Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kevin_Werner
Contributor
Jump to solution

Excluding specific destination from hub mode

The CPU utilization on my vpn gateway gets out of control during company-wide webex meetings.  For a lot of design reasons, the vast majority of my workforce needs to connect to my gateway in hub mode.  Is there any way to exclude traffic to the webex ip address from going through the vpn tunnel back to my firewalls when my users are in hub mode.

To reiterate, I'd like my users to stay in hub mode, I just need to find a way to make traffic to webex get sent out of my end users' isp as opposed to through the vpn tunnel back to my gateway.

0 Kudos
1 Solution

Accepted Solutions
LukeOxley
Participant

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect. 
  2. Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
  3. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  4. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  5. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  6. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  7. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  8. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

View solution in original post

5 Replies
--THX1138--
Explorer

Hi

I don't have an answer for you. But I do want to inform you of my question in the same forum. Have a look.

https://community.checkpoint.com/t5/Remote-Access-Solutions/VPN-Mobile-Client-Tunneling-Exceptions/td-p/73650/jump-to/first-unread-message

Basically, I want the exact opposite of what you want (no hub-mode, except for certain traffic). The solution could be perhaps used for both our questions. Perhaps it's a good idea to keep an eye out for each others posts for potential solutions.

Greetz

 

LukeOxley
Participant

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Disable hub mode.
  2. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  3. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  4. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  5. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  6. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  7. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

0 Kudos
LukeOxley
Participant

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect. 
  2. Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
  3. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  4. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  5. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  6. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  7. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  8. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

Kevin_Werner
Contributor

Tremendous idea Luke, I'll test it out, sounds like it should absolutely work

0 Kudos
LukeOxley
Participant
Yep - we've had it working across a couple of setups quite well. Let me know how you get along. Available on DM if you hit any issues.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events