Configuring Remote Access Users

In the VPN > Remote Access Users page you can configure remote access permissions for users and groups.

Users and user groups can be configured in other pages as well (Users & Objects > Users). This page is dedicated to those with remote access permissions. You can add through it:

  • New local users

  • New user groups

  • Active Directory group

  • Active Directory permissions

  • RADIUS group

You can also set SSL VPN bookmarks by user, user group, RADIUS users and Active Directory group.

If no authentication servers are defined, click the Active Directory / RADIUS server link to define them.

Note that when User Awareness is turned off, there is no user identification based on Browser-Based Authentication and Active Directory Queries.

To add a new local user with remote access permissions:

  1. Click Add > New Local User.

  2. In the Remote Access tab in the window that opens, enter this information:

    • User name

    • Password - Enter this again in the Confirm field.

      Note - The password can be up to 100 characters.

    • Comments (optional)

  3. For temporary or guest users, click Temporary user.

    Enter the expiration date and time.

  4. Do not clear the Remote Access permissions checkbox.

  5. In the SSL VPN Bookmarks tab, configure the SSL VPN bookmarks (see below).

  6. Click Apply.

    The user is added to the table on the page.

To add a new local users group with remote access permissions:

  1. Click Add > New Users Group.

  2. In the Remote Access tab, enter the group name.

  3. Do not clear the Remote Access permissions checkbox.

  4. Select initial users to add to the group by clicking the relevant checkboxes from the user list or click New to create new users.

    You can see a summary of the group members above the user list. You can remove members by clicking the X next to the relevant user name.

  5. In the SSL VPN Bookmarks tab, configure the SSL VPN bookmarks (see below).

  6. Click Apply.

    The group is added to the table on the page.

To add remote access permissions to an existing Active Directory group:

  1. Click Add > Active Directory Group.

  2. If no Active Directory was defined, you are prompted to configure one. For more information on configuring Active Directory see VPN > Authentication Servers.

  3. When an Active Directory has been defined, you see a list of available user groups defined in the server.

  4. Select one of the user groups.

  5. Click Apply.

    The Active Directory group is added to the table on the page.

To add remote access permissions to all users defined in an Active Directory:

  1. Click Edit Permissions or Add > Active Directory Permissions.

  2. Select All users in Active Directory. With this option, it is not necessary to use the VPN > Remote Access Users page to select specific users.

    Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option.

  3. Click Apply.

    The Active Directory is added to the table on the page.

To add remote access permissions for users defined in the RADIUS group:

  1. Click Add > RADIUS Group.

  2. If no RADIUS group was defined, you are prompted to configure one.

  3. Select or clear the Enable RADIUS authentication for remote access users checkbox.

  4. When selected, choose which users are given remote access permissions:

    • To allow all users defined in the RADIUS server to authenticate - Select All users defined on RADIUS server.

    • To allow only specific user groups defined in the RADIUS server - Select For specific RADIUS groups only and enter in the text field the names of the user groups, separated by commas.

    • To allow administrators with read-only permissions to authenticate - Select Read-only Administrators.

  5. Click Apply.

    The RADIUS server or specific users from the RADIUS server are added to the table on the page.

Two-Factor Authentication

Two-Factor Authentication, also called multi-factor authentication, is an extra layer of security to prevent unauthorized access to your system. To use Two-Factor Authentication, users must have remote access permissions configured, with an email address and mobile phone number.

You can use the Check Point SMS provider, or an external SMS provider. If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server.

To configure Two-Factor Authentication:

  1. On the VPN Remote Access Control Blade Control page, select Require users to confirm their identity using Two-Factor Authentication.

  2. Click Apply.

  3. Click Configure.

    The Two-Factor Authentication Settings window opens.

  4. In the Configuration tab, select SMS.

  5. To use Check Point SMS, select Use Check Point SMS provider service.

  6. If you select Use External SMS provider, enter the:

    • DynamicID URL.

    • Provider user name.

    • Provider password.

    • API ID.

    • Message to display (optional).

  7. In the Advanced tab, under Dynamic ID Settings, enter the:

    • Length of the one-time password.

    • Amount of time in minutes until the password expires.

    • Maximum number of retries.

  8. Under Country Code, enter the Default country code.

  9. Click Apply.
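The three Dynamic ID settings on the Advanced tab (OTP length, expiry in minutes, maximum retries) define the policy the gateway enforces on every SMS one-time password. The following is an added example, not Check Point code, that shows how such a policy behaves end to end: an OTP is issued from a cryptographic random source at the configured length, is accepted only once, only within the expiry window, and only while the retry budget has not been exhausted. The names DynamicIdPolicy, OtpStore and demo, the clock values and the retry semantics (max_retries counts total attempts against one OTP) are assumptions made for this illustration; they are not product identifiers.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed policy object mirroring the three Dynamic ID settings (assumed names).
@dataclass(frozen=True)
class DynamicIdPolicy:
    otp_length: int = 6       # "Length of the one-time password"
    expiry_minutes: int = 5   # "Amount of time in minutes until the password expires"
    max_retries: int = 3      # "Maximum number of retries" (assumed: total attempts per OTP)


@dataclass
class PendingOtp:
    code: str
    issued_at: datetime
    attempts: int = 0


class OtpStore:
    """Hypothetical in-memory record of the one outstanding OTP per user."""

    def __init__(self, policy: DynamicIdPolicy):
        self.policy = policy
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, user: str, now: datetime) -> str:
        # Digits only, drawn from the OS CSPRNG, at the policy's configured length.
        code = "".join(secrets.choice(string.digits) for _ in range(self.policy.otp_length))
        self._pending[user] = PendingOtp(code=code, issued_at=now)
        return code  # this is the value an SMS provider would deliver to the user's phone

    def verify(self, user: str, submitted: str, now: datetime) -> tuple[bool, str]:
        entry = self._pending.get(user)
        if entry is None:
            return False, "no-otp-outstanding"
        # Expiry is checked first so a stale code cannot be consumed even if correct.
        if now - entry.issued_at > timedelta(minutes=self.policy.expiry_minutes):
            del self._pending[user]
            return False, "expired"
        entry.attempts += 1
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[user]  # single use: a replayed code must fail
            return True, "ok"
        if entry.attempts >= self.policy.max_retries:
            del self._pending[user]  # budget exhausted: user must request a fresh OTP
            return False, "too-many-retries"
        return False, "wrong-code"


def demo() -> list[str]:
    """Walk the policy through success, replay, expiry and retry exhaustion."""
    store = OtpStore(DynamicIdPolicy(otp_length=6, expiry_minutes=5, max_retries=3))
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    results = []

    def wrong(code: str) -> str:
        # Flip the first digit so the guess is guaranteed not to match.
        return str((int(code[0]) + 1) % 10) + code[1:]

    code = store.issue("alice", t0)
    results.append(store.verify("alice", wrong(code), t0)[1])                        # wrong-code
    results.append(store.verify("alice", code, t0 + timedelta(minutes=1))[1])        # ok
    results.append(store.verify("alice", code, t0 + timedelta(minutes=1))[1])        # no-otp-outstanding

    code = store.issue("bob", t0)
    results.append(store.verify("bob", code, t0 + timedelta(minutes=6))[1])          # expired

    code = store.issue("carol", t0)
    results.append(store.verify("carol", wrong(code), t0)[1])                        # wrong-code
    results.append(store.verify("carol", wrong(code), t0)[1])                        # wrong-code
    results.append(store.verify("carol", wrong(code), t0)[1])                        # too-many-retries
    results.append(store.verify("carol", code, t0)[1])                               # no-otp-outstanding
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside verify is the part worth noting: expiry is evaluated before the code comparison, and a correct code is invalidated on first use, so the expiry window and the retry limit together bound how long a delivered SMS code remains useful to anyone other than its intended recipient.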

To sign in with Two-Factor Authentication:

  1. Connect to your VPN.

  2. You are prompted for a DynamicID One Time Password (OTP) which is sent to your mobile phone via SMS.

Notes:

  • VPN Two-Factor Authentication is configured per gateway, not per administrator.

  • When you turn on Two-Factor Authentication, you enable it for all VPN clients. This means all VPN clients must have a configured mobile phone number to connect.

To configure remote access permissions for a user:

  1. On the Remote Access Users page, click Add.

    The New Local User window opens.

  2. In the Remote Access tab, enter the:

    • User name.

    • Password.

    • Email.

    • Mobile phone number.

  3. Select Remote Access permissions.

  4. Click Apply.

To configure SSL VPN bookmarks:

  1. Click Add > New Local User/Users Group/Active Directory Group > SSL VPN Bookmarks tab.

    A new window opens.

  2. Enter new bookmarks or select existing bookmarks.

    Note - If you select Global bookmark, this bookmark is always shown.

  3. Click Apply.

To edit a user or group:

  1. Select the user or group from the list.

  2. Click Edit.

  3. Make the relevant changes and click Apply.

To delete a user or group:

  1. Select the user or group from the list.

  2. Click Delete.

  3. Click OK in the confirmation message.

    The user or group is deleted.