote users to inspect all their Internet traffic while out of a corporate network.

Enabling fulltunnel makes all traffic to be routed through gateway for inspection, but users still able to click "disconnect" in the client.

I know about machine certificate only auth, but we cannot use it as less secure option.

Also, ATM looks not good as well.

I was hoping this can solve my problem:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Desktop-Security.htm?tocpath=Desktop%20Security%7C_____0#Desktop_Security

section "Location-Based Policies". But I didn't get from the documentation exactly how to set this up, where to configure "connected" and "disconnected" policy.

So ideally the idea is to restrict Internet access for users until they are connected to VPN.

has anyone tried this setup?

Re: Restrict users to disconnect from remote access VPN client

_Val_ — Mon, 21 Jul 2025 08:36:56 GMT

You need to create a rule in the disconnected policy which blocks web access.

Re: Restrict users to disconnect from remote access VPN client

G_W_Albrecht — Mon, 21 Jul 2025 09:40:01 GMT

See https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Desktop-Security.htm?Highlight=Location-Based%20Policies for all necessary steps!

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Mon, 21 Jul 2025 10:06:27 GMT

Hi, can you share where exactly this disconnected policy exists and how to confgiure it?

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Mon, 21 Jul 2025 10:06:06 GMT

Hi, I know this doc as I shared it in initial message.

This page in guide regarding location-based policy does not specify where exactly should I configure connected/disconnected policy, this is not obvious.

Re: Restrict users to disconnect from remote access VPN client

_Val_ — Mon, 21 Jul 2025 10:16:52 GMT

In that very document, it says (bold markings are mine):

The administrator defines the Desktop Security Policy in the Desktop Rule Base in SmartDashboard. You can assign rules to specified user groups or to all users.

SmartDashboard, Desktop Policy, it is documented.

Re: Restrict users to disconnect from remote access VPN client

_Val_ — Mon, 21 Jul 2025 10:18:24 GMT

Also, in the same document:

Configuring Desktop Security

To enable the Security Gateway to be a Policy Server for Desktop Security:

Click Gateways & Servers and double-click the Security Gateway.

The Security Gateway window opens and shows the General Properties page.
On the Network Security tab, select IPsec VPN and Policy Server.
Click OK.
Publish the changes.

To activate the Desktop Security policy:

Click Security Policies and open the Manage Policies window (CTRL + T).
Click the All icon.
Select the policy to edit and click Edit.

The policy window opens.
Select Desktop Security.
Click OK.
Install policy.

To configure the Desktop Policy rules:

Click Security Policies, and from the navigation tree, click Access Control > Desktop.
Click Open Desktop Policy in SmartDashboard.

SmartDashboard opens and shows the Desktop tab.
Configure the inbound rules: Click Rules>Add Rule to add rules to the policy.

In inbound rules, the client computer (the desktop) is the destination. Select user groups to which the rule applies.
Configure the outbound rules. Click Rules>Add Rule to add rules to the policy.

In outbound rules, the client computer (the desktop) is the source. Select user groups to which the rule applies.
Click Save and close SmartDashboard.
Install the policy.

Make sure that you install the Advanced Security policy on the Security Gateways and the Desktop Security policy on your Policy Servers.

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Mon, 21 Jul 2025 10:41:47 GMT

THanks, but I can read the guide as well and I followed all the steps.

Guide says that we have Connected policy and Disconnected policy.

It is not clear where you configure those 2 different policies?

Below is a screenshot from SmartDashboard, where should I configure Connected policy and Disconnected policy?

Re: Restrict users to disconnect from remote access VPN client

_Val_ — Mon, 21 Jul 2025 12:44:22 GMT

This screenshot does not look right. Which version are you using? The GUI looks like a very old version

Re: Restrict users to disconnect from remote access VPN client

PhoneBoy — Mon, 21 Jul 2025 21:25:00 GMT

You don't really configure a specific "disconnected" policy, but it changes the relevant "encrypt" rules to allow.
See here: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/Location-Based-Policies.htm?Highlight=disconnected

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Tue, 22 Jul 2025 07:01:10 GMT

Screenshot looks right, SMS version is 81.20 take 105.

This is a SmartDashboard for configuring desktop policy, screenshot below shows where you open it

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Tue, 22 Jul 2025 07:40:10 GMT

Again, I saw this doc and followed all the steps. If it was clear from the guide how it works I wouldn't create this topic.

The goal is to restrict user's Internet access while not connected to VPN. I was hoping to configure connected/disconnected policy like it is mentioned in the guide, but it is not clear exactly how.

The guide says:

Connected Policy - Enforced when:
- VPN is connected.
- VPN is disconnected and Location Awareness determines that the endpoint computer is on an internal network. The Connected Policy is not enforced "as is" but modified according to the feature's mode (the disconnected_in_house_fw_policy_mode property).
Disconnected Policy - Enforced when the VPN is not connected and Location Awareness sees that the endpoint computer is not on an internal network.

So, it says that connected policy will be inforced also when VPN is disconnected but modified according to property

Later guide says regarding this property (disconnected_in_house_fw_policy_mode):

Possible values are:

encrypt_to_allow - Connected policy will be enforced, based on last connected user. Encrypt rules will be transformed to Allow rules (default).
any_any_allow - "Any - Any - Allow" will be enforced.

So, it is not clear what does it mean "based on last connected user" and "Encrypt rules will be transformed to Allow rules", what user we talking about, what encrypt rules we talking about?

All in all not clear what this feature do exactly

Re: Restrict users to disconnect from remote access VPN client

G_W_Albrecht — Tue, 22 Jul 2025 11:14:18 GMT

As this is a legacy feature very seldom enabled and used, i would suggest to open SR# with CP TAC to get the procedure to accomplish your goal !

Re: Restrict users to disconnect from remote access VPN client

the_rock — Tue, 22 Jul 2025 14:53:38 GMT

On way would be if you have IA enabled to set up access role for this. I attached a screenshot.

Andy

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Wed, 23 Jul 2025 07:22:49 GMT

What is IA?

Can you elaborate please how access role in access rule can help accomplish the goal?

Re: Restrict users to disconnect from remote access VPN client

the_rock — Wed, 23 Jul 2025 11:15:43 GMT

Identity awareness. I will take video later and upload.

Andy

Re: Restrict users to disconnect from remote access VPN client

the_rock — Wed, 23 Jul 2025 12:27:53 GMT

@KirillMuravyev

Attached. Btw, once you have access role configured, you can use it in policy rule to restrict access.

Andy

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Wed, 23 Jul 2025 14:24:29 GMT

Thanks for video, I do have IA enabled and I understand how to configure the access role.

The question was how this setup will help me restrict remote user's Internet access while not connected to VPN ?

The goal is to force people connect to VPN while they are remote, always-connect feature is on but it still allowes user to click "disconnect" button

Re: Restrict users to disconnect from remote access VPN client

the_rock — Wed, 23 Jul 2025 14:35:25 GMT

One way it can help is to add type of clients in access role and then use that role to allow or restrict access.

Andy

Re: Restrict users to disconnect from remote access VPN client

KirillMuravyev — Wed, 23 Jul 2025 15:06:38 GMT

So how to set this policy work only for "disconnected" clients?