topic Re: Centrally change remote access VPN browser setting used for SAML auth by all clients in SASE and Remote Access

Centrally change remote access VPN browser setting used for SAML auth by all clients

dt7 — Tue, 10 Sep 2024 07:45:00 GMT

Hello everyone,

I would like to know if there is a way to set the idp_browser_mode setting for all VPN clients centrally?

I know that you can change this setting for each client via the trac.defaults config file and I have done that before (cf. sk180395 for reference).

For the context, my issue is that this setting was set to "embedded" in my case when deploying the VPN client as part of Harmony Endpoint E87.31. However, recently when upgrading those clients to a newer Harmony Endpoint version (it seems since E88.41 and above), the SAML portal authentication page now opens using the default browser instead of being embedded, without me changing this. I am not sure if this is part of an included change from the more recent Harmony Endpoint versions (I couldn't find anything related to this in the version release notes). My understanding is that with newer versions, when upgrading versions the existing trac.defaults file is supposed to be kept as-is (and not overwritten), so I am not sure what is causing the change in this setting with the newer versions...

If anybody has more information on this sudden behavior change and if it is possible to rectify the setting back to a certain value (in my case back to "embedded") for all clients at once, that would be great. It's not really practical to have to update all the trac.defaults files for all the clients (in my case 100+) just for this..

Thank you in advance for your help.

Re: Centrally change remote access VPN browser setting used for SAML auth by all clients

PhoneBoy — Tue, 10 Sep 2024 14:17:46 GMT

You can force it on the gateway side by changing idp_browser_mode in the TTM file: https://support.checkpoint.com/results/sk/sk75221

Re: Centrally change remote access VPN browser setting used for SAML auth by all clients

dt7 — Wed, 11 Sep 2024 03:07:05 GMT

Thanks for the reply, @PhoneBoy ,

Can I confirm my understanding on how it works with a few follow-up questions:

1) In the SK and documentation they mention multiple times the file objects.C. I believe it refers to the file $FWDIR/conf/objects.C on the gateway? I do not understand this part and how you are supposed to use that file to know if you can use the same parameter as defined in trac.defaults (meaning leaving gateway parameter empty) or not?

:gateway (<gateway parameter>)

2) Currently, I don't see the setting idp_browser_mode defined on my cluster member VPN gateways, so I can edit the trac_client_1.ttm with the following section to achieve my goal in setting back to embedded, correct?

:idp_browser_mode (
:gateway (
:map (
:embedded (embedded)
:default_browser (default_browser)
:client_decide (client_decide)
:IE (IE)
:Safari (Safari)
)
:default (embedded)
)
)

This parameter is already set to default_browser on my clients after the upgrade, but since I define it on the gateway it will take precedence, based on the info on the SK:

3) I do already have other settings defined on the trac_client_1.ttm of my gateway (MEP settings, ..) as well as on my clients directly (tunnel related) that are being enforced right now. Adding this new setting on the gateway side will not affect the current behavior of those settings I believe, right? Since in my current setup those settings are already configured as either enforced by the gateway (ex: MEP defined on the gateway) or on the client (ex: enable_machine_auth, machine_tunnel_site, etc.).

Sorry for the detailed post, just looking for clarifications to validate my understanding.

Thank you very much in advance!

Re: Centrally change remote access VPN browser setting used for SAML auth by all clients

PhoneBoy — Wed, 11 Sep 2024 04:21:41 GMT

I don't recall anything special with the gateway parameter.
However, if you can provide a specific reference to where it talks about objects.C, I can have a look.

Yes, you should be able to add the configuration you mentioned to the trac_client_1.ttm and it should take priority over what is configured on the client.
It should not impact other settings there as well.