https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248647#M1992 <P>Hi, hard situation. Low cost, not so beautiful, but certificate based VPN can be the solution.</P> <P>Page 40:&nbsp;</P> <P>Digital User Certificates<BR />Digital Certificates are the most recommended and manageable method for authentication.<BR />Both parties present certificates as a means of proving their identity. Both parties verify that the<BR />peer's certificate is valid (i.e. that it was signed by a known and trusted CA, and that the<BR />certificate has not expired or been revoked).<BR />Digital certificates are issued either by Check Point's Internal Certificate Authority or third-party<BR />PKI solutions. Check Point's ICA is tightly integrated with VPN and is the easiest way to<BR />configure a Remote Access VPN. The ICA can issue certificates both to Security Gateways<BR />(automatically) and to remote users (generated or initiated).<BR />Generate digital certificates easily in SmartConsole &gt; Security Policies &gt; Access Tools &gt;<BR />Client Certificates.</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/CP_R81.20_RemoteAccessVPN_AdminGuide.pdf" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/CP_R81.20_RemoteAccessVPN_AdminGuide.pdf</A></P> Mon, 12 May 2025 11:38:00 GMT AkosBakos 2025-05-12T11:38:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248642#M1991 <P>Hai</P><P>&nbsp;</P><P>One of the client needs to enable 2FA, MFA for ssl vpn&nbsp; checkpoint for 15 users .</P><P>Client got on premise AD and no radius server.</P><P>Please provide a recommended solution, and what components required for that solution, like radius server</P><P>&nbsp;</P> Mon, 12 May 2025 11:29:26 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248642#M1991 kevin100 2025-05-12T11:29:26Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248647#M1992 <P>Hi, hard situation. Low cost, not so beautiful, but certificate based VPN can be the solution.</P> <P>Page 40:&nbsp;</P> <P>Digital User Certificates<BR />Digital Certificates are the most recommended and manageable method for authentication.<BR />Both parties present certificates as a means of proving their identity. Both parties verify that the<BR />peer's certificate is valid (i.e. that it was signed by a known and trusted CA, and that the<BR />certificate has not expired or been revoked).<BR />Digital certificates are issued either by Check Point's Internal Certificate Authority or third-party<BR />PKI solutions. Check Point's ICA is tightly integrated with VPN and is the easiest way to<BR />configure a Remote Access VPN. The ICA can issue certificates both to Security Gateways<BR />(automatically) and to remote users (generated or initiated).<BR />Generate digital certificates easily in SmartConsole &gt; Security Policies &gt; Access Tools &gt;<BR />Client Certificates.</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/CP_R81.20_RemoteAccessVPN_AdminGuide.pdf" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/CP_R81.20_RemoteAccessVPN_AdminGuide.pdf</A></P> Mon, 12 May 2025 11:38:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248647#M1992 AkosBakos 2025-05-12T11:38:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248650#M1993 <P>Hai thanks for the reply, will Duo 2fa work with checkpoint ssl VPN&nbsp;</P> Mon, 12 May 2025 11:50:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248650#M1993 kevin100 2025-05-12T11:50:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248652#M1994 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/108557">@kevin100</a>&nbsp;</P> <P>I thought that you don't want to invest any money.</P> <P>If yes, the Cisco DUO is the one of the best and cheapest solution for this. I have experience with that, it works, as expected!</P> <P>Akos</P> Mon, 12 May 2025 11:53:55 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248652#M1994 AkosBakos 2025-05-12T11:53:55Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248653#M1995 <P>Dear Akos</P><P>&nbsp;</P><P>Thanks for the info, do this solution setup need a separate radius server?</P><P>Also hope checkpoint ssl vpn works with laptops&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 May 2025 11:57:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248653#M1995 kevin100 2025-05-12T11:57:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248661#M1996 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/108557">@kevin100</a>&nbsp;</P> <P>A small connector tool is needed for the Cisco DUO. It must be installed locally.</P> <P>SSL VPN ha browsed dependencies. It should work with laptop, of course,</P> <P>Akos</P> Mon, 12 May 2025 12:36:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248661#M1996 AkosBakos 2025-05-12T12:36:32Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248663#M1997 <P>Yea, DUO works 100%. I know few customers who use it without any issues.</P> <P>Andy</P> Mon, 12 May 2025 13:07:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/2FA-for-ssl-VPN/m-p/248663#M1997 the_rock 2025-05-12T13:07:37Z