- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi,
We're using VPN Mobile Clients. We have not set them to full-tunneling, so we use split DNS. In other words, the regular internet-traffic (Facebook, Netflix etc) does not enter the tunnel. Only traffic to our on-premise resources (domain, fileservers etc.) enters the tunnel. So far so good. Been doing this for 20 years.
But, enter 2020 we now use Cloud resources at Azure/AWS. To secure these services we have set up whitelist-filters so only our office IP addresses are allowed to manage the cloud. So users at the office can access Azure/AWS and do their clouddance.
But users on VPN Mobile cannot access the same Cloud resources, since that traffic is classified as public Internet, and does not enter the tunnel. This is a problem.
I don't want to set the Mobile clients to full-tunneling and ditch split-DNS, because then I'll get hit with Netflix, Facebook and other private crap I don't want to know about.
So what are my options ? Is there any way to tell the VPN Mobile client to route certain traffic over the VPN, even though the IP addresses of that traffic are public and not part of my on-premise encryption domain ?
I cannot believe I'm the only one with this predicament.
Any thoughts ?
Grtz
Hi,
Its a pain - but see SK167000
This will help get around your issue. You will need to engineer this SK to fit your needs as this is about doing a full tunnel without MS IP's.
You use the methods to add Microsoft IP's into an enc domain which will force MS traffic over the VPN.
In short, use this link to download the script kindly made by a forum member on here https://github.com/CheckPointSW-Community/IPaddressFeed2CheckPoint
Use the objects that is created in your enc domain, along with your internal IP addresses as usual.
I would like to see Check Point design a feature in upcoming releases to adding dynamic objects or even domain objects(somehow), into an enc domain for the reason defined in the SK - but would help in the instance of this thread too.
@--THX1138-- - Let me know if you need help designing this.
Similar issue here.
We want VPN user traffic to go through our corporate internet filter, how connections to internet hosted video conferencing/collaboration services should route via the users internet service to reduce latency. This would probably need to based upon domains (if possible)
we have the same problem
Hi,
Its a pain - but see SK167000
This will help get around your issue. You will need to engineer this SK to fit your needs as this is about doing a full tunnel without MS IP's.
You use the methods to add Microsoft IP's into an enc domain which will force MS traffic over the VPN.
In short, use this link to download the script kindly made by a forum member on here https://github.com/CheckPointSW-Community/IPaddressFeed2CheckPoint
Use the objects that is created in your enc domain, along with your internal IP addresses as usual.
I would like to see Check Point design a feature in upcoming releases to adding dynamic objects or even domain objects(somehow), into an enc domain for the reason defined in the SK - but would help in the instance of this thread too.
@--THX1138-- - Let me know if you need help designing this.
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY