Matlu
Advisor

Remote VPN Solution

Hello, Team,

I hope you can help me to clarify the doubt.

To work with the Remote Access VPN solution, in your experience, is it better to use the Mobile Access blade? Because I know that you can also have this solution by activating only the IPsec VPN blade. So, could we say that the decision of which blade to work with depends on the Firewall administrator?

I have equipment in a Standalone deployment, which has 2 active blades, both the IPsec VPN blade and the Mobile Access blade, but it is difficult for me to "know" which blade is the one that is "working" for the connection of the remote VPN users.

Thank you for your support.


Accepted Solutions
PhoneBoy
Admin

Remote Access VPN can be “served” either by IPsec VPN or Mobile Access Blade being enabled.
The logging is somewhat ambiguous at times because they’re using the same infrastructure underneath for this function.
My opinion: unless you need the web-based portal of Mobile Access Blade, which would include the use of SNX portal, use IPsec VPN.

Chris_Atkinson
Employee

The license/blade requirements depend on the type of client to be used. Please refer to:

sk67820: Check Point Remote Access Solutions - Gateway-Based Access

CCSM R77/R80/ELITE
Matlu
Advisor

Thanks for the feedback.

As far as I remember, and according to the SK that was shared with me in this forum, the "Endpoint Security VPN" agent, for example, only works with the IPsec VPN blade, am I correct?

I understand that when you use this agent, the "negotiation" by default in Check Point uses the certificate that is by default in the "RemoteAccess" "community" (all this to bring up the tunnel), so that the connections are not "complex" for the users.
Is my point of view correct?

It seems that the environment I have uses both blades, because according to what I have found out from the client, many users also use Capsule VPN on their phones and mobiles (Android), and according to the SK, I understand that this application "depends" on the Mobile Access blade.

 

PhoneBoy
Admin

There may be some minor differences in how you configure Remote Access when doing MAB “exclusively” (without IPsec VPN enabled), but Endpoint Security VPN should work with it.
You are correct that the Capsule VPN clients require MAB; this is documented here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Matlu
Advisor

Buddy.

So in your experience, the "Endpoint Security VPN" agent can work, if I only have the Mobile Access blade active?

Greetings.

the_rock
Legend

You simply need the VPN blade enabled to run the base endpoint VPN client.

PhoneBoy
Admin

If you want to control the Firewall and Endpoint Compliance features of Endpoint Security VPN, that requires IPsec VPN.
Otherwise, Mobile Access Blade can be used.

Chris_Atkinson
Employee

To clarify, these are only the Gateway-side license requirements.

It would be remiss of us not to mention (again) that specific clients require seat licenses applied to the Management server, e.g. CPEP-ACCESS-XX.

CCSM R77/R80/ELITE
the_rock
Legend

In my experience, most people would stick with the IPsec VPN blade, and use Mobile Access for their mobile users (you connect with the app from your smartphone).
