<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Two ways to handle Remote Access: How seamlessly can they integrate? in SASE and Remote Access</title>
    <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77474#M11348</link>
    <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28984"&gt;@mdjmcnally&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt;&amp;nbsp;&lt;SPAN&gt;It does NOT use MOB licenses even if trying to connect to a Gateway without the Desktop Security configured.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I understand what you are saying but (and apologies in advance for saying) I think you're misunderstanding the process that is occurring. I am not saying that I am right, but all I can report is what I'm seeing in debugs and what you say is not what we are seeing. Can you point me in the direction of where this is documented please?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am beginning to suspect that, due to how the two licensing options for a VPN client are 'sold', this is where a lot of the confusion is coming from. I'll try and explain (I say 'try' as I am trying to understand all of this myself), but - again - we are NOT using the desktop firewall. We are using the VPN tunnel and OM addressing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This all seems to be related to what one of our endpoint guys has been saying which is: when a client connects to a gateway and establishes a VPN tunnel with either the Endpoint Security VPN or the Mobile for Windows clients, it does not look for a MAB license or an Endpoint container license - all it looks for is whether there is a free office mode address available. As we all agree upon, the available office mode address space can be provided by either the MAB license or the endpoint security container/sandblast license, or potentially both.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When a Mobile for Windows user connects in, this is not shown as a MAB user, but it is shown as an OM license being consumed. 
The same is true when an Endpoint Security VPN client connects in to a gateway without policy server, but with MAB enabled and the SSLVPN license component - another OM address being consumed, but this is not seen as a MAB user.&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, that is why I disagree with your statement. Rather I do agree with it, but it is invalid in this case. I agree with you because I think you are right: an Endpoint Security VPN client will not use a MAB license. But that is irrelevant as neither does a Mobile for Windows client. You can easily see this when you try connecting with either client with only the MAB blade enabled - the MAB user count does not increment. What they are really using is the OM address space that a MAB or endpoint container license provides and you can see this in various places, including a VPN debug.&lt;/P&gt;</description>
    <pubDate>Fri, 06 Mar 2020 15:48:58 GMT</pubDate>
    <dc:creator>Dave_Hoggan</dc:creator>
    <dc:date>2020-03-06T15:48:58Z</dc:date>
    <item>
      <title>Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77296#M11329</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I've been struggling to find an answer to the following two questions, so hoping someone here might be able to help. I also think some of us might also have the same questions.&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;First, the easy question. As I understand it both Endpoint Security VPN and Mobile for Windows are IPSec clients that can wrap the communication to the gateway in HTTPS (aka visitor mode). Am I right in assuming that this is simply a case of IPSec over port 443 and there is no SSL involved? I am trying to work out if adding, for example, 200 extra VPN client users will have a big effect on gateway performance. If they are simple IPsec tunnels then no, but if they each need to be SSL decrypted, then that is more of an impact.&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;Second, the harder question. Imagine I have an existing deployment of Endpoint Security VPN with appropriate endpoint container licensing for VPN and FW and that I have enough licensing for 50 VPN users. Due to the COVID-19 situation I want to use Check Point's 60-day MAB license offer for an additional 200 remote users. I understand that these extra&amp;nbsp;users won't have the client FW capability as it's not part of the MAB license. Let's assume that I have obtained the 200 MAB user license from Check Point and added it.&lt;/P&gt;&lt;P&gt;1) Can I deploy the Endpoint Security VPN client to ALL users? I understand users connecting under MAB licensing will not get the endpoint FW capability, but I would like to keep things simple by only having a single client type deployed.&lt;/P&gt;&lt;P&gt;2) I now have two remote access VPN license schemes installed (50 Endpoint containers and 200 MAB licenses). When a remote VPN user connects, which license scheme is used first? 
