I need some help with the Check Point Remote Access solution.
Safe to say, the mobile access blade is clunky and terrible – however, we purchased it and I need a hand configuring some parts.
We will be using the SSL extender (SSL VPN) for certain users that need access to the Secure Workspace.
Then, for all corporate laptop users, they will be using the Endpoint Security VPN client to connect (IPSEC).
Okay – so, SSL extender is fine. No problem, basic browse to a site, log in. All cool.
It’s the IPSEC side that’s causing issues.
If I download the Endpoint Security client to my own personal PC, I can connect to our gateway, and my machine is then effectively on the corporate LAN. This obviously needs to be prevented.
How do I restrict that only corporate laptops can connect to this? I have looked at SVC – which is a headache, painfully complicated, and also doesn’t seem relevant to this? Is it something in Compliance? Please can someone help with how to restrict this?
Secondly, I can't manage to disable split tunnelling. There are some sites, i.e. ServiceNow, that only allow access via our corporate public IP. I need all traffic to route via the gateway and out. I have enabled Hub mode, and also ticked the security option to route all traffic via this gateway. No luck.
Any suggestions to both queries please?
First question: I must admit that I do not fully understand the question 😉 Usually, access is restricted by only allowing access to known users - this can be fine-tuned using:
- AD authentication on laptop
- authentication using certificate
- 2-factor authentication
- Office Mode IP assigned using ipassignment.conf file
Second question concerning Route all traffic through GW: This can be found explained in detail in sk101239 Route all traffic from Remote Access clients, including internet traffic, through Security ..., sk111995 How to set Hub Mode / Route all traffic to gateway for Endpoint Remote Access clients to sp... and sk31873 Configuring the "Route all traffic" feature for SSL Network Extender.
Thank you for your reply.
Okay, for more clarity. We authenticate using RADIUS. I am a known user.
I use my corporate laptop at home for work, and I should be able to boot up the endpoint client, and connect to the gateway to have access to my internal resources.
At home, on my own personal PC, unconnected from anything work related, I download the endpoint client. I type in the IP address of our gateway, and authenticate using RADIUS, same as above. It allows me in, and now I can access internal resources on my own PC. This should NOT be allowed.
How can I prevent this so only corporate machines can connect to the gateway, regardless of WHO is connecting?
Thanks in advance.
Yes, when using this kind of authentication method, such a thing is possible. Using MAB, best way is to use the Endpoint Compliance Scanner Custom Check Rule (see Mobile Access Administration Guide R80.10 p.170 and sk107014 for details) to check for a special invisible file that has to be present on any corporate laptop.
A second possibility is Office Mode IP assignment using ipassignment.conf file - but only if the company laptop IP range is known and fixed....
This can be achieved by Mobile access blade as suggested by Gunther. There is a feature called compliance check in Endpoint security on demand where you can define compliance policy.
So if your endpoint meets the compliance check, then only he can connect to corporate networks. Plus you can also put a compliance check based on your applications. Please refer to the doc below.
Thank you very much for your replies. I will take a look into this.
Following up on my second question I asked, do you have any suggestions for me regarding Hub mode?
I have enabled this, and in global properties, I have also changed the option that states "all traffic through gateway" or something similar.
Route Print on the remote host shows the 2 routes.
One is: 0.0.0.0 0.0.0.0 and DFW of machine
2nd is 0.0.0.0 192.0.0.0 and default gateway is the VPN tunnel.
As the 2nd is more specific, traffic should be going via the VPN tunnel, correct?
I cannot access corporate DNS - in fact, I cannot access anything. Traffic does not seem to move in either direction. It's not trying to get there locally, via ISP, or go down the tunnel. Any help on this?
This is rather strange - after policy install, RAT should work fine! Route print should list the CP Virtual Network Adapter for the EP VPN client first; the first active route and the permanent route are 0.0.0.0 0.0.0.0 and the GW IP.
See print below
18...54 8b 62 cf 23 0f ......Check Point Virtual Network Adapter For Endpoint V
17...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
15...6e 79 80 69 b1 01 ......AppGate Tunneling Adapter
12...d8 fc 93 5a d2 d2 ......Intel(R) Dual Band Wireless-AC 7260
11...34 e6 d7 3e c0 b3 ......Intel(R) Ethernet Connection I218-LM
1...........................Software Loopback Interface 1
IPv4 Route Table
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.75 25
0.0.0.0 192.0.0.0 10.44.0.1 10.44.0.2 1
10.44.0.0 255.255.0.0 On-link 10.44.0.2 256
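Added example (not code from any participant in this thread or from Check Point): a small longest-prefix-match evaluator over the three routes in the route print pasted above, to show which destinations the second route (destination 0.0.0.0 with netmask 192.0.0.0, i.e. 0.0.0.0/2) actually catches and which fall through to the ISP default route. The route rows are constructed from that table, the tunnel interface address 10.44.0.2 is taken from it, and the tie-break by lowest metric is the Windows ordering the table implies.

```python
import ipaddress

# Route rows constructed from the "route print" output pasted in this thread:
# (network destination, netmask, gateway, interface, metric)
ROUTE_PRINT = [
    ("0.0.0.0",   "0.0.0.0",     "192.168.1.254", "192.168.1.75", 25),
    ("0.0.0.0",   "192.0.0.0",   "10.44.0.1",     "10.44.0.2",    1),
    ("10.44.0.0", "255.255.0.0", "On-link",       "10.44.0.2",    256),
]

# Interface address of the VPN virtual adapter, as it appears in that table (assumption).
TUNNEL_IFACE = "10.44.0.2"


def parse_routes(rows):
    """Turn route-print rows into (IPv4Network, gateway, interface, metric) tuples."""
    parsed = []
    for dest, mask, gw, iface, metric in rows:
        # ipaddress accepts a dotted netmask after the slash, e.g. 0.0.0.0/192.0.0.0 -> /2
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        parsed.append((net, gw, iface, metric))
    return parsed


def select_route(dst, rows=ROUTE_PRINT):
    """Pick the route a host would use: longest prefix first, lowest metric on ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in parse_routes(rows) if addr in r[0]]
    if not matches:
        return None
    net, gw, iface, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(net), "gateway": gw, "interface": iface, "metric": metric}


def goes_via_tunnel(dst, rows=ROUTE_PRINT, tunnel_iface=TUNNEL_IFACE):
    """True when the selected route leaves through the VPN adapter."""
    r = select_route(dst, rows)
    return r is not None and r["interface"] == tunnel_iface


def tunnel_coverage(rows=ROUTE_PRINT, tunnel_iface=TUNNEL_IFACE):
    """Fraction of the IPv4 space that the tunnel routes steer into the VPN adapter."""
    nets = [net for net, _, iface, _ in parse_routes(rows) if iface == tunnel_iface]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covered / 2 ** 32


if __name__ == "__main__":
    for dst in ("10.44.0.1", "8.8.8.8", "100.64.0.1", "192.168.1.10"):
        print(dst, "->", select_route(dst))
    print("share of IPv4 space routed into the tunnel:", tunnel_coverage())
```

Run as-is it reports that 0.0.0.0/2 only covers 0.0.0.0 through 63.255.255.255 (a quarter of the address space), so a destination such as 100.64.0.1 or 192.168.1.10 still follows the ISP default route; a full "route all traffic" table needs the tunnel routes to cover the whole space more specifically than 0.0.0.0/0, which is the check worth making against any real route print before looking at the gateway logs.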
Don't think that's the issue. I stopped all services of the other VPN client, and these are the only routes populated when the Check Point client is installed.
Any suggestions? What should it look like?
Okay - traffic appears to be getting there. But I don't understand the logs? All I see is a flood of 'decrypt' actions with the unlocked padlock symbol, and then the service that I was using, i.e. HTTP, ICMP, etc.
Where do I actually see where the traffic is going?
To be clear, it is still not working, but hitting the gateway to decrypt. Can anyone help?
On most platforms, and from what I can discern this includes Checkpoint, the only true secure method is to rely on PKI infrastructure. Specifically certificates that are difficult or impossible to be exported and used on a different system than that installed. In my case I utilize a 3-factor Checkpoint VPN deployment: User-based certificate issued by my Microsoft Enterprise CA, which does not permit export of the private key, followed by requiring a password for the user on the certificate and last an RSA token code. It's not in the realm of possibility for even an administrator to bypass this security control and access from a non-corporate system. It's the way I've always implemented authentication where this is a concern (and it should be to most, unless you are actively permitting foreign devices to gain access). You could also use the Checkpoint management system internal system certificate authority to achieve similar results, but I never researched how well secured a certificate issued to a client really is, can it be copied to another system, exported, etc. Additionally, I did not want to manage provisioning of new VPN users from the Checkpoint management server console; instead I can leverage numerous AD and GPO based automation to automatically distribute certificates, including if a person gets a loaner laptop, etc. The Checkpoint internal CA is a viable option to meet your needs though, I think.
I was replying to the main topic of how to secure remote access possibility to a corporate LAN from a non-corporate/non-authorized system. Specifically, that any non-certificate based approach like looking for software, a file, a registry key, etc. can be very easily circumvented and, depending on the maturity and security requirements of an organization, they are likely not adequate. I wanted to make sure that people understood there were secure and standard ways to achieve this security requirement and that Checkpoint supports this with either internal or external CAs.