Secure Remote in Hotels

[pcforty4]

I'm new to Checkpoint as you'll no doubt see by my question/terminology

We have an XP SP2 user who complains that most of the time when he's overseas and in a hotel, he cant connect to the VPN using Secure Remote R56 to our R55 server.
His workaround when in hotels is to first connect by dial up to IPass which is a worldwide Point of presence type service. He then can successfully connect via SR to the VPN. He then removes the modem cable and plugs in the hotels broadband cable and it works for a while until an authentication request is made at which point it drops the connection.

He tells me that he can use it from home with no problems.

Anybody any ideas on this??

[Dominik Zanolari]

Always a good point to start is with an analysis:

- does WWW connectivity work for him at the time?
- what is his IP address?
- do you see a log entry on the gateway?
- browse CheckPoint's knowledgebase

However, most likly it's overlapping address space as you're using Secure Remote which does not support Office Mode.

[mcnallym]

It may also be that the Hotel doesn't allow the VPN protocols through the box, or more likely that they require you to register to a hotspot.

Check Point has work arounds for these but it requires Secure Client, as they have HotSpot registration which allows you time to authenticate to a Hotel Hotspot via http/https before connecting to the VPN, and visitor mode where you run the SecureClient over https. Once you get SecureClient then you also can get Office Mode as well where you can allocate an IP address to the virtual NIC on the SecureClient desktop, which solves issues regarding overlapping IP.

HotSpot registration is in the gateway from R60 but is able to use the R56 client with a bit of editing.

Home connections very rarely require you to authenticate first unless the home owner is a real techno junkie, or paranoid about someone else using there Internet Connection. As such it will work from home but unlikely to from a hotel even when not overseas.

[dantro]

I suggest you set up a Check Point Connectra Gateway. This provides SSL VPN, so your remote use could easily connect from anywhere in the world just via his webbrowser using https. No SecuRemote would be required anymore and you would just get a lot of trouble out of your way.

Best regards,
Danny Trommer
CCSA/CCSE/CCSE+

[melipla]

We use "Visitor Mode" in this type of scenario [where the hotel is blocking some part of the connection]. Its essentially using SecureClient over port 443 instead of the typical port(s). You'll need to set up a profile under Smart Dashboard -> Manage -> Remote Access -> Connection Profiles or create one on the client. The gateway needs to be enabled to support Visitor Mode under Remote Access.

[lammbo]

Quote:

Originally Posted by melipla

We use "Visitor Mode" in this type of scenario [where the hotel is blocking some part of the connection]. Its essentially using SecureClient over port 443 instead of the typical port(s). You'll need to set up a profile under Smart Dashboard -> Manage -> Remote Access -> Connection Profiles or create one on the client. The gateway needs to be enabled to support Visitor Mode under Remote Access.

Note: You need to change the SSL port for your Web Interface from 443 on your gateways before you enable Visitor mode.

For SPLAT: Device --> Web Server

For Nokia Voyager 4: System --> Configuration --> Security and Access --> Voyager Web Access --> Voyager Options --> Voyager SSL Port Number