This is important as it will dictate whether the user gets the endpoint FW or not.&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) When enough remote users connect to exhaust one licensing scheme, will it automatically start using the next licensing scheme?&amp;nbsp; For example, if the endpoint container scheme is used first, when the 51st user connects will it automatically see this as a MAB license?&amp;nbsp; &amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Dave&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 13:24:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77296#M11329</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-05T13:24:35Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77298#M11330</link>
      <description>&lt;P&gt;You can find all answers in&amp;nbsp;&lt;A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk67820&amp;amp;partition=Basic&amp;amp;product=Endpoint" target="_blank"&gt;sk67820: Check Point &lt;STRONG&gt;Remote&lt;/STRONG&gt; &lt;STRONG&gt;Access&lt;/STRONG&gt; Solutions&lt;/A&gt;&amp;nbsp;!&lt;/P&gt;
&lt;P&gt;Please remember that the IP Sec VPN and MAB blade have very different licenses, so seamless integration is impossible.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 13:34:16 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77298#M11330</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-03-05T13:34:16Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77300#M11331</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I have actually been reading the sk67820 article before posting my questions, so apologies, but I don't think it answers any of my questions.&amp;nbsp;&lt;/P&gt;&lt;P&gt;It does not specify how IPsec over HTTPS is implemented. I believe that visitor mode works by simply taking an IPsec packet, adding a TCP header and sending it to port 443. In other words it is not really HTTPS (and so does not need any form of HTTPS decryption). But I was really after some confirmation that this is right (or wrong!)&lt;/P&gt;&lt;P&gt;It does not specify the order in which licensing is used, if two license schemes are available. It does not specify anything at all about what happens when there are two valid, but different, licensing schemes in place at the same time.&lt;/P&gt;&lt;P&gt;And, apologies in advance (as I do not want to appear rude as it is not my intention) but when you state:&amp;nbsp;&lt;SPAN&gt;"Please remember that the IP Sec VPN and MAB blade have very different licenses, so seamless integration is impossible." I am not sure you have understood my questions. I know that the two blades can function in very different ways (client vs. clientless), but that is not what I am asking. I am not talking about using MAB as a blade. I am talking about using MAB licensing to support an IPsec client and how that works with other IPsec clients using the Endpoint Security (or Sandblast basic).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Dave&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 13:56:45 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77300#M11331</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-05T13:56:45Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77316#M11332</link>
      <description>&lt;P&gt;MAB does not license any IPSec VPN client at all ! We speak about two different products that have very different licensing (seat based with IPSec and concurrent with MAB). The only thing both IPSec and MAB use is OfficeMode - and that is where the seats or number of concurrent users become important !&lt;/P&gt;
&lt;P&gt;In fact, both RA VPN client types use different licensing schemes that have no cross-dependencies at all. This situation has grown out of historic development, namely old SecureClient (IPSEc VPN) and old Connectra (predecessor of MAB) representing very different products...&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 15:07:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77316#M11332</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-03-05T15:07:43Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77323#M11333</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;gt;&amp;nbsp;&lt;SPAN&gt;MAB does not license any IPSec VPN client at all&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Are you saying that if I only have the MAB blade enabled I cannot use a VPN client (such as Endpoint Security VPN or Mobile for Windows)? I ask as they are both IPsec VPN clients. Also, when you enable MAB, the wizard does ask if you want to use the Endpoint Security VPN and Mobile for Windows clients. I am assuming that if you do use the Endpoint Security VPN client, there is no firewall policy as it isn't a MAB function, but MAB does give you the option to use it as a VPN client.