topic Re: Preventing older vpn clients to connect to CP gateway in SASE and Remote Access

Preventing older vpn clients from connecting to CP gateway

the_rock — Fri, 06 Dec 2024 00:07:19 GMT

Hey guys,

Just wondering about this and wanted to clarify something. Customer was asking about option on the gateway, vpn clients -> authentication -> allow older clients to connect to this gateway.

Now, when we check it, it shows its referring to actual legacy VPN (standalone clients) and NOT harmony endpoint. Their only auth option currently is user+password.

Is there any confirmation anywhere what is LOWEST vpn client version that could connect if say this option was indeed enabled?

Also, is there any way to disable any legacy vpn client from actually connecting and ONLY allow harmony endpoint?

Thanks!

Andy

Re: Preventing older vpn clients to connect to CP gateway

the_rock — Thu, 05 Dec 2024 20:15:41 GMT

For what its worth, this is an explanation from smart console about it.

Andy

Re: Preventing older vpn clients to connect to CP gateway

Chris_Atkinson — Thu, 05 Dec 2024 22:50:19 GMT

If I remember correctly the setting is relevant to the client versions specified in sk111583.

With R82 forcing IKEv2 for remote access would have a similar effect for older client versions earlier than E88.40 aswell.

Similarity not all client types support SAML, so even without specific options you could achieve an outcome through these choices perhaps.

See also: Gateway Properties > Mobile Access > Allowed Clients

Re: Preventing older vpn clients to connect to CP gateway

the_rock — Thu, 05 Dec 2024 22:23:06 GMT

Hey Chris,

Thanks for the response. I think customer is simply wondering what is the LOWEST client version that could connect say if that option was enabled and 2nd, is there any way to prevent anyone who is NOT using harmony endpoint client to conect to the gateway?

Andy

Re: Preventing older vpn clients to connect to CP gateway

Chris_Atkinson — Thu, 05 Dec 2024 22:33:53 GMT

The version element is outlined in the SK I commented above, context is these settings / options

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/Topics-VPNRG/User-and-Client-Authentication.htm?tocpath=User%20and%20Client%20Authentication%20for%20Remote%20Access%7C_____2#Multiple_Login_Options_for_R80.xx_Gateways

Re: Preventing older vpn clients to connect to CP gateway

the_rock — Fri, 06 Dec 2024 00:08:03 GMT

K thank you, I think that answers my 1st question. Now, for the 2nd one, any way to prevent anyone NOT using harmony endpoint client to connect?

Andy

Re: Preventing older vpn clients to connect to CP gateway

Chris_Atkinson — Fri, 06 Dec 2024 00:38:22 GMT

There are different options available for this requirement:

1. VPN Clients option - Allows restricting some client types

2. Using SCV / Compliance Policies in particular the method enforceable via HEP.

(Note here their is a reliance on the Desktop Firewall / Desktop Policy allowing necessary comms to allow clients checks to occur per sk164861)

3. sk108892 - How to verify the integrity of Endpoint Remote Access VPN clients (Appendix 5)

4. Machine Cert Auth for further enhanced security.

Re: Preventing older vpn clients to connect to CP gateway

the_rock — Fri, 06 Dec 2024 02:12:43 GMT

Thanks Chris. So I know for option 1, I was thinking if that may actually work. Would that technically prevent anyone using legacy endpoint vpn from connecting and still allow people using harmony endpoint to connect?

Best,

Andy

Re: Preventing older vpn clients from connecting to CP gateway

Wolfgang — Fri, 06 Dec 2024 08:26:30 GMT

@the_rock maybe you can try with restrictions via the access-role....

Re: Preventing older vpn clients from connecting to CP gateway

the_rock — Fri, 06 Dec 2024 12:31:18 GMT

Thanks @Wolfgang ! I just want to be sure that option you gave and option 1 @Chris_Atkinson provided would ineed stop ONLY legacu endpoint vpn from connecting and allow harmony endpoint. Let me see if my colleague I had been working with on this and I can test this in the lab to confirm.

Andy