This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2022-12-15 04:42 PM
Jump to solution

Remote VPN Solution

Hello, Team,

I hope you can help me to clarify the doubt.

To work with the Remote Access VPN solution, in your experience, is it better to work it using the Mobil Access blade? Because I know that you can also have this solution, activating only the IPsec VPN Blade. So, could we say that the decision of which blade to work with depends on the Firewall administrator?

I have an equipment in Standalone deployment, which has 2 active blades, both the IPsec VPN blade and the Mobile Access blade, but it is difficult for me to "know" which blade is the one that is "working" for the connection of the remote users of the VPN.

Thank you for your support.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-12-16 06:24 AM
Jump to solution

Remote Access VPN can be “served” either by IPsec VPN or Mobile Access Blade being enabled.
The logging is somewhat ambiguous at times because they’re using the same infrastructure underneath for this function.
My opinion: unless you need the web-based portal of Mobile Access Blade, which would include the use of SNX portal, use IPsec VPN.

View solution in original post

9 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-12-15 05:26 PM
Jump to solution

The license/blade requirements depend on the type of client to be used, please refer:

sk67820: Check Point Remote Access Solutions - Gateway-Based Access

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-16 06:24 AM
Jump to solution

Remote Access VPN can be “served” either by IPsec VPN or Mobile Access Blade being enabled.
The logging is somewhat ambiguous at times because they’re using the same infrastructure underneath for this function.
My opinion: unless you need the web-based portal of Mobile Access Blade, which would include the use of SNX portal, use IPsec VPN.

Matlu
Advisor
‎2022-12-16 06:39 AM
In response to PhoneBoy
Jump to solution

Thanks for the feedback.

As far as I remember, and according to the SK that was shared with me in this forum, using for example the "Endpoint Security VPN" agent, only works with the IPsec VPN blade, am I correct?

I understand that when you use this agent, the "negotiation" by default in Checkpoint is using the certificate that by default is in the "community" of "RemoteAccess" (all this, to achieve to lift the tunnel), to avoid that the connections of the users "are complex" for them.
Is my point of view correct?

It seems that the environment I have, use both blades, because according to what I have inquired with the client, many users also use the Capsule VPN on their phones and mobiles (Android), and according to the SK, I understand that this application "depends" on the Mobile Access blade.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-16 07:59 AM
In response to Matlu
Jump to solution

There may be some minor differences in how you configure Remote Access when doing MAB “exclusively” (without IPsec VPN enabled), but Endpoint Security VPN should work with it.
You are correct that the Capsule VPN clients require MAB, this is documented here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Matlu
Advisor
‎2022-12-16 07:00 PM
In response to PhoneBoy
Jump to solution

Buddy.

So in your experience, the "Endpoint Security VPN" agent can work, if I only have the Mobile Access blade active?

Greetings.

0 Kudos
the_rock
Legend
Legend
‎2022-12-16 07:02 PM
In response to Matlu
Jump to solution

You simply need VPN blade enabled to run base endpoint vpn client.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-16 07:32 PM
In response to Matlu
Jump to solution

If you want to control the Firewall and Endpoint Compliance features of Endpoint Security VPN, that requires IPsec VPN.
Otherwise, Mobile Access Blade can be used.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-12-16 07:38 PM
In response to PhoneBoy
Jump to solution

To clarify these are only the Gateway side license requirements.

It would be remiss of us not to mention (again) that specific clients require seat licenses applied to the Management server e.g. CPEP-ACCESS-XX

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2022-12-16 06:41 AM
Jump to solution

In my experience, most people would stick with ipsec VPN blade, and use mobile access for their mobile users (you connect with app from your smart phone).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events