&lt;/P&gt;&lt;P&gt;And I do understand that the two licensing schemes are different, but it is possible to have both enabled at the same time. So, my question really is the same: when a client connects to a gateway and both MAB licensing and Endpoint containers (or Sandblast Basic) licensing is available, which is used first?&lt;/P&gt;&lt;P&gt;If you are right and you cannot use a client with a MAB license, then it cannot be the MAB license. But, since sk67820 states IPSec VPN clients *can* be used with MAB (see below) - and we have customers doing exactly that - I don't understand your "&amp;nbsp;&lt;SPAN&gt;MAB does not license any IPSec VPN client at all" statement.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MAB-requirements.JPG" style="width: 999px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/4712i0BD9704765D1F0BD/image-size/large?v=v2&amp;amp;px=999" role="button" title="MAB-requirements.JPG" alt="MAB-requirements.JPG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Dave&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 15:34:26 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77323#M11333</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-05T15:34:26Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77345#M11334</link>
      <description>&lt;P&gt;Let me get back to real basics with this one&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can use Endpoint Security VPN and Mobile Access Blade on the Same Gateway.&lt;/P&gt;&lt;P&gt;ie One User connects with Endpoint Security VPN Client and another connects with say Capsule Connect or Check Point Mobile for Windows Client.&lt;/P&gt;&lt;P&gt;However they use different licenses.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So if you have 50 Endpoint Security VPN Licenses and a 200 Seat MOB license then you can have 50 Endpoint Security Users and 200 MOB Users connected to the Same Gateway at the same time&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However what it won't do is take a 51st Endpoint Security VPN Client Connection and use a Spare MOB license for that user.&lt;/P&gt;&lt;P&gt;It won't take the 201st MOB Connection and use a spare Endpoint Security VPN license to allow to connect.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So you can use both at the same time but they won't use others licenses.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 18:50:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77345#M11334</guid>
      <dc:creator>mdjmcnally</dc:creator>
      <dc:date>2020-03-05T18:50:53Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77348#M11335</link>
      <description>&lt;P&gt;&amp;gt; Let me get back to real basics with this one&lt;/P&gt;&lt;P&gt;Yes, at least then there is little room for confusion.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt; You can use Endpoint Security VPN and Mobile Access Blade on the Same Gateway.&lt;/P&gt;&lt;P&gt;&amp;gt; ie One User connects with Endpoint Security VPN Client and another connects with say Capsule Connect or Check Point&lt;/P&gt;&lt;P&gt;&amp;gt; Mobile for Windows Client.&lt;/P&gt;&lt;P&gt;&amp;gt; However they use different licenses.&lt;/P&gt;&lt;P&gt;Yes, agree completely - as I have been saying exactly this in my previous posts.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt; So if you have 50 Endpoint Security VPN Licenses and a 200 Seat MOB license then you can have 50 Endpoint Security&lt;/P&gt;&lt;P&gt;&amp;gt; Users and 200 MOB Users connected to the Same Gateway at the same time&lt;/P&gt;&lt;P&gt;Again, completely agree - I have been saying this too in my previous posts.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt; However what it won't do is take a 51st Endpoint Security VPN Client Connection and use a Spare MOB license for that&lt;/P&gt;&lt;P&gt;&amp;gt; user.&lt;/P&gt;&lt;P&gt;&amp;gt; It won't take the 201st MOB Connection and use a spare Endpoint Security VPN license to allow to connect.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you sure? 
