This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PhoneBoy
Admin
Admin
‎2023-02-28 09:36 AM

How to Have Remote Access VPN Tunnel Before User is Logged In

This question has come up on the community previously about how to have a Remote Access VPN configured so the tunnel is "always up" before the user is logged in.

The answer is to use Machine Authentication, which provides a certificate-based authentication mechanism not tied to a specific user.
This requires R80.40 and above.
See: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

To have a user-specific tunnel when a user is logged into the same machine, you have to configure multiple authentication schemes (Machine and User Authentication).
The user-specific VPN will replace the machine-specific VPN tunnel when the user is logged in. 
Refer to: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN... 

 

1 Reply
m-o-d
Explorer
‎2023-07-25 09:10 AM

There is one important part missing. Machine certificate authentication required some changes on the gateway side that are not mentioned in the Client Admin Guide. The referenced SK (valid for EOL versions only) in the Client Admin Guide refers to some registry changes on the CLI which are not necessary as they are condfigured in SmoartConsole now. TAC pointed me into the right direction: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

It is especially important to have the machine_certificate realm configured. I did this using GuiDBedit as described on step 6. It also requires a rule with an access role for the machines to get access the required ressources for domain login (DNS, AD, etc).

What I also noticed: the tunnel is disconnected as soon as the user entered his windows credentials and pressed the Enter button. There is no VPN connection until the user starts the VPN client and logs in there. Any logon scripts that are loaded after Windows logon will probably not even be fetched. A delay would be nice to allow such scripts to execute before the machine tunnel being disconnected. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events