Remote Access Configuration and Compliance Help.
Hi,
I need some help with the Check Point Remote Access solution.
Safe to say, the mobile access blade is clunky and terrible – however, we purchased it and I need a hand configuring some parts.
We will be using the SSL extender (SSL VPN) for certain users that need access to the Secure Workspace.
Then, for all corporate laptop users, they will be using the Endpoint Security VPN client to connect (IPsec).
Okay – so, SSL extender is fine. No problem, basic browse to a site, log in. All cool.
It’s the IPSEC side that’s causing issues.
If I download the Endpoint Security client to my own personal PC, I can connect to our gateway, and my machine is then effectively on the corporate LAN. This obviously needs to be prevented.
How do I restrict that only corporate laptops can connect to this? I have looked at SCV – which is a headache, painfully complicated, and also doesn't seem relevant to this? Is it something in Compliance? Please can someone help with how to restrict this?
Secondly, I can't manage to disable split tunnelling. There are some sites, e.g. ServiceNow, that only allow access via our corporate public IP. I need all traffic to route via the gateway and out. I have enabled Hub mode, and also ticked the security option to route all traffic via this gateway. No luck.
Any suggestions to both queries please?
Thanks all.
First question: I must admit that I do not fully understand the question 😉 Usually, access is restricted by only allowing access to known users - this can be fine-tuned using:
- AD authentication on laptop
- authentication using certificate
- 2-factor authentication
- Office Mode IP assigned using ipassignment.conf file
.....
Second question concerning Route all traffic through GW: this is explained in detail in sk101239 Route all traffic from Remote Access clients, including internet traffic, through Security ..., sk111995 How to set Hub Mode / Route all traffic to gateway for Endpoint Remote Access clients to sp... and sk31873 Configuring the "Route all traffic" feature for SSL Network Extender.
Hello.
Thank you for your reply.
Okay, for more clarity: we authenticate using RADIUS. I am a known user.
I use my corporate laptop at home for work, and I should be able to boot up the endpoint client, and connect to the gateway to have access to my internal resources.
At home, on my own personal PC, unconnected from anything work related, I download the endpoint client. I type in the IP address of our gateway, and authenticate using RADIUS, same as above. It allows me in, and now I can access internal resources on my own PC. This should NOT be allowed.
How can I prevent so only corporate machines can connect to the gateway, regardless of WHO is connecting.
Thanks in advance.
Yes, when using this kind of authentication method, such a thing is possible. Using MAB, best way is to use the Endpoint Compliance Scanner Custom Check Rule (see Mobile Access Administration Guide R80.10 p.170 and sk107014 for details) to check for a special invisible file that has to be present on any corporate laptop.
A second possibility is Office Mode IP assignment using ipassignment.conf file - but only if the company laptop IP range is known and fixed....
Hi Jack,
This can be achieved by the Mobile Access blade as suggested by Gunther. There is a feature called compliance check in Endpoint Security on Demand where you can define a compliance policy.
So only if your endpoint meets the compliance check can it connect to corporate networks. Plus you can also put a compliance check based on your applications. Please refer to the doc below.
https://community.checkpoint.com/docs/DOC-2843-endpoint-application-wise-scan-check
Hi,
Thank you very much for your replies. I will take a look into this.
Following up on my second question I asked, do you have any suggestions for me regarding Hub mode?
I have enabled this, and in global properties, I have also changed the option that states "all traffic through gateway" or something similar.
Route Print on the remote host shows the 2 routes.
One is: 0.0.0.0 0.0.0.0 and DFW of machine
2nd is 0.0.0.0 192.0.0.0 and default gateway is the VPN tunnel.
As the 2nd is more specific, traffic should be going via the VPN tunnel, correct?
I can not access corporate DNS - in fact, I can not access anything. Traffic does not seem to move in either direction. It's not trying to get out locally, via ISP, or go down the tunnel. Any help on this?
This is rather strange - after policy install, RAT should work fine! Route print should list the CP Virtual Network Adapter for EP VPN client first, first active route and permanent route are 0.0.0.0 0.0.0.0 and GW IP.
Hello..
See print below
H:\>route print
===========================================================================
Interface List
18...54 8b 62 cf 23 0f ......Check Point Virtual Network Adapter For Endpoint VPN Client
17...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
15...6e 79 80 69 b1 01 ......AppGate Tunneling Adapter
12...d8 fc 93 5a d2 d2 ......Intel(R) Dual Band Wireless-AC 7260
11...34 e6 d7 3e c0 b3 ......Intel(R) Ethernet Connection I218-LM
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.75 25
0.0.0.0 192.0.0.0 10.44.0.1 10.44.0.2 1
10.44.0.0 255.255.0.0 On-link 10.44.0.2 256
Maybe some other VPN client o.s.s. is installed here?
Hi,
Don't think that's the issue. I stopped all services of the other VPN client, and these are the only routes populated when the Check Point client is installed.
Any suggestions? What should it look like?
I would test this on a clean machine without any other VPN client / services.... Please also check trac_client_1.ttm on client.
And of course beware of overlapping networks 😉
As requested, clean machine.. same results..
H:\>route print
===========================================================================
Interface List
18...54 8b 62 cf 46 0e ......Check Point Virtual Network Adapter For Endpoint VPN Client
12...d8 fc 93 4f g8 e4 ......Intel(R) Dual Band Wireless-AC 7260
11...34 e6 57 7e 2f r3 ......Intel(R) Ethernet Connection I218-LM
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.75 25
0.0.0.0 192.0.0.0 10.44.0.1 10.44.0.2 1
10.44.0.0 255.255.0.0 On-link 10.44.0.2 256
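As an added worked example (not code from this thread or from Check Point), the following Python applies the Windows forwarding decision, longest matching prefix first and lowest metric on a tie, to the three route rows shown in the route print above. It makes the coverage of the posted table concrete: the entry with netmask 192.0.0.0 is 0.0.0.0/2, so it captures only destinations from 0.0.0.0 to 63.255.255.255, and anything else still leaves through the physical default route. The destination addresses, the "four quadrant" table and the "tunnel default" table are constructed assumptions for illustration, not something the thread shows the client installing; the tunnel-default table only models the shape the earlier reply describes, a 0.0.0.0/0 entry for the VPN adapter that wins against the physical default on metric.

```python
import ipaddress

# Route rows copied from the `route print` output posted above:
# (destination, netmask, gateway, interface, metric).
POSTED_ROUTES = [
    ("0.0.0.0",   "0.0.0.0",     "192.168.1.254", "192.168.1.75", 25),   # physical default
    ("0.0.0.0",   "192.0.0.0",   "10.44.0.1",     "10.44.0.2",    1),    # 0.0.0.0/2 via the tunnel
    ("10.44.0.0", "255.255.0.0", "On-link",       "10.44.0.2",    256),  # Office Mode subnet
]

# Constructed (assumption, not from the thread): the same table with the other
# three /2 quadrants also pointed at the tunnel, i.e. full coverage without a
# second default route.
FOUR_QUADRANT_ROUTES = POSTED_ROUTES + [
    ("64.0.0.0",  "192.0.0.0", "10.44.0.1", "10.44.0.2", 1),
    ("128.0.0.0", "192.0.0.0", "10.44.0.1", "10.44.0.2", 1),
    ("192.0.0.0", "192.0.0.0", "10.44.0.1", "10.44.0.2", 1),
]

# Constructed (assumption): a tunnel default route that beats the physical
# default on metric, the shape the earlier reply says route print should show.
TUNNEL_DEFAULT_ROUTES = [
    POSTED_ROUTES[0],
    POSTED_ROUTES[2],
    ("0.0.0.0", "0.0.0.0", "10.44.0.1", "10.44.0.2", 1),
]

TUNNEL_IFACE = "10.44.0.2"       # Check Point Virtual Network Adapter address
PHYSICAL_IFACE = "192.168.1.75"  # home LAN adapter address


def parse_routes(rows):
    """Convert route-print style rows into (network, gateway, interface, metric)."""
    table = []
    for dst, mask, gw, iface, metric in rows:
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        table.append((net, gw, iface, metric))
    return table


def lookup(table, dst):
    """Windows forwarding decision for one destination: longest prefix wins,
    lowest metric breaks a tie. Returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    _net, gw, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return gw, iface


def fraction_via(table, iface, sample_prefix=8):
    """Share of IPv4 space that leaves through `iface`, sampling the first
    address of every /8. Coarse, but sufficient for the /0 and /2 rows here."""
    hits = total = 0
    for block in ipaddress.ip_network("0.0.0.0/0").subnets(new_prefix=sample_prefix):
        total += 1
        route = lookup(table, str(block.network_address))
        if route is not None and route[1] == iface:
            hits += 1
    return hits / total


if __name__ == "__main__":
    # Destinations are constructed stand-ins: 10.1.2.3 for an internal DNS
    # server, 203.0.113.5 (TEST-NET-3) for a SaaS service that allow-lists the
    # corporate egress IP, 192.168.1.10 for a home LAN host.
    for name, rows in (("posted", POSTED_ROUTES),
                       ("four /2 quadrants", FOUR_QUADRANT_ROUTES),
                       ("tunnel default", TUNNEL_DEFAULT_ROUTES)):
        table = parse_routes(rows)
        print(f"--- {name}: {fraction_via(table, TUNNEL_IFACE):.0%} of IPv4 via tunnel")
        for dst in ("10.1.2.3", "8.8.8.8", "203.0.113.5", "192.168.1.10", "10.44.0.1"):
            print(f"{dst:>14} -> {lookup(table, dst)}")
```

To use it against a fresh client, paste the Active Routes rows of `route print` into POSTED_ROUTES and call `lookup()` with the public IP of the service that allow-lists the corporate egress address; if the answer is the physical adapter rather than the VPN adapter, the gateway never sees that traffic, whatever the Hub mode setting on the policy side says.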
I would involve TAC here.
Hi Jack,
When you browse to the internet, are you getting any logs in the tracker, or is traffic not going to the gateway at all?
Okay - traffic appears to be getting there. But I don't understand the logs? All I see is a flood of 'decrypt' actions with the unlocked padlock symbol, and then the service that I was using, e.g. http, icmp etc....
Where do I actually see where the traffic is going?
To be clear, it is still not working, but hitting the gateway to decrypt. Can anyone help?
In fact, I've also seen blocked messages due to "Main Mode peer does not support IKE". Can someone help with that?
Involve TAC - we can only do guesswork here...
Hi Jack,
Please refer to the URL below. If this does not resolve the issue, raise it with TAC.
https://community.checkpoint.com/message/12386-mobile-access-default-route
And how was the issue resolved ?
On most platforms, and from what I can discern this includes Check Point, the only truly secure method is to rely on PKI infrastructure, specifically certificates that are difficult or impossible to export and use on a different system than the one they were installed on. In my case I utilize a 3-factor Check Point VPN deployment: a user-based certificate issued by my Microsoft Enterprise CA, which does not permit export of the private key, followed by requiring the password for the user on the certificate, and last an RSA token code. It's not in the realm of possibility for even an administrator to bypass this security control and access from a non-corporate system. It's the way I've always implemented authentication where this is a concern (and it should be to most, unless you are actively permitting foreign devices to gain access). You could also use the Check Point management system's internal certificate authority to achieve similar results, but I never researched how well secured a certificate issued to a client really is: can it be copied to another system, exported, etc.? Additionally, I did not want to manage provisioning of new VPN users from the Check Point management server console; instead I can leverage numerous AD and GPO based automation to automatically distribute certificates, including if a person gets a loaner laptop, etc. The Check Point internal CA is a viable option to meet your needs though, I think.
I do not see a place for your remarks here, as this is not at all relevant for any of the asked questions...
I was replying to the main topic of how to secure remote access to a corporate LAN against a non-corporate/non-authorized system. Specifically, any non-certificate based approach like looking for software, a file, a registry key, etc. can be very easily circumvented and, depending on the maturity and security requirements of an organization, is likely not adequate. I wanted to make sure that people understood there were secure and standard ways to achieve this security requirement and that Check Point supports this with either internal or external CAs.
I realize the original poster has moved on in all likelihood, but another individual searching these archives might be helped.