Secure Remote Access
In today's business environment, it is clear that workers require remote access to sensitive information from a variety of locations and a variety of devices. Organizations must also make sure that their corporate network remains safe and that remote access does not become a weak point in their IT security.
Types of Solutions
All of Check Point's Remote Access solutions provide:
-
Enterprise-grade, secure connectivity to corporate resources.
-
Strong user authentication.
-
Granular access control.
Factors to consider when choosing remote access solutions for your organization:
-
Client-Based vs. Clientless - Does the solution require a Check Point client to be installed on the endpoint computer or is it clientless, for which only a web browser is required. You might need multiple solutions within your organization to meet different needs.
-
Secure Connectivity and Endpoint Security - Which capabilities does the solution include?
-
Secure Connectivity - Traffic is encrypted between the client and VPN Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. After users authenticate, they can access the corporate resources that are permitted to them in the access policy. All Check Point solutions supply this.
-
Endpoint Security- Endpoint computers are protected at all times, even when there is no connectivity to the corporate network. Some Check Point solutions supply this.
-
Client-Based vs. Clientless
Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies, such as airports or hotels. These are the types of installations for remote access solutions:
-
Client-based- Client application installed on endpoint computers and devices. The client supplies access to most types of corporate resources according to the access privileges of the user.
-
Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
-
On demand client- Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.
Secure Connectivity and Endpoint Security
You can combine secure connectivity with additional features to protect the network or endpoint computers.
-
Secure Connectivity- Traffic is encrypted between the client and VPN Security Gateway and strong user authentication is supported. All Check Point solutions supply this.
These solutions require licenses based on the number of users connected at the same time.
-
Security Verification for Endpoint computers- Makes sure that devices connecting to the Security Gateway meet security requirements. Endpoint machines that are not compliant with the security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. have limited or no connectivity to corporate resources. Some Check Point solutions supply this.
-
Endpoint Security:
-
Desktop Firewall- Protects endpoint computers at all times with a centrally managed security policy. This is important because remote clients are not in the protected network and traffic to clients is only inspected if you have a Desktop Firewall. Some Check Point solutions supply this
-
More Endpoint Security Capabilities - Check Point solutions can include more Endpoint Security capabilities, such as anti-malware, disk encryption and more.
These solutions require licenses based on the number of clients installed.
-
Remote Access Solution Comparison
Details of the newest version for each client and a link for more information are in sk67820.
| SSL VPN Portal and Clients | Supported Operating Systems | Client or Clientless | Encryption Protocol | Security Verification for Endpoint Devices | Desktop Firewall on Endpoint Devices | IPv6 Support |
|---|---|---|---|---|---|---|
| Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Web Portal | Windows, Linux, Mac OS, iOS, Android | Clientless | SSL | | | |
| SSL Network Extender for Mobile Access Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. | Windows, Linux, Mac OS | On demand Client through Mobile Access Portal) | SSL | | ||
| Capsule Workspace for iOS (previously Mobile Enterprise) | iOS | Client | SSL | Jailbreak & Root Detection MDM Cooperative Enforcement (sk98201) | | |
| Capsule Workspace for Android (previously Mobile Enterprise) | Android | Client | SSL | Jailbreak & Root Detection MDM Cooperative Enforcement (sk98201) | |
| Layer-3 VPN Tunnel Clients | Supported Operating Systems | Client or Clientless | Encryption Protocol | Security Verification for Endpoint Devices | Desktop Firewall on Endpoint Devices | IPv6 Support |
|---|---|---|---|---|---|---|
| Capsule Connect for iOS (previously Mobile VPN) | iOS | Client | IPsec / SSL | MDM Cooperative Enforcement (sk98201) | ||
| Capsule VPN for Android (previously Mobile VPN) | Android | Client | IPsec/SSL | MDM Cooperative Enforcement (sk98201) | ||
| Check Point VPN Plugin for Windows 8.1 | Windows 8.1 | Pre- installed client | SSL | |||
| Check Point Capsule VPN for Windows 10 | Windows 10 | Client | SSL | |||
| Check Point Mobile for Windows | Windows | Client | IPsec | |
| Layer-3 VPN Tunnel Clients Integrated with Endpoint Security | Supported Operating Systems | Client or Clientless | Encryption Protocol | Security Verification for Endpoint Devices | Desktop Firewall on Endpoint Devices | IPv6 Support |
|---|---|---|---|---|---|---|
| Endpoint Security VPN for Windows | Windows | Client | IPsec | | | |
| Endpoint Security VPN for Mac | Mac OS | Client | IPsec | | ||
| Endpoint Security Suite Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Software Blade | Windows, Mac OS | Client | IPsec | | |
| Additional Remote Access Solutions | Supported Operating Systems | Client or Clientless | Encryption Protocol | Security Verification for Endpoint Devices | Desktop Firewall on Endpoint Devices | IPv6 Support |
|---|---|---|---|---|---|---|
| SecuRemote | Windows | Client | IPsec |
Summary of Remote Access Options
Below is a summary of each Remote Access option that Check Point offers. All supply secure remote access to corporate resources, but each has different features and meets different organizational requirements.
Details of the newest version for each client and a link for more information are in sk67820.
SSL Network Extender
SSL Network Extender is a thin SSL VPN on-demand client installed automatically on the user's machine through a web browser. It supplies access to all types of corporate resources.
SSL Network Extender has two modes:
-
Network Mode- Users can access all application types (Native-IP-based and Web-based) in the internal network. To install the Network Mode client, users must have administrator privileges on the client computer.
Supported Platforms: Windows, macOS, Linux
-
Application Mode - Users can access most application types (Native-IP-based and Web-based) in the internal network, including most TCP applications. The user does not require administrator privileges on the endpoint machine.
