topic Re: Is it possible to deploy new VPN site details to Check Point Mobile client? in SASE and Remote Access

Is it possible to deploy new VPN site details to Check Point Mobile client?

Pedro_Silva — Mon, 20 Apr 2020 01:39:54 GMT

We have an existing deployment of Check Point Mobile for Windows clients.

When the clients were installed we manually configured the Site properties for each user.

We now want to add a second site to each client configuration (as a DR option if the main site is down).

Is it possible to push the additional site configuration to the clients when they next log in?

I haven't been able to find a reference/instructions for this.

Thanks

Pedro

Re: Is it possible to deploy new VPN site details to Check Point Mobile client?

PhoneBoy — Mon, 20 Apr 2020 04:04:59 GMT

Yes, you should configure the site as a MEP gateway.
Then when the client connects again, it will get the information about the alternate site.
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/Content/Topics/137045.htm

Re: Is it possible to deploy new VPN site details to Check Point Mobile client?

Pedro_Silva — Mon, 20 Apr 2020 03:58:29 GMT

Thanks but I think that link i to the wrong sk?

Re: Is it possible to deploy new VPN site details to Check Point Mobile client?

PhoneBoy — Mon, 20 Apr 2020 04:05:24 GMT

Yes, I linked to an SK when I meant to link to the Remote Access VPN docs.
Changed my post above.

Re: Is it possible to deploy new VPN site details to Check Point Mobile client?

Pedro_Silva — Mon, 20 Apr 2020 04:17:58 GMT

Thanks, I've found the configuration instructions.

I will give this a go when we next have a window where everyone isn't on the VPN at once.

Re: Is it possible to deploy new VPN site details to Check Point Mobile client?

Pedro_Silva — Fri, 24 Apr 2020 06:56:17 GMT

I have been reviewing the 80.20 Remote Access VPN Admin guide to try and understand MEP and I am confused about the best way to proceed.

We have a gateway at head office configured with Mobile Access and IP Sec VPN.

It provides Office mode address to Check Point Mobile for Windows clients. This is working fine.

We have now configured a new gateway at a second office. We want this to be used if the internet link at head office fails.

The offices are connected via a WAN link. The Remote Access VPN Domains overlap/are the same.

The moment the second gateway was up and configured we started to see some clients connect via it instead of head office.

I think this is Implicit - First to Respond at work.

Both gateways are configured for Visitor Mode.

I have tried disabling MEP but we are still seeing some clients connect via the second site.

"To disable MEP, set the following command to true in DBedit, the Check Point database tool:

desktop_disable_mep
When MEP is disabled, MEP RDP probing and fail over are not be performed. As a result, remote hosts connect to the Security Gateway defined without considering the MEP configuration. Remote Access clients use Visitor Mode instead of RDP to probe gateways."

Ideally I would prefer to set Primary-Backup but I am finding this next set of instructions regarding the backup gateway configuration confusing:

Primary-Backup

To configure Implicit Primary-Backup:

From Menu, click Global Properties.
From the navigation tree, click VPN > Advanced.
Click Enable Backup Gateway.
Click OK.
Publish the changes.

To configure the backup gateway settings:

Click Gateways & Servers and double-click the primary Security Gateway.
The gateway window opens and shows the General Properties page.
From the navigation tree, click IPsec VPN.
Click Use Backup Gateways.
From the drop-down menu, select the backup gateway.
Determine if the backup gateway uses its own VPN domain.
To configure the backup gateway without a VPN domain of its own:
1. Double-click the Security Gateway and from the navigation tree click Network Management > VPN Domain.
2. Click Manually defined.
3. Click the field and select the group or network that contains only the backup gateway
4. Click OK and publish the changes.
To configure the backup gateway that DOES have a VPN domain of its own:
1. Make sure that the IP address of the backup gateway is not included in the VPN domain of the primary gateway.
2. For each backup gateway, define a VPN domain that does not overlap with the VPN domain of the other backup gateways.
  
  8. Configure IP pool NAT or Hide NAT to handle return packets.

For our scenario, where the gateways are linked by an internal WAN and hence have the same overlapping VPN domain, do I use option 6 and select just the gateway object as the VPN domain on the backup gateway?

And if we are using Office Mode with an Office Mode range for each gateway with our internal routing configured can we ignore step 8 and remove NAT from Office mode?

Thanks

Pedro

Re: Is it possible to deploy new VPN site details to Check Point Mobile client?

PhoneBoy — Tue, 19 Jul 2022 16:51:34 GMT

E86.40 and above on Windows allows updating the VPN Site details via a push operation via the Harmony Endpoint web management.
Mac support for this feature is planned for later in 2022.
This is, to my knowledge, not supported for standalone VPN clients (i.e. not managed by Harmony Endpoint).
See: https://sc1.checkpoint.com/documents/E86.40/EN/CP_E86.40_RemoteAccessClients_forWin_ReleaseNotes/Content/Topics/What-is-New.htm?Highlight=push