This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dilian_Chernev
Collaborator
‎2022-05-30 12:59 AM

Custom Remote Access VPN domain for different gateways

Hi mates,

I have the following issue to resolve 🙂

Two gateways for company users Remote access with same VPN RA domain configured - working ok.
We need to add third gateway for External Vendors with different VPN RA domain.

All three gateway are defined in the Remote Access community, MEP is turned off.

Everything works, except that external vendors gets the same routing table as defined for company users.

Am I doing something wrong? Is there some manual way to define required routes to be installed for the third gateway.

Thanks

0 Kudos
9 Replies
G_W_Albrecht
Legend
Legend
‎2022-05-30 01:34 AM

Easy - you can use either two RA communities or Access Roles to get a very granular access policy - see https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

CCSE CCTE SMB Specialist
0 Kudos
Ruan_Kotze
Advisor
‎2022-05-30 02:23 AM
In response to G_W_Albrecht

Don't think multiple Remote Access communities are supported.  It was possible to create multiple RA communities at one stage, but this was a bug.

Like you said - Identity based policies using Access Roles would be the way to go here.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-05-30 03:44 AM
In response to Ruan_Kotze

Yes, i would suggest to use Access Roles. Another possible configuration uses User Groups in access rules.

CCSE CCTE SMB Specialist
0 Kudos
Dilian_Chernev
Collaborator
‎2022-05-30 04:10 AM
In response to G_W_Albrecht

Thank you for the response, but I don't have issues with rules, but with injected routes on client machines 🙂

As usual it is more complicated than it sounds 🙂

On the first two gw, VPN domain is - All internet without Zoom/Webex services. ( I saw this configuration here somewhere). So clients receive huge routing table that points to the gateway, except for Zoom/Webex.

On the third gw, we want clients to receive only routes to allowed destinations and use their internet services directly, not through the gw. But in fact, they get the same routing tab as members of first two gw.

All remote access vpn domains are defined properly for each gw.
So I was thinking if there is some OS level configuration file that could help for this.

Thanks

0 Kudos
RS_Daniel
Advisor
‎2022-05-30 05:21 AM
In response to Dilian_Chernev

Hello,

Check this sk: Remote Access client download routes from all gateways in the Remote Access Community

I think it fits your scenario, and yes, the solution seems to be configured at OS level. HTH.

Regards

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-05-30 05:36 AM
In response to RS_Daniel

Here, no MEP is used, so sk92676 should not apply.

CCSE CCTE SMB Specialist
0 Kudos
RS_Daniel
Advisor
‎2022-05-30 05:57 AM
In response to G_W_Albrecht

Hello,

I have mep disabled too, but line client_policies still presents mep&# part. Just tested the sk and my routing table decreased from 321 routes to 65. Did not verify that those 65 correspond exactly to the RA vpn domain of the gateway i am connecting too, but think it is worth a try.

Regard

0 Kudos
Dilian_Chernev
Collaborator
‎2022-05-31 12:00 AM
In response to RS_Daniel

This sk seems promising!

I will try it!

Thanks

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-05-30 05:35 AM
In response to Dilian_Chernev

I would not suggest such a topology for RA clients. With Access Roles, only parts of the internal networks can be made available to a subgroup of clients.

CCSE CCTE SMB Specialist
0 Kudos