SAML Support for Remote Access VPN
You can configure Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. to recognize identities from a cloud-based SAMLIdentity Provider.
This feature is available starting from R81.10 Jumbo Hotfix Accumulator Take 9.
This feature is available starting from R81.10 SmartConsole Releases Build 400.
Requirements
These are the required versions of products to use this feature with an R81.10 Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:
Product |
Requirement |
||
---|---|---|---|
Management Server |
R81.10 with the R81.10 Jumbo Hotfix Accumulator, Take 9 or higher |
||
R81.10 SmartConsole Releases - Build 400 or higher |
|||
|
|||
Endpoint Security Client |
|
Configuration
Procedure
|
Note - If the Security Gateway is already configured to support Remote Access VPN, make sure the configuration applies to SAML and then click OK. For more information about configuring Remote Access VPN, see Getting Started with Remote Access. |
-
Use SmartConsole to connect to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / relevant Domain Management Server.
-
From the left navigation panel, click Gateways & Servers.
-
Open the object of the relevant Security Gateway.
-
In General Properties > Network Security tab, select the IPsec VPN Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..
-
From the left tree, click IPsec VPN.
-
In the section This Security Gateway participates in the following VPN communities, click Add.
The Add this Gateway to Community window opens.
-
Select the relevant Remote Access VPN community.
-
Click OK.
-
From the left tree, expand the VPN Clients > click Remote Access > select Support Visitor Mode.
- From the left tree, click VPN Clients > click Office Mode > select Allow Office Mode > select the relevant Office Mode Method.
-
Click OK.
The Security Gateway object closes.
-
Open the Security Gateway object.
-
From the left tree, click VPN Clients > SAML Portal Settings:
-
Make sure the Main URL field contains the fully qualified domain name (FQDN) of the Security Gateway.
-
Make sure the domain name ends with a DNS suffix registered to your organization.
Example:
https://MyGateway1.mycompany.com/saml-vpn
-
In the Accessibility section, select the relevant settings.
-
-
Click OK.
|
Important - Do this step for each Security Gateway that participates in Remote Access VPN |
-
In SmartConsole, from the right navigation panel click New > More > User/Identity > Identity Provider.
A New Identity Provider window opens.
-
In the New Identity Provider window, configure these settings:
-
Enter the applicable name and comment at the top.
-
In the Gateway field, select the Security Gateway to do the SAML authentication.
-
In the Service field, select Remote Access VPN.
SmartConsole populates these fields automatically:
-
Identifier (Entity ID) - the URL that uniquely identifies a service provider (in this configuration, the Security Gateway).
-
Reply URL - the URL to which the SAML assertions are sent.
-
-
Configure the SAML application on the Identity Provider's website.
Important - Do not close the New Identity Provider window in SmartConsole while you configure the SAML application on the Identity Provider's website.
Note - Depending on your Identity Provider, you may need to purchase a premium subscription to use the features necessary to configure SAML for Remote Access VPN.
Follow the Identity Provider's instructions.
-
Copy the values of the Identifier (Entity ID) and Reply URL fields from the SmartConsole New Identity Provider window and enter them in the relevant fields on the Identity Provider's website.
Notes:
-
The names of the target fields on the Identity Provider's website may differ for specific Identity Providers.
-
In Microsoft Azure, if you configure two or more Identity Provider objects for the same Security Gateway, make sure you paste all Entity IDs and all Reply URLs in the same Enterprise Application.
-
-
Make sure you configure the Identity Provider to send the authenticated username in the email format "
alias@domain
".Important - - The primary email address for a user must be the same in the on-premises LDAP directory and in the user directory of the Identity Provider. This email address must be unique.
-
Optional: To receive the Identity Provider's groups where users are defined, configure the Identity Provider to send the group names as values of the attribute "
group attr
". -
Before you complete the configuration, get this information from the Identity Provider:
-
Entity ID - A URL that uniquely identifies the application.
-
Login URL - A URL to use the application.
-
Certificate - For secure communication between the Security Gateway and the Identity Provider.
Note - Some Identity Providers provide this information in a metadata XML file.
-
-
-
In the New Identity Provider window, in the Data received from the SAML Identity Provider section, select one of these options:
-
Import the Metadata File
Click Import From File and select the metadata file from your Identity Provider.
