SAML Support for Remote Access VPN

You can configure Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. to recognize identities from a cloud-based SAML Identity Provider.

Requirements

These are the required versions of products to use this feature with an R81.20 Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

Product

Requirement

Management Server

R81.20

SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.

R81.20

Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

Important - To use the feature with at least one iSecurity Gateway of version R81.10 and lower, you must download a script to the Management Server. See Step 4: Configure the Identity Provider as an Authentication Method.

Endpoint Security Client

  • Endpoint Security Client for Windows - version E84.70 build 986102705 or higher

  • Endpoint Security Client for macOS - version E85.30 or higher

  • Android Capsule VPN - requires R81.20 Jumbo Hotfix Accumulator take 43 or higher on the Security Gateway

  • Capsule Connect for iOS - requires R81.20 Jumbo Hotfix Accumulator take 43 or higher on the Security Gateway

Important - To see the lowest Endpoint Security Client version that your Security Gateway supports, see the Release Notes document for the version of your Security Gateway > Chapter "Supported Clients and Agents".

Configuration

Procedure

Note - If the Security Gateway is already configured to support Remote Access VPN, make sure the configuration applies to SAML and then click OK. For more information about configuring Remote Access VPN, see Getting Started with Remote Access.

  1. Use SmartConsole to connect to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / relevant Domain Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the object of the relevant Security Gateway.

  4. In General Properties > Network Security tab, select the IPsec VPN Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..

  5. From the left tree, click IPsec VPN.

  6. In the section This Security Gateway participates in the following VPN communities, click Add.

    The Add this Gateway to Community window opens.

  7. Select the relevant Remote Access VPN community.

  8. Click OK.

  9. From the left tree, expand the VPN Clients > click Remote Access > select Support Visitor Mode.

  10. From the left tree, click VPN Clients > click Office Mode > select Allow Office Mode > select the relevant Office Mode Method.

  11. Click OK.

    The Security Gateway object closes.

  12. Open the Security Gateway object.

  13. From the left tree, click VPN Clients > SAML Portal Settings:

    1. Make sure the Main URL field contains the fully qualified domain name (FQDN) of the Security Gateway.

    2. Make sure the domain name ends with a DNS suffix registered to your organization.

      Example:

      https://MyGateway1.mycompany.com/saml-vpn

    3. In the Accessibility section, select the relevant settings.

  14. Click OK.

Important - Do this step for each Security Gateway that participates in Remote Access VPN

  1. In SmartConsole, from the right navigation panel click New > More > User/Identity > Identity Provider.

    A New Identity Provider window opens.

  2. In the New Identity Provider window, configure these settings:

    1. Enter the applicable name and comment at the top.

    2. In the Gateway field, select the Security Gateway to do the SAML authentication.

    3. In the Service field, select Remote Access VPN.

    SmartConsole populates these fields automatically:

    • Identifier (Entity ID) - the URL that uniquely identifies a service provider (in this configuration, the Security Gateway).

    • Reply URL - the URL to which the SAML assertions are sent.

  3. Configure the SAML application on the Identity Provider's website.

    Important - Do not close the New Identity Provider window in SmartConsole while you configure the SAML application on the Identity Provider's website.

    Note - Depending on your Identity Provider, you may need to purchase a premium subscription to use the features necessary to configure SAML for Remote Access VPN.

    Follow the Identity Provider's instructions.

    1. Copy the values of the Identifier (Entity ID) and Reply URL fields from the SmartConsole New Identity Provider window and enter them in the relevant fields on the Identity Provider's website.

      Notes:

      • The names of the target fields on the Identity Provider's website may differ for specific Identity Providers.

      • In Microsoft Azure, if you configure two or more Identity Provider objects for the same Security Gateway, make sure you paste all Entity IDs and all Reply URLs in the same Enterprise Application.

    2. Make sure you configure the Identity Provider to send the authenticated username in the email format "alias@domain".

      Important - The primary email address for a user must be the same in the on-premises LDAP directory and in the user directory of the Identity Provider. This email address must be unique.

    3. Optional: To receive the Identity Provider's groups where users are defined, configure the Identity Provider to send the group names as values of the attribute "group attr".

    4. Before you complete the configuration, get this information from the Identity Provider:

      • Entity ID - A URL that uniquely identifies the application.

