This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
--THX1138--
Explorer
‎2020-01-29 02:44 AM
Jump to solution

VPN Mobile Client Tunneling Exceptions

Hi,

We're using VPN Mobile Clients. We have not set them to full-tunneling, so we use split DNS. In other words, the regular internet-traffic (Facebook, Netflix etc) does not enter the tunnel. Only traffic to our on-premise resources (domain, fileservers etc.) enters the tunnel. So far so good. Been doing this for 20 years.

But, enter 2020 we now use Cloud resources at Azure/AWS. To secure these services we have set up whitelist-filters so only our office IP addresses are allowed to manage the cloud. So users at the office can access Azure/AWS and do their clouddance.

But users on VPN Mobile cannot access the same Cloud resources, since that traffic is classified as public Internet, and does not enter the tunnel. This is a problem.
I don't want to set the Mobile clients to full-tunneling and ditch split-DNS, because then I'll get hit with Netflix, Facebook and other private crap I don't want to know about.

So what are my options ? Is there any way to tell the VPN Mobile client to route certain traffic over the VPN, even though the IP addresses of that traffic are public and not part of my on-premise encryption domain ?

I cannot believe I'm the only one with this predicament. 

Any thoughts ?

Grtz

0 Kudos
1 Solution

Accepted Solutions
JackPrendergast
Advisor
Advisor
‎2020-11-27 01:32 AM
Jump to solution

Hi,

 

Its a pain - but see SK167000

 

This will help get around your issue. You will need to engineer this SK to fit your needs as this is about doing a full tunnel without MS IP's.

You use the methods to add Microsoft IP's into an enc domain which will force MS traffic over the VPN.

In short, use this link to download the script kindly made by a forum member on here https://github.com/CheckPointSW-Community/IPaddressFeed2CheckPoint

Use the objects that is created in your enc domain, along with your internal IP addresses as usual.

 

I would like to see Check Point design a feature in upcoming releases to adding dynamic objects or even domain objects(somehow), into an enc domain for the reason defined in the SK - but would help in the instance of this thread too.

@--THX1138--  - Let me know if you need help designing this.

View solution in original post

5 Replies
Carlos_Diaz
Employee
Employee
‎2020-04-02 03:30 PM
Jump to solution

I have the same problem

😞
0 Kudos
Andreas_van_Fon
Explorer
‎2020-04-02 10:40 PM
Jump to solution

Similar issue here.

We want VPN user traffic to go through our corporate internet filter, how connections to internet hosted video conferencing/collaboration services should route via the users internet service to reduce latency. This would probably need to based upon domains (if possible)

0 Kudos
bklujan28
Explorer
‎2020-11-26 09:20 AM
Jump to solution

we have the same problem

0 Kudos
JackPrendergast
Advisor
Advisor
‎2020-11-27 01:32 AM
Jump to solution

Hi,

 

Its a pain - but see SK167000

 

This will help get around your issue. You will need to engineer this SK to fit your needs as this is about doing a full tunnel without MS IP's.

You use the methods to add Microsoft IP's into an enc domain which will force MS traffic over the VPN.

In short, use this link to download the script kindly made by a forum member on here https://github.com/CheckPointSW-Community/IPaddressFeed2CheckPoint

Use the objects that is created in your enc domain, along with your internal IP addresses as usual.

 

I would like to see Check Point design a feature in upcoming releases to adding dynamic objects or even domain objects(somehow), into an enc domain for the reason defined in the SK - but would help in the instance of this thread too.

@--THX1138--  - Let me know if you need help designing this.

rrbranco
Collaborator
Collaborator
‎2024-06-12 09:59 AM
In response to JackPrendergast
Jump to solution

seems that sk167000  was updated

 

"

...

Starting from R81.20, see the Remote Access VPN Administration guide for the relevant version > "Dynamic Split Tunneling for SaaS Using Updatable Objects".
...

"

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events