Cristian_Rosa
Participant

Connecting to Internal Network VPN/SSL Client


Hello guys,

How do I prevent a user on the internal LAN from connecting to the SSL VPN/Client itself? We came across this case, where the user should only be able to access the SSL VPN/Client when they are external, not when they are internal.

I wouldn't want users to access our own SSL/Client VPN from the internal network.


Congrats,

Cristian Rosa

13 Replies
the_rock
Champion

I'm not really sure what you are trying to achieve here. You don't want a user that's internal to be able to access the VPN client?

Cristian_Rosa
Participant
Yes. When the user is inside the internal network, he connects to the SSL VPN as if he were external. Should this happen? Does Check Point accept this connection even when the user is within the internal network? I wish it weren't possible.
the_rock
Champion

You can restrict it, but there is no need to do this from internal.

Cristian_Rosa
Participant

And how would I do it?

Can you help me?

Congrats,

Cristian Rosa

skandshus
Collaborator

Don't you have the ability to select the interface it's accessible from?

I got that on several things if you open the gateway properties.

Cristian_Rosa
Participant

I don't know how to inform. I searched but couldn't find where to configure it.

the_rock
Champion

Honestly, I never heard of a way to do this specifically from the firewall object itself or even Global Properties. There might be some way possible via the gateway file trac_client_1.ttm, but I'm not 100% sure how. Maybe someone else will chime in and confirm for you. Personally, I think there would need to be some sort of mechanism that recognizes the user as being internal and prevents them from even being able to connect, unless they come from an external source.

Cristian_Rosa
Participant

Yes, exactly. I think this is the way; I hadn't seen that happen yet.

the_rock
Champion

Let's see if someone else may have an idea. I'm also interested to see the suggestions/advice, or if it's even possible.

G_W_Albrecht
Legend

Yep - it is rather old and called Location Awareness:

SmartDashboard - go to Policy menu - click on Global Properties... - expand Remote Access - click on Endpoint Connect - in the Connectivity Settings section, refer to Network Location Awareness field - select Yes - click on Configure... button - enjoy the options...

CCSE CCTE SMB Specialist
the_rock
Champion

Ah, yes, good point, totally forgot about that.

Cristian_Rosa
Participant

Hello Albrecht,

Your help resolved my case.

Thanks a lot...


Cristian Rosa

CCSA

Wolfgang
Mentor

@Cristian_Rosa you can disable the implied rule for MOB access if you switch your gateway object configuration "Accessibility" to "According to the Firewall policy".

Screenshot 2022-04-19 075749.png

With this setting you have to define access rules for access to the Mobile Access Portal, like this one:

Screenshot 2022-04-19 080211.png

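To illustrate the approach in the reply above, here is an added example (written for this thread, not Check Point's code): a simplified first-match rulebase model showing why, once the implied portal rule is disabled, an explicit rule is needed, and how that rule can then admit the portal only from the outside while LAN clients hit the cleanup rule. The address ranges, the zone classification by source address, and the `implied_rule_enabled` flag are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed lab addressing for this example (not from the thread).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
GW_EXTERNAL = ip_address("203.0.113.10")  # gateway's Internet-facing address
GW_INTERNAL = ip_address("10.0.0.1")      # gateway's LAN-facing address

@dataclass
class Rule:
    name: str
    src_zone: str               # "Internal", "External" or "Any"
    dst: Optional[IPv4Address]  # None = any destination
    dport: Optional[int]        # None = any service
    action: str                 # "Accept" or "Drop"

def zone_of(ip: IPv4Address) -> str:
    """Classify an address as Internal or External by address range (assumption)."""
    return "Internal" if any(ip in n for n in INTERNAL_NETS) else "External"

# Model of the implied portal rule: portal reachable on every interface, from anywhere.
IMPLIED_PORTAL = Rule("implied portal access", "Any", None, 443, "Accept")

# Explicit rules the admin writes once the implied rule is disabled:
# allow the portal only on the external address from the outside, drop the rest.
EXPLICIT_POLICY = [
    Rule("VPN portal from Internet", "External", GW_EXTERNAL, 443, "Accept"),
    Rule("cleanup", "Any", None, None, "Drop"),
]

def evaluate(src: str, dst: str, dport: int, implied_rule_enabled: bool) -> str:
    """Return the action of the first matching rule (first-match semantics)."""
    rules = ([IMPLIED_PORTAL] if implied_rule_enabled else []) + EXPLICIT_POLICY
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if r.src_zone != "Any" and r.src_zone != zone_of(src_ip):
            continue
        if r.dst is not None and r.dst != dst_ip:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "Drop"  # nothing matched: implicit drop

if __name__ == "__main__":
    for implied in (True, False):
        print("implied rule", implied, "LAN client:", evaluate("10.0.5.20", str(GW_INTERNAL), 443, implied))
        print("implied rule", implied, "Internet client:", evaluate("198.51.100.7", str(GW_EXTERNAL), 443, implied))
```

Running it shows the LAN client is accepted only while the implied rule is in place; with it disabled, the same connection falls through to the cleanup rule and is dropped.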