I mean - do you really know this for certain?&lt;/P&gt;&lt;P&gt;The reason I ask is one (1) The Mobile Access Blade configuration explicitly allows you to use the Endpoint Security VPN client with MAB licensing - see screenshot below:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MAB-GTY Option.JPG" style="width: 552px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/4716i7A3ABCDA8607E11C/image-size/large?v=v2&amp;amp;px=999" role="button" title="MAB-GTY Option.JPG" alt="MAB-GTY Option.JPG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;(2) it allows you to connect to a gateway with only the MAB blade ticked and SSLVPN licensing (and no IPSec blade and no Sandblast Basic or Endpoint container licensing).&lt;/P&gt;&lt;P&gt;As I have stated in previous posts, I am not asking whether an Endpoint Security VPN client will get the FW functionality if connecting via MAB licensing - of course it won't.&lt;/P&gt;&lt;P&gt;What I am asking given that the MAB blade clearly supports the use of the Endpoint Security VPN client and counts such a connection against the MAB license and given that I have a 50 seat endpoint container license then:&lt;/P&gt;&lt;P&gt;(1) which licence is used first and&lt;/P&gt;&lt;P&gt;(2) is the product "clever" enough to realise that it has two licensing schemes, both capable of allowing an Endpoint Connect VPN client and so automatically start counting new clients towards the second license once the first is depleted?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dave&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 19:39:33 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77348#M11335</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-05T19:39:33Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77353#M11336</link>
      <description>Check Point Mobile (which is the Endpoint VPN Client without the Desktop Firewall) can be used with MAB licenses and is tracked based on concurrent connected users.&lt;BR /&gt;Check Point Mobile can operate as IPsec or SSL VPN (Visitor Mode).&lt;BR /&gt;SNX is the same deal except it uses Visitor Mode only (I believe).&lt;BR /&gt;&lt;BR /&gt;The Full Endpoint VPN client uses Endpoint licenses and is licensed based on number of installed clients (not necessarily connected ones).&lt;BR /&gt;Full Endpoint VPN clients should never use MAB licenses.&lt;BR /&gt;Likewise, Check Point Mobile/SNX will never use full Endpoint licenses.&lt;BR /&gt;&lt;BR /&gt;Hope that clears things up.</description>
      <pubDate>Thu, 05 Mar 2020 20:07:33 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77353#M11336</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2020-03-05T20:07:33Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77357#M11337</link>
      <description>&lt;P&gt;To be honest, no. When you refer to full Endpoint client, I'm thinking you mean VPN with FW, correct? If so, this is exactly what I am NOT meaning. I mean to use the Endpoint Security VPN client as VPN only.&lt;/P&gt;&lt;P&gt;But you do raise an interesting question. You mention that Mobile for Windows can act as IPsec or SSL VPN (visitor mode). Is this implying that Mobile for Windows in Visitor mode is actually a full SSL VPN tunnel, as I was told differently by our Check Point SE. I thought that visitor mode only added a TCP packet to IPsec data and used port 443, but was not actually&amp;nbsp;"real" SSL. Are you saying it is?&lt;/P&gt;&lt;P&gt;Also, if you cannot use the Endpoint Security VPN client, why is it even an option in the MAB configuration pane on the gateway object, let alone actually work? Again I am NOT wanting FW functionality, simply a VPN tunnel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Dave&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 20:26:05 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77357#M11337</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-05T20:26:05Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77369#M11338</link>
      <description>Full Endpoint client includes the firewall, Check Point Mobile doesn't.&lt;BR /&gt;For Windows, it's the same installation package for both, with the difference being which option you choose on installation.&lt;BR /&gt;&lt;BR /&gt;I'm not familiar with how Visitor Mode is actually implemented at the protocol level.&lt;BR /&gt;"It is implemented by adding additional encapsulations to the traffic" according to the following SK:&lt;BR /&gt;&lt;A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk159372" target="_blank"&gt;https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk159372&lt;/A&gt;&lt;BR /&gt;A protocol analyzer on the necessary traffic will probably tell you for certain what it's doing.&lt;BR /&gt;&lt;BR /&gt;And yes, you can use the Endpoint Security VPN client with MAB if you have a full Endpoint license.&lt;BR /&gt;What the client will use license-wise is determined by which option was chosen on install.</description>
      <pubDate>Thu, 05 Mar 2020 22:29:19 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77369#M11338</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2020-03-05T22:29:19Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77370#M11339</link>
      <description>&lt;P&gt;Is there a reason you are calling it the "full Endpoint client" as opposed to the Endpoint Security VPN client - specifically is there a reason you keep using the word "full"?&amp;nbsp;&lt;/P&gt;&lt;P&gt;I ask as, whilst the Endpoint Security VPN license does include the necessary code to implement a client-side firewall, it is not mandatory and I was under the impression that it was disabled internally upon the VPN being established and no policy server being defined. In other words, it might still be *called* the Endpoint Security VPN client but it would then actually be functioning as the Mobile for Windows client. I'm not sure I can find the SR number where I went through this with TAC as it was years ago but it sounds like you are saying that this was incorrect?&lt;/P&gt;&lt;P&gt;As for your comment: "&lt;SPAN&gt;you can use the Endpoint Security VPN client with MAB if you have a full Endpoint license.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;What the client will use license-wise is determined by which option was chosen on install." I'm sorry but that makes no sense and does not match what we've seen in the lab, or on customer sites. From what you are saying then, if an Endpoint Security VPN license connects, it will look for either a Sandblast license or an endpoint container license and if it does not find them, it will not work. But it doesn't do that, or at least it might first look for those licenses, but it will also work with a MAB license. This has been tested.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I was talking to one of our Endpoint guys and the theory is that this is more to do with there being sufficient office mode addresses licenses available. 
