Ivory

Remote Access VPN best practices


Hello folks,

My company has been looking at replacing our Sonicwall VPN appliances used for remote user access with our existing CP infrastructure, so I've been labbing some test options out at home on my 3800 box. I have a few questions based on my experience so far.

My lab at home is a flat topology with a 3800 GW (R80.40) on a stick, and with both an internal user subnet and a separate remote access user subnet (default office mode subnet). Separate SMS server and GW with the SMS server on the internal subnet.

1. I've read a number of tutorials and it seems the interface on CP changes very frequently. As of right now it looks like many of the same settings are present both under the VPN blade and the Remote Access blade. Which should I be using? For example, office mode settings are present both under "VPN clients" and under "Mobile Access". Based on my experimentation, the two seem to be synced so changing one changes the other. Just seems a little fishy overall.

2. With my office mode setup, I selected the CP_default_Office_Mode_addresses_pool as opposed to using my own internal dhcp server. I disabled "Add automatic address translation rules" so that when accessing internal resources, the original IP would be present. I also have appropriate FW rules to allow office mode users internal access. My office mode users can reach any resource on my internal network, except for the GW (the CP GW itself). I assume this is a routing issue, but I'm not sure what the best practice is for making this work. It's a minor thing for me as access to the GW would be limited to just my jumpboxes in any case, but still would prefer to figure this one out.

3. It appears split tunneling is in effect for office mode users by default. How would I go about forcing all users to route their traffic through the tunnel only?

4. For the purpose of tracking users, when looking at office mode user logs, I don't see anything about identity. I do not have IA enabled at this point, but, if I were to enable it without enabling any method of identity collection, would user information be gathered and tracked for users based off of their login to VPN? Or would I need to gather identity information in a more traditional way with an identity collector or agent?

Loving the product so far! Only downside I'm seeing is too many features/menus 🙂


Thanks,

Dmitriy

0 Kudos
1 Solution

Accepted Solutions
Admin

I am glad you like it.

There are a bunch of articles in the community about RAS VPN. The most basic is probably this one: https://community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/Remote-Access-VPN-Configuration-fo...


To route through the GW, mark Hub Mode on the GW object under "VPN Clients / Remote Access"


Screenshot 2020-07-10 at 11.35.10.png


0 Kudos
4 Replies
Ivory
Excellent. I worked through the guide and it answered quite a few of my questions. Follow-up question: on my Endpoint VPN client, under VPN Tunneling, "Encrypt all traffic and route to gateway" is unchecked. How do I enforce this setting being checked through SmartConsole?
0 Kudos
Ivory
Cool! Also, found the way to enforce full tunnel on the client. It was under global properties. Seems to be working fine now!
0 Kudos
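A way to confirm from the client side that Hub Mode / "Encrypt all traffic and route to gateway" really took effect, as an added example that is not part of this thread and not Check Point's own tooling: it parses an `ip route`-style table, does the same longest-prefix match the kernel does for a couple of probe destinations, and reports which ones would still leave through the physical NIC (a split-tunnel leak). It also flags the opposite failure, where the gateway's own address would be pushed into the tunnel and the client would have no path to the gateway at all. The three route tables, the interface names `eth0`/`tun0`, the subnets and the gateway address 203.0.113.10 are constructed assumptions, not values from this thread.

```python
"""Client-side check that a remote-access VPN really is full-tunnel.

Added example, not code from this thread or from Check Point. It reads an
`ip route`-style table (constructed samples below), does longest-prefix
matching for a few destinations and reports any that would bypass the tunnel.
Interface names, subnets and the gateway address are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]   # outgoing interface
    via: Optional[str]   # next-hop address, None for on-link routes


def parse_routes(text: str) -> List[Route]:
    """Parse lines of the form '<prefix|default> [via NEXTHOP] dev IFACE ...'."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        dest = parts[0]
        prefix = (ipaddress.IPv4Network("0.0.0.0/0") if dest == "default"
                  else ipaddress.IPv4Network(dest, strict=False))
        via = dev = None
        for i, tok in enumerate(parts[:-1]):
            if tok == "via":
                via = parts[i + 1]
            elif tok == "dev":
                dev = parts[i + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route wins, as in the kernel."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def leaks(routes: List[Route], tunnel_dev: str, destinations: List[str]) -> Dict[str, str]:
    """Destinations whose egress is anything other than the tunnel interface."""
    result: Dict[str, str] = {}
    for dst in destinations:
        route = lookup(routes, dst)
        egress = route.dev if route is not None else "unroutable"
        if egress != tunnel_dev:
            result[dst] = egress
    return result


def check_full_tunnel(routes: List[Route], tunnel_dev: str, vpn_peer: str,
                      destinations: List[str]) -> Tuple[bool, Dict[str, str], bool]:
    """Return (ok, leaked destinations, peer_loop).

    peer_loop is True when the VPN gateway's own address would be routed into
    the tunnel; the tunnel then has no underlay path and the VPN cannot work.
    """
    leaked = leaks(routes, tunnel_dev, destinations)
    peer_route = lookup(routes, vpn_peer)
    peer_loop = peer_route is not None and peer_route.dev == tunnel_dev
    return (not leaked and not peer_loop, leaked, peer_loop)


# Constructed sample tables: eth0 = home LAN, tun0 = VPN adapter,
# 203.0.113.10 = assumed public address of the VPN gateway.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.10.0.0/16 dev tun0 scope link
"""

# Full tunnel done the usual way: two /1 routes beat the default route, and a
# host route keeps the gateway itself reachable over the physical NIC.
FULL_TUNNEL = """
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Same as FULL_TUNNEL but without the host route pinning the gateway to eth0.
FULL_TUNNEL_NO_PEER_PIN = """
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
"""

PROBES = ["10.10.5.5", "198.51.100.7"]   # an internal host, an Internet host (documentation range)
GATEWAY = "203.0.113.10"


def report(name: str, table: str) -> Tuple[bool, Dict[str, str], bool]:
    ok, leaked, loop = check_full_tunnel(parse_routes(table), "tun0", GATEWAY, PROBES)
    print(f"{name}: {'full tunnel' if ok else 'NOT full tunnel'} "
          f"leaks={leaked} gateway_looped_into_tunnel={loop}")
    return ok, leaked, loop


if __name__ == "__main__":
    for name, table in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL),
                        ("full-no-peer-pin", FULL_TUNNEL_NO_PEER_PIN)]:
        report(name, table)
```

On a real endpoint you would feed `parse_routes` the output of `ip route` (or the equivalent on the client OS) instead of the constructed strings; the local LAN subnet still matches its own on-link /24 in the full-tunnel table, so whether that is acceptable is a separate policy decision from the one the thread settles.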
Admin

Cool

0 Kudos