      • Login URL - A URL to use the application.

      • Certificate - For secure communication between the Security Gateway and the Identity Provider.

      Note - Some Identity Providers provide this information in a metadata XML file.

  4. In the New Identity Provider window, in the Data received from the SAML Identity Provider section, select one of these options:

    • Import the Metadata File

      Click Import From File and select the metadata file from your Identity Provider.

    • Insert Manually

      1. Enter the Identifier (Entity ID) and the Login URL you copied from the Identity Provider.

      2. Click Import from File and select the Certificate File from the Identity Provider.

        Note - The Identity Provider object in SmartConsole does not support the import of a RAW Certificate.

Note - Do this step only if you do not use an on-premises Active Directory (LDAP).

  1. From the left navigation panel, click Manage & Settings.

  2. From the left tree, click Blades.

  3. In the Mobile Access section, click Configure in SmartDashboard.

    Legacy SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. opens.

  4. In the lower left pane, click the Users tab.

  5. In the Users tab, right-click on an empty space and select New > External User Profile > Match all users.

  6. Configure the External User Profile properties:

    1. On the General Properties page:

      • In the External User Profile name field, make sure the default name is generic*.

      • In the Expiration Date field, enter the date.

    2. On the Authentication page, from the Authentication Scheme drop-down list, select Undefined.

    3. On the Location, Time, and Encryption pages, configure the relevant settings.

    4. Click OK.

  7. From the top toolbar, click Menu (top left button) > File > Update.

  8. Close Legacy SmartDashboard.

  9. In SmartConsole, install the Access Control Policy.

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the relevant Security Gateway object.

  3. From the left tree, expand VPN Clients > click Authentication.

  4. Clear the checkbox Allow older clients to connect to this gateway.

  5. In the section Multiple Authentication Clients Settings, add a new object (click Add > click New) or edit an existing object (click Edit).

    The Remote Access client shows the authentication methods in the order shown in this section.

    For more information about Multiple Authentication Clients, see User and Client Authentication for Remote Access.

  6. In the Multiple Login Options window:

    1. From the left tree, click Login Option.

      • In the General Properties section:

        • In the Name field, enter the name of the object in the database.

        • In the Display Name field, enter the name that appears in the Multiple Authentication Clients Settings table and Security Gateway portals.

      • In the Authentication Methods section:

        1. In the section Authentication Factors, select Identity Provider.

        2. Click the "+" button > select the Identity Provider object.

        3. Click OK.

      Note - For Remote Access Multiple Entry Point (MEP), you must configure the same Login Option on all Security Gateways that participate in MEP. Make sure to add all the Identity Provider objects (one per Security Gateway) to a dedicated Login Option.

    2. From the left tree, click User Directories.

      1. Select Manual configuration.

      2. Do one of these steps:

        • If you use an on-premises Active Directory (LDAP):

          Select only LDAP users > select All Gateway's Directories.

          In the Common lookup type drop-down menu, select Email Address (mail).

        • If you do not use an on-premises Active Directory (LDAP), select only External User profiles.

    3. Click OK.

  7. In the Security Gateway object, click OK.

  8. Publish the SmartConsole session.

  9. Configure the required settings in the management database:

    1. Optional: As a Best Practice, install the Access Control Policy. The Management Server creates a revision snapshot. You can revert to this revision snapshot if you make mistakes in manual database configurations or if you want to remove SAML Support for Remote Access VPN.

      Refer to:

    2. Close all SmartConsole windows.

      Note - To make sure there are no active sessions, run the "cpstat mg" command in the Expert mode on the Security Management Server / in the context of each Domain Management Server.

    3. Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / applicable Domain Management Server.

    4. In the top left pane, go to Table > Network Objects > network_objects.

    5. In the top right pane, select the Security Gateway object.

    6. Press CTRL + F (or go to the Search menu > click Find) > paste realms_for_blades > select Match whole string only > click Find Next.

    7. Below realms_for_blades, select the attribute vpn and examine only its inner attributes.

    8. Below the directory attribute > the fetch_options attribute, look for these attributes:

      • do_generic_fetch

      • do_internal_fetch

      • do_ldap_fetch

      • fetch_type

      If these attributes do not appear, then right-click the attribute fetch_options > click Edit > do not change anything > click OK (do not make any changes).

