topic Re: cluster as a vpn server and proxy server in SASE and Remote Access

cluster as a vpn server and proxy server

Dilmurat_Zakiro — Tue, 17 Jul 2018 11:51:20 GMT

Hello guys,

now i use my Checkpoint cluster as a corporate non transparent proxy server. Additionally to that i use it as a vpn server for my remote access users. Now my current task is configure so my remote access users can use my proxy server to reach internet resouces according to the Access Policy on my cluster. in case If i define internal interfaces ip address of cluster as a proxy (on my vpn users browser settings) - web pages cannot be displayed. in case if i define external interfaces ip address of cluster as a proxy (on my vpn users browser settings) - users can open web pages, but they have unlimited access to internet (access not restricted according to Access Policy on my cluster).

how to solve this task?

Re: cluster as a vpn server and proxy server

Maarten_Sjouw — Tue, 17 Jul 2018 22:00:06 GMT

Here are some things to check:

Make sure to add the internal Proxy IP to the remote access VPN topology.

Does the rule allowing access to the proxy contain the Officemode IP range as source?

Why do you want them to use explicit Proxy? Is it due to the fact it is already set for the corporate network?

When you use a PAC or WPAD.dat file you could exclude the Officemode network from the proxy and when set to hubmode, you can still force all traffic through the FW and apply a "at home" policy to that traffic.

The gateway can be used as transparant and explicit proxy at the same time. Doing the same on a 15600 with about 600Mbps fully filtered.

Re: cluster as a vpn server and proxy server

Dilmurat_Zakiro — Wed, 18 Jul 2018 10:15:54 GMT

Q:Does the rule allowing access to the proxy contain the Officemode IP range as source?

A:yes, clients can reach proxy by its tcp port 8080. connection established, logs confirm that fact

Q:Why do you want them to use explicit Proxy? Is it due to the fact it is already set for the corporate network?

A:the main task is configure access for remote access users in order to they have the same Access policy both when they are in corporate network and when connected via vpn client

Q:When you use a PAC or WPAD.dat file you could exclude the Officemode network from the proxy and when set to hubmode, you can still force all traffic through the FW and apply a "at home" policy to that traffic.

A: Can you explain how i can implement it(is there any useful/helpful link? i never did anything like that)? does it mean that i can configure the same policy as on my security gateway for my remote access clients?

Re: cluster as a vpn server and proxy server

Maarten_Sjouw — Wed, 18 Jul 2018 12:56:38 GMT

Q1: Do you also see a request from the gateway to the requested site? Or does the FW (Security Gateway) give the user a blockpage (which might not be shown)?

Q2: So you can achieve that by just making sure that all traffic is routed through the FW when connected. Go into the Global Properties and select Remote Access -> Endpoint Securrity VPN, now under Security Settings the first item is Route all traffic to gateway, there select Yes. Now open the FW Object got to VPN Clients -> Remote Access, here you will find the option "Allow VPN Clients to route all traffic through the gateway" under Hub Mode configuration, set it to on.

Q3: How to set up a Proxy.pac file and how to use it has many results in all search engines.

Transparant and proxied is only controlled by policy, if traffic is allowed by a specific rule it will be allowed to go through that part of the policy, so if you have an inline Application policy just make sure to allow the Officemode network to use that rule by adding it to the source. Do not forget to set a NAT rule for outbound traffic from the officemode network and two rules above it that disables NAT for inbound from the clients and vice versa.