Re: Help for Remote Access user via Remote Desktop

CheckMate-R77 · ‎2024-01-27

Hello,

Is it possible to initiate a connection back to RA VPN user? Let's say for example that user is connected via RA VPN to internal network and has a problem with an application or printer or whatever. Helpdesk would like to help him by Remote Desktop connection back to his machine (laptop/desktop) via that existing RA VPN connection. That user's machine is using Office Mode address.

Is RA VPN only "one way"?

the_rock · ‎2024-01-27

There is an option in global properties I believe under remote access for back connections, but I dont think that does what it implies. I cant recall now what the purpose of it is, but you can give it a go and install the policy. To answer your ?, yes, remote access VPN would only be one way.

Best,

Andy

PhoneBoy · ‎2024-01-27

Yes, this setting in Global Properties needs to be set.
There should also be an explicit rule in the Access Policy that permits the desired traffic.

CheckMate-R77 · ‎2024-01-29

Hello.

In "Remote Access VPN R81.10 Administration Guide" it is said something about "Remote Client to Client Communication"

Remote client to client connectivity is achieved in two ways:

By routing all the traffic through the Security Gateway

Including the Office Mode range of addresses in the VPN domain of the Security Gateway

There is also an example:

"Two remote users use VoIP software to hold a secure conversation. The traffic between them is directed through a central Hub"

There are also following topics:

"User Groups as the Destination in RA communities" and "Configuring Directional VPN with Remote Access Communities":

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

I don't want to communicate between 2 remote clients, but from internal (helpdesk) network via RDP over Remote Access VPN to remote client.

I have created directional rule, but I get an error

Hub Mode is enabled

Regards

Mirek

the_rock · ‎2024-01-29

I dont think enabling routing vpn traffic through gateway would solve your issue, thats if you want clients to route all their Internet traffic through your firewall once they connect to VPN. Most companies do NOT want that.

I will send you screemshot later for back connections and error you see in the policy.

Best,

Andy

the_rock · ‎2024-01-29

Hey Mirek,

I attached doc with screenshots I was referring to, as promised. Let me know if any questions, Im happy to clarify.

Best,

Andy

CheckMate-R77 · ‎2024-01-29

@the_rock

I really appreciate Your help.

Without active option "Enable VPN Directional Match in VPN Column" it would be impossible to create such directional rule as in my first attached screenshot. And error isn't gone.

I was about to ask what is this option "Enable Back Connections (from gateway to client)" for, and I've found it in "Remote Access VPN R81.10 Administration Guide" chapter "Resolving Connectivity Issues" and under "NAT and Back Connections from Security Gateway to Client"

So Directional VPN has nothing in common with Back Connections? So what rule should I add to allow back connections via RDP over RA VPN? Sorry, but I don't get it right now :-(.

the_rock · ‎2024-01-29

No worries, you are welcome.

To answer your first question, correct, without that option, rule would not work.

As far as 2nd question, I still dont understand myself what this option actually does. 3 years ago, I had case with TAC with RA issue and T3 guy asked us to enable this setting for back connections and when I asked him to logically explain to me what it does, he could not and said would ask esc. buddy, but that sadly went nowhere as far as good explanation.

Below is what it says in the dashboard, but honestly, I cant "digest" it to understand it in layman's terms, if you will.

Back connections

Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled, and the frequency of the Keep Alive packets sent by the client in order to maintain the connection with the gateway.

Best,

Andy

the_rock · ‎2024-01-29

This is what they gave me back in the day, this link and section below. I dont know, obviously Im not nearly as smart as lots of other people, cause enabling this back then never worked and we could never get it going no matter what we were asked to try : - )

Best,

Andy

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid...

Usually to communicate with hosts behind a Security Gateway, remote access VPN client must initialize a connection to the VPN Security Gateway. However, once a remote access VPN client has opened a connection, the hosts behind the VPN Security Gateway can open a return or back connection to the remote access VPN client. For a back connection to succeed, the remote access client's details must be maintained on all the devices between the remote access VPN client and the VPN Security Gateway, and on the VPN Security Gateway itself.

In SmartConsole, click Menu > Global properties.
In the Additional Properties section, select Enable Back Connections (from gateway to client).
Click OK.
Install the Access Control Policy on the VPN Security Gateway.

Are you a member of CheckMates?

Help for Remote Access user via Remote Desktop