https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197482#M4429 <P>Hello,</P> <P><STRONG>To update, I was able to solve the problem.</STRONG></P> <P>I noticed, that the flow was "incomplete".</P> <P>It turns out that there was no Firewall rule that allows the connection of the IP pool of the users that connect through the RA VPN to the server that owns the domain.&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> <P><STRONG>I would still like to clarify a doubt.</STRONG></P> <P><EM>If you have a web service that you publish to the Internet, when you log in through RA VPN, with the Internal DNS provided by the VPN, and you try to access that web service, the network card of the user's PC, to which DNS gives "more priority" at the moment of consuming the service? Is it the DNS assigned to me by the VPN, or is it the DNS of my Local ISP?</EM></P> <P>Thanks for your help and clarification.</P> Wed, 08 Nov 2023 17:25:38 GMT Matlu 2023-11-08T17:25:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197371#M4421 <P>Hello, Team.</P> <P>I have a problem with a VPN user connection, which is connected by Endpoint Security VPN agent.</P> <P>The user logs in, no problem, but once connected, when he tries to access an internal resource (INTRANET).<BR />The access to the internal resource is a URL.</P> <P>I have a couple of doubts:</P> <P><BR />1- In the Firewall rule, should the DNS service be allowed, for this type of connection?</P> <P>2- In which part of the Remote Access VPN configuration, can I be sure that the company's internal DNS are being delivered to the VPN users' connections?</P> <P>Thanks for the clarification.</P> Wed, 08 Nov 2023 00:16:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197371#M4421 Matlu 2023-11-08T00:16:16Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197379#M4422 <P>Did you define an access rule for the RA users ?</P> Wed, 08 Nov 2023 08:05:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197379#M4422 G_W_Albrecht 2023-11-08T08:05:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197421#M4423 <P>What are your office mode settings, DNS suffixes etc?</P> <P>Are you seeing logs indicating DNS traffic is being dropped?</P> <P>Are the remote access clients MacOS or Windows?</P> Wed, 08 Nov 2023 12:19:53 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197421#M4423 Chris_Atkinson 2023-11-08T12:19:53Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197428#M4424 <P>Below is what you need, make sure its correct.</P> <P>Andy</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23103i504E68C5E83B5135/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Wed, 08 Nov 2023 13:06:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197428#M4424 the_rock 2023-11-08T13:06:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197431#M4425 <P>Indeed. Just don't expect Google to resolve your internal URLs. <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Wed, 08 Nov 2023 13:22:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197431#M4425 Chris_Atkinson 2023-11-08T13:22:32Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197432#M4426 <P>Thats why this is a lab <span class="lia-unicode-emoji" title=":rolling_on_the_floor_laughing:">🤣</span></P> Wed, 08 Nov 2023 13:24:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197432#M4426 the_rock 2023-11-08T13:24:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197448#M4427 <P>Hello,</P> <P>I have a question.</P> <P>If the resource to which you want to access, is a resource that is published both on the Internet, as well as a resource that can be consumed by Intranet, when you are already logged in to the VPN, and try to consume this resource, let's say the URL is <A href="https://dev.example.com" target="_blank">https://dev.example.com</A>.</P> <P>When you are connected to the VPN, and the user tries to open this resource, would it be using the Internal DNS of the VPN, or the External ones that you have from your local ISP connection?</P> <P>Which DNS takes the highest priority?</P> Wed, 08 Nov 2023 15:11:20 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197448#M4427 Matlu 2023-11-08T15:11:20Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197449#M4428 <P>Hey bro,</P> <P>Chris can confirm for you, but Im pretty sure it would go based on the priority list from screenshot I sent...primary, first backup, second backup.</P> <P>You got my direct email, so we can do remote and I can show you in my R81.20 lab.</P> <P>Kind regards,</P> <P>Andy</P> Wed, 08 Nov 2023 15:13:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197449#M4428 the_rock 2023-11-08T15:13:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197482#M4429 <P>Hello,</P> <P><STRONG>To update, I was able to solve the problem.</STRONG></P> <P>I noticed, that the flow was "incomplete".</P> <P>It turns out that there was no Firewall rule that allows the connection of the IP pool of the users that connect through the RA VPN to the server that owns the domain.&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> <P><STRONG>I would still like to clarify a doubt.</STRONG></P> <P><EM>If you have a web service that you publish to the Internet, when you log in through RA VPN, with the Internal DNS provided by the VPN, and you try to access that web service, the network card of the user's PC, to which DNS gives "more priority" at the moment of consuming the service? Is it the DNS assigned to me by the VPN, or is it the DNS of my Local ISP?</EM></P> <P>Thanks for your help and clarification.</P> Wed, 08 Nov 2023 17:25:38 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197482#M4429 Matlu 2023-11-08T17:25:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197483#M4430 <P>It all depends on the fact what DNS is able to resolve once connected, thats all.</P> <P>Cheers,</P> <P>Andy</P> Wed, 08 Nov 2023 17:36:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197483#M4430 the_rock 2023-11-08T17:36:37Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197519#M4431 <P>Generally, the default DNS of the client gets replaced by whatever the gateway assigns after the Remote Access client connects and gets an Office Mode address assigned.<BR />However, there is nothing preventing the end user from changing their DNS configuration if they have admin rights to their local PC.<BR /><BR /></P> Wed, 08 Nov 2023 22:19:28 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197519#M4431 PhoneBoy 2023-11-08T22:19:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197523#M4432 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/82839">@Matlu</a>&nbsp;</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;makes an excellent point, as always. There is literally nothing stopping a person once they connect to RA to change DNS servers, as long as they have admin access to the local PC. Not quite certain about this, "MAYBE" that can be controlled by harmony endpoint product, but again, I could be mistaken on that part.</P> <P>Regards,</P> <P>Andy</P> Wed, 08 Nov 2023 23:00:13 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197523#M4432 the_rock 2023-11-08T23:00:13Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197524#M4433 <P>We don't control those settings, but I assume the settings can be locked via GPO or similar.</P> Wed, 08 Nov 2023 23:02:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197524#M4433 PhoneBoy 2023-11-08T23:02:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197526#M4434 <P>Got it, makes sense.</P> <P>Cheers,</P> <P>Andy</P> Wed, 08 Nov 2023 23:03:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/No-Intranet-Connection/m-p/197526#M4434 the_rock 2023-11-08T23:03:37Z