Remote access community

[tdvit]

Hi,

Is it possible to have more than one remote access community in CP?

Looks like a no?

Have a requirment for one user who needs access to one server and would not be at a fixed IP. I have suggested SSL VPN appliance but wondered was there any other way to do this in checkpoint?

thanks

[MarioL]

It seems you can't which is a bit crap to be honest.

If you use Traditional mode you can define the Client-to-site VPNs exactly as you want, so that might be an option.

You can still use one single community and then use the rules to create granularity.

[coldark]

Personally I would not opt to switch to traditional mode, because Simplified mode offers much more capability and seems to have been developed more by CheckPoint than the old Traditional Mode.

As Mario suggests there is NO WAY to have more than 1 Remote Access VPN Community. But I also dont see this as an issue, because the Rulebase can explicitly determine which users are allowed to go to which destinations and for which services (the granularity that MarioL mentions).

example:

I have a Remote Access Community containing 3 Gateways:
__ FWOslo - with NetOslo as the VPN Domain,
__ FWRome - with NetRome as the VPN Domain,
__ FWToronto - with NetToronto as the VPN Domain
and 3 Usergroups
__ UGRome,
__ UGRome,
__ UGToronto.

I can now configure my rules something like this:

UGRome@any | NetRome | Remote Access | any | Accept
UGOslo@any | NetOslo | Remote Access | any | Accept

and so on.

In your case you could add a usergroup UGwhatever (containing your one customer) and add a rule

UGWhatever@any | SpecificServer | RemoteAccess | RequiredServices | Accept

ofc this also assumes that your SpecificServer is in the vpn domain of one of the gateways in your remote access community.