Re: Azure to Checkpoint VPN

Conor_Mulcahy · ‎2018-06-08

Hi,

Just wanted to start a conversation on a issue i'm having with an Azure Microsoft VPN site to site, the VPN tunnel never goes down and seems stable, we have a number of servers in the cloud and can always connect to them via RDP.

The problem is when someones domain accounts password resets the outlook client does not automatically pick up the password change and does not connect with update password in the bottom of the screen.

What should happen is the outlook client should go across the vpn tunnel to authenticate to an ip address which load balances to a number of Microsoft ADFS servers. The only way i can get it to work is put a host entry on the PC to point at Azure via a public IP which is the way it should work if you are outside of the LAN.

Once outlook can talk back to Azure i remove the host entry and everything works across the vpn tunnel until the password expires again.

All services are allowed across the VPN, https inspection is enabled with probe bypass. Sometime some of the admins get time outs when trying to logon to the admin portal for Azure across the VPN, i've tried to bypass all security AV, IPS https etc for this traffic but nothing works.

It should work better across the VPN rather than going directly out to the internet. Anyone have similar problems with Azure, love to hear, don't know how to start troubleshooting this? It all worked fine when we previously has a Fortigate firewall but ssl inspection wasn't enabled. Anyone have any info please share.We are running R80.10.

Thanks

Houssameddine_1 · ‎2018-06-08

Based on your description and you are using host entry to fix the issue. Have you checked to see if your dns traffic is passing through the vpn tunnel or in the clear. Make sure that you have accept dns in global rules set to be before last and make sure you have an explicit DNS rule in the vpn rule.

In addition to that make sure the encryption domain are defined correctly. You mentioned public IP is that the public IP of Azure gw or the load balancer , if it is the public IP of Azure, checkpoint always consider the external IPs part of the encryption domain but azure doesn't.

if you can get a topology explaining the traffic flow by checking with Microsoft the needed ports and the communication flow.

Thanks

Conor_Mulcahy · ‎2018-06-08

It's only when AD password changes, Outlook client can't update password, all other office 365 sync and come online Skype, one drive, you can even logon to email via a browser which authenticates over same Vpn tunnel over same port 443.

Could https inspection interfere with a certain app even if it's on same port, works via a browser but not thought application?

Vladimir · ‎2018-06-08

This could also be a case of the Windows "DNS Leakage". I.e. by default, Windows will attempt to query ANY available DNS server and will accept answer from the one quickest to reply. If you have NS entries from local DHCP as well as VPN virtual interface, you may be resolving names locally, instead of doing it via tunnel. If you allow a split-tunnel connectivity, it'll be even more likely.

See Guide: Prevent DNS leakage while using a VPN on Windows 10 (and Windows 😎 - Neowin

Regards,

Vladimir

Conor_Mulcahy · ‎2018-06-08

Thanks will have a look at guide.

Jeroen_Demets · ‎2018-11-06

did you get this working? Did you try with https inspection disabled for a while and compare?

Conor_Mulcahy · ‎2018-12-16

In the end the company changed to Azure connect client on their local domain controller which authenticated the Outlook client on prem. I still had to bypass https inspection for a couple of URLs from the DC, but then everything worked. The original problem could have been with the Azure side but never got to the bottom of it.

Are you a member of CheckMates?

Azure to Checkpoint VPN