Remote access without visitor mode enabled?

Hello,

What options do I have to configure remote access without enabling Visitor Mode? 

Following the Remote Access VPN guide, it looks like it's mandatory, as it's specified in the basic gateway configuration. It's not clear to me how you can set it up without it.

However, this feature opens ports 80, 443 and 264 TCP to the Internet. Why are all of them necessary and how could I restrict them?

Which VPN client can connect to the gateway when visitor mode is disabled?

Thanks,

George


Re: Remote access without visitor mode enabled?

No, it is not mandatory; see sk159372: Visitor Mode in Remote Access clients for details!


Re: Remote access without visitor mode enabled?

It says it's a backup mechanism, but with the Mobile Access blade enabled (which is required in order to use Office Mode with an IP pool for the Check Point Mobile client) it is enabled by default and greyed out; it cannot be disabled.

If you only have the IPSec VPN blade enabled, without the visitor mode feature, the gateway doesn't answer connection requests from VPN clients. It actually warns you when disabling it that VPN clients (except for the old SecureClient) will not be able to connect.

I haven't found a workaround yet.


Thanks,

George


Re: Remote access without visitor mode enabled?

There is a reason that it is needed, and this is what it is.


The VERY first time you connect to a VPN gateway with a client, it asks you to trust the VPN certificate as being from the ICA, which is not a trusted CA.

That connection is made over HTTPS, not the IPsec protocols.

You will see subsequently, when you connect, that before the IPsec tunnel is initiated the client makes an HTTPS connection to the gateway.

The Visitor Mode allows this HTTPS connection to be made.

If there is no response to the HTTPS request, the IPsec tunnel is not attempted; instead it says the site is unreachable, etc.


264 is the fw1_topo port that is used for downloading the topology.

You don't know in advance where they are coming from, so you have to have it open everywhere.


Same as port 500 and proto 50/51 to allow the IPsec tunnel to build: you don't know the source, so it has to be open. Of course, that doesn't stop them being reported by scanners as vulnerabilities, but it won't work without them being open.
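A small rule-base check for the flows this reply lists (TCP 443, TCP 264, UDP 500, ESP/AH), added here as an example and not code from the thread or from any Check Point tool: it applies first-match semantics to a constructed rule base and reports which required flow is not accepted. Object names such as "gw-ext" and the rule fields are assumptions, not Check Point policy syntax.

```python
from dataclasses import dataclass
from typing import List, Optional

# Inbound flows the gateway must accept from unknown Internet sources for Remote
# Access VPN, as laid out in the reply above: HTTPS for the initial trust / Visitor
# Mode exchange, fw1_topo (TCP 264) for topology download, IKE, and ESP/AH.
REQUIRED_FLOWS = {
    "https_visitor_mode": ("tcp", 443),
    "fw1_topo": ("tcp", 264),
    "ike": ("udp", 500),
    "esp": ("esp", None),  # IP protocol 50, no port
    "ah": ("ah", None),    # IP protocol 51, no port
}

@dataclass
class Rule:
    src: str             # "any" or a named object
    dst: str             # "any" or a named object, e.g. "gw-ext" (assumed name)
    proto: str           # "any", "tcp", "udp", "esp" or "ah"
    port: Optional[int]  # TCP/UDP port; None means any port / no port
    action: str          # "accept" or "drop"

def first_match(rules: List[Rule], dst: str, proto: str, port: Optional[int]) -> Optional[Rule]:
    """First rule matching a packet from an unknown source (first-match semantics)."""
    for r in rules:
        if r.src != "any":  # remote users arrive from addresses you cannot predict
            continue
        if r.dst not in ("any", dst) or r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        return r
    return None  # no explicit match: implicit cleanup drop

def missing_flows(rules: List[Rule], gateway: str) -> List[str]:
    """Names of required flows the rule base does not accept towards `gateway`."""
    hits = {name: first_match(rules, gateway, proto, port)
            for name, (proto, port) in REQUIRED_FLOWS.items()}
    return [name for name, hit in hits.items() if hit is None or hit.action != "accept"]

# Constructed rule base (hypothetical, not from the thread): the explicit HTTPS rule
# and the IPsec services are present, but the fw1_topo service was forgotten.
EXAMPLE_RULES = [
    Rule("any", "gw-ext", "tcp", 443, "accept"),
    Rule("any", "gw-ext", "udp", 500, "accept"),
    Rule("any", "gw-ext", "esp", None, "accept"),
    Rule("any", "gw-ext", "ah", None, "accept"),
    Rule("any", "any", "any", None, "drop"),
]
MISSING = missing_flows(EXAMPLE_RULES, "gw-ext")  # ['fw1_topo']
```

The check only covers the access policy; as the later replies in this thread observe, the client's port 443 connection also needs the Visitor Mode portal on the gateway, which a rule-base check cannot see.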


Re: Remote access without visitor mode enabled?

Hello,

Thanks for the details, this makes sense.

Following this logic, after I connect the first time and create the site, I should be able to subsequently connect from the same device even if visitor mode is disabled.

Is this correct? Should I be able to connect using Office mode after initial trust is established, with visitor mode disabled? This means mobile access blade removed, and only IPSec VPN active in order to be able to disable visitor mode.


Re: Remote access without visitor mode enabled?

Unfortunately, you will still see the client make an attempt to connect with HTTPS every time it makes a connection.

You can probably get rid of Visitor Mode as long as you have a rule open to allow HTTPS to the gateway as an explicit rule, which effectively results in the same rule.


Most people will have moved the Gaia Portal off HTTPS 443 to another port, so it isn't that big a deal having HTTPS open on the box, as the HTTPS should only be there for Remote Access at that point.


Re: Remote access without visitor mode enabled?

Hi,

Has anyone confirmed that RA VPN clients (EndPoint Security VPN) can connect when visitor mode is disabled (providing an explicit HTTPS rule is added to the policy)?

In my environment we have moved the portal to a different port. When visitor mode is on (running on port 443), the "enable_tcpt" implied rule is implemented (this isn't configurable via the normal implied rule area; sk119497 explains this). The clients can configure sites and establish phase 1/2 normally. However, when turning visitor mode off and then having an explicit HTTPS rule in the access policy, the client is no longer able to connect or create a site / establish VPN. The observed behaviour suggests there is a service which is enabled when visitor mode is enabled and which answers requests from the Endpoint Security VPN clients (or possibly this is an additional function of visitor mode?). I understand the requirement for visitor mode (sk159372 explains this perfectly). Interestingly, sk159372 also advises avoiding visitor mode if there is no need for it.

So how come EndPoint Security VPN Clients are unable to connect to the gateway when Visitor mode is disabled and an explicit HTTPS rule is implemented in the access policy?

Is anyone from Check Point able to answer / confirm the above? 

Thanks,

Jon

Re: Remote access without visitor mode enabled?

My guess would be that disabling Visitor Mode is affecting something in the MultiPortal feature, which arbitrates access to port 443 on the gateway since it is used by so many different features:

sk155512: How to determine which portal is causing MultiPortal to respond on external interface

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Re: Remote access without visitor mode enabled?

The VPND process listens on port 443, and Endpoint Security VPN always uses this port to negotiate the tunnel. That kind of requires Visitor Mode to be enabled if you want to use this client or Capsule.


Re: Remote access without visitor mode enabled?

Thanks @Timothy_Hall and @HristoGrigorov ,

You guys helped point me in the right direction.

I did some further reading/testing. It does appear, as you say @Timothy_Hall, that the mpdaemon has a portal called "clients", which is bound to port 444. When visitor mode is disabled, this portal is removed. It would therefore seem that visitor mode enables the client portal, which supports the hand-over of the HTTPS (or whatever visitor mode port is chosen) traffic from Endpoint Security clients (and possibly other remote access clients) to the vpnd process via port 444.


I don't know if the above is 100% accurate, but the behaviour seen would fit that description. 


Thanks again,


Jon