This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
aner_sagi
Contributor
‎2018-06-03 04:38 AM

VPN client location awareness question

The bank is trying to configure endpoint vpn clients + desktop policy.
it's a strict policy that block internet access and allow only HTTPS access to a specific server.

When the vpn client disconnect the users should regain access to internet. it does not work.
we configured "location awareness" on trac_client_1.ttm and changed network location setting to yes in dashboard but it didn't help.
when the vpn client is disconnected we get default policy.

Thanks in advance
aner.

5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-06-04 01:14 AM

I must admit that i have never heard of such an issue - may be a wrong default policy is defined ? You neither mention any version nor if you defined it in Desktop Security in SmartDashboard or SmartEndpoint.

The feature you need is found in Remote Access VPN Administration Guide R80.10 p.69 - Location-Based Policies.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-06-04 01:16 AM
In response to G_W_Albrecht

...and i would suggest to move this question from General Products to either Endpoint Security or Remote Access, based on the used product...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-04 09:42 PM
In response to G_W_Albrecht

Agreed, this is a Remote Access‌ question.

0 Kudos
Houssameddine_1
Collaborator
‎2018-06-04 07:16 AM

You are mixing to features. The first feature which is location awareness, this feature tells the client to don't connect using vpn when the client is inside the corporate network. The client opens tries to open https connection to the gw, after the gw receives the request it checks from which interface the request come from, if it is received from internal it will tell the client to disconnect (There are other options to detect if the client is inside or not but https connection is the most reliable and requires good design and if you have too many client you can DDOS the gw and vpnd will run high cpu or crash).

The second feature which is desktop policy. it is a set of   firewall rules will be installed on the client. I think your problem in the configuration and enforcing the default policy. the trick is when you use specific users group in the desktop policy that will be enforced while the client is connected. whenever you use all users group in the desktop policy that will be enforced when the client is disconnected.

Thanks

G_W_Albrecht
Legend Legend
Legend
‎2018-06-05 01:00 AM
In response to Houssameddine_1

To be even more precise, what matters here is the connected versus the disconnected policy: While connected using VPN, only traffic to internal servers is allowed, after disconnecting, internet access is possible.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events