Hi Everybody,
I need to configure limited remote access via the Endpoint client, for example Group A (Windows group) has full access to the whole internal network and Group B only to one subnet. I configured it like this (still not sure whether it works properly or not):
Source: Access Role with LDAP group (here I use Group A or B)
Dest: all internal networks for Group A, or in another rule one subnet for Group B
VPN: RemoteAccess Community
Services: all
It works for my primary firewall. I had a problem before: we have to use Office Mode (I know its requirements for the full Endpoint client), and sometimes it stops working, because Office Mode means all remote clients have IP addresses and technically it is a standard network and has to follow standard firewall rules (add the Office Mode network to rules as the source). But for my second firewall this scheme doesn't work; I had to create a rule with source Office Mode net and dest internal networks, but with this rule all my previous rules (Access Roles etc.) are totally useless, Group A and B have the same full access.
Any idea how to configure it properly?
Thanks
I'd start with something like this on your primary firewall:
As you can see, this doesn't allow a separation of Office Mode IPs for RAS Group A and B.
Solution (also for your second firewall): sk33422 - Office Mode IP and ipassignment.conf file
This allows you to assign specific IP addresses of your Office Mode Pool to users of RAS VPN Group B.
Then you can create two new subnet objects 'OfficeMode1' and 'OfficeMode2' and use them in your rulebase (leave the original OfficeMode object as it is).
Result:
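As an added illustration of the approach in this answer (constructed for this thread, not taken from the original post or from Check Point's documentation), here is what a `$FWDIR/conf/ipassignment.conf` on the gateway could look like when a dedicated range is carved out of the Office Mode pool for Group B. The gateway object name `FW-2`, the pool `10.10.50.0/24`, the range boundaries and the group name `RAS_Group_B` are all assumptions; substitute your own objects.

```text
# $FWDIR/conf/ipassignment.conf  (example, constructed for this thread)
# Columns:  Gateway   Type    IP address or range          Netmask          User or group
#
# Assumed Office Mode pool: 10.10.50.0/24  (the existing 'OfficeMode' object, left unchanged)
# Assumed gateway object name: FW-2  (hypothetical; use the name of your second firewall)
#
# Group B (one-subnet access) is pinned to the top of the pool.
# This range becomes the 'OfficeMode2' subnet object used in the rulebase.
FW-2   range   10.10.50.200-10.10.50.250   255.255.255.0   RAS_Group_B
#
# A single user can also be pinned to one fixed address if needed (assumed user name):
FW-2   addr    10.10.50.251                255.255.255.0   jdoe
#
# No line is needed for Group A: users not listed here keep drawing
# addresses from the remainder of the pool, which is what 'OfficeMode1' covers.
```

Two things to check before relying on it: the file lives on each gateway, so the same entries have to be placed on the second firewall as well (and kept in sync when you change the pool), and the range you pin must lie inside that gateway's configured Office Mode pool. After policy install, connect as a Group B user and confirm in the logs that the client received an address inside the pinned range; only then will the rule with `OfficeMode2` as source match that user while the `OfficeMode1` rule still covers Group A.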
Wow Danny! It works! Unbelievable!