topic Re: Traffic between 2 users connected to Remote Access. in General Topics

Traffic between 2 users connected to Remote Access.

Gusa2727 — Thu, 12 Mar 2020 19:00:06 GMT

Hello,

I have a simple question, is possible to allow 2 users connected through Remote Access in the same Gateway to talk each other? I am trying to ping another Laptop connected in RA but I cannot but I can ping both devices from internal LAN. Thanks!

Best Regards.

Re: Traffic between 2 users connected to Remote Access.

_Val_ — Fri, 13 Mar 2020 08:26:42 GMT

Technically, with Office Mode IP addresses, VPN routing through GW is possible. However, these IP assignments are dynamic, hence in practice it is really hard to achieve.

So, the practical answer is, most probably no

Re: Traffic between 2 users connected to Remote Access.

Gusa2727 — Fri, 13 Mar 2020 08:33:40 GMT

Hello,

Thank you for your answer. IPs being assigned dynamically is not a problem, the thing is that we need that two users connected to RA VPN access, should be able to talk using Cisco Jabber, so I need IP connectivity between these users. I have select the Hub Mode option (Allow VPN Clients to route traffic through this gateway) but it does not work :-(. I think that there should be a solution for this, two remote users being able to call and talk each other using VoIP is not an uncommon scenario.

Best Regards.

Re: Traffic between 2 users connected to Remote Access.

_Val_ — Fri, 13 Mar 2020 10:54:51 GMT

Check you have specifically allow Jabber connectivity through VPN tunnel.

Re: Traffic between 2 users connected to Remote Access.

Bob_Bumpus1 — Fri, 13 Mar 2020 15:21:00 GMT

You probably need to add the Office Mode network to the VPN Domain of the gateway. If that doesn't help, double check the traffic logs and see if it gives an indication as to why this doesn't work.

Re: Traffic between 2 users connected to Remote Access.

Gusa2727 — Tue, 17 Mar 2020 12:45:11 GMT

Yes, I have added the network in the VPN Domain for Remote Access and I even add a rule to permit traffic between remote access pool network and remote access pool network .

The thing is that I have the same scenario on a Cisco ASA and it works, two users connected to RA VPN are able to call each other using Jabber.

Looking the Checkpoint Logs, I cannot find anything related this traffic but I can see that my PC is sending the traffic to the firewall when I try to reach another user connected to RA VPN. I was able to see it using Wireshark. There is something in the Checkpoint which is dropping this traffic silently but I cannot find the reason 😞

Thanks.

Re: Traffic between 2 users connected to Remote Access.

Vladimir — Wed, 03 Feb 2021 01:22:34 GMT

@Gusa2727 , were you ever able to find a solution to this issue? Looks like one of my clients with Jabber is looking to replace their AnyConnect solution with Check Point RA and I may run into same situation.

Thank you.

Re: Traffic between 2 users connected to Remote Access.

Fernandosilva — Wed, 03 Feb 2021 01:46:33 GMT

I have in our environment this scenario, we use VPN Client 84.00 and Cisco Jabber, we call eatch other withou problem. Send me an e-mail, we can make a remote session in webex.

fernando.bvds@gmail.com

Re: Traffic between 2 users connected to Remote Access.

Gareth_somers — Wed, 03 Feb 2021 10:38:51 GMT

There should be no issue, we allow Remote Access Clients to communicate with each other (Jabber, Remote access for ICT, etc.) without issue, We use Office Mode to assign IPs and a post connection script to update DNS in AD so they resolve correctly.

We did see an issue with certain users (less then .2% of the user base) where SecureXL templates weren't being created correctly and Remote Access to Remote Access failed for them (so no ping, Jabber calls, SMB etc.) but access from the LAN worked fine. Disabling SecureXL (fwaccel off) fixed this and once we moved to R80.40, we were able to reenable SecureXL without issue.

Re: Traffic between 2 users connected to Remote Access.

Vladimir — Wed, 03 Feb 2021 13:22:40 GMT

Thank you @Gareth_somers . Can you clarify few things for me:

1. Are your remote clients using Secure Domain Logon (SDL)?

2. Do you serve them IPs from AD DHCP or the Office mode range?

3. Do you allow Reverse Lookup Zone in AD DNS to use Nonsecure and Secure updates?

If it is not too much trouble, can you share the script or drop it to me in DM?

Re: Traffic between 2 users connected to Remote Access.

Gareth_somers — Wed, 03 Feb 2021 14:16:11 GMT

1. Are your remote clients using Secure Domain Logon (SDL)?

No - We decided against this as a security risk, we didn't want the VPN up before the user was logged in. Instead we use User Certs stored in their personal store so in order to connect to the network they must first authenticated.

2. Do you serve them IPs from AD DHCP or the Office mode range?

Originally we used DHCP from AD, however we do not have AD in the Datacenter that the Remote Access firewalls are located in and this meant traversing other firewalls and a VPN tunnel in order to get IPs. Given the dependency on this we moved to the firewalls providing IPs locally which meant that we had to add logic via a post connect script to update DNS (only secure DNS changes are allowed in our AD) and for updating GPOs.

3. Do you allow Reverse Lookup Zone in AD DNS to use Nonsecure and Secure updates?

Secure updates as above, this is handled via a script run post connection from the end users device.

Re: Traffic between 2 users connected to Remote Access.

Ave_Joe — Wed, 03 Feb 2021 20:46:22 GMT

I would start by checking the route table on RA client PC's when connected to RA VPN. If the route to the Office Mode network is there then I suspect the voice issue may be NAT related. I would look to see if there is a no-NAT rule for the Office Mode IP's.

Re: Traffic between 2 users connected to Remote Access.

Ave_Joe — Wed, 03 Feb 2021 20:53:05 GMT

The post connection script may be just the ticket I am looking for to address DNS inconsistency that has showed it's head from time to time in my environment. Are you willing to share a 'cleaned' version of the script?

Re: Traffic between 2 users connected to Remote Access.

Gareth_somers — Wed, 03 Feb 2021 21:56:25 GMT

Sure I may have made it sound more impressive than it actually is, the DNS update is just done via a call to gpupdate:

@echo off
echo **************************************
echo **************************************
echo ** **
echo ** Please wait while we connect you **
echo ** **
echo **************************************
echo **************************************
ping 127.0.0.1 -n 5 > nul
gpupdate /wait:0
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000003}" /NOINTERACTIVE
@echo on
exit