7.2 Remote Access VPN
Key Takeaways
- Endpoint Security VPN replaces the legacy SecureClient and adds endpoint compliance plus a centrally managed desktop firewall.
- Office Mode assigns the client an internal IP so return traffic from the corporate network can reach a road warrior behind a non-routable ISP address.
- Visitor Mode tunnels IPsec over TCP 443 so remote clients can connect from networks that block UDP 500/4500 and ESP.
- SecuRemote is the legacy IPsec client with no endpoint compliance; know the distinction for the exam.
Remote Access VPN on R82
Remote Access VPN lets individual road warriors and home workers connect to the corporate network as if they were on the LAN. Unlike site-to-site, where both endpoints are fixed gateways, remote access endpoints are clients running on Windows, macOS, iOS, Android, or a web browser. R82 splits remote access into two blades: the IPsec VPN Software Blade for client-based IPsec tunnels, and the Mobile Access Software Blade for SSL VPN (covered in the next section).
Client Options
| Client | OS | Protocol | Endpoint compliance |
|---|---|---|---|
| Endpoint Security VPN | Windows / macOS | IPsec | Yes (Windows) |
| Check Point Mobile for Windows | Windows | IPsec | Limited |
| Endpoint Security Suite Remote Access VPN Blade | Windows / macOS | IPsec | Yes, plus desktop firewall, FDE, anti-malware |
| SecuRemote | Windows | IPsec | No (legacy) |
| Capsule VPN (Windows 10 UWP) | Windows 10 | SSL | No |
SecureClient was the name used for the previous-generation IPsec VPN client. On R82 it is replaced by Endpoint Security VPN, which adds endpoint compliance verification and a centrally managed desktop firewall. SecuRemote remains available for legacy interoperability but does not do compliance checking. Required licensing: an IPsec VPN Software Blade license on the Security Gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server.
Office Mode
Office Mode solves a classic remote-access problem: the road warrior's PC gets a non-routable address from a hotel or home ISP, so return traffic from the corporate network cannot reach them. With Office Mode enabled, the gateway assigns the client an IP address from a configured internal pool. The client's IP packets are then encapsulated with that internal IP and routed on the corporate network normally.
Configuration: Gateway Properties → VPN Clients → Office Mode. Default is Allow Office Mode to all users; you can restrict it to specific groups. Office Mode is mandatory on the gateway side — once enabled, the client cannot bypass it. The gateway can assign addresses from a Network Object (a configured subnet or range) or via VPN Pool objects. You can also configure DNS and WINS servers pushed to the client so internal name resolution works once the tunnel is up. Without Office Mode, the client keeps its ISP-assigned IP, which means return traffic to that IP routes back out to the internet, not back through the tunnel — usually broken.
Visitor Mode
Where Office Mode fixes addressing, Visitor Mode fixes port blocking. Hotels and hotspots often allow only TCP 80/443 outbound. Visitor Mode tunnels all IPsec traffic through a regular TCP connection on port 443 so the remote client can still build the tunnel. Configure under IPsec VPN → VPN Clients → Remote Access → Support Visitor Mode. Visitor Mode adds overhead but is the difference between no connection and a usable tunnel in heavily filtered environments.
Workflow
- Enable the IPsec VPN Software Blade on the gateway.
- Add the gateway to the Remote Access VPN Community (default name
RemoteAccess). - Add users or user groups to the community and configure authentication (password, certificate, RADIUS, DynamicID, SAML).
- Configure Office Mode and Visitor Mode.
- Create an Access Control rule allowing the client pool to reach internal resources, with the Remote Access community in the VPN column.
- Define a Desktop Policy if you are deploying Endpoint Security clients centrally.
- Install Access Control and Desktop policies.
- Deploy the client to users (or point them at the SecureClient / Endpoint Security VPN download page).
Authentication Methods
R82 supports a layered authentication model on the Remote Access community:
- Password (local user database on the Management Server)
- RADIUS / TACACS+ for external identity stores
- Certificates issued by the ICA or a third-party CA
- DynamicID (Check Point's MFA service, sends OTP via SMS or app)
- SecurID (RSA) and SAML SSO for federated identity
You can require multiple factors per user group. Certificate-based authentication requires the gateway to have SIC to the ICA so it can retrieve the user's certificate.
Office Mode IP Pools and DNS
Office Mode can hand out addresses from a Network Object, an Address Range, or a VPN Pool (a dedicated pool type for remote access). Best practice is to size the pool to the peak concurrent user count plus headroom — when the pool is exhausted, new clients cannot build a tunnel even with valid credentials. You also push DNS and WINS servers to the client; without internal DNS, the road warrior cannot resolve internal host names even though the tunnel is up. Configure split-tunnel DNS carefully: if split tunneling is on, the client uses its local DNS for internet names and the pushed DNS for internal names, which is the default; if split tunneling is off, all DNS goes through the corporate resolver.
Exam Traps
- Office Mode assigns an internal IP; Visitor Mode tunnels through 443. They are not the same and are not mutually exclusive.
- SecuRemote has no endpoint compliance; Endpoint Security VPN does. The exam loves this distinction.
- For clientless browser access you use the Mobile Access blade, not the IPsec VPN blade.
- Authentication methods are configured on the gateway, but certificate-based auth requires SIC to the ICA for the gateway to issue/retrieve user certificates.
- Office Mode is mandatory on the gateway side once enabled — the client cannot opt out.
A road warrior at a hotel can resolve the VPN gateway but cannot build the tunnel, and the hotel only permits TCP 443 outbound. Which feature should you enable?
Which R82 client replaces the legacy SecureClient and adds centrally managed endpoint compliance and desktop firewall on Windows?