-
Insert Manually
-
Enter the Identifier (Entity ID) and the Login URL you copied from the Identity Provider.
-
Click Import from File and select the Certificate File from the Identity Provider.
Note - The Identity Provider object in SmartConsole does not support the import of a RAW Certificate.
-
-
|
Note - Do this step only if you do not use an on-premises Active Directory (LDAP). |
-
From the left navigation panel, click Manage & Settings.
-
From the left tree, click Blades.
-
In the Mobile Access section, click Configure in SmartDashboard.
-
In the lower left pane, click the Users tab.
-
In the Users tab, right-click on an empty space and select New > External User Profile > Match all users.
-
Configure the External User Profile properties:
-
On the General Properties page:
-
In the External User Profile name field, make sure the default name is
generic*
. -
In the Expiration Date field, enter the date.
-
-
On the Authentication page, from the Authentication Scheme drop-down list, select Undefined.
-
On the Location, Time, and Encryption pages, configure the relevant settings.
-
Click OK.
-
-
From the top toolbar, click Menu (top left button) > File > Update.
-
Close Legacy SmartDashboard.
-
In SmartConsole, install the Access Control Policy.
-
From the left navigation panel, click Gateways & Servers.
-
Open the relevant Security Gateway object.
-
From the left tree, expand VPN Clients > click Authentication.
-
Clear the checkbox Allow older clients to connect to this gateway.
-
In the section Multiple Authentication Clients Settings, add a new object (click Add > click New) or edit an existing object (click Edit).
The Remote Access client shows the authentication methods in the order shown in this section.
For more information about Multiple Authentication Clients, see User and Client Authentication for Remote Access.
-
In the Multiple Login Options window:
-
From the left tree, click Login Option.
-
In the General Properties section:
-
In the Name field, enter the name of the object in the database.
-
In the Display Name field, enter the name that appears in the Multiple Authentication Clients Settings table and Security Gateway portals.
-
-
In the Authentication Methods section:
-
In the section Authentication Factors, select Identity Provider.
-
Click the "+" button > select the Identity Provider object.
-
Click OK.
-
Note - For Remote Access Multiple Entry Point (MEP), you must configure the same Login Option on all Security Gateways that participate in MEP. Make sure to add all the Identity Provider objects (one per Security Gateway) to a dedicated Login Option.
-
-
From the left tree, click User Directories.
-
Select Manual configuration.
-
Do one of these steps:
-
If you use an on-premises Active Directory (LDAP):
Select only LDAP users > select All Gateway's Directories.
In the Common lookup type drop-down menu, select Email Address (mail).
-
If you do not use an on-premises Active Directory (LDAP), select only External User profiles.
-
-
-
Click OK.
-
-
In the Security Gateway object, click OK.
-
Publish the SmartConsole session.
-
Configure the required settings in the management database:
-
Optional: As a Best Practice, install the Access Control Policy. The Management Server creates a revision snapshot. You can revert to this revision snapshot if you make mistakes in manual database configurations or if you want to remove SAML Support for Remote Access VPN.
Refer to:
-
Close all SmartConsole windows.
Note - To make sure there are no active sessions, run the "
cpstat mg
" command in the Expert mode on the Security Management Server / in the context of each Domain Management Server. -
Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / applicable Domain Management Server.
-
In the top left pane, go to Table > Network Objects > network_objects.
-
In the top right pane, select the Security Gateway object.
-
Press
CTRL + F
(or go to the Search menu > click Find) > paste realms_for_blades > select Match whole string only > click Find Next. -
Below realms_for_blades, select the attribute vpn and examine only its inner attributes.
-
Below the directory attribute > the fetch_options attribute, look for these attributes:
-
do_generic_fetch
-
do_internal_fetch
-
do_ldap_fetch
-
fetch_type
If these attributes do not appear, then right-click the attribute fetch_options > click Edit > do not change anything > click OK (do not make any changes).
-
-
Configure the required settings:
-
If you use an on-premises Active Directory (LDAP):
-
Below the attribute fetch_options - If the current value of the attribute do_generic_fetch is not false, then right-click the attribute do_generic_fetch > click Edit > select the value false > click OK.
