Check Point Remote Access VPN Features
There are a number of Check Point Remote Access VPN terms and features. This guide attempts to explain them.
Office Mode allows your remote VPN user to receive an IP address assigned by the Check Point Gateway, an internal DHCP server or a RADIUS server.
Visitor Mode allows your VPN client to connect to the gateway over SSL on port 443. This can be used where the user is unable to connect to the gateway because they are behind devices which block non-standard ports.
SecureClient allows the use of connection profiles. Connection profiles give you the ability and flexibility to build customised connection configurations (such as MEP, backup gateways, Visitor Mode, HA Policy Servers etc.) while allowing the user to choose which connection profile they require.
SSL Network Extender
Check Point's SSL Network Extender (SNX) is a clientless VPN solution which allows the user to use their web browser as the VPN client and connect to the gateway over SSL (port 443).
There are 2 main types of connection mode, which define how the connection is initialised.
- Connect Mode - This is, by comparison, the standard method of connecting. You open the client, choose your site and log in. Once you are finished you disconnect.
- Transparent Mode - If you direct any traffic to a host in the encryption domain, your client will display a login prompt requesting your login credentials so that it can automatically establish a VPN. This term is also known (post NGX R65) as Auto Connect.
Wire Mode allows you to bypass the firewall to ensure that the traffic is not subject to stateful inspection.
The gateway defines internal interfaces and communities as trusted. When a packet reaches the gateway, 2 questions are raised:
- Is the information coming from a trusted source
- Is the information coming from a trusted destination
If both answers are yes then stateful inspection is not enforced.
This feature is useful for MEP and route-based VPNs, where differences in state tables caused by network changes could prevent the traffic from passing the gateway.
Directional VPN Enforcement between communities
This allows you to specify, within the VPN column of the policy, the direction in which to allow traffic between communities.
Say you had a New York star community and a Paris mesh community. You could allow traffic to initiate only in the direction from Paris to New York.
For backup gateways, each gateway should have its own VPN Domain configured, and these shouldn't overlap.
To enable this:
- Enable the Backup gateway feature within Global Properties | VPN | Advanced
- Under each Gateway object, under VPN, you will be presented with a drop-down box from which to select your backup gateway.
Multiple Entry Points (MEP) is an addition to Backup Gateways and has 3 modes:
- First to Respond
- Primary Backup
- Load Distribution
The following outlines the ways in which you can configure the different modes:
First to Respond - Each gateway should have the same encryption domain. RDP probing packets are sent out from the client to determine which gateway it should connect to.
Primary Backup - This requires a connection profile. Within this profile you can specify the primary and backup gateway.
Load Distribution - This allows the client to randomly select which gateway to connect to. This is enabled via "Properties | Remote Access | VPN - Basic | Enable Load Distribution".