Setting Up Your Safe@Office Appliance as a VPN Server

You can make your network available to authorized users connecting from the Internet or from your internal networks by setting up your Safe@Office appliance as a VPN Server.

When the SecuRemote Remote Access VPN Server or SecuRemote Internal VPN Server is enabled, users can connect to the server via Check Point SecuRemote/SecureClient or via a Safe@Office appliance in Remote Access VPN mode.

The Endpoint Connect VPN Server can be enabled in addition to one or more of the SecuRemote VPN Servers, to allow users to connect from relevant locations using an Endpoint Connect VPN Client. For example, if both the SecuRemote Remote Access VPN Server and the Endpoint Connect VPN Server are enabled, but the SecuRemote Internal VPN Server is not enabled, then users will be able to use the Endpoint Connect VPN Client to connect from the Internet but not from your internal networks. Endpoint Connect users are automatically assigned to the OfficeMode network, enabling you to configure special security rules for them.

When the L2TP (Layer 2 Tunneling Protocol) VPN Server is enabled, users can connect to the server using an L2TP client such as the Microsoft Windows L2TP IPSEC VPN Client. L2TP users are automatically assigned to the OfficeMode network, enabling you to configure special security rules for them.

SecuRemote/SecureClient supports split tunneling, which means that VPN Clients can connect directly to the Internet, while traffic to and from VPN sites passes through the VPN Server. In contrast, the L2TP VPN Client does not support split tunneling, meaning that all Internet traffic to and from a VPN Client passes through the VPN Server and is routed to the Internet.

Enabling the Safe@Office VPN Server for users connecting from your internal networks adds a layer of security to such connections. For example, while you could create a firewall rule allowing a specific user on the DMZ to access the LAN, enabling VPN access for the user means that such connections can be encrypted and authenticated. For more information, see Internal VPN Server.

Note: The use of all Remote VPN Clients is subject to Check Point’s purchasing terms and conditions.

To set up your Safe@Office appliance as a VPN Server

  1. Configure the VPN Server in one or more of the following ways:
  2. If you configured the SecuRemote Internal VPN Server, install SecuRemote/SecureClient on the desired internal network computers.

    See Installing SecuRemote.

  3. If you configured both the SecuRemote Internal VPN Server and the Endpoint Connect VPN Server, install Endpoint Connect on the desired internal network computers.

    See Installing Endpoint Connect.

  4. If you configured the L2TP VPN Server, do the following:
    1. Configure the OfficeMode network.

      See Configuring the OfficeMode Network.

      All users connecting via L2TP will be assigned to the OfficeMode network.

    2. Configure L2TP VPN Clients on the desired internal network computers.

      See Configuring L2TP VPN Clients.

  5. Set up remote VPN access for users.

    See Setting Up Remote VPN Access for Users.

Note: Disabling the VPN Server for a specific type of connection will cause all existing VPN tunnels of that type to disconnect.

In This Section

Configuring the SecuRemote Remote Access VPN Server

Configuring the SecuRemote Internal VPN Server

Configuring the Endpoint Connect VPN Server

Configuring the L2TP VPN Server

Installing SecuRemote

Installing Endpoint Connect

Configuring L2TP VPN Clients

See Also

Working With VPNs

Overview

Adding and Editing VPN Sites

Viewing and Deleting VPN Sites

Enabling/Disabling a VPN Site

Logging in to a Remote Access VPN Site

Logging Out of a Remote Access VPN Site

Using Certificates

Viewing VPN Tunnels

Viewing IKE Traces for VPN Connections

Viewing VPN Topology