And as OM is a feature of both MAB licensing and Endpoint container/Sandblast licensing, then the client (which only wants a VPN tunnel) is simply happy to have available OM addressing.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;And once again I stress that this is without the FW blade on the endpoint client. I mentioned this again as I'm getting the impression from the replies that people think Endpoint Security VPN = FW. It doesn't. The firewall is an option; not mandatory.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 00:06:56 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77370#M11339</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-06T00:06:56Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77375#M11340</link>
      <description>You're absolutely correct in that that firewall is "optional" on the  "full" Endpoint Security VPN client.&lt;BR /&gt;I should have been more precise.&lt;BR /&gt;If you're not using the Desktop Firewall feature and the Endpoint VPN client connects, where only a VPN tunnel is configured, I can see how it can potentially act as "either or" depending on what license(s) are available. &lt;BR /&gt;Will have to clarify which is used first.&lt;BR /&gt;&lt;BR /&gt;Note that Endpoint Security VPN clients on a Mac will always use the Endpoint VPN license.&lt;BR /&gt;They cannot use the Mobile Access Blade licenses except with the SNX client.</description>
      <pubDate>Fri, 06 Mar 2020 00:32:24 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77375#M11340</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2020-03-06T00:32:24Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77426#M11341</link>
      <description>&lt;P&gt;I'm guessing that's because there is no client in the "Endpoint" part of the suite that terminates on MAB for Mac?&amp;nbsp;&lt;/P&gt;&lt;P&gt;I.E. there's no "Check Point Mobile" for Mac clients, other than SNX which is something rather different and deployed/accessed differently.&lt;BR /&gt;&lt;BR /&gt;Whereas the VPN functionality that is in the Endpoint client for Windows, has the ability to terminate on MAB "in-house" based on how it's installed.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 09:32:39 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77426#M11341</guid>
      <dc:creator>Daniel_Collins</dc:creator>
      <dc:date>2020-03-06T09:32:39Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77432#M11342</link>
      <description>&lt;P&gt;To make the confusion complete, Endpoint Security VPN Client (!!!) has three modes of installation out of the same Win .exe, find details in &lt;A id="link_2_35def03cb5690e_2f16" class="page-link lia-link-navigation lia-custom-event" href="https://community.checkpoint.com/t5/Remote-Access-Solutions/Changing-the-Standalone-Remote-Access-Client-flavor/m-p/39494?search-action-id=13248443211&amp;amp;search-result-uid=39494" target="_blank"&gt;Changing the Standalone Remote Access Client flavo...&lt;/A&gt;:&lt;/P&gt;
&lt;P&gt;- Endpoint Security VPN including Desktop FW&lt;/P&gt;
&lt;P&gt;- Mobile Endpoint Client (SSL for MAB)&lt;/P&gt;
&lt;P&gt;- SecuRemote VPN client (without OfficeMode, works without license !)&lt;/P&gt;
&lt;P&gt;Interestingly, the first variant uses EP RA IPSec VPN licensing by seats, the second SSL VPN MAB concurrent licensing and the third needs no license at all&amp;nbsp;8)!&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 10:19:03 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77432#M11342</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-03-06T10:19:03Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77439#M11343</link>
      <description>&lt;P&gt;There is a reason why I specifically separated Endpoint Security VPN and Mobile for Windows.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Endpoint Security VPN is an IPSec VPN Client that uses the VPN Blade from the Endpoint Suite Licenses, ie the Suite that has FDE, MEPP, Sandblast Agent etc.&amp;nbsp; It does NOT use MOB licenses even if trying to connect to a Gateway without the Desktop Security configured.&amp;nbsp; &amp;nbsp;It does not connect to the Mobile Access Blade but connects to the IPSec VPN Blade.&lt;/P&gt;&lt;P&gt;If you are using the Endpoint Suite then you won't be using the Endpoint Security VPN Client as that is the Standalone VPN Client, but does use the same license as the Endpoint Security VPN.&lt;/P&gt;&lt;P&gt;Mobile for Windows is a VPN Client that terminates against the Mobile Access Blade and uses MOB license.&amp;nbsp; It won't use a Remote Access VPN Client License.