Hi all,
I need to deploy remote connectivity to a new Checkpoint ClusterXL 81.10 for <5 users on Windows.
My head is spinning reading the Remote Admin guide and the plethora of options so wondering if I can get your advice.
I think my options are SecuRemote/Capsule/Endpoint VPN/Network Xtender?
I'm 1 of the <5 users and I want to be able to manage the Checkpoint through it as well (launch VPN, launch SmartConsole and connect to the mgmt server).
Thanks for any advice.
If it is less than 5 clients and all you are after is RDP, use EndPoint Security VPN. This one does not require any additional blades to be licensed or enabled. I also think (please verify) that you are entitled to 5 licenses automatically.
FYI: use local IP ranges on gateway/cluster to assign IPs to remote clients in Office Mode. Integration with external DHCPs seems to be broken in the last two JHFAs.
Thank you.
Per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
EndPoint Security VPN seems to require:
Required Licenses | The IPsec VPN Software Blade on the Security Gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server. |
Which seems to disagree with your statement that no additional blades are required? (Endpoint Container + Endpoint VPN Blade on Mgmt?) Or am I looking at the wrong thing?
The IPsec VPN is included with 5 RA Users - if you can paste your cplic print we will see that.
Features
CPSG-VE+4 CPSB-BASE CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-ADNC CPSB-SSLVPN-5 CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-577E***** (Wasn't sure if that was unique to me)
I think I see the IPSEC Vpn, but what about the "Endpoint Container" & "Endpoint VPN Blade on Mgmt" part?
For RA VPN clients Endpoint Container and Endpoint Management Blade are not needed. Endpoint Security VPN is the StandAlone client managed by NPM Blade on Management (Desktop Policy) only.
Actually, you have to install as Check Point Mobile (same package as Endpoint Security VPN, just different option).
Endpoint Security requires different licensing that isn't included on a gateway.
This is clear from sk84560: Check Point VPN License Guide listing the possible clients for CPSB-SSLVPN-5 - License.
Sorry, I don't see where that's clear.
I followed the "Standalone Client" link here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Downloaded the MSI and I think what you're saying is during install out of the 3 Options:
*Endpoint Security VPN
*Checkpoint Mobile
*SecuRemote
I select Checkpoint Mobile? Is that correct?
Yes, this is correct!
Thanks. Trying to now figure out how to set the "gateway ip address" for my WAN interface instead of one of the internal ones now. Endpoint Client gets stuck on "retrieving site information" and if I check trac.log it shows a non-wan ip address for the vpn gateway.
Edit: figured that out. Remaining challenge is to allow my remote client access to manage the CP Cluster itself (2 GWs and a mgmt server). I have two rules with an access role as source on both. One destination as all CP objects, another rule specifies the entire subnet. Services are any, VPN community set to remote access. I can ping but https for instance is blocked.
Edit 2: Ah it seems that Identity Awareness (which it forced me to enable to Access Roles in a rule) is not picking up the user that signed in from Endpoint. I could probably use the "Office Mode" ip pool, but would prefer to leverage Access Roles. Any ideas on what I could be missing?
Aha! It was under cluster properties -> identity awareness -> check the Remote Access (the "install screen" for identity awareness only provided Browser, AD and Agent options).
Can we get an official statement from CP licensing to that effect please?
The line "By default, a Security Gateway comes with a license for 5 users. You can attach a larger blade, if more users are required." does not allude to a specific license type.
Choice of CP Mobile requires enabling another blade and configuration of the different branch of the gateway/cluster properties.
Additionally, it creates an impression that MOB should be enabled in the Layer.
Agreed. It's not very clear and Checkpoint seems to love rebranding the names.
I agree 100% with @Vladimir