    9. Configure the required settings:

      • If you use an on-premises Active Directory (LDAP):

        1. Below the attribute fetch_options - If the current value of the attribute do_generic_fetch is not false, then right-click the attribute do_generic_fetch > click Edit > select the value false > click OK.

        2. Below the attribute directory - Right-click the attribute UserLoginAttr > click Edit > select the value mail > click OK.

      • If you do not use an on-premises Active Directory (LDAP):

        1. Below the attribute fetch_options - If the current value of the attribute do_internal_fetch is not false, then right-click the attribute do_internal_fetch > click Edit > select the value false > click OK.

        2. Below the attribute fetch_options - If the current value of the attribute do_ldap_fetch is not false, then right-click the attribute do_ldap_fetch > click Edit > select the value false > click OK.

    10. Right-click the attribute fetch_type > click Edit > select the value fetch_options > click OK.

    11. Do steps (c)-(j) again for all applicable Security Gateways.

    12. Save all changes (click the File menu > click Save All).

    13. Close the Database Tool (GuiDBEdit Tool).

  10. Use SmartConsole to connect to the Security Management Server / relevant Domain Management Server.

  11. Open each Security Gateway object and examine the settings of each Software Blade that uses authentication - VPN, Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB., and Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA..

    • Make sure to select the option LDAP Users only for Software Blades that use LDAP.

    • Make sure to select the option External user profiles only for Software Blades that do not use LDAP.

  12. To use the feature with one or more Security Gateways of version R81.10 and lower, you must download a script to the Management Server.

    1. Download this script to your computer.

    2. Make sure that the Security Gateways have the necessary Jumbo HotfixClosed Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators installed. See Requirements.

    3. Copy the script from your computer to the Management Server.

      Note - If you copy a file over SCP to the Management Server, the user that connects must have the default shell /bin/bash in GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS.

    4. Connect to the command line on the Management Server.

    5. Log in to the Expert mode.

    6. On a Multi-Domain ServerClosed Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., go to the main MDS context:

      Copy 
      mdsenv

      Note - On a Multi-Domain Server, if you do not want to enable SAML in all existing domains, document the UIDs of each domain. Run:

      mgmt_cli show domains

    7. Go to the directory where you uploaded the script.

    8. Assign the execution permissions to the script. Run:

      Copy 
      chmod u+x allow_VPN_RA_for_R8040_and_above_gateways_V2.sh

      Run the script (the first argument must be "1"):

      Copy 
      /allow_VPN_RA_for_R8040_and_above_gateways_V2.sh 1

      Note - If the Management API is configured using a TCP port that is not the default port 443 (see output of the api status command), then do one of these:

      • Add the port number as the second argument in the script:
        ./allow_VPN_RA_for_R8040_and_above_gateways.sh 1 <Apache Port Number>

      • Add '--port <Apache Port Number>' in the syntax of each mgmt_cli command in this script.

    9. When the script prompts you to enter your user name and password, enter your SmartConsole credentials.

    10. When the script prompts you to enter a Domain UID:

      • To enable SAML on one of the domains of a Multi-Domain Server, enter the UID of the domain (to see the UID, run “mgmt_cli show domains”).

      • In other cases, or to enable SAML in all domains, leave the prompt empty and press Enter.

  13. In SmartConsole, install the Access Control Policy on each Security Gateway.

Note - This step is relevant only for Endpoint Security Client for Windows and Endpoint Security Client for macOS.

  1. Install Remote Access VPN clients for Windows or for macOS. For more information, see sk172909.

  2. Optional: Configure the Identity Provider browser mode. By default, the Windows client uses its embedded browser, and the macOS client uses the Safari browser to prove its identity in the Identity Provider's portal.

    Configuring Remote Access VPN client for Windows to use the endpoint computer's default browser (example: Chrome):

    Note - This configuration is supported starting from Remote Access VPN client for Windows version E87.30.

