SAML Support for Remote Access VPN

You can configure Remote Access VPN to recognize identities from a cloud-based SAML Identity Provider.

In Gateway mode, this feature is available starting from R80.40 Jumbo Hotfix Accumulator Take 114.

In VSX mode, or to use the feature with more than one Software Blade (Mobile Access, Remote Access VPN, Identity Awareness), this feature is available starting from R80.40 Jumbo Hotfix Accumulator Take 119.

This feature is available starting with R80.40 SmartConsole Releases Build 423.

Requirements

These are the required versions of products to use this feature with an R80.40 Management Server.

| Product | Requirement |
| --- | --- |
| Management Server | R80.40 with the R80.40 Jumbo Hotfix Accumulator, Take 114 or higher |
| SmartConsole | R80.40 SmartConsole Releases - Build 423 or higher |
| Security Gateway | Important - To use the feature, you must download a script to the Management Server. See Step 4: Configure the Identity Provider as an Authentication Method. |
| Endpoint Security Client | Endpoint Security Client for Windows - version E84.70 build 986102705 or higher; Endpoint Security Client for macOS - version E85.30 or higher |

Important - To see the lowest Endpoint Security Client version that your Security Gateway supports, see the Release Notes document for the version of your Security Gateway > Chapter "Supported Clients and Agents".

Configuration

Procedure

Known Limitations

  • This feature supports only IPsec VPN clients.

  • All Remote Access VPN users and endpoint computers must be configured in an Identity Provider for authentication. This applies to managed endpoint computers and non-managed endpoint computers.

  • In the SAML-based authentication flow, the Identity Provider issues the SAML ticket after one or more verification activities.

  • Quantum Spark Appliances with Gaia Embedded OS are not supported.

  • SAML authentication cannot be combined with additional authentication factors in the same login option. The Machine Certificate Authentication option is supported. To use Multiple Factor Authentication, configure the external Identity Provider to require multiple verification steps. The complexity and number of verification activities depend on the configuration of the Identity Provider.

  • For Windows and macOS endpoint computers or appliances (managed and non-managed), the Check Point Remote Access VPN client must be installed.

  • In the security Rule Base, you can only enforce identities received from remote access SAML authentication at the VPN termination point.

  • Connecting from a CLI to a realm with Identity Provider is not supported.

  • Remote Access VPN client for ATMs is not supported.

  • Supported web browsers are the VPN client's embedded browsers and Internet Explorer 11 (the latest version).

  • Secure Domain Logon (SDL) with Identity Provider is not supported.

  • Identity Tags are not supported for Remote Access VPN connections.