What is Check Point Secure Remote Office Mode

The general idea of a virtual private networking (VPN) over Internet is that it bridges two or more networks separated across Internet together as one through encrypted VPN tunnels.

In the case of the Check Point Secure Remote solution, one end of the VPN tunnel is the Secure Remote client software installed on a user’s PC, and the other, the VPN gateway on a Check Point firewall located at the headquarters.

After successful user authentication and a  VPN connection has been established, when the remote user’s IP packet enters the VPN tunnel and exits at the VPN gateway on the other end, the source address of that IP packet is the same one that he has on his PC in the remote office. On exiting the VPN  gateway, the packet will be routed to the destination address in the headquarters.

How does the reply packet return to the user’s PC?

If the user’s IP address is “alien-looking”, i.e. no explicit route within the headquarters, presumably it will be routed to the firewall (default gateway for headquarters), and the firewall will recognize the address and put the reply packet into the VPN tunnel connected to the user’s PC.

But what happens if the user’s remote office is administered by a different organization and the IP addressing scheme is similar to the headquarters?

The reply packet will no longer appear “alien-looking” to routers in the headquarters. It will be misrouted (or looped till its TTL expires) within the headquarters network, instead of being routed to the firewall.

This is where Check Point SecureRemote “office-mode” comes into the picture.

When an office-mode user authenticates successfully, Check Point will assign this user an IP address from a network address range dedicated (e.g. through explicit static route in the core routers) within headquarters for the purpose of VPN. This address range is special because that all packets destined for this range of addresses will always be routed to the Check Point firewall.