https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95454#M9952 <P>Thanks PhoneBoy,</P> <P>Are you saying I still need to import the customers CA Key for verification using SSLVPN to do a cert request like the below example?</P> <P>Will this be one cert per cluster or do I need a cert per gateway?</P> <P>Do I then to add ISE as a Radius server and the Domain Controller as and LDAP server? I saw a few threads related to needing both configured in smartconsole</P> Fri, 28 Aug 2020 00:31:28 GMT Edmund_Carbon 2020-08-28T00:31:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95449#M9950 <P>Hi, has anyone configured Check Point Gateway to forward VPN request using Certificates to Cisco ISE for authentication to AD.</P> <P>Basically users with Capsule Connect client&nbsp; will VPN into the Gateway using only a pre-configured certificate push by an MDM. Check Point will receive the request and forward ito ISE. Cisco ISE will authorize and authenticate using Active Directory. The request should come back to Check Point gateway and then user will be allowed access to the network.</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 27 Aug 2020 23:11:33 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95449#M9950 Edmund_Carbon 2020-08-27T23:11:33Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95450#M9951 <P>You don't really "forward" requests for certificate authentication anywhere.<BR />You import the relevant CA key into the Check Point management (as an OPSEC CA) and set your gateway (cluster) object to accept this CA as valid for VPN purposes.<BR />We can validate the certificate and the other attributes in the certificate, associating it to the relevant user.<BR />I believe that can be Cisco ISE (via RADIUS), but haven't tried it myself.&nbsp;</P> Thu, 27 Aug 2020 23:49:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95450#M9951 PhoneBoy 2020-08-27T23:49:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95454#M9952 <P>Thanks PhoneBoy,</P> <P>Are you saying I still need to import the customers CA Key for verification using SSLVPN to do a cert request like the below example?</P> <P>Will this be one cert per cluster or do I need a cert per gateway?</P> <P>Do I then to add ISE as a Radius server and the Domain Controller as and LDAP server? I saw a few threads related to needing both configured in smartconsole</P> Fri, 28 Aug 2020 00:31:28 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95454#M9952 Edmund_Carbon 2020-08-28T00:31:28Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95457#M9953 <P>You would import the CA key once and configure each gateway to accept it.<BR />And yes ISE would be configured as RADIUS and AD for LDAP.</P> Fri, 28 Aug 2020 04:52:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-Configure-Check-Point-to-forward-VPN-Certificate/m-p/95457#M9953 PhoneBoy 2020-08-28T04:52:15Z