Jack_Prenderga1
Contributor

Remote Access Configuration and Compliance Help.

Hi,

I need some help with the Check Point Remote Access solution.

Safe to say, the Mobile Access blade is clunky and terrible – however, we purchased it and I need a hand configuring some parts.

We will be using the SSL extender (SSL VPN) for certain users that need access to the Secure Workspace.

Then, for all corporate laptop users, they will be using the Endpoint Security VPN client to connect (IPsec).

Okay – so, SSL extender is fine. No problem: basic browse to a site, log in. All cool.

It's the IPsec side that's causing issues.

If I download the Endpoint Security client to my own personal PC, I can connect to our gateway, and my machine is then effectively on the corporate LAN. This obviously needs to be prevented.

How do I restrict this so that only corporate laptops can connect? I have looked at SVC – which is a headache, painfully complicated, and also doesn't seem relevant to this? Is it something in Compliance? Please can someone help with how to restrict this?

Secondly, I can't manage to disable split tunnelling. There are some sites, e.g. ServiceNow, that only allow access via our corporate public IP. I need all traffic to route via the gateway and out. I have enabled Hub mode, and also ticked the security option to route all traffic via this gateway. No luck.

Any suggestions on both queries, please?

Thanks all.

23 Replies
G_W_Albrecht
Legend

First question: I must admit that I do not fully understand the question 😉 Usually, access is restricted by only allowing access to known users - this can be fine-tuned using:

- AD authentication on the laptop

- authentication using a certificate

- 2FA (two-factor authentication)

- Office Mode IP assigned using the ipassignment.conf file

.....

Second question concerning Route all traffic thru GW: This can be found explained in detail in sk101239 Route all traffic from Remote Access clients, including internet traffic, through Security ..., sk111995 How to set Hub Mode / Route all traffic to gateway for Endpoint Remote Access clients to sp... and sk31873 Configuring the "Route all traffic" feature for SSL Network Extender.

CCSE CCTE CCSM SMB Specialist
Jack_Prenderga1
Contributor

Hello.

Thank you for your reply.

Okay, for more clarity: we authenticate using RADIUS. I am a known user.

I use my corporate laptop at home for work, and I should be able to boot up the endpoint client and connect to the gateway to have access to my internal resources.

At home, on my own personal PC, unconnected from anything work-related, I download the endpoint client. I type in the IP address of our gateway and authenticate using RADIUS, same as above. It allows me in, and now I can access internal resources on my own PC. This should NOT be allowed.

How can I ensure that only corporate machines can connect to the gateway, regardless of WHO is connecting?

Thanks in advance.

G_W_Albrecht
Legend

Yes, when using this kind of authentication method, such a thing is possible. Using MAB, best way is to use the Endpoint Compliance Scanner Custom Check Rule (see Mobile Access Administration Guide R80.10 p.170 and sk107014 for details) to check for a special invisible file that has to be present on any corporate laptop.

A second possibility is Office Mode IP assignment using ipassignment.conf file - but only if the company laptop IP range is known and fixed....

Gaurav_Pandya
Advisor

Hi Jack,

This can be achieved with the Mobile Access blade as suggested by Gunther. There is a feature called compliance check in Endpoint Security on Demand where you can define a compliance policy.

So only if the endpoint meets the compliance check can it connect to corporate networks. Plus you can also put a compliance check based on your applications. Please refer to the doc below.

https://community.checkpoint.com/docs/DOC-2843-endpoint-application-wise-scan-check

Jack_Prenderga1
Contributor

Hi,

Thank you very much for your replies. I will take a look into this.

Following up on my second question I asked, do you have any suggestions for me regarding Hub mode?

I have enabled this, and in global properties, I have also changed the option that states "all traffic through gateway" or something similar.

Route Print on the remote host shows the 2 routes.

One is: 0.0.0.0 0.0.0.0 via the default gateway of the machine.

The 2nd is 0.0.0.0 192.0.0.0, and the gateway is the VPN tunnel.

As the 2nd is more specific, traffic should be going via the VPN tunnel, correct?

I cannot access corporate DNS - in fact, I cannot access anything. Traffic does not seem to move in either direction. It's not trying to go locally, via the ISP, or down the tunnel. Any help on this?

G_W_Albrecht
Legend

This is rather strange - after policy install, RAT should work fine! Route print should list the CP Virtual Network Adapter for EP VPN client first, first active route and permanent route are 0.0.0.0 0.0.0.0 and GW IP.

Jack_Prenderga1
Contributor

Hello..

See print below

H:\>route print
===========================================================================
Interface List
 18...54 8b 62 cf 23 0f ......Check Point Virtual Network Adapter For Endpoint VPN Client
 17...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
 15...6e 79 80 69 b1 01 ......AppGate Tunneling Adapter
 12...d8 fc 93 5a d2 d2 ......Intel(R) Dual Band Wireless-AC 7260
 11...34 e6 d7 3e c0 b3 ......Intel(R) Ethernet Connection I218-LM
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     25
          0.0.0.0        192.0.0.0        10.44.0.1        10.44.0.2      1
        10.44.0.0      255.255.0.0         On-link         10.44.0.2    256

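A way to check what the route table posted above actually does, as an added example (not code from this thread or from Check Point). Windows selects a route by longest matching prefix first and lowest metric second, and a netmask of 192.0.0.0 is a /2, so the 0.0.0.0 / 192.0.0.0 entry only matches destinations from 0.0.0.0 to 63.255.255.255. The script parses the three active routes copied from the post (constructed sample input) and resolves a few destinations against them; the Office Mode address 10.44.0.2 comes from the table, the sample destinations are assumptions.

```python
"""Resolve destinations against the Windows route table posted above.

Added example, not code from this thread or from Check Point. The three
active routes below are copied from the poster's `route print` output
(constructed sample input); the test destinations are assumptions.
"""
import ipaddress

# Constructed sample: the "Active Routes" block from the post above.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     25
          0.0.0.0        192.0.0.0        10.44.0.1        10.44.0.2      1
        10.44.0.0      255.255.0.0         On-link         10.44.0.2    256
"""

# Office Mode address of the Check Point virtual adapter, taken from the table.
VPN_INTERFACE = "10.44.0.2"


def parse_route_print(text):
    """Return [(network, gateway, interface, metric), ...] from `route print` text.

    Header, separator and interface-list lines do not parse as
    <dest> <mask> <gateway> <interface> <metric> and are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)  # validates the interface column
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes


def lookup(routes, destination):
    """Pick the route Windows would use: longest prefix wins, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    net, gateway, iface, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return {
        "network": str(net),
        "gateway": gateway,
        "interface": iface,
        "via_vpn": iface == VPN_INTERFACE,
    }


def tunnel_coverage(routes):
    """Fraction of the IPv4 space captured by gateway routes over the VPN adapter.

    The on-link Office Mode subnet is local to the adapter rather than
    forwarded through the tunnel, so it is not counted.
    """
    covered = sum(
        net.num_addresses
        for net, gateway, iface, _ in routes
        if iface == VPN_INTERFACE and gateway.lower() != "on-link"
    )
    return covered / 2**32


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    # Assumed destinations: the Office Mode gateway, an internal 10.x host,
    # a public resolver, an RFC 1918 address above 63.255.255.255, a public server.
    for host in ("10.44.0.1", "10.1.2.3", "8.8.8.8", "172.16.0.1", "203.0.113.5"):
        r = lookup(table, host)
        print(f"{host:<14} -> {r['network']:<14} via {r['gateway']:<14} tunnel={r['via_vpn']}")
    print(f"share of IPv4 space routed into the tunnel: {tunnel_coverage(table):.0%}")
```

With the posted table, 8.8.8.8 and any 10.x host resolve to the tunnel, while 172.16.0.1 and 203.0.113.5 fall through to the ISP default route, and tunnel_coverage reports 25%. A client on which "route all traffic" is really in effect should send a public destination like 203.0.113.5 to the VPN adapter as well, so pasting a laptop's own route print into ROUTE_PRINT is a quick way to confirm whether Hub mode took hold before chasing DNS or firewall logs.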
G_W_Albrecht
Legend

Maybe some other VPN client o.s.s. is installed here?

Jack_Prenderga1
Contributor

Hi,

Don't think that's the issue. I stopped all services of the other VPN client, and these are the only routes populated when the Check Point client is installed.

Any suggestions? What should it look like?

G_W_Albrecht
Legend

I would test this on a clean machine without any other VPN client / services.... Please also check trac_client_1.ttm on the client.

G_W_Albrecht
Legend

And of course beware of overlapping networks 😉

Jack_Prenderga1
Contributor

As requested, clean machine... same results.

H:\>route print
===========================================================================
Interface List
 18...54 8b 62 cf 46 0e ......Check Point Virtual Network Adapter For Endpoint VPN Client
 12...d8 fc 93 4f g8 e4 ......Intel(R) Dual Band Wireless-AC 7260
 11...34 e6 57 7e 2f r3 ......Intel(R) Ethernet Connection I218-LM
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     25
          0.0.0.0        192.0.0.0        10.44.0.1        10.44.0.2      1
        10.44.0.0      255.255.0.0         On-link         10.44.0.2    256

G_W_Albrecht
Legend

I would involve TAC here.

Gaurav_Pandya
Advisor

Hi Jack,

When you browse to the internet, are you getting any logs in the tracker, or is the traffic not reaching the gateway at all?

Jack_Prenderga1
Contributor

Okay - traffic appears to be getting there. But I don't understand the logs. All I see is a flood of 'decrypt' actions with the unlocked padlock symbol, and then the service that I was using, e.g. HTTP, ICMP, etc.

Where do I actually see where the traffic is going?

To be clear, it is still not working, but it is hitting the gateway to decrypt. Can anyone help?

Jack_Prenderga1
Contributor

In fact, I've also seen blocked messages due to "Main Mode peer does not support IKE". Can someone help with that?

G_W_Albrecht
Legend

Involve TAC - we can only do guesswork here...

Gaurav_Pandya
Advisor

Hi Jack,

Please refer to the URL below. If this does not resolve the issue, raise a TAC case.

https://community.checkpoint.com/message/12386-mobile-access-default-route

G_W_Albrecht
Legend

And how was the issue resolved?

Mark_Colatosti
Contributor

On most platforms, and from what I can discern this includes Checkpoint, the only true secure method is to rely on PKI infrastructure. Specifically, certificates that are difficult or impossible to export and use on a different system than the one they were installed on. In my case I utilize a 3-factor Checkpoint VPN deployment: a user-based certificate issued by my Microsoft Enterprise CA, which does not permit export of the private key, followed by requiring the password for the user on the certificate, and last an RSA token code. It's not in the realm of possibility for even an administrator to bypass this security control and access from a non-corporate system. It's the way I've always implemented authentication where this is a concern (and it should be to most, unless you are actively permitting foreign devices to gain access).

You could also use the Checkpoint management system's internal certificate authority to achieve similar results, but I never researched how well secured a certificate issued to a client really is: can it be copied to another system, exported, etc.?

Additionally, I did not want to manage provisioning of new VPN users from the Checkpoint management server console; instead I can leverage numerous AD and GPO based automation to automatically distribute certificates, including if a person gets a loaner laptop, etc. The Checkpoint internal CA is a viable option to meet your needs though, I think.

G_W_Albrecht
Legend

I do not see a place for your remarks here, as this is not at all relevant for any of the asked questions...

Mark_Colatosti
Contributor

I was replying to the main topic of how to secure remote access to a corporate LAN from a non-corporate/non-authorized system. Specifically, any non-certificate-based approach like looking for software, a file, a registry key, etc. can be very easily circumvented and, depending on the maturity and security requirements of an organization, is likely not adequate. I wanted to make sure that people understood there are secure and standard ways to achieve this security requirement and that Checkpoint supports this with either internal or external CAs.

Mark_Colatosti
Contributor

I realize the original poster has moved on in all likelihood, but another individual searching these archives might be helped.
