https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171833#M5484 <P>I only can understand your question 1: Full tunnel is how it usually does work, i saw nothing in the sk that could confuse anyone!</P> <P>You can find split tunneling in <A href="https://support.checkpoint.com/results/sk/sk167000" target="_blank" rel="noopener noreferrer"><SPAN>sk167000: How to configure <STRONG>Split</STRONG> <STRONG>Tunnel</STRONG> for Office 365 and other SaaS Applications</SPAN></A>&nbsp;and <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Dynamic-Split-Tunneling-for-SaaS.htm" target="_blank" rel="noopener noreferrer"><SPAN>R81.20 Remote Access VPN Administration Guide - Dynamic <STRONG>Split</STRONG> <STRONG>Tunneling</STRONG> for SaaS Using Updatable Objects</SPAN></A></P> <P>For Q2 you may talk about IP and Site name resolved by DNS, but i never heard of a VPN between DC and DRC (???)...</P> Fri, 17 Feb 2023 06:50:34 GMT G_W_Albrecht 2023-02-17T06:50:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171829#M5483 <P>Hi Checkmates,<BR /><BR />Right now im on implementing RA VPN in customer environment, <SPAN>but found difficulties in configuration.. i tried some config following Admin Guide and SK but the issue still persist :</SPAN></P><OL><LI>By default, is the VPN checkpoint configuration full tunnel or split tunnel? as i know is full tunnel, but after i check this SK&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk167000" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk167000</A>&nbsp;I become confused</LI><LI>About Domain Site, initially only using IP for site access, but now it will change to domain. I've changed but still can't, do you have any ideas for solving it?</LI><LI>There is a question from customer, if the domain for VPN between DC and DRC is made the same (redundant), is it possible? I was looking for this information but could not find it.</LI></OL><P>&nbsp;</P><P>Thankyou Checkmates, looking forward the answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 17 Feb 2023 05:02:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171829#M5483 Fabz 2023-02-17T05:02:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171833#M5484 <P>I only can understand your question 1: Full tunnel is how it usually does work, i saw nothing in the sk that could confuse anyone!</P> <P>You can find split tunneling in <A href="https://support.checkpoint.com/results/sk/sk167000" target="_blank" rel="noopener noreferrer"><SPAN>sk167000: How to configure <STRONG>Split</STRONG> <STRONG>Tunnel</STRONG> for Office 365 and other SaaS Applications</SPAN></A>&nbsp;and <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Dynamic-Split-Tunneling-for-SaaS.htm" target="_blank" rel="noopener noreferrer"><SPAN>R81.20 Remote Access VPN Administration Guide - Dynamic <STRONG>Split</STRONG> <STRONG>Tunneling</STRONG> for SaaS Using Updatable Objects</SPAN></A></P> <P>For Q2 you may talk about IP and Site name resolved by DNS, but i never heard of a VPN between DC and DRC (???)...</P> Fri, 17 Feb 2023 06:50:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171833#M5484 G_W_Albrecht 2023-02-17T06:50:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171836#M5485 <P>Hi!</P><P>So by default the configuration is Full Tunnel right?&nbsp;</P><P>Thankyou,&nbsp; i will check it for the second link is it only applicable for 81.20 only? my customer still on 81.10</P><P>&nbsp;</P><P>Im sorry for not clear enough about my question, for Q2 i mean like below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aaa.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19652iDBF4A0C638B7F49B/image-size/medium?v=v2&amp;px=400" role="button" title="aaa.png" alt="aaa.png" /></span></P><P>When i used IP Public Address for&nbsp;<STRONG>"site",&nbsp;</STRONG>users can connect normally. but when i was trying to change <STRONG>"site"&nbsp;</STRONG>access using domain like <EM>vpn.company.co.uk</EM> user cant connect. Thanks!</P> Fri, 17 Feb 2023 07:27:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171836#M5485 Fabz 2023-02-17T07:27:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171840#M5486 <P>What does the used client DNS resolve <EM>vpn.company.co.uk</EM> to ? The IP must be known to the DNS.</P> Fri, 17 Feb 2023 08:06:28 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171840#M5486 G_W_Albrecht 2023-02-17T08:06:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171914#M5487 <P>Split tunnel (allowing direct access to Internet versus routing all traffic through the VPN headend) is the default.<BR />You change this in Global Properties &gt; Remote Access &gt; Endpoint Connect &gt; Route All Traffic to Gateway<BR />There is also a setting on the client when the above setting is set to "Configured on Endpoint Client."&nbsp;</P> <P>For access by DNS name, that generally involves:</P> <UL> <LI>Configuring Office Mode (requires appropriate licenses). This will assign the VPN client an IP address on the configured network and, more importantly, DNS servers for the client to use.</LI> <LI><SPAN>If you are using SecuRemote (which does not have license requirements), refer to this for configuring SecuRemote DNS objects:&nbsp;<A href="https://community.checkpoint.com/t5/Remote-Access-VPN/Quick-Primer-on-How-to-Configure-your-Gateway-for-SecuRemote/m-p/79081#M2717" target="_blank">https://community.checkpoint.com/t5/Remote-Access-VPN/Quick-Primer-on-How-to-Configure-your-Gateway-for-SecuRemote/m-p/79081#M2717</A></SPAN></LI> </UL> <P><SPAN>Depending on the precise requirements for accessing the Disaster site, you may want to configure Multiple Entry Point.<BR />See: <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/MEP.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/MEP.htm</A></SPAN></P> Fri, 17 Feb 2023 21:17:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/171914#M5487 PhoneBoy 2023-02-17T21:17:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/188129#M5488 <P>When using Office Mode (i.e with enterprise clients Endpoint Security VPN or Mobile VPN), how do you manage split DNS? If you provide your internal DNS via Office Mode (ex: DHCP), everything will be resolved via the internal DNS servers configured. How to force that public domains should be resolved via the LAN adapter (public ISP DNS servers) instead? From what I have observed and tested so far, the Checkpoint VPN adapter interface metric is lower (=0) compared to the LAN/WiFi interfaces on the computer, so has higher priority and takes precedence over the others, meaning everything will be resolved by the DNS specified via Office Mode.</P><P>I still have not found a way to manage split DNS properly (forcing public domains resolution not on the internal DNS servers) when using enterprise clients and Office mode... Any advice is welcome.</P><P>Thanks.</P> Mon, 31 Jul 2023 15:39:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Question/m-p/188129#M5488 dt7 2023-07-31T15:39:03Z