-
Below the attribute directory - Right-click the attribute UserLoginAttr > click Edit > select the value mail > click OK.
-
-
If you do not use an on-premises Active Directory (LDAP):
-
Below the attribute fetch_options - If the current value of the attribute do_internal_fetch is not false, then right-click the attribute do_internal_fetch > click Edit > select the value false > click OK.
-
Below the attribute fetch_options - If the current value of the attribute do_ldap_fetch is not false, then right-click the attribute do_ldap_fetch > click Edit > select the value false > click OK.
-
-
-
Right-click the attribute fetch_type > click Edit > select the value fetch_options > click OK.
-
Do steps (c)-(j) again for all applicable Security Gateways.
-
Save all changes (click the File menu > click Save All).
-
Close the Database Tool (GuiDBEdit Tool).
-
-
Use SmartConsole to connect to the Security Management Server / relevant Domain Management Server.
-
Open each Security Gateway object and examine the settings of each Software Blade that uses authentication - VPN, Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB., and Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA..
-
Make sure to select the option LDAP Users only for Software Blades that use LDAP.
-
Make sure to select the option External user profiles only for Software Blades that do not use LDAP.
-
-
To use the feature with at least one Security Gateway of version R81.10 and lower, you must download a script to the Management Server.
-
Download this script to your computer.
-
Make sure that the Security Gateways have the necessary Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators installed. See Requirements.
-
Copy the script from your computer to the Management Server.
Note - If you copy a file over SCP to the Management Server, the user that connects must have the default shell
/bin/bash
in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS. -
Connect to the command line on the Management Server.
-
Log in to the Expert mode.
-
On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., go to the main MDS context:
mdsenv
Note - On a Multi-Domain Server, if you do not want to enable SAML in all existing domains, document the UIDs of each domain.
Run:
mgmt_cli show domains
-
Go to the directory where you uploaded the script.
-
Assign the execution permissions to the script. Run:
Copychmod u+x allow_VPN_RA_for_R8040_and_above_gateways_V2.sh
Run the script (the first argument must be "
1
"):Copy/allow_VPN_RA_for_R8040_and_above_gateways_V2.sh 1
Note - If the Management API is configured using a TCP port that is not the default port
443
(see output of theapi status
command), then do one of these:-
Add the port number as the second argument in the script:
./allow_VPN_RA_for_R8040_and_above_gateways.sh 1 <Apache Port Number>
-
Add '
--port <Apache Port Number>
' in the syntax of eachmgmt_cli
command in this script.
-
-
When the script prompts you to enter your user name and password, enter your SmartConsole credentials.
-
When the script prompts you to enter a Domain UID:
-
To enable SAML on one of the domains of a Multi-Domain Server, enter the UID of the domain (to see the UID, run “
mgmt_cli show domains
”). -
In other cases, or to enable SAML in all domains, leave the prompt empty and press
Enter
.
-
-
In SmartConsole, install the Access Control Policy on each Security Gateway.
|
Note -This step is relevant only for Endpoint Security Client for Windows and Endpoint Security Client for macOS. |
-
Install Remote Access VPN clients for Windows or for macOS. For more information, see sk172909.
-
Optional: Configure the Identity Provider browser mode. By default, the Windows client uses its embedded browser, and the macOS client uses the Safari browser to prove its identity in the Identity Provider's portal.
Configuring Remote Access VPN client for Windows to use the endpoint computer's default browser (example: Chrome):
Note - This configuration is supported starting from Remote Access VPN client for Windows version E87.30.
-
Log in to the Windows endpoint computer as an Administrator.
-
Open a plain text editor.
-
Open the trac.defaults file in the text editor.
File location on 32-bit Windows:
%ProgramFiles%\CheckPoint\Endpoint Connect\trac.defaults
File location on 64-bit Windows:
%ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.defaults
-
Change the value of the "idp_browser_mode" attribute from "embedded" to "default_browser".
-
Save the changes in the file and close the text editor.
-
Stop the Remote Access VPN client and start it again.
