This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
This widget could not be displayed.
1 Solution

Accepted Solutions
Preview file
198 KB

Hi everyone, 

Currently, I'm in the process of POC Checkpoint FW + Harmony for a potential customer. 

Topo:
topo.jpg

At the Mobile VPN, they have a test case: when the Employee's Mobile connects VPN (using capsule app), no need to route VPN to HQ when accessing internet, surfing websites,... but only when they use an app/web related to Office365, which needs to automate route the traffic: client -> HQ -> O365.

Note: With endpoint devices VPN must route all traffic to HQ: endpoint -> HQ -> internet. (and I can't create more than 2 remote access community for endpoint and mobile, so can't customize individual VPN domains).

I had seen this sk: How to configure Split Tunnel for Office 365 and other SaaS Applications (checkpoint.com), but seems like its opposite with my case.

Does anyone have experience with this case, or can Checkpoint create a multi Remote Access VPN?

Please help me.

Thanks & Best regards.

Preview file
198 KB
Jump to solution

Split Tunnel VPN for Office365 on Mobile devices

Jump to solution

Split Tunnel VPN for Office365 on Mobile devices

Hi everyone, 

Currently, I'm in the process of POC Checkpoint FW + Harmony for a potential customer. 

Topo:
topo.jpg

At the Mobile VPN, they have a test case: when the Employee's Mobile connects VPN (using capsule app), no need to route VPN to HQ when accessing internet, surfing websites,... but only when they use an app/web related to Office365, which needs to automate route the traffic: client -> HQ -> O365.

Note: With endpoint devices VPN must route all traffic to HQ: endpoint -> HQ -> internet. (and I can't create more than 2 remote access community for endpoint and mobile, so can't customize individual VPN domains).

I had seen this sk: How to configure Split Tunnel for Office 365 and other SaaS Applications (checkpoint.com), but seems like its opposite with my case.

Does anyone have experience with this case, or can Checkpoint create a multi Remote Access VPN?

Please help me.

Thanks & Best regards.

Preview file
198 KB

Hi everyone, 

Currently, I'm in the process of POC Checkpoint FW + Harmony for a potential customer. 

Topo:
topo.jpg

At the Mobile VPN, they have a test case: when the Employee's Mobile connects VPN (using capsule app), no need to route VPN to HQ when accessing internet, surfing websites,... but only when they use an app/web related to Office365, which needs to automate route the traffic: client -> HQ -> O365.

Note: With endpoint devices VPN must route all traffic to HQ: endpoint -> HQ -> internet. (and I can't create more than 2 remote access community for endpoint and mobile, so can't customize individual VPN domains).

I had seen this sk: How to configure Split Tunnel for Office 365 and other SaaS Applications (checkpoint.com), but seems like its opposite with my case.

Does anyone have experience with this case, or can Checkpoint create a multi Remote Access VPN?

Please help me.

Thanks & Best regards.

Preview file
198 KB
0 Kudos
0 Kudos
4 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-05-12 06:31 AM
the_rock
MVP Diamond
MVP Diamond
‎2024-05-12 06:31 AM
Jump to solution

Jump to solution

Just wondering, is this the case of customer wanting to assign different auth methods to different groups? If so, I dont believe thats possible as of yet. If I totally misunderstood, apologies.

Andy

Best,
Andy
"Have a great day and if its not, change it"

Just wondering, is this the case of customer wanting to assign different auth methods to different groups? If so, I dont believe thats possible as of yet. If I totally misunderstood, apologies.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-13 08:19 AM
PhoneBoy
Admin
Admin
‎2024-05-13 08:19 AM
Jump to solution

Jump to solution

Because this is the usual use case: route everything except for Office 365.
To do what you're trying to do (route Office 365 traffic through the Remote Access VPN), see: https://support.checkpoint.com/results/sk/sk167000 

Note that you might want to investigate Harmony SASE for this use case.

Because this is the usual use case: route everything except for Office 365.
To do what you're trying to do (route Office 365 traffic through the Remote Access VPN), see: https://support.checkpoint.com/results/sk/sk167000 

Note that you might want to investigate Harmony SASE for this use case.

the_rock
MVP Diamond
MVP Diamond
‎2024-05-13 08:54 AM
the_rock
MVP Diamond
MVP Diamond
‎2024-05-13 08:54 AM
In response to PhoneBoy
In response to PhoneBoy
Jump to solution

Jump to solution

Ah, that sk, right.

Best,
Andy
"Have a great day and if its not, change it"

Ah, that sk, right.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
0 Kudos
Nüüül
Advisor
Advisor
‎2024-05-20 08:40 AM
Nüüül
Advisor
Advisor
‎2024-05-20 08:40 AM
Jump to solution

Jump to solution

Hello,

 

if this use case applies to all remote users, you might use the solution stated in the sk mentioned using the group object "enc_domain" as normal group with "o365_address_ranges" and if needed other networks as member.

Doing so, all traffic to o365 will be routed via the security gateway.

 

if you have other use cases regarding this setup you might run into problems, as encryption domains can only be set once per RemoteAccess Community. And there is only one RemoteAccess Community at one Management Server.

as therock mentioned, having multiple ... "VPN profiles"  you might likely run into limitations. 

 

Hello,

 

if this use case applies to all remote users, you might use the solution stated in the sk mentioned using the group object "enc_domain" as normal group with "o365_address_ranges" and if needed other networks as member.

Doing so, all traffic to o365 will be routed via the security gateway.

 

if you have other use cases regarding this setup you might run into problems, as encryption domains can only be set once per RemoteAccess Community. And there is only one RemoteAccess Community at one Management Server.

as therock mentioned, having multiple ... "VPN profiles"  you might likely run into limitations. 

 

0 Kudos
0 Kudos