Hello,
I have a simple question: is it possible to allow 2 users connected through Remote Access on the same Gateway to talk to each other? I am trying to ping another laptop connected via RA but I cannot, although I can ping both devices from the internal LAN. Thanks!
Best Regards.
Technically, with Office Mode IP addresses, VPN routing through the GW is possible. However, these IP assignments are dynamic, hence in practice it is really hard to achieve.
So, the practical answer is: most probably no.
Hello,
Thank you for your answer. IPs being assigned dynamically is not a problem; the thing is that two users connected to the RA VPN need to be able to talk using Cisco Jabber, so I need IP connectivity between these users. I have selected the Hub Mode option (Allow VPN Clients to route traffic through this gateway) but it does not work :-(. I think that there should be a solution for this; two remote users being able to call and talk to each other using VoIP is not an uncommon scenario.
Best Regards.
Check that you have specifically allowed Jabber connectivity through the VPN tunnel.
You probably need to add the Office Mode network to the VPN Domain of the gateway. If that doesn't help, double check the traffic logs and see if it gives an indication as to why this doesn't work.
Yes, I have added the network to the VPN Domain for Remote Access and I even added a rule to permit traffic between the remote access pool network and the remote access pool network.
The thing is that I have the same scenario on a Cisco ASA and it works: two users connected to the RA VPN are able to call each other using Jabber.
Looking at the Check Point logs, I cannot find anything related to this traffic, but I can see that my PC is sending the traffic to the firewall when I try to reach another user connected to the RA VPN. I was able to see it using Wireshark. There is something in the Check Point which is dropping this traffic silently but I cannot find the reason 😞
Thanks.
@Gusa2727, were you ever able to find a solution to this issue? It looks like one of my clients with Jabber is looking to replace their AnyConnect solution with Check Point RA and I may run into the same situation.
Thank you.
There should be no issue; we allow Remote Access clients to communicate with each other (Jabber, remote access for ICT, etc.) without issue. We use Office Mode to assign IPs and a post-connection script to update DNS in AD so they resolve correctly.
We did see an issue with certain users (less than 0.2% of the user base) where SecureXL templates weren't being created correctly and Remote Access to Remote Access failed for them (so no ping, Jabber calls, SMB etc.) but access from the LAN worked fine. Disabling SecureXL (fwaccel off) fixed this, and once we moved to R80.40 we were able to re-enable SecureXL without issue.
Thank you @Gareth_somers. Can you clarify a few things for me:
1. Are your remote clients using Secure Domain Logon (SDL)?
2. Do you serve them IPs from AD DHCP or the Office mode range?
3. Do you allow Reverse Lookup Zone in AD DNS to use Nonsecure and Secure updates?
If it is not too much trouble, can you share the script or drop it to me in DM?
1. Are your remote clients using Secure Domain Logon (SDL)?
No. We decided against this as a security risk; we didn't want the VPN up before the user was logged in. Instead we use user certs stored in their personal store, so in order to connect to the network they must first authenticate.
2. Do you serve them IPs from AD DHCP or the Office mode range?
Originally we used DHCP from AD; however, we do not have AD in the datacenter where the Remote Access firewalls are located, and this meant traversing other firewalls and a VPN tunnel in order to get IPs. Given the dependency on this, we moved to the firewalls providing IPs locally, which meant that we had to add logic via a post-connect script to update DNS (only secure DNS changes are allowed in our AD) and to update GPOs.
3. Do you allow Reverse Lookup Zone in AD DNS to use Nonsecure and Secure updates?
Secure updates, as above; this is handled via a script run post-connection from the end user's device.
The post-connection script may be just the ticket I am looking for to address a DNS inconsistency that has shown its head from time to time in my environment. Are you willing to share a 'cleaned' version of the script?
Sure, I may have made it sound more impressive than it actually is; the DNS update is just done via a call to gpupdate:
@echo off
REM Post-connection script: runs on the client once the Remote Access tunnel is up.
echo **************************************
echo **************************************
echo **                                  **
echo ** Please wait while we connect you **
echo **                                  **
echo **************************************
echo **************************************
REM Pause for roughly 5 seconds (ping to loopback used as a sleep) so the VPN adapter settles.
ping 127.0.0.1 -n 5 > nul
REM Refresh Group Policy; /wait:0 returns immediately instead of waiting for processing to finish.
gpupdate /wait:0
REM Trigger a ConfigMgr (SCCM) client schedule through the sms_client WMI class.
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000003}" /NOINTERACTIVE
@echo on
exit
I would start by checking the route table on the RA client PCs when connected to the RA VPN. If the route to the Office Mode network is there, then I suspect the voice issue may be NAT related. I would look to see if there is a no-NAT rule for the Office Mode IPs.
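The route-table check suggested above can be scripted so it is repeatable across clients. The following is an added example, not code from the thread or from Check Point: it parses IPv4 lines in the layout of Windows `route print` (the sample tables are constructed), picks the most specific matching route for the peer's Office Mode address, and reports whether that traffic would leave through the VPN adapter (whose interface address is the client's own Office Mode IP) rather than the physical NIC. The pool 172.16.100.0/24, the IPs and the LAN network are all assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed "route print" excerpt (IPv4 section only): client 172.16.100.23 has the
# Office Mode pool 172.16.100.0/24 and the corporate LAN 10.20.0.0/16 routed over the VPN adapter.
GOOD_TABLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        10.20.0.0      255.255.0.0         On-link    172.16.100.23      1
     172.16.100.0    255.255.255.0         On-link    172.16.100.23      1
    172.16.100.23  255.255.255.255         On-link    172.16.100.23    257
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
"""

# Constructed failure case: the pool route is missing, so peer traffic follows the default route.
BAD_TABLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        10.20.0.0      255.255.0.0         On-link    172.16.100.23      1
    172.16.100.23  255.255.255.255         On-link    172.16.100.23    257
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str          # next hop or "On-link"
    interface: str        # IP of the local interface the route uses
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse 5-column IPv4 route lines; header and non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], metric))
    return routes


def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric as tie-breaker (what the kernel does)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def check_peer_path(routes: List[Route], office_mode_pool: str,
                    local_ip: str, peer_ip: str) -> List[str]:
    """Return a list of findings; an empty list means peer traffic takes the VPN adapter."""
    pool = ipaddress.IPv4Network(office_mode_pool)
    findings = []
    if ipaddress.IPv4Address(local_ip) not in pool:
        findings.append(f"local address {local_ip} is outside the Office Mode pool {pool}")
    if ipaddress.IPv4Address(peer_ip) not in pool:
        findings.append(f"peer address {peer_ip} is outside the Office Mode pool {pool}")
    route = best_route(routes, peer_ip)
    if route is None:
        findings.append(f"no route at all for {peer_ip}")
    elif route.interface != local_ip:
        # The selected route leaves via another interface: the packet never enters the tunnel.
        findings.append(f"traffic to {peer_ip} leaves via interface {route.interface} "
                        f"(route {route.network}), not the VPN adapter {local_ip}")
    return findings


if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        result = check_peer_path(parse_route_print(table), "172.16.100.0/24",
                                 "172.16.100.23", "172.16.100.45")
        print(name, "->", result or "OK: peer traffic uses the VPN adapter")
```

When the route check passes but the peer still cannot be reached, the next things to look at are the ones already named in the thread: a drop in the gateway's traffic logs, and NAT applied to Office Mode addresses, which a no-NAT rule for the pool avoids.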
I have this scenario in our environment: we use VPN Client 84.00 and Cisco Jabber, and we call each other without problem. Send me an e-mail, we can do a remote session in Webex.
fernando.bvds@gmail.com