CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Checkpoint RAS solutions

  1. #1
    Join Date
    2018-05-13
    Posts
    11
    Rep Power
    0

    Default Checkpoint RAS solutions

    The more I struggle to clarify a bit Checkpoint's Remote Access Solutions as well as their licensing options,
    the more I get confused.

    What I thought so far with regard to SNX is that it uses SSLVPN and since we are allocated an OM IP address, it consumes from the MOB license (concurrent connections).
    However as the below pic illustrates (taken from sk67820) it seems that there are 2 snx versions ?!?!

    Also according to the same SK the Endpoint Security VPN software demands
    The IPsec VPN Software Blade on the Security Gateway
    An Endpoint Container license
    An Endpoint VPN Software Blade license on the Security Management Server.

    My question is the following:
    I have a trial version of a Checkpoint vm having IPSEC VPN, MOB software blades
    On another PC I have enabled and configured Endpoint Security VPN client to connect to the aforementioned gateway.
    The connection succeeds.
    Why is that since I don't have any of the aforementioned licenses enabled ? And from which license I consume ?

  2. #2
    Join Date
    2012-07-19
    Posts
    99
    Rep Power
    7

    Default Re: Checkpoint RAS solutions

    Quote Originally Posted by nickliako View Post
    My question is the following:
    I have a trial version of a Checkpoint vm having IPSEC VPN, MOB software blades
    On another PC I have enabled and configured Endpoint Security VPN client to connect to the aforementioned gateway.
    The connection succeeds.
    Why is that since I don't have any of the aforementioned licenses enabled ? And from which license I consume ?

    You can connect to a MOB gateway with Endpoint Connect. It should be counted as Mobile VPN (Concurrent Connection License). It won't get a desktop policy etc. of course.

    The remote access client is basically always the same (same msi, different options), but features are different. You can tell that Endpoint Connect does more on installation as it requires reboot on install and uninstall, while Mobile VPN does not. Both installations can, however, connect to Mobile Access Gateways. Not sure if Mobile VPN can connect to Endpoint Connect GWs, I don't think so.

    Basically:
    - SecureClient: Does not require a special license (you can't have a license without ipsec VPN with checkpoint), does not support OM or any special features
    - Mobile VPN (aka Capsule Connect aka Capsule VPN on mobile devices like smartphones): Connects to MOB GW, licensed per concurrent connection, also, SSLVPN (Portal/SNX) use the same license.
    - Endpoint Connect: Connects to Endpoint GW (MOB GW also works), licensed per installation, supports extra features like desktop policy etc.

    At least, that is how I understand RAS solutions.

  3. #3
    Join Date
    2007-06-04
    Posts
    3,283
    Rep Power
    16

    Default Re: Checkpoint RAS solutions

    Standalone IPSEC VPN Client

    Endpoint Security VPN ( SecureClient ) - Requires IPSEC VPN Blade, also requires Endpoint VPN License - Provides Office Mode and Desktop Policy from VPN Gateway configured under Desktop Policy in SmartConsole
    Mobile for Windows - Terminates on the MOB using MOB licenses. OM but no Firewall - confusingly called Mobile but is for Windows Desktops not Mobile Devices.
    SecuRemote - Requires IPSEC VPN Blade, as previous no OM, No Protection

    All install from the same MSI

    These cannot be installed if using the Endpoint Suite as they are Standalone VPN Clients

    Endpoint VPN

    You can also deploy a VPN Blade as part of the Endpoint Suite which uses Same License as Endpoint Security VPN but connects to Endpoint Security Server. Protection is set via the Endpoint Server not the Desktop Policy.


    SSL Network Extender - Terminates on the MOB if present, otherwise terminates on the IPSEC VPN Blade. Licensed depending upon how terminated.


    For iOS/Android

    Capsule Connect/VPN - Uses MOB license and terminates on Mobile Access Blade

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    276
    Rep Power
    12

    Default Re: Checkpoint RAS solutions

    Quote Originally Posted by Jejerod View Post
    You can connect to a MOB gateway with Endpoint Connect. It should be counted as Mobile VPN (Concurrent Connection License). It won't get a desktop policy etc. of course.

    The remote access client is basically always the same (same msi, different options), but features are different. You can tell that Endpoint Connect does more on installation as it requires reboot on install and uninstall, while Mobile VPN does not. Both installations can, however, connect to Mobile Access Gateways. Not sure if Mobile VPN can connect to Endpoint Connect GWs, I don't think so.

    Basically:
    - SecureClient: Does not require a special license (you can't have a license without ipsec VPN with checkpoint), does not support OM or any special features
    - Mobile VPN (aka Capsule Connect aka Capsule VPN on mobile devices like smartphones): Connects to MOB GW, licensed per concurrent connection, also, SSLVPN (Portal/SNX) use the same license.
    - Endpoint Connect: Connects to Endpoint GW (MOB GW also works), licensed per installation, supports extra features like desktop policy etc.

    At least, that is how I understand RAS solutions.

    SecureClient definitely supports Office Mode. You're thinking of SecuRemote, which is the same software installed in a different mode. I don't think either is supported anymore (i.e., you can't call tech support for help), but both should still work. As a side note, I got several calls in the TAC where someone had installed SecuRemote to hundreds of workstations, then bought the SecureClient license and wanted to enable the features. Once installed as SecuRemote, the client software would never even ask for an Office Mode IP or any of the other features. You had to uninstall SecuRemote, reboot, reinstall it as SecureClient, and reboot again. Meanwhile, if installed as SecureClient, it would happily work with a firewall offering only the SecuRemote feature set. That pointless artificial differentiation caused enormous headaches for support.

    I thought Endpoint Connect was the $0 replacement for SecuRemote and that there was some other name for the Endpoint mode with desktop security policy, client verification, and so on.
    Zimmie

  5. #5
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,490
    Rep Power
    16

    Default Re: Checkpoint RAS solutions

    On a trial license, you have "all of the above" in terms of VPN connectivity.
    Meaning, you can use either the "Endpoint Security" options or the "Mobile Access" options (SNX or Check Point Mobile)--in addition to SecuRemote, which still exists as a "free" option.
    Note that most permanent gateway licenses include 5 users of Mobile Access Blade free of charge.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