Supported Platforms - Windows
Required Licenses - Mobile Access Software Blade on the Security Gateway
Where to Get the Client - Included with the Security Gateway. See sk67820.
Capsule Workspace for iOS
Capsule Workspace for iOS is an SSL VPN client. It supplies secure connectivity and access to web-based corporate resources and Microsoft Exchange services. It also gives secure access to Capsule Docs protected documents. It was previously called Mobile Enterprise.
Capsule Workspace is ideal for mobile workers who have privately-owned smart phones or tablets. It protects only the business data inside the App and does not require device-level security measures, such as device-lock or device-wipe.
Required Licenses - Mobile Access Software Blade on the Security Gateway and a mail license on the Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.
Supported Platforms - iOS
Where to Get the Client - Apple App Store
Capsule Workspace for Android
Capsule Workspace for Android is an SSL VPN client. It supplies secure connectivity and access to web-based corporate resources and Microsoft Exchange services. It also gives secure access to Capsule Docs protected documents. It was previously called Mobile Enterprise.
Capsule Workspace for Android is ideal for mobile workers who have privately-owned smart phones or tablets. It protects only the business data inside the App and does not require device-level security measures, such as device-lock or device-wipe.
Required Licenses - Mobile Access Software Blade on the Security Gateway
Supported Platforms - Android
Where to Get the Client - Google Play Store
Capsule Connect for iOS
Capsule Connect is a full L3 tunnel app that gives users network access to all mobile applications. It supplies secure connectivity and access to all types of corporate resources. It was previously called Mobile VPN.
Required Licenses - Mobile Access Software Blade on the Security Gateway and a mail license on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.
Supported Platforms - iOS 6.0 +
Where to Get the Client - Apple App Store
Capsule VPN for Android
Capsule VPN for Android devices is an L3 VPN client. It supplies secure connectivity and access to corporate resources using L3 IPSec/SSL VPN Tunnel An encrypted connection between two hosts using standard protocols (such as L2TP) to encrypt traffic going in and decrypt it coming out, creating an encapsulated network through which data can be safely shared as though on a physical private line.. It was previously called Mobile VPN.
Required Licenses - Mobile Access Software Blade on the Security Gateway
Supported Platforms - Android 4 + (ICS+)
Where to Get the Client - Google Play Store
Check Point VPN Plugin for Windows 8.1
Check Point VPN Plugin for Windows 8.1 is an L3 VPN client. It supplies secure connectivity and access to corporate resources using L3 SSL VPN Tunnel.
Required Licenses - Mobile Access Software Blade on the Security Gateway
Supported Platforms - Windows 8.1
Where to Get the Client - Pre-installed with Windows.
Check Point Capsule VPN for Windows 10
Check Point Capsule VPN for Windows 10 is an L3 VPN client. It supplies secure connectivity and access to corporate resources using L3 SSL VPN Tunnel.
Required Licenses - Mobile Access Software Blade on the Security Gateway
Supported Platforms - Windows 10
Where to Get the Client - Microsoft Software & Apps store.
Check Point Mobile for Windows
Check Point Mobile for Windows is an IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. client. It is best for medium to large enterprises that do not require an Endpoint Security policy.
The client gives computers:
-
Secure Connectivity
-
Security Verification
Required Licenses - IPsec VPN and Mobile Access Software Blades on the Security Gateway.
Supported Platforms - Windows
Where to Get the Client - Check Point Support Center - sk67820.
Endpoint Security VPN
Endpoint Security VPN is an IPsec VPN client that replaces SecureClient. It is best for medium to large enterprises.
The client gives computers:
-
Secure Connectivity
-
Security Verification
-
Endpoint Security that includes an integrated Desktop Firewall, centrally managed from the Security Management Server.
Required Licenses - The IPsec VPN Software Blade on the Security Gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server.
Supported Platforms - Windows
Where to Get the Client - Check Point Support Center - sk67820.
| | Note - Endpoint Security VPN on macOS includes a Desktop Firewall but not Security Verification. |
Endpoint Security VPN for macOS
Endpoint Security VPN combines Remote Access VPN with Endpoint Security in a client that is installed on endpoint computers. It is recommended for managed endpoints that require a simple and transparent remote access experience together with Desktop Firewall rules. It includes:
-
Enterprise Grade Remote Access Client that replaces SecureClient for Mac.
-
Integrated Desktop Firewall, centrally managed from the Security Management Server.
Required Licenses - The IPsec VPN Software Blade on the Security Gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server.
Supported Platforms for Users - macOS
Where to Get the Client - Check Point Support Center - sk67820.
Endpoint Security Suite
The Endpoint Security Suite simplifies endpoint security management by unifying all endpoint security capabilities in a single console. Optional Endpoint Security Software Blades include: Firewall, Compliance Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. Full Disk Encryption, Media Encryption & Port Protection, and Anti- Malware & Program Control. As part of this solution, the Remote Access VPN Software Blade provides full, secure IPsec VPN connectivity.
The Endpoint Security suite is best for medium to large enterprises that want to manage the endpoint security of all of their endpoint computers in one unified console.
Required Licenses - Endpoint Security Container and Management licenses and an Endpoint VPN Software Blade on the Security Management Server.
Supported Platforms - Windows, macOS
Where to Get the Client - Check Point Support Center - sk67820.
SecuRemote
SecuRemote is a secure, but limited-function IPsec VPN client. It provides secure connectivity.
Required Licenses - IPsec VPN Software Blade on the Security Gateway. It is a free client and does not require additional licenses.
Supported Platforms - Windows
Where to Get the Client - Check Point Support Center - sk67820.
