<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic External access to internal RDS gateway in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-access-to-internal-RDS-gateway/m-p/152921#M25558</link>
    <description>&lt;P&gt;Good evening,&lt;/P&gt;&lt;P&gt;Firstly, apologies if I've attached this to the wrong board!&lt;/P&gt;&lt;P&gt;We are looking at how we can use our R80.40 cluster to control external 3rd party access to our internal RDS gateway.&lt;/P&gt;&lt;P&gt;We would like to integrate the solution to AAD for authentication/MFA using SAML. Browser Based Authentication seems like a good way to go with this, but I'm not sure how the gateway would handle the traffic. For example, if user A authenticates to the gateway from IP x.x.x.x, is user B also forced to authenticate if they connect to our gateway from the same IP? Our concern is if two users happen to connect to the gateway from the same remote location which is being NAT'd behind the same public IP, are both users forced to authenticate? Or does one authentication request from that source IP consequently allow traffic from any other hosts NAT'd behind the same IP?&lt;/P&gt;&lt;P&gt;Also, are there any other solutions for this remote access that can integrate with AAD using SAML on an R80.40 gateway?&lt;/P&gt;&lt;P&gt;As always, any advice would be greatly appreciated!&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Aaron.&lt;/P&gt;</description>
    <pubDate>Wed, 13 Jul 2022 19:04:23 GMT</pubDate>
    <dc:creator>AaronCP</dc:creator>
    <dc:date>2022-07-13T19:04:23Z</dc:date>
    <item>
      <title>External access to internal RDS gateway</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-access-to-internal-RDS-gateway/m-p/152921#M25558</link>
      <description>&lt;P&gt;Good evening,&lt;/P&gt;&lt;P&gt;Firstly, apologies if I've attached this to the wrong board!&lt;/P&gt;&lt;P&gt;We are looking at how we can use our R80.40 cluster to control external 3rd party access to our internal RDS gateway.&lt;/P&gt;&lt;P&gt;We would like to integrate the solution to AAD for authentication/MFA using SAML. Browser Based Authentication seems like a good way to go with this, but I'm not sure how the gateway would handle the traffic. For example, if user A authenticates to the gateway from IP x.x.x.x, is user B also forced to authenticate if they connect to our gateway from the same IP? Our concern is if two users happen to connect to the gateway from the same remote location which is being NAT'd behind the same public IP, are both users forced to authenticate? Or does one authentication request from that source IP consequently allow traffic from any other hosts NAT'd behind the same IP?&lt;/P&gt;&lt;P&gt;Also, are there any other solutions for this remote access that can integrate with AAD using SAML on an R80.40 gateway?&lt;/P&gt;&lt;P&gt;As always, any advice would be greatly appreciated!&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Aaron.&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2022 19:04:23 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-access-to-internal-RDS-gateway/m-p/152921#M25558</guid>
      <dc:creator>AaronCP</dc:creator>
      <dc:date>2022-07-13T19:04:23Z</dc:date>
    </item>
    <item>
      <title>Re: External access to internal RDS gateway</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-access-to-internal-RDS-gateway/m-p/152932#M25559</link>
      <description>&lt;P&gt;Browser Based Authentication is really only for internal hosts, not necessarily external ones.&lt;BR /&gt;And, in your case, if one person authenticates from a specific IP, all users who appear to be coming from that IP would also be allowed.&lt;/P&gt;
&lt;P&gt;A better solution from a remote site would be something like Mobile Access Blade, which would authenticate each user.&lt;BR /&gt;This should be able to integrate with AAD via SAML authentication.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2022 02:04:16 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-access-to-internal-RDS-gateway/m-p/152932#M25559</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2022-07-14T02:04:16Z</dc:date>
    </item>
  </channel>
</rss>