&lt;/P&gt;&lt;P&gt;As has been pointed out lower down it is the same installation file but gives you different client.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is also the 3rd Option of SecuRemote that requires no Client License but has no Office Mode.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;All 3 are the same install file but will give you different clients&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When you enable the Mobile Access Blade then it also has to have the IPSec VPN Blade enabled and be a part of the Remote Access Community.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So if rolling out the client then ensure that installing as Mobile for Windows and then they will use the MOB license&lt;/P&gt;&lt;P&gt;At that point you are installing Mobile for Windows and NOT the Endpoint Security VPN product (even though is the same installation file)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At this point the Gateway will respond to Remote Access IPSec VPN Client connections such as Endpoint 
Security VPN or SecuRemote or even the VPN part of the Endpoint Suite, you just have to create rules&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So if on your laptop you install Endpoint Security VPN and connect to the Gateway then it will look for a VPN license.&lt;/P&gt;&lt;P&gt;If you install the Mobile for Windows and connect to the Gateway then it will look for a MOB License&lt;/P&gt;&lt;P&gt;Even though are the same installation file.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Endpoint Security VPN Client is licensed per Seat ie deploy 200 clients then you should have a 200 license even if only 50 at a time connect.&lt;/P&gt;&lt;P&gt;Mobile for Windows using MOB is licensed per Concurrent Connections so if deploy 200 seats but never have more than 50 connect at a time then you only need a 50 license&lt;/P&gt;&lt;P&gt;Whilst the same installation file they give you different clients with different termination points and different license requirements.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 11:55:33 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77439#M11343</guid>
      <dc:creator>mdjmcnally</dc:creator>
      <dc:date>2020-03-06T11:55:33Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77446#M11344</link>
      <description>&lt;P&gt;I think the confusion is, in part, as the names used are quite similar.&lt;/P&gt;&lt;P&gt;There is no "Endpoint Security VPN client" installable as you suggest. There is an "Endpoint Security" installable that does indeed have three deployment options:&amp;nbsp; Endpoint Security VPN; Mobile for Windows and SecuRemote.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would also want to clarify your next statements:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt; Endpoint Security VPN including Desktop FW&lt;/P&gt;&lt;P&gt;Endpoint Security VPN includes the ability to enforce an optional desktop FW. It is an IPsec client and provides office mode address assignment. If using the optional desktop firewall, it requires an IPsec gateway license and either endpoint container licensing (VPN + FW) or Sandblast client licensing and is licensed per-seat. If not using the optional desktop firewall, it uses MAB licensing and is licensed per-connected-user.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt; Mobile Endpoint Client (SSL for MAB)&lt;/P&gt;&lt;P&gt;Mobile for Windows offers VPN connectivity only. It is an IPsec client and provides office mode address assignment. It requires an IPsec gateway license and MAB gateway license. If a cluster, MAB licensing must be on both cluster members. It is licensed per-connected-user.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- SecuRemote VPN client (without OfficeMode, works without license !)&lt;/P&gt;&lt;P&gt;SecuRemote offers VPN connectivity only. It does not provide office mode address assignment and so can cause users issues if used with more than a small number of VPN users. It requires an IPsec gateway license. There are no licensing restrictions on the number of users.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To clarify the two terms: "per-seat" and "per-connected-user". Per seat means that, if you have 1500 potential remote access VPN users you need 1500 licenses, even if only at most 200 are connected at one time. Per connected user means that with 1500 potential users, you only need to buy licenses for 200 tunnels if that is the most that connect at one time.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 12:57:20 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77446#M11344</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-06T12:57:20Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77447#M11345</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7"&gt;@PhoneBoy&lt;/a&gt;&amp;nbsp;, yes, please can you check which license would be used first in this situation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 12:59:14 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77447#M11345</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-06T12:59:14Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77448#M11346</link>
