topic Re: How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall in Endpoint

How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall

Madmaks — Wed, 17 Sep 2025 06:53:45 GMT

Hi everyone,

We are currently using a Check Point firewall for Remote Access VPN, and we would like to implement two-factor authentication (2FA) for our VPN users. We are using R82 and last jumbo has installed on it.

Instead of using SMS-based 2FA, we would prefer to use email-based verification. Since our organization uses Office 365 for email, we would like to send the 2FA codes to users via their Office 365 email addresses.

Has anyone implemented email-based 2FA for Remote Access VPN on Check Point before? Is this supported natively, or would we need a third-party integration or RADIUS solution? Any documentation, guides, or suggestions would be highly appreciated.

Thank you in advance!

Re: How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall

PhoneBoy — Wed, 17 Sep 2025 13:52:35 GMT

What authentication type are you using currently to authenticate the remote users?
You can send a second factor via email using DynamicID: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/DynamicID.htm

If you're using a SAML-based provider (Azure AD), the other factors should be implemented there.

Re: How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall

Madmaks — Wed, 17 Sep 2025 14:15:21 GMT

Currently, we are only using username and password for authentication via LDAP (Active Directory). In addition to this, we would like to implement 2FA by sending a code via email.

Re: How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall

Madmaks — Wed, 17 Sep 2025 15:28:20 GMT

✅ Summary of What I've Done:

Created a local user on the Check Point firewall.
Enabled Multi-Factor Authentication (MFA) for that local user.
On Office 365, I generated an App Password using the account vpn-mailer@yourdomain.com, as MFA is enabled for that account.
I configured the Check Point email notification settings using the following format:

mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://vpn-mailer@yourdomain.com:app_password_here@smtp.office365.com:587;FROM=sslvpn@yourdomain.com;BODY=$RAWMESSAGE
- I replaced app_password_here with the actual App Password generated from Microsoft 365.
- The TO address is the email associated with the local user.
I completed the configuration on the Check Point firewall side successfully.
On the client side, I'm using Check Point Endpoint Security to connect via Remote Access VPN.
During connection:
- The username and password authentication works correctly (using the local user).
- After that, the endpoint client asks for the MFA response code (OTP), which should be emailed to the user.

❌ Problem:

The email containing the OTP code is never delivered to the user's email inbox.
No error is shown on the client; it just waits for the OTP.
The Check Point firewall is configured to send the OTP via Office 365 SMTP, but it appears the email is either not being sent or not being delivered.

In this case, which logs should I check on the Check Point side, what exactly should I look into, and how can I troubleshoot this issue?

Re: How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall

PhoneBoy — Wed, 17 Sep 2025 17:03:33 GMT

I'd have a look in $CVPNDIR/log/cvpnd.elg to see if anything interesting is logged there.
Otherwise, I suggest TAC.