Multiple Login Options for Security Gateways

On Security Gateways R80.10 and higher, you can configure multiple login options for the Mobile Access and IPsec VPN Software Blades.

The options can be different for each Security Gateway and each supported Software Blade, and for some client types. Users select one of the available options to log in with a supported client.

By default, all clients connect with the single legacy authentication method of R77.30 and lower. When you create new login options, clients that support multiple login options see them in addition to the legacy option; older clients continue to see only the legacy option.

To see which clients support the new multiple login options, see sk111583.

Each configured login option is a global object that can be used with multiple Security Gateways and the Mobile Access and IPsec VPN Software Blades.

Configuring Multiple Login Options

You can configure login options from these pages in the Gateway Properties of a Security Gateway:

  • Mobile Access > Authentication - The login options selected for Mobile Access clients, such as the Mobile Access Portal and Capsule Workspace, show here in the Multiple Authentication Client Settings table.

  • VPN Clients > Authentication - The login options selected for VPN clients, such as Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote, show here in the Multiple Authentication Client Settings table.

To configure multiple login options for Mobile Access Clients:

  1. From the Gateway Properties tree of a Security Gateway, select Mobile Access > Authentication.

  2. In the Multiple Authentication Clients Settings table, see a list of configured login options.

    The default login options are:

    • Personal_Certificate - Require a user certificate.

    • Username_Password - Require a username and password.

    • Cert_Username_Password - Require a username and password and a user certificate.

  3. Click Add to create a new option or Edit to change an option. Each configured login option is a global object that can be used with multiple Security Gateways and Software Blades.

  4. For each login option, select one or more Authentication Factors and the relevant Authentication Settings.

    For example, if you select SecurID, select the SecurID Server and Token Card Type. If you select Personal Certificate, select which certificate field the Security Gateway uses to fetch the username. See the "Certificate Parsing" section.

  5. Select Customize Display to configure what users see when they log in with this option. See the "Customize Display Settings" section.

  6. Click OK.

  7. Use the Up and Down arrows to set the order of the login options.

    • If you include Personal Certificate, it must be first.

    • If you include DynamicID, it cannot be first.

  8. On each Login Option > Usage in Gateway, select if the login option is available from:

    • The Mobile Access Portal

    • Capsule Workspace

  9. Click OK.

Selecting a Client for a Login Option

For login options created from the Mobile Access > Authentication page, you can select if the login option is available for the Mobile Access Portal, Capsule Workspace, or both.

The login option is visible only to the clients that you select.

Customize Display Settings

Enter descriptive values to make sure that users understand what information to enter. These fields must all be in the same language, but they do not need to be in English.

  • Headline - The title of the login option, for example, Log in with a Certificate or Log in with your SecurID Pinpad.

  • Username label - A description of the username that users must enter, for example, Email address or AD username.

  • Password label - A description of the password that users must enter, for example, AD password.

Certificate Parsing

When you select Personal Certificate as a login option, you can also configure which field of the user certificate the Security Gateway uses to fetch the username that it then looks up on the LDAP server. The default is the DN (Distinguished Name). You can configure the Security Gateway to use the user's email address or the certificate serial number instead. Choose a field that your CA fills for every user certificate and that maps to exactly one LDAP user; note that X.509 serial numbers are unique only within a single issuing CA.

To change the certificate parsing:

  1. In the Multiple Authentication Clients Settings table on the Authentication page, select a Personal_Certificate entry and click Edit.

    The Authentication Factor window opens.

  2. In the Authentication Settings area in the Fetch Username from field, select the information that the Security Gateway uses to parse the certificate.

  3. Click OK.

  4. Install policy.
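As an added example (not Check Point code), the OpenSSL commands below build a throwaway self-signed user certificate from constructed sample data and print the three values that the Fetch Username from setting can choose between, so you can see what the Security Gateway would hand to the LDAP server in each case. It assumes OpenSSL 1.1.1 or later (for the -addext and -ext options) and a POSIX sh; the Example Corp subject and the alice@example.com address are made up.

```shell
#!/bin/sh
# Added example, not Check Point code: generate a stand-in user certificate and
# extract the three candidate LDAP lookup keys (DN, email, serial number).
# All subject values and the email address are constructed sample data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/user.pem"

# Self-signed stand-in for a user certificate issued by an internal CA.
# The email is placed both in the subject and in a subjectAltName rfc822Name.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -keyout "$WORK/user.key" -out "$CERT" \
  -subj "/O=Example Corp/OU=Users/CN=alice/emailAddress=alice@example.com" \
  -addext "subjectAltName=email:alice@example.com" >/dev/null 2>&1

# DN: the full subject in RFC 2253 form (the default "Fetch Username from" choice).
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Email: prefer the subjectAltName rfc822Name; fall back to the subject
# emailAddress attribute when the certificate carries no SAN.
cert_email() {
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p')
  if [ -n "$san" ]; then
    printf '%s\n' "$san"
  else
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*emailAddress=\([^,]*\).*/\1/p'
  fi
}

# Serial number: upper-case hex, unique only within the issuing CA.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Print the three candidate lookup keys side by side.
show_lookup_keys() {
  printf 'DN:     %s\nEmail:  %s\nSerial: %s\n' \
    "$(cert_dn "$1")" "$(cert_email "$1")" "$(cert_serial "$1")"
}

show_lookup_keys "$CERT"
```

Run it as a script. Which of the three values is used is decided by the Fetch Username from setting, not by the certificate, so check that the field you select is populated by your CA in every user certificate; a certificate without a SAN or subject email, for example, gives an empty lookup key when Email is selected.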

Deleting Login Options

To permanently delete a Login option:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

  2. In SmartDashboard go to the Mobile Access tab > Authentication page.

  3. From the list of login options, select an option and click Delete.

Viewing all Authentication Settings

To see all Security Gateways and their authentication settings:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

  2. In SmartDashboard go to the Mobile Access tab.

  3. From the tree, select Gateways.

  4. Click a Security Gateway to see its authentication settings.