Hello, Team.
I have a problem with a VPN user connection that connects through the Endpoint Security VPN agent.
The user logs in, no problem, but once connected, when he tries to access an internal resource (INTRANET).
The access to the internal resource is a URL.
I have a couple of doubts:
1- In the Firewall rule, should the DNS service be allowed for this type of connection?
2- In which part of the Remote Access VPN configuration can I be sure that the company's internal DNS servers are being delivered to the VPN users' connections?
Thanks for the clarification.
Hello,
To update, I was able to solve the problem.
I noticed that the flow was "incomplete".
It turns out that there was no Firewall rule allowing the connection from the IP pool of the users that connect through the RA VPN to the server that owns the domain. 😁
I would still like to clarify a doubt.
If you have a web service that you publish to the Internet, and you log in through RA VPN with the internal DNS provided by the VPN and try to access that web service, which DNS does the network card of the user's PC give "more priority" at the moment of consuming the service? Is it the DNS assigned to me by the VPN, or the DNS of my local ISP?
Thanks for your help and clarification.
Did you define an access rule for the RA users ?
What are your office mode settings, DNS suffixes etc?
Are you seeing logs indicating DNS traffic is being dropped?
Are the remote access clients MacOS or Windows?
Below is what you need, make sure it's correct.
Andy
Indeed. Just don't expect Google to resolve your internal URLs. 😛
That's why this is a lab 🤣
Hello,
I have a question.
If the resource you want to access is one that is published both on the Internet and on the Intranet, and you are already logged in to the VPN and try to consume it, let's say the URL is https://dev.example.com.
When you are connected to the VPN, and the user tries to open this resource, would it be using the Internal DNS of the VPN, or the External ones that you have from your local ISP connection?
Which DNS takes the highest priority?
Hey bro,
Chris can confirm for you, but I'm pretty sure it would go based on the priority list from the screenshot I sent... primary, first backup, second backup.
You got my direct email, so we can do remote and I can show you in my R81.20 lab.
Kind regards,
Andy
It all depends on what DNS is able to resolve once connected, that's all.
Cheers,
Andy
Generally, the default DNS of the client gets replaced by whatever the gateway assigns after the Remote Access client connects and gets an Office Mode address assigned.
However, there is nothing preventing the end user from changing their DNS configuration if they have admin rights to their local PC.
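A small client-side check for the situation described in this answer, added here as an example (it is not Check Point's code nor from anyone in this thread): it compares the resolvers the client OS is actually using with the Office Mode DNS list (primary, first backup, second backup), and classifies whether a split-horizon name such as dev.example.com was answered by the internal (VPN) or the public (ISP) view. The DNS addresses, the client state and the lookup answers are all constructed sample values.

```python
import ipaddress

# Office Mode DNS list as configured on the gateway, in priority order
# (primary, first backup, second backup). Constructed sample values.
OFFICE_MODE_DNS = ["10.10.1.53", "10.10.2.53", "10.10.3.53"]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address is in an RFC 1918 range (the intranet view)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def check_resolvers(active: list, expected: list = OFFICE_MODE_DNS) -> list:
    """Compare the resolvers the client OS is using (in order, e.g. read from
    `ipconfig /all` or `scutil --dns`) with the Office Mode list.
    Returns findings; an empty list means the VPN-assigned servers are in
    place and the primary takes priority. Drift is reported, not corrected."""
    if not active:
        return ["no resolver configured on the client"]
    findings = []
    if active[0] != expected[0]:
        findings.append(f"first resolver is {active[0]}, expected primary {expected[0]}")
    for server in active:
        if server not in expected:
            findings.append(f"unexpected resolver {server}: ISP default or changed by the user")
    for server in expected:
        if server not in active:
            findings.append(f"Office Mode server {server} missing from the client list")
    return findings


def which_view(name: str, answers: list) -> str:
    """For a name published both on the Internet and on the intranet, say
    which view the client got: 'internal' (VPN DNS answered with a private
    address), 'public' (ISP view), 'mixed', or 'unresolved'."""
    if not answers:
        return "unresolved"
    kinds = {"internal" if is_internal(a) else "public" for a in answers}
    return kinds.pop() if len(kinds) == 1 else "mixed"


if __name__ == "__main__":
    # Constructed client state: ISP resolver still first, one VPN server present.
    for finding in check_resolvers(["192.0.2.1", "10.10.1.53"]):
        print("finding:", finding)
    print("dev.example.com view:", which_view("dev.example.com", ["10.20.0.15"]))
```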
@PhoneBoy makes an excellent point, as always. There is literally nothing stopping a person, once they connect to RA, from changing DNS servers, as long as they have admin access to the local PC. I'm not quite certain about this, but "MAYBE" that can be controlled by the Harmony Endpoint product; again, I could be mistaken on that part.
Regards,
Andy
We don't control those settings, but I assume the settings can be locked via GPO or similar.
Got it, makes sense.
Cheers,
Andy