VikingsFan
Advisor

Different configs for different VPN groups?

I can't find where I saw it one time, and I may be thinking of a different file, but is there a way to push different trac_client_1.ttm configs depending on the VPN group users are in?  The use case is that we're checking out dynamic split VPN tunneling, and I'm thinking about pushing different trac_client_1.ttm files to turn the split tunnel flag on or off depending on their group.

Maybe it was a different file related to VPN, but I thought it was something like adding a _GROUPNAME after the file name and it would load depending on their group.  Am I thinking of a different file, and is there any documentation on this?  So far I can't find what I'm thinking of.

This is the split tunnel doc we're following: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

10 Replies
Khairulanam
Explorer

Hi VikingsFan,

You might want to look at the sk114882. The setting that you are looking for is "neo_route_all_traffic_through_gateway" in the ttm file.

VikingsFan
Advisor

Morning,

I ran across that article also, and yes, it is exactly what I was looking for, thanks!  My plan is to have something like a ttm_vendor group which will have our regular full-VPN settings, and then the trac_client_1.ttm will have the "split_tunnel" configuration set to "true".

The only thing I'm not clear on is whether we can use our existing VPN groups.  Say I have a VPN-VENDOR AD group; can it be part of the TTM_VENDOR group and get applied correctly, or must membership be direct?  I will test it, but I'm asking in case someone knows offhand.

Thanks!

Khairulanam
Explorer

Yes, you can. Just make sure the group name starts with "ttm_"; in your case, ttm_VENDOR. I haven't tried configuring the TTM with capital letters, though, but you may try and see if it still works.

In my opinion, since you already have an existing VPN-VENDOR group, why don't you rename it with the new name instead of creating a new group? It will be much easier since you do not need to add any new policy for that new group.

VikingsFan
Advisor

There are processes and other things tied to the existing AD group names.  I'm not super familiar with it, but what about the screenshot below?  Can I have the Check Point LDAP group named properly but have it point to my actual AD group name?  That way I can keep my existing naming convention in AD, but it will still match the TTM name.

[Screenshot: 2025-07-07_09-54-06.jpg]

VikingsFan
Advisor

It does appear that creating the ttm_vendor group and pointing it to a different AD group name will work.  I'm having issues getting the settings to stay consistent, though... for example, I switched the vendor.ttm file back to split_tunnel = false, and in the client logs it keeps saying the gateway is configured to true.  Is there a trick for getting the gateway to reread the file, or to have the changes reflected consistently?

PhoneBoy
Admin

As far as I know, TTM settings won't update on the client until the client disconnects and reconnects to the server.

VikingsFan
Advisor

Thanks PhoneBoy.  I've done it multiple times with no change on the client side.  I'm reading the 'trac.log' file for changes, but running 'netstat -rn' also shows the split tunneling even though I have it set to false (in both TTM files right now).  I even tried shutting the client down completely and reconnecting, with no change.  I'm updating to R81.20 JHF 105 right now, for fun, to see if that changes anything.

Guessing a ticket might be in order if this is not expected behaviour.

PhoneBoy
Admin

If you make any changes to a TTM file, you must install the Access Policy for it to take effect.
This is documented here: https://support.checkpoint.com/results/sk/sk75221

VikingsFan
Advisor

Yep, I've installed policy multiple times with no change.  I even checked 'do not use install policy acceleration for all targets.'  I'll keep checking.

PhoneBoy
Admin

That may only apply for the "main" TTM file (not the group-specific ones).
One other thing to try: after making the changes, try checking the file with vpn check_ttm.

Otherwise, you're probably in TAC case territory.

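The two open questions in this thread, how a "ttm_" group maps to its own TTM file (Khairulanam's reply, including the unanswered capital-letters question) and why the client can report a different neo_route_all_traffic_through_gateway value than the file an admin just edited, can both be checked offline before opening a TAC case. The script below is an added example written for this page; it is not part of the thread, sk114882 or any Check Point tool. It assumes the nested `:key ( ... )` layout shown in the constructed sample files, assumes the group-to-file mapping the thread describes (group `ttm_X` selects `X.ttm`, otherwise `trac_client_1.ttm` applies), and deliberately treats a file that matches only with different capitalization as unresolved, since the thread leaves the gateway's case handling open. It reports which file a user's groups would select and whether that file forces all traffic through the gateway, so mismatches between the main file and a group file show up before clients do.

```python
import re

# Constructed sample TTM files (assumed layout, not copied from a gateway).
SAMPLE_FILES = {
    "trac_client_1.ttm": """
:gateway (
    :default (
        :neo_route_all_traffic_through_gateway (
            :gateway (
                :default (false)
            )
            :client (
                :default (false)
            )
        )
    )
)
""",
    "vendor.ttm": """
:gateway (
    :default (
        :neo_route_all_traffic_through_gateway (
            :gateway (
                :default (true)
            )
            :client (
                :default (true)
            )
        )
    )
)
""",
}

# Tokens of the set-style format: ':key', '(', ')' or a bare value.
TOKEN_RE = re.compile(r"\s*(:[\w\-]+|\(|\)|[^\s()]+)")


def tokenize(text):
    """Split TTM text into ':key', '(', ')' and value tokens."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse_ttm(text):
    """Parse ':key (value)' and ':key (:sub (...) ...)' blocks into nested dicts."""
    tokens, pos = tokenize(text), 0

    def block():
        nonlocal pos
        key = tokens[pos]
        if not key.startswith(":") or tokens[pos + 1] != "(":
            raise ValueError(f"expected ':key (' at token {pos}: {key!r}")
        pos += 2
        if tokens[pos] == ")":              # empty block
            pos += 1
            return key[1:], {}
        if tokens[pos].startswith(":"):     # nested keys
            children = {}
            while tokens[pos] != ")":
                k, v = block()
                children[k] = v
            pos += 1
            return key[1:], children
        value = tokens[pos]                  # scalar value
        if tokens[pos + 1] != ")":
            raise ValueError(f"expected ')' after value {value!r}")
        pos += 2
        return key[1:], value

    conf = {}
    while pos < len(tokens):
        k, v = block()
        conf[k] = v
    return conf


def route_all_traffic(conf):
    """True when the gateway-side default forces all traffic through the gateway."""
    node = conf["gateway"]["default"]["neo_route_all_traffic_through_gateway"]
    return node["gateway"]["default"].lower() == "true"


def select_ttm_file(user_groups, available_files, default="trac_client_1.ttm"):
    """Map a 'ttm_X' group to 'X.ttm' (assumed mapping); return (file, warnings).

    A file that exists only under different capitalization is reported, not
    used, because the thread does not settle how the gateway handles case.
    """
    warnings, by_lower = [], {f.lower(): f for f in available_files}
    for group in user_groups:
        if not group.lower().startswith("ttm_"):
            continue
        wanted = group[4:] + ".ttm"
        if wanted in available_files:
            return wanted, warnings
        if wanted.lower() in by_lower:
            warnings.append(f"group {group}: {by_lower[wanted.lower()]} differs in case from {wanted}")
        else:
            warnings.append(f"group {group}: no file {wanted} found")
    return default, warnings


def effective_split_tunnel(user_groups, files):
    """Resolve the applicable file and the split-tunnel outcome for one user."""
    name, warnings = select_ttm_file(user_groups, files.keys())
    forced = route_all_traffic(parse_ttm(files[name]))
    return {"file": name, "route_all_traffic": forced,
            "split_tunnel": not forced, "warnings": warnings}


if __name__ == "__main__":
    for groups in (["Domain Users", "ttm_vendor"], ["ttm_VENDOR"], ["VPN-VENDOR"]):
        print(groups, "->", effective_split_tunnel(groups, SAMPLE_FILES))
```

Run it against copies of the real files from the gateway's conf directory (substitute them for SAMPLE_FILES) after each edit and policy install; if the file the script selects says route-all is false while the client log says true, the client is still reading an older or different file, which is the situation PhoneBoy's `vpn check_ttm` suggestion is meant to surface.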