Machine Certificate

The R80.40 release adds a new VPN authentication capability to Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. Authentication with a machine certificate as of Endpoint Security Client E80.71 is now available for gateways.

Machine certificate authentication supports these modes:

  • User and machine authentication - Authenticate with a machine certificate and a user authentication method.

  • Machine-only authentication - Authenticate with a machine certificate only. This mode is available before and after the user logs in to Windows.

Note - Machine certificate authentication works with the Endpoint Client only. For more details on how to configure this feature on the client side, see Machine Authentication in the E80.72 and Higher Remote Access Clients Administration Guide.

Limitations:

  • The machine must be defined on a Microsoft AD server.

  • The Subject field of a machine certificate must not be empty.

    The hostname must be the first value.

    For example:

    CN = DESKTOP-12345, OU= Computers, DC = example, DC = com

  • Machine-only authenticated tunnels require the Security Gateway authentication method to be “Defined on user record (Legacy authentication)” or a certificate based realm.

  • Check Point Desktop Policy with Machine Groups is not supported.

  • The Check Point Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. does not provide machine certificate enrollment or distribution functionality.

  • You must use Access Roles for the machine entity. Objects such as machine@location are not supported.

Feature Configuration Steps

  1. Refer to sk149253.

    This CA is necessary for the machine authentication procedure.

  2. Refer to sk31841.

  3. Feature status definitions

    • Disabled - The feature is off. Machine certificate authentication does not occur.

    • When available - Clients are allowed to connect with or without a machine certificate. If the Gateway receives a machine certificate, it tries to authenticate the machine.

      • Note: If the machine certificate is not valid, the connection fails.

    • Mandatory - Clients can not connect without a machine certificate.

    Set the Status of the Machine Certificate Authentication

    1. Enable the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and walk through the Wizard.

    2. Apply the basic Remote Access configuration (community, office mode, and visitor mode).

    3. Go to VPN Clients > Authentication.

    4. At the bottom of the screen, check Send Machine Certificate.

    5. Choose When Available or Mandatory.

    6. Click OK.

  4. Install the Access Control Policy

    1. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management Server.

    2. Go to the Objects Menu.

    3. Left-click on New.

    4. Select More > User > Access Role.

      5. The New Access Role window will open.

    5. From the left tree, click the Users pane.

    6. On the Users pane, select one of these:

      • Any user

      • All identified users - This includes any user identified by a supported authentication method (internal users, Active Directory users, or LDAP users).

      • Specific users/groups - For each user or user group, click to select the user or the group from the list.

    7. From the left tree, click the Machines pane.

    8. On the Machines pane, select one of these:

      • Any machine

      • All identified machines - Includes machines identified by a supported authentication method (Active Directory).

      • Specific machines - For each machine, click to select the machine from the list.

    9. Click OK.

    10. From the left navigation panel, click Security Polices.

    11. Choose your network policy tab.

    12. In Access Control, select Policy.

    13. Right-click in the Source column > Add new items… .

    14. Left-click on the Access Role.

    15. Right-click in the VPN column > Specific VPN communities….

    16. Add RemoteAccess community.

    17. Install the Access Control policy on the Security Gateway / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

  5. The Source field contains the object Machines_Access_Role.

    In the access role, choose Specific machines/groups on the Machines pane and add LDAP machine/machines group (leave Any user and Any Network on corresponding panes).

    If a client connects with the machine authentication (Machine only or Machine and User), this ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. matches if the Machine matches the LDAP Machine group.

    The Source field contains the object Users_Access_Role.

    In the access role, choose Specific users/groups on the Users pane and add LDAP user/users group. Leave Any machine and Any Network in the corresponding panes.

    If a client connects with user authentication (User only or Machine and User), this rule matches if the User matches the LDAP User group.

    The Source field contains the object Machines_and_Users_Access_Role.

    In the access role you should choose Specific machines/groups on the Machines pane and Specific users/groups in the Users pane. Leave Any Network in the corresponding pane.

    A connection with Machine and User authentication can match this rule if the Machine and User both match the appropriate LDAP groups.

    Policy Source field contains the object Any.

    If a client connects with User (User only or Machine and User), this rule matches.

  6. Many customers prefer using UserPrincipalName as the User Login Attribute instead of DN.

    A new realm is available: machine_certificate.

    • This makes it possible to configure different realms for machines and users.

    • Users can log in with their UPN without an impact on the machine authentication.

    • The user realm must still have one authentication factor.

    It’s necessary to create the new realm with GuiDBedit in order to make use of this functionality.

    For more details on how to create a new realm with GuiDBedit, see the R80.40 Mobile Access Administration Guide > Section User Authentication.

    • Make sure the name of the newly created realm with the display string is machine_certificate.

    • After the new realm creation, you can change the LDAP lookup type of the user selected realm to be UPN instead of DN.