This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Geomix7
Collaborator
‎2019-11-22 06:42 AM
Jump to solution

capsule vpn connect but no access any server

Hello Guys!

 Ihave the below scenario.I am writing about r77.30.Client connect through capsule vpn successfully.

Then try to access certain internal server with RDP without  success.From devices(ipad & android phone) i ask him and tried various rdp client without success.Also note that those servers are works properly through mobile access.Finally with fw ctl zdebug drop tcpdump i cannot see any logs.

Any suggestions?

 

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
MVP Gold
MVP Gold
‎2019-11-25 04:25 AM
In response to Jerry
Jump to solution

Jerry,

I think for "capsule connect" no MAB policy is needed.

snip from MAB dosumentation

"The Mobile Access policy applies to the Mobile Access portal and Capsule Workspace. It does not apply to Desktop clients or Capsule Connect."

 

Wolfgang

View solution in original post

0 Kudos
14 Replies
Wolfgang
MVP Gold
MVP Gold
‎2019-11-22 11:26 AM
Jump to solution

GGiorgakis,

Capsule Connect VPN is a full VPN client. You have to configure remote access rules to use them.

These rules are different from MobileAccessBlade rules, they are the same as for a normal Windows VPN client like EndPoint VPN.

If you use SSL-extender and native applications via MOB, you can't use this rules with Capsule VPN. 

Add your gateway to the remote access community, create rules with users as source, your needed destinations and services and in the VPN section add the remote access community.

Wolfgang

0 Kudos
Geomix7
Collaborator
‎2019-11-25 12:26 AM
In response to Wolfgang
Jump to solution

Dear Wolfgang,

I have already configure the above.
I got a successful capsule vpn connection.Then i try to connect and cannot see anything either with fwmonitor & zdebug.




0 Kudos
Jerry
Mentor
Mentor
‎2019-11-25 12:29 AM
In response to Geomix7
Jump to solution

"connect where" ? what are you trying to achieve here?
where about you're trying to connect to?
have you got that configured on MAB Policies?
did you configured office-mode properly or you don't use it?

just answer above please otherwise we're struggling to assist you here really
Jerry
0 Kudos
Geomix7
Collaborator
‎2019-11-25 12:49 AM
In response to Jerry
Jump to solution

Dear Jerry,

"connect where" ?
i connect from android device through vpn capsule and i received an office mode IP address.

what are you trying to achieve here?
I have a rule which legacy user access can login to a server (VPN:remote access included) port:3389

where about you're trying to connect to?
src:legacy user - dst: local server vpn:remote access - port:3389
have you got that configured on MAB Policies?
No
did you configured office-mode properly or you don't use it?
Configured
0 Kudos
Jerry
Mentor
Mentor
‎2019-11-25 12:54 AM
In response to Geomix7
Jump to solution

so you answered yourself then 🙂
you need Mobile Access Blade console (Dashboard) and have policies configured for the VPN user to be able to reach tcp/3389 RDP from the "client" to the "server". Simples.

see MAB Admin Guide (

https://dl3.checkpoint.com/paid/77/774c3c923f00c927527600aadaab3fcf/CP_R80.10_MobileAccess_AdminGuid...

or

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_MobileAccess_AdminGuide/html...

hope it helps
Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-11-23 01:35 AM
Jump to solution

MAB policies !
Jerry
0 Kudos
Geomix7
Collaborator
‎2019-11-25 04:03 AM
In response to Jerry
Jump to solution

Add the network into VPN domain and works properly.

 

Thanks

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-11-25 04:25 AM
In response to Jerry
Jump to solution

Jerry,

I think for "capsule connect" no MAB policy is needed.

snip from MAB dosumentation

"The Mobile Access policy applies to the Mobile Access portal and Capsule Workspace. It does not apply to Desktop clients or Capsule Connect."

 

Wolfgang

0 Kudos
Jerry
Mentor
Mentor
‎2019-11-25 04:59 AM
In response to Wolfgang
Jump to solution

agree but I was in a believe that the main issue isn't about Capsule only but about inbound VPN clients connectivity in gernal hence my tips on that matter. cheers Volfgang
Jerry
0 Kudos
Matlu
MVP Silver
MVP Silver
Friday
In response to Wolfgang
Jump to solution

Hello @Wolfgang 
To use CAPSULE on iPhone/Android, do you need to have the “Mobile Access” blade enabled in your FW?
Currently, my remote users connect using the IPsec VPN blade, using the “Endpoint Security VPN” client, since most of them use PCs to connect, but we want some of them to be able to use their mobile phones for their connections. However, we are unsure whether it is necessary to enable the “mobile access” blade for this.
Thank you for your comments.

0 Kudos
PhoneBoy
Admin
Admin
Friday
In response to Matlu
Jump to solution

Remote Access clients of all varieties can use either IPsec VPN OR Mobile Access without issue.
The only time you need to enable Mobile Access is if you want to use the SSL VPN portal.

0 Kudos
Matlu
MVP Silver
MVP Silver
Saturday
In response to PhoneBoy
Jump to solution

Hello,
Could you tell me in which file a remote VPN user's connection attempts are saved?
I have users who are trying to connect using CAPSULE and are unable to do so.
Are there any diagnostic commands for CAPSULE client scenarios?
Thank you.

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
Saturday
In response to Matlu
Jump to solution

Did you check the gateway logs?

There are steps in this SK for collecting logs on the client side. 

https://support.checkpoint.com/results/sk/sk106755

Tap the "info" (the i in the circle) icon

Tap on the 3 aligned dots (settings) in the top right

Tap "Configure logs"

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
Saturday
In response to PhoneBoy
Jump to solution

My understanding was that the IPSec VPN blade only supported SecuRemote. 

For the gateway to support all other clients it needed Mobile Access as well. 

Should be confirmed here:

https://support.checkpoint.com/results/sk/sk67820

Also confirmed by launching the Mobile Access wizard and hovering the mouse cursor over the different client types. The popup text says which license is required. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events