-
Open the Windows Command Prompt and run these commands:
-
net stop TracSrvWrapper
-
net start TracSrvWrapper
-
Configuring Remote Access VPN client for macOS to use the endpoint computer's default browser (example: Chrome):
Note - This configuration is supported starting from Remote Access VPN client for macOS version E87.30.
-
Log in to the macOS endpoint computer as an Administrator.
-
Open a plain-text editor.
-
Open the trac.defaults file in the text editor. File location:
/Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/Trac.defaults
-
Change the value of the
idp_browser_mode
attribute from "embedded" to "default_browser". -
Save the changes in the file and close the text editor.
-
Stop the Remote Access VPN client and start it again.
-
Open the Terminal and run these commands:
-
sudo launchctl stop com.checkpoint.epc.service
-
sudo launchctl start com.checkpoint.epc.service
-
Configuring Remote Access VPN client for Windows to use the Internet Explorer browser:
-
Log in to the Windows endpoint computer as an Administrator.
-
Open a plain text editor.
-
Open the
trac.defaults
file in the text editor.-
On 32-bit Windows:
%ProgramFiles%\CheckPoint\Endpoint Connect\trac.defaults
-
On 64-bit Windows:
%ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.defaults
-
-
Change the value of the "idp_browser_mode" attribute from "embedded" to "IE".
-
Keep the changes in the file and close the text editor.
-
Stop the Remote Access VPN client and start it again. Open the Windows Command Prompt as an Administrator and run these commands:
-
net stop TracSrvWrapper
-
net start TracSrvWrapper
-
Configuring the browser mode for a Windows endpoint computer in a configuration file on the Remote Access VPNGateway:
Starting from Remote Access VPN Client for Windows version E88.41, you can configure the browser mode for the endpoint computer in a configuration file on the Remote Access VPNGateway. The
idp_browser_mode
parameter in the trac_client_1.ttm file controls the browser mode. For more information, see sk75221. -
Authorization is for these types of groups:
-
Identity Provider groups - The groups the Identity Provider sends.
-
Internal groups - The groups that are received from User Directories configured in SmartConsole (internal user groups or LDAP groups).
To configure the Identity Provider groups:
-
In the Identity Provider's interface, configure a SAML attribute:
-
Define an optional attribute named group_attr.
-
Configure the attribute according to the Identity Provider's requirements.
-
-
In SmartConsole, create an internal User Group object with this name (case-sensitive, spaces not supported):
EXT_ID_<Name_of_Role>
For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.
Note - In Microsoft Azure, are not supported for Remote Access connections.
Identity Provider groups and Internal groups (example: LDAP) are used for authorization.
Authorization types: Remote Access VPN Community and Access Roles
-
Remote Access VPN Community - Grants users access to Remote Access VPN. For more information, see User and Client Authentication for Remote Access.
-
Access Roles (requires the Identity Awareness Software Blade) - Grants access to users according to policy rules and user identities. For more information, see the R81.10 Identity Awareness Administration Guide > Chapter "Configuring Identity Awareness" > Section "Creating Access Roles".
To apply authorization by Remote Access VPN, add the applicable group to the Remote Access VPN.
To apply authorization by Access Roles, add the applicable group to an Access Role in the Access Control Policy.
Known Limitations
-
This feature supports only IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. clients.
-
All Remote Access VPN users and endpoint computers must be configured in an Identity Provider for authentication. This applies to managed endpoint computers and non-managed endpoint computers.
-
In the SAML-based authentication flow, the Identity Provider issues the SAML ticket after one or multiple verification activities.
-
Quantum Spark Appliances with OS are not supported.
-
SAML authentication cannot be configured with more authentication factors in the same login option. The Machine Certificate Authentication option is supported. To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps. The complexity and number of verification activities depends on the configuration of the Identity Provider.
-
For Windows and macOS endpoint computers or appliances (managed and non-managed), Check Point Remote Access VPN client must be installed.
-
In the security Rule Base All rules configured in a given Security Policy. Synonym: Rulebase., you can only enforce identities received from remote access SAML authentication at the VPN termination point.
-
Connecting from a CLI to a realm with Identity Provider is not supported.
-
Remote Access VPN client for ATMs is not supported.
-
Secure Domain Logon (SDL) with Identity Provider is not supported.
-
Remote Access VPN connections.
are not supported for