Rob_Shears
Contributor

What is the current & simplest preferred VPN solution for Remote Desktop clients?

Hi all,

I need to deploy remote connectivity to a new Check Point ClusterXL 81.10 for <5 users on Windows.

My head is spinning reading the Remote Admin guide and the plethora of options so wondering if I can get your advice.

I think my options are SecuRemote/Capsule/Endpoint VPN/Network Extender?

I'm 1 of the <5 users and I want to be able to manage the Check Point through it as well (launch VPN, launch SmartConsole and connect to the mgmt server).

Thanks for any advice.

14 Replies
Vladimir
Champion

If it is less than 5 clients and all you are after is RDP, use EndPoint Security VPN. This one does not require any additional blades to be licensed or enabled. I also think (please verify) that you are entitled to 5 licenses automatically.

FYI: use local IP ranges on the gateway/cluster to assign IPs to remote clients in Office Mode. Integration with external DHCPs seems to be broken in the last two JHFAs.

Rob_Shears
Contributor

Thank you.

Per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

EndPoint Security VPN seems to require:

Required Licenses

The IPsec VPN Software Blade on the Security Gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server.

Which seems to disagree with your statement that no additional blades are required? (Endpoint Container + Endpoint VPN Blade on Mgmt?) Or am I looking at the wrong thing?

G_W_Albrecht
Legend

The IPsec VPN is included with 5 RA users. If you can paste your cplic print, we will see that.

CCSE CCTE CCSM SMB Specialist
Rob_Shears
Contributor

Features:
CPSG-VE+4 CPSB-BASE CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-ADNC CPSB-SSLVPN-5 CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-577E***** (wasn't sure if that was unique to me)

I think I see the IPsec VPN, but what about the "Endpoint Container" & "Endpoint VPN Blade on Mgmt" part?

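As an added example (not code from this thread or from Check Point), here is a small Python script that takes the Features string pasted above, as cplic print shows it, and reports which tokens matter for a standalone remote-access client. It assumes the reading given in this thread: CPSB-VPN is the IPsec VPN blade, CPSB-SSLVPN-N licenses N remote access users, CPSB-NPM is the Network Policy Management blade that manages the standalone client's desktop policy, and CPSB-IA is Identity Awareness. The function names are hypothetical, the sample string is the one from the post with the certificate key left masked, and the CK-... token is dropped so it is never mistaken for a blade.

```python
import re

# Constructed sample: the Features column as pasted in the thread.
# The trailing CK-577E***** token is the masked certificate key, not a blade.
SAMPLE_FEATURES = (
    "CPSG-VE+4 CPSB-BASE CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA "
    "CPSB-ADNC CPSB-SSLVPN-5 CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV "
    "CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-577E*****"
)

# CPSB-SSLVPN-<N>: N concurrent remote access users (per this thread's reading).
_RA_USERS = re.compile(r"^CPSB-SSLVPN-(\d+)$")


def parse_features(line: str) -> list:
    """Split a cplic print Features string into blade/SKU tokens.

    The CK-... certificate key is dropped so a later membership test
    never treats it as a licensed blade.
    """
    return [tok for tok in line.split() if not tok.startswith("CK-")]


def remote_access_summary(features: list) -> dict:
    """Pick out the tokens relevant to Check Point Mobile / Endpoint Security VPN.

    Assumed SKU meanings (hypothetical mapping taken from the thread):
      CPSB-VPN        IPsec VPN blade on the gateway
      CPSB-SSLVPN-N   N remote access users
      CPSB-NPM        Network Policy Management (manages the standalone client)
      CPSB-IA         Identity Awareness (needed for Access Roles in rules)
    """
    ra_users = 0
    for tok in features:
        m = _RA_USERS.match(tok)
        if m:
            ra_users = max(ra_users, int(m.group(1)))
    return {
        "ipsec_vpn": "CPSB-VPN" in features,
        "ra_users": ra_users,
        "npm": "CPSB-NPM" in features,
        "identity_awareness": "CPSB-IA" in features,
    }


def check_entitlement(summary: dict, needed_users: int) -> list:
    """Return findings as strings; an empty list means the license covers
    a standalone remote-access client for needed_users concurrent users."""
    findings = []
    if not summary["ipsec_vpn"]:
        findings.append("CPSB-VPN (IPsec VPN blade) missing: remote access VPN will not work")
    if summary["ra_users"] < needed_users:
        findings.append(
            f"only {summary['ra_users']} RA users licensed, {needed_users} needed"
        )
    if not summary["npm"]:
        findings.append("CPSB-NPM missing: no Network Policy Management blade to push desktop policy")
    return findings


if __name__ == "__main__":
    summary = remote_access_summary(parse_features(SAMPLE_FEATURES))
    print(summary)
    for finding in check_entitlement(summary, needed_users=5):
        print("WARNING:", finding)
```

Running it on the pasted string reports the IPsec VPN blade present, 5 RA users, NPM and Identity Awareness present, and no warnings for 5 users; asking for a sixth user produces one warning. Nothing here checks for an Endpoint Container or Endpoint VPN blade, which is the point of the replies that follow: they are not needed for the standalone client.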
G_W_Albrecht
Legend

For RA VPN clients, Endpoint Container and Endpoint Management Blade are not needed. Endpoint Security VPN is the standalone client managed by the NPM Blade on Management (Desktop Policy) only.

CCSE CCTE CCSM SMB Specialist
PhoneBoy
Admin

Actually, you have to install as Check Point Mobile (same package as Endpoint Security VPN, just different option).
Endpoint Security requires different licensing that isn't included on a gateway.

G_W_Albrecht
Legend

This is clear from sk84560 (Check Point VPN License Guide), which lists the possible clients for the CPSB-SSLVPN-5 license.

CCSE CCTE CCSM SMB Specialist
Rob_Shears
Contributor

Sorry, I don't see where that's clear.

I followed the "Standalone Client" link here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Downloaded the MSI, and I think what you're saying is that during install, out of the 3 options:

*Endpoint Security VPN

*Check Point Mobile

*SecuRemote

I select Check Point Mobile? Is that correct?

G_W_Albrecht
Legend

Yes, this is correct!

CCSE CCTE CCSM SMB Specialist
Rob_Shears
Contributor

Thanks. Now trying to figure out how to set the "gateway IP address" to my WAN interface instead of one of the internal ones. The Endpoint client gets stuck on "retrieving site information", and if I check trac.log it shows a non-WAN IP address for the VPN gateway.

Edit: figured that out. The remaining challenge is to allow my remote client access to manage the CP cluster itself (2 GWs and a mgmt server). I have two rules with an access role as source on both. One has all CP objects as destination, the other specifies the entire subnet. Services are Any, VPN community set to Remote Access. I can ping, but HTTPS for instance is blocked.

Edit 2: Ah, it seems that Identity Awareness (which it forced me to enable to use Access Roles in a rule) is not picking up the user that signed in from Endpoint. I could probably use the "Office Mode" IP pool, but would prefer to leverage Access Roles. Any ideas on what I could be missing?

Rob_Shears
Contributor

Aha! It was under Cluster Properties -> Identity Awareness -> check Remote Access (the "install screen" for Identity Awareness only provided Browser, AD and Agent options).

Vladimir
Champion

Can we get an official statement from CP licensing to that effect please?

The line "By default, a Security Gateway comes with a license for 5 users. You can attach a larger blade, if more users are required." does not allude to a specific license type.

The choice of CP Mobile requires enabling another blade and configuring a different branch of the gateway/cluster properties.

Additionally, it creates an impression that MOB should be enabled in the Layer.

Rob_Shears
Contributor

Agreed. It's not very clear, and Check Point seems to love rebranding the names.

the_rock
Legend

I agree 100% with @Vladimir