Dilmurat_Zakiro
Participant

cluster as a vpn server and proxy server

Hello guys,

Now I use my Check Point cluster as a corporate non-transparent proxy server. In addition to that, I use it as a VPN server for my remote access users. My current task is to configure it so that my remote access users can use my proxy server to reach Internet resources according to the Access Policy on my cluster. If I define the internal interface IP address of the cluster as the proxy (in my VPN users' browser settings), web pages cannot be displayed. If I define the external interface IP address of the cluster as the proxy (in my VPN users' browser settings), users can open web pages, but they have unlimited access to the Internet (access is not restricted according to the Access Policy on my cluster).

How do I solve this task?

0 Kudos
3 Replies
Maarten_Sjouw
Champion

Here are some things to check:

Make sure to add the internal Proxy IP to the remote access VPN topology. 

Does the rule allowing access to the proxy contain the Officemode IP range as source?

Why do you want them to use explicit Proxy?  Is it due to the fact it is already set for the corporate network?

When you use a PAC or WPAD.dat file you can exclude the Officemode network from the proxy, and when set to hub mode you can still force all traffic through the FW and apply an "at home" policy to that traffic.

The gateway can be used as a transparent and explicit proxy at the same time. Doing the same on a 15600 with about 600 Mbps fully filtered.

Regards, Maarten
0 Kudos
Dilmurat_Zakiro
Participant

Q:Does the rule allowing access to the proxy contain the Officemode IP range as source? 

A: Yes, clients can reach the proxy on its TCP port 8080. The connection is established; logs confirm that fact.

Q:Why do you want them to use explicit Proxy?  Is it due to the fact it is already set for the corporate network?

A: The main task is to configure access for remote access users so that they have the same Access Policy both when they are in the corporate network and when connected via the VPN client.

Q:When you use a PAC or WPAD.dat file you could exclude the Officemode network from the proxy and when set to hubmode, you can still force all traffic through the FW and apply a "at home" policy to that traffic.

A: Can you explain how I can implement it (is there any useful/helpful link? I have never done anything like that)? Does it mean that I can configure the same policy as on my security gateway for my remote access clients?

0 Kudos
Maarten_Sjouw
Champion

Q1: Do you also see a request from the gateway to the requested site? Or does the FW (Security Gateway) give the user a block page (which might not be shown)?

Q2: You can achieve that by just making sure that all traffic is routed through the FW when connected. Go into the Global Properties and select Remote Access -> Endpoint Security VPN; under Security Settings the first item is "Route all traffic to gateway", there select Yes. Now open the FW object, go to VPN Clients -> Remote Access, where you will find the option "Allow VPN Clients to route all traffic through the gateway" under Hub Mode configuration, and set it to on.

Q3: How to set up a Proxy.pac file and how to use it has many results in all search engines.

Transparent and proxied is only controlled by policy: if traffic is allowed by a specific rule it will be allowed to go through that part of the policy, so if you have an inline Application policy just make sure to allow the Officemode network to use that rule by adding it to the source. Do not forget to set a NAT rule for outbound traffic from the Officemode network, and two rules above it that disable NAT for inbound traffic from the clients and vice versa.

Regards, Maarten
0 Kudos
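The PAC approach Maarten describes above (exclude the Office Mode network from the explicit proxy and let hub mode carry that traffic through the gateway, where the normal Access Policy applies), written out as an added example. This is not part of the original thread and not Check Point's code. The Office Mode pool (10.99.0.0/16), the internal proxy VIP and port (192.168.1.1:8080) and the internal DNS suffix (.corp.example) are assumed placeholders; the helper functions myIpAddress, isInNet, isPlainHostName and dnsDomainIs are minimal stand-ins for the ones a browser's PAC engine provides, included only so the file can be run and checked with node.

```javascript
// Added example (not from the thread, not Check Point's own code): a PAC file
// that sends corporate LAN clients to the explicit proxy on port 8080 and lets
// Office Mode (VPN) clients go DIRECT, so that hub mode forces their traffic
// through the gateway, where the same Access Policy is applied.
//
// Assumed values; replace with your own:
var OFFICE_MODE_NET  = "10.99.0.0";            // assumption: Office Mode pool
var OFFICE_MODE_MASK = "255.255.0.0";          // assumption: pool netmask
var PROXY_INTERNAL   = "PROXY 192.168.1.1:8080"; // assumption: cluster internal VIP + proxy port
var INTERNAL_SUFFIX  = ".corp.example";         // assumption: internal DNS suffix

// A browser's PAC engine supplies myIpAddress(), isInNet(), isPlainHostName()
// and dnsDomainIs(). The stand-ins below exist only so this file runs under
// node; they are not needed (and would be ignored) in a real PAC file.
var TEST_CLIENT_IP = "192.168.10.20";          // stand-in for the client's own address
function myIpAddress() { return TEST_CLIENT_IP; }

function ip2int(ip) {
  // Dotted quad -> unsigned 32-bit integer (>>> 0 forces unsigned).
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}
function isInNet(ip, net, mask) {
  var m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// The PAC entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Intranet names never go through the proxy, whether on the LAN or over VPN.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Office Mode client: bypass the explicit proxy. With "route all traffic to
  // gateway" / hub mode enabled, the request still traverses the gateway and
  // is matched against the same rules as LAN traffic.
  if (isInNet(myIpAddress(), OFFICE_MODE_NET, OFFICE_MODE_MASK)) {
    return "DIRECT";
  }
  // Everyone else on the corporate network: explicit proxy only. Appending
  // "; DIRECT" as a fallback would let a client bypass filtering whenever the
  // proxy is unreachable, so it is deliberately left out.
  return PROXY_INTERNAL;
}

// Test helper for use outside a browser: evaluate the PAC for a given client IP.
function decideFor(clientIp, url, host) {
  TEST_CLIENT_IP = clientIp;
  return FindProxyForURL(url, host);
}
```

Serve the file from an internal web server that VPN clients can also reach, and point browsers at its URL (or publish it via WPAD). Because Office Mode clients are detected by their own address, the same file works on the LAN and over the VPN, which is what keeps the two cases under one policy once hub mode is on.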