Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Silesio
Contributor

How To's - Deploy Check Point Remote Access on Gaia R81

Hi there, in this post we’re going to deploy Check Point Remote Access, using LDAP and Check Point database for user authentication. This lab we’ll be running on VMWare workstation (CMA/SMS R81) and eve-ng community edition (Gateways-R80.20 and clients running windows 8).

This lab assumes your already have a topology running, so I won’t be covering how to set up this lab.

The goal is to deploy remote access, for users that are part of a group (Department) in AD and also allow access for users that don’t belong to any group in AD. This is useful, for situations where your AD is unreachable and you still want to allow access to a certain group of users.

One of the features that will help us meet this goal, is Identity Awareness. If you would like to learn how to enable it, read my previous post How “To's - Deploy Check Point Identity Awareness”.

Now let’s begin by creating an LDAP Group. This will allow us to filter access based on user group.

In side panel go to New > More > User/Identity > LDAP Group

1.png

We’ll select the existing Account Unit, and choose either All Account-Unit’s users or you can specify a specific branch in AD (Organizational Unit).

2.png

As we already have a group of users from AD, we’re going to create two users as a backup option in case the AD becomes unreachable.

 In side panel go to New > More > User/Identity > User…

3.png

For template we’ll choose Default.

Set the username and the password in Authentication tab.

4.png

Now let’s create a user group for all users that require remote access.

In side panel go to New > More > User/Identity > User Group…

5.png

Set the name, and add AD_Group and both users.

6.png

The user part is completed, now let’s configure the VPN part.

By default Check Point allows remote access to all users. Let’s filter this access by specifying the user group created in the VPN Communities object.

7.png

Let’s edit the Remote Access object, in Participant User Groups, add the user group for Remote Access.

8.png

Now let’s enable VPN remote access feature by editing the gateway cluster object. Select Mobile Access and a new window will pop up.

9.png

Leave all the options selected as default. In Web Portal page, change the Main URL to the IP address of the external interface.

10.png

In Applications page select only Demo.

In Active Directory page, it will detect automatically the active directory domain. Press connect.

11.png

Lastly in Users page, add the user group created earlier.

12.png

Next let’s enable the Office Mode feature in cluster members tab. Select the gateway > edit > VPN tab > Office Mode for Remote Access > Allocate IP Address from network CP_default_Office

13.png

In Identity Awareness tab, select Active Directory Query and Remote Access.

14.png

In IPSec VPN tab, add the RemoteAccess vpn community.

15.png

In IP Selection by Remote Peer tab, choose the option Selected address from topology table.

16.png

In VPN Advanced tab, enable Support NAT traversal

17.png

In VPN Clients > Office Mode, select Offer Office Mode to group (choose the VPN group created)

18.png

Press ok and let’s create the policy for remote access.

19.png

Let’s install the policy and test the access.

Download the Check Point remote access client. You can search on Google for "checkpoint remote access" and then it will take you directly to the download page.

20.png

21.png

The installation process is very intuitive.

Once the installation finishes, let’s configure the vpn site.

22.png

In Server address or Name type the gateway external IP address

23.png

Accept the warning certificate and proceed.

In Login Option Selection select Standard > Username and Password > Finish.

I’ll test the access using a user from the Marketing Department, Finance Department and Local user on Check Point Database.

User: mark

Success

We can see that it was assigned a new IP address from the Check Point remote access pool.

24.png

25.png

26.png

User: francis

Success

27.png

28.png

29.png

User: mark.cp

Successful

30.png

31.png

32.png

Now let’s test remote access using the browser.

User:martin

Successful

33.png

34.png

 

We have deployed successfully Remote Access for Check Point.

I hope you enjoyed this post, leave your comments below and I'll see you on the next one.

 

Reference:

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Check-Point-VPN.htm 

 

2 Replies
G_W_Albrecht
Legend Legend
Legend

Why post this two times ? And why post it in General Management Topics instead of Mobile & Endpoint > Remote Access VPN ? Maybe @PhoneBoy could relocate it ?

 

 

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin
Admin

I'll give him the benefit of the doubt there was some weird issue that caused it to post twice. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events