    1. Log in to the Windows endpoint computer as an Administrator.

    2. Open a plain text editor.

    3. Open the trac.defaults file in the text editor.

      File location on 32-bit Windows:

      %ProgramFiles%\CheckPoint\Endpoint Connect\trac.defaults

      File location on 64-bit Windows:

      %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.defaults

    4. Change the value of the "idp_browser_mode" attribute from "embedded" to "default_browser".

    5. Save the changes in the file and close the text editor.

    6. Stop the Remote Access VPN client and start it again.

    7. Open the Windows Command Prompt and run these commands:

      1. net stop TracSrvWrapper

      2. net start TracSrvWrapper

    Configuring Remote Access VPN client for macOS to use the endpoint computer's default browser (example: Chrome):

    Note - This configuration is supported starting from Remote Access VPN client for macOS version E87.30.

    1. Log in to the macOS endpoint computer as an Administrator.

    2. Open a plain-text editor.

    3. Open the trac.defaults file in the text editor. File location:

      /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/Trac.defaults

    4. Change the value of the idp_browser_mode attribute from "embedded" to "default_browser".

    5. Save the changes in the file and close the text editor.

    6. Stop the Remote Access VPN client and start it again.

    7. Open the Terminal and run these commands:

      1. sudo launchctl stop com.checkpoint.epc.service

      2. sudo launchctl start com.checkpoint.epc.service

    Configuring Remote Access VPN client for Windows to use the Internet Explorer browser:

    1. Log in to the Windows endpoint computer as an Administrator.

    2. Open a plain text editor.

    3. Open the trac.defaults file in the text editor.

      • On 32-bit Windows:

        %ProgramFiles%\CheckPoint\Endpoint Connect\trac.defaults

      • On 64-bit Windows:

        %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.defaults

    4. Change the value of the "idp_browser_mode" attribute from "embedded" to "IE".

    5. Keep the changes in the file and close the text editor.

    6. Stop the Remote Access VPN client and start it again. Open the Windows Command Prompt as an Administrator and run these commands:

      1. net stop TracSrvWrapper

      2. net start TracSrvWrapper

    Configuring the browser mode for a Windows endpoint computer in a configuration file on the Remote Access VPNGateway:

    Starting from Remote Access VPN Client for Windows version E88.41, you can configure the browser mode for the endpoint computer in a configuration file on the Remote Access VPNGateway. The idp_browser_mode parameter in the trac_client_1.ttm file controls the browser mode. For more information, see sk75221.

Authorization is for these types of groups:

  • Identity Provider groups - The groups the Identity Provider sends.

  • Internal groups - The groups that are received from User Directories configured in SmartConsole (internal user groups or LDAP groups).

To configure the Identity Provider groups:

  1. In the Identity Provider's interface, configure a SAML attribute:

    1. Define an optional attribute named group_attr.

    2. Configure the attribute according to the Identity Provider's requirements.

  2. In SmartConsole, create an internal User Group object with this name (case-sensitive, spaces not supported):

    EXT_ID_<Name_of_Role>

    For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.

    Note - In Microsoft Azure, Identity Tags are not supported for Remote Access connections.

Identity Provider groups and Internal groups (example: LDAP) are used for authorization.

Authorization types: Remote Access VPN Community and Access Roles

To apply authorization by Remote Access VPN, add the applicable group to the Remote Access VPN.

To apply authorization by Access Roles, add the applicable group to an Access Role in the Access Control Policy.

Known Limitations

  • This feature supports only IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. clients.

  • All Remote Access VPN users and endpoint computers must be configured in an Identity Provider for authentication. This applies to managed endpoint computers and non-managed endpoint computers.

  • In the SAML-based authentication flow, the Identity Provider issues the SAML ticket after one or multiple verification activities.

  • Quantum Spark Appliances with Gaia Embedded OS are not supported.

  • SAML authentication cannot be configured with more authentication factors in the same login option. The Machine Certificate Authentication option is supported. To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps. The complexity and number of verification activities depends on the configuration of the Identity Provider.

  • For Windows and macOS endpoint computers or appliances (managed and non-managed), Check Point Remote Access VPN client must be installed.

  • In the security Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase., you can only enforce identities received from remote access SAML authentication at the VPN termination point.

  • Connecting from a CLI to a realm with Identity Provider is not supported.

  • Remote Access VPN client for ATMs is not supported.

  • Secure Domain Logon (SDL) with Identity Provider is not supported.

  • Identity Tags are not supported for Remote Access VPN connections.