CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Mobile Access Config Help Please

  1. #1 Mobile Access Config Help Please

    Hi,

    I need some help with the Check Point Remote Access solution.

    Safe to say, the mobile access blade is clunky and terrible – however, we purchased it and I need a hand configuring some parts.

    We will be using the SSL extender (SSL VPN) for certain users that need access to the Secure Workspace.
    Then, for all corporate laptop users, they will be using the Endpoint Security VPN client to connect (IPSEC).

    Okay – so, SSL extender is fine. No problem, basic browse to a site, log in. All cool.

    It’s the IPSEC side that’s causing issues.

    If I download the Endpoint Security client to my own personal PC, I can connect to our gateway, and my machine is then effectively on the corporate LAN. This obviously needs to be prevented.
    How do I restrict this so that only corporate laptops can connect? I have looked at SCV – which is a headache, painfully complicated, and also doesn't seem relevant to this. Is it something in Compliance? Please can someone help with how to restrict this?

    Secondly, I can't manage to disable split tunnelling. There are some sites, i.e. ServiceNow, that only allow access via our corporate public IP. I need all traffic to route via the gateway and out. I have enabled Hub mode, and also ticked the security option to route all traffic via this gateway. No luck.

    Any suggestions to both queries please?

    Thanks all.

  2. #2 Re: Mobile Access Config Help Please

    SCV is what would be used; it would check that your machine is domain joined:

    : (RegMonitor
        :type (plugin)
        :parameters (
            :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.com")
            :begin_admin (admin)
            :send_log (alert)
            :mismatchmessage ("Your computer doesn't meet the domain membership requirements. Please contact the IT department for assistance. ")
            :end (admin)
        )
    )

    This is an example from a Check Point SK, obviously using checkpoint.com as the domain.


    Have you configured NAT appropriately? It sounds like the gateway is configured to force all traffic down the VPN tunnel.

    It may be worth doing an Install Database to the Management Server and then pushing policy to the Gateway again. Sometimes it takes the Install Database to force the change in settings to work.
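    To show what the RegMonitor check above actually compares, here is an added example (not from the thread or from Check Point) that parses the `:string ("path=value")` entry out of an SCV fragment, resolves it to an HKLM subkey and value name, and evaluates it against a registry. The SCV fragment, the sample registries and the case-insensitive comparison are this example's constructions; the page does not state how SCV itself compares the strings. On Windows the `winreg` path reads the real value; elsewhere it returns None.

```python
import re

# Constructed SCV fragment for this example, modelled on the RegMonitor snippet
# quoted in the post above (checkpoint.com is the post's example domain).
SCV_FRAGMENT = r'''
: (RegMonitor
    :type (plugin)
    :parameters (
        :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=checkpoint.com")
        :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Your computer doesn't meet the domain membership requirements. Please contact the IT department for assistance. ")
        :end (admin)
    )
)
'''

# The path inside :string is relative to HKEY_LOCAL_MACHINE; the part after '='
# is the value SCV expects to find there.
STRING_CHECK = re.compile(r':string\s*\("([^"]*)"\)')
MISMATCH_MSG = re.compile(r':mismatchmessage\s*\("([^"]*)"\)')


def parse_string_checks(fragment):
    """Return [(hklm_subkey, value_name, expected_value), ...] for each :string entry."""
    checks = []
    for match in STRING_CHECK.finditer(fragment):
        path, _, expected = match.group(1).partition("=")
        subkey, _, value_name = path.rpartition("\\")
        checks.append((subkey, value_name, expected))
    return checks


def parse_mismatch_message(fragment):
    """The message SCV would show the user when the check fails."""
    match = MISMATCH_MSG.search(fragment)
    return match.group(1).strip() if match else ""


def read_hklm_value(subkey, value_name):
    """Read a REG_SZ from HKLM on Windows; None off Windows or when absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _ = winreg.QueryValueEx(key, value_name)
            return value
    except OSError:
        return None


def evaluate(checks, registry):
    """Evaluate checks against `registry`, a dict {(subkey, value_name): value}
    standing in for HKLM. Returns (compliant, failures). DNS domain names are
    case-insensitive, so the comparison here is too (this example's assumption)."""
    failures = []
    for subkey, value_name, expected in checks:
        actual = registry.get((subkey, value_name))
        if actual is None or actual.lower() != expected.lower():
            failures.append((subkey, value_name, expected, actual))
    return (not failures, failures)


def evaluate_local_machine(checks):
    """Same evaluation against the real HKLM (meaningful on Windows only)."""
    registry = {(s, v): read_hklm_value(s, v) for s, v, _ in checks}
    return evaluate(checks, registry)


if __name__ == "__main__":
    checks = parse_string_checks(SCV_FRAGMENT)
    key = (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "Domain")
    # Constructed sample registries: a domain-joined corporate laptop and a home PC.
    samples = {"corporate": {key: "checkpoint.com"}, "home_pc": {key: ""}}
    for name, reg in samples.items():
        ok, _ = evaluate(checks, reg)
        print(name, "compliant" if ok else "NOT compliant: " + parse_mismatch_message(SCV_FRAGMENT))
```

    The check is a string comparison against the primary DNS suffix stored under Tcpip\Parameters, not a verification of the domain trust itself; where stronger assurance is needed, it is normally paired with machine-level authentication such as a certificate issued to the corporate device.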

  3. #3 Re: Mobile Access Config Help Please

    Hi,

    Speaking specifically about the routing issue now.

    Hub mode is enabled and in global properties, I have also changed the option that states "all traffic through gateway" or something similar.

    Route Print on the remote host shows the 2 routes.
    One is 0.0.0.0 0.0.0.0 and the default gateway of the machine.
    The 2nd is 0.0.0.0 192.0.0.0 and the default gateway is the VPN tunnel.

    As the 2nd is more specific, traffic should be going via the VPN tunnel, correct?

    I can not access corporate DNS - in fact, I can not access anything. Traffic does not seem to move in either direction. It's not trying to go locally, via the ISP, or down the tunnel. Any help on this?


  4. #4 Re: Mobile Access Config Help Please

    H:\>route print
    ===========================================================================
    Interface List
     18...54 8b 62 cf 23 0f ......Check Point Virtual Network Adapter For Endpoint VPN Client
     17...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
     15...6e 79 80 69 b1 01 ......AppGate Tunneling Adapter
     12...d8 fc 93 5a d2 d2 ......Intel(R) Dual Band Wireless-AC 7260
     11...34 e6 d7 3e c0 b3 ......Intel(R) Ethernet Connection I218-LM
      1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     25
              0.0.0.0        192.0.0.0        10.44.0.1        10.44.0.2      1
            10.44.0.0      255.255.0.0          On-link        10.44.0.2    256
            10.44.0.2  255.255.255.255          On-link        10.44.0.2    256
        10.44.255.255  255.255.255.255          On-link        10.44.0.2    256



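    As an added example (not part of the thread), the route lookup below is run over the Active Routes block from the route print above to show which destinations the 0.0.0.0 / 192.0.0.0 entry actually catches. A netmask of 192.0.0.0 is a /2, so that entry covers 0.0.0.0 through 63.255.255.255 only: it is more specific than the 0.0.0.0 / 0.0.0.0 default, but for destinations above 63.255.255.255 the listing shown leaves the ISP default route as the only match. The route rows are transcribed from the post; the sample destinations and the simplified Windows forwarding model (longest prefix, then lowest metric, interface metrics ignored) are this example's own.

```python
import ipaddress

# Transcribed from the "IPv4 Route Table / Active Routes" block in the route
# print posted above: (destination, netmask, gateway, interface, metric).
ACTIVE_ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.1.254", "192.168.1.75", 25),
    ("0.0.0.0",       "192.0.0.0",       "10.44.0.1",     "10.44.0.2",    1),
    ("10.44.0.0",     "255.255.0.0",     "On-link",       "10.44.0.2",    256),
    ("10.44.0.2",     "255.255.255.255", "On-link",       "10.44.0.2",    256),
    ("10.44.255.255", "255.255.255.255", "On-link",       "10.44.0.2",    256),
]


def parse_routes(rows):
    """Turn route-print rows into (IPv4Network, gateway, interface, metric)."""
    routes = []
    for dest, mask, gateway, iface, metric in rows:
        # strict=False tolerates host bits set in the destination column.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, metric))
    return routes


def covered_range(dest, mask):
    """First address, last address and prefix length a destination/netmask pair covers."""
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return str(net[0]), str(net[-1]), net.prefixlen


def lookup(routes, address):
    """Longest-prefix match, lowest metric breaking ties (simplified model of the
    Windows IPv4 forwarding decision; interface metrics are ignored)."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, address):
    """Return (gateway, interface) for a destination, or None when unroutable."""
    route = lookup(routes, address)
    return None if route is None else (route[1], route[2])


if __name__ == "__main__":
    routes = parse_routes(ACTIVE_ROUTES)
    print("0.0.0.0 mask 192.0.0.0 covers", covered_range("0.0.0.0", "192.0.0.0"))
    # Constructed sample destinations: some inside the /2, some outside it.
    for dest in ("8.8.8.8", "52.1.2.3", "172.217.0.1", "10.44.0.9", "192.168.1.254"):
        print(f"{dest:>15} -> {next_hop(routes, dest)}")
```

    With only these rows, 8.8.8.8 and 52.1.2.3 resolve to the tunnel gateway 10.44.0.1, while 172.217.0.1 falls back to the ISP gateway 192.168.1.254. A full "route all traffic through gateway" setup needs the rest of the address space covered by tunnel routes as well, so a route print that shows the complete table is the first thing to compare against.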