      <description>&lt;P&gt;So you did find your answers at last !&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 12:59:56 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77448#M11346</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2020-03-06T12:59:56Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77450#M11347</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21294"&gt;@G_W_Albrecht&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No, this is all information I already knew before asking here. My questions - that I have been asking since the original post - are still unanswered.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 13:01:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77450#M11347</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-06T13:01:31Z</dc:date>
    </item>
    <item>
      <title>Re: Two ways to handle Remote Access: How seamlessly can they integrate?</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77474#M11348</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28984"&gt;@mdjmcnally&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;gt;&amp;nbsp;&lt;SPAN&gt;It does NOT use MOB licenses even if trying to connect to a Gateway without the Desktop Security configured.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I understand what you are saying but (and apologies in advance for saying) I think you're misunderstanding the process that is occurring. I am not saying that I am right, but all I can report is what I'm seeing in debugs and what you say is not what we are seeing. Can you point me in the direction of where this is documented please?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am beginning to suspect that, due to how the two licensing options for a VPN client are 'sold' that this is where a lot of the confusion is coming from. I'll try and explain (I say 'try' as I am trying to understand all of this myself), but - again - we are NOT using the desktop firewall. We are using the VPN tunnel and OM addressing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This all seems to be related to what one of our endpoint guys has been saying which is: when a client connects to a gateway and establishes a VPN tunnel with either the Endpoint Security VPN or the Mobile for Windows clients, it does not look for a MAB license or an Endpoint container license - all it looks for is whether there is a free office mode address available. As we all agree upon, the available office mode address space can be provided by either the MAB license or the endpoint security container/sandblast license, or potentially both.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When a Mobile for Windows user connects in, this is not shown as a MAB user, but it is shown as an OM license being consumed. 
The same is true when an Endpoint Security VPN client connects in to a gateway without policy server, but with MAB enabled and the SSLVPN license component - another OM address being consumed, but this is not seen as a MAB user.&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, that is why I disagree with your statement. Rather I do agree with it, but it is invalid in this case. I agree with you because I think you are right: an Endpoint Security VPN client will not use a MAB license. But that is irrelevant as neither does a Mobile for Windows client. You can easily see this when you try connecting with either client with only the MAB blade enabled - the MAB user count does not increment. What they are really using is the OM address space that a MAB or endpoint container license provides and you can see this in various places, including a VPN debug.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Mar 2020 15:48:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/Two-ways-to-handle-Remote-Access-How-seamlessly-can-they/m-p/77474#M11348</guid>
      <dc:creator>Dave_Hoggan</dc:creator>
      <dc:date>2020-03-06T15:48:58Z</dc:date>
    </item>
  </channel>
</rss>

