<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode. in Spark Firewall (SMB)</title>
    <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129444#M5751</link>
    <description>&lt;P&gt;Keep in mind AD Query does two things:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Gets events from the AD server over WMI for login events&lt;/LI&gt;
&lt;LI&gt;Queries LDAP for the relevant groups&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Which means it’s not directly processing the MFA at all, nor does it really care where AD sits provided it is accessible.&lt;BR /&gt;Whether this works with Hybrid Connect Mode or not is a different matter.&lt;BR /&gt;I’m assuming the LDAP piece will fail since SMB appliances do not currently support LDAP over SSL, which presumably will be required for any hosted AD.&lt;/P&gt;</description>
    <pubDate>Tue, 14 Sep 2021 21:59:20 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2021-09-14T21:59:20Z</dc:date>
    <item>
      <title>AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129309#M5724</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I believe that using AD Query is the quickest and easiest (and only) way to natively integrate MS AD MFA authentication and logging (MS AD Hybrid Connect mode) into the SMB appliances running R80.20.30 on the Embedded Gaia OS?&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk60301&amp;amp;partition=Basic&amp;amp;product=Identity#You%20can%20configure%20each%20gateway%20to%20connect%20to%20different%20Domain%20Controllers%20in%20the%20same%20account%20unit" target="_blank"&gt;https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk60301&amp;amp;partition=Basic&amp;amp;product=Identity#You%20can%20configure%20each%20gateway%20to%20connect%20to%20different%20Domain%20Controllers%20in%20the%20same%20account%20unit&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is that correct? Is Secure Platform 2.6 the same OS as Embedded Gaia in this article?&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I notice that the RADIUS Accounting and Identity Collector features that come with the full Gaia OS are not supported as per SK159772.&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk159772#Supported%20Features" target="_blank"&gt;https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk159772#Supported%20Features&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Many thanks.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Sep 2021 17:43:40 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129309#M5724</guid>
      <dc:creator>Beagle15</dc:creator>
      <dc:date>2021-09-13T17:43:40Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129327#M5726</link>
      <description>&lt;P&gt;You are correct, AD Query is the only option on SMB appliances beyond sharing identities from a non-SMB gateway.&lt;BR /&gt;SPLAT is legacy and is not the same as Embedded Gaia.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Sep 2021 19:37:01 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129327#M5726</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2021-09-13T19:37:01Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129328#M5727</link>
      <description>&lt;P&gt;Many thanks.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Sep 2021 19:38:55 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129328#M5727</guid>
      <dc:creator>Beagle15</dc:creator>
      <dc:date>2021-09-13T19:38:55Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129426#M5742</link>
      <description>&lt;P&gt;Hi Dameon,&lt;/P&gt;&lt;P&gt;Sorry, two more clarifications:&lt;/P&gt;&lt;P&gt;- Can you confirm if the AD Query feature fully supports an Active Directory on-premise in Hybrid Connect Mode and also Azure AD in the cloud only? I don't believe it matters where the AD is located? On-premise or in the cloud?&lt;/P&gt;&lt;P&gt;- Can you confirm if MFA and SSO via MS Azure AD are fully supported by the AD Query feature on the SMB appliances? I can't find any documentation to show what MFA and SSO features the AD Query feature supports. Are these the correct links? I.e. on the SMB appliances do you get the full features of the Identity Awareness blade, or is AD Query just a subset of the full Identity Awareness blade and MFA and SSO are not supported? In my mind, as long as you can connect to the AD, both MFA and SSO support should be seamless?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/check-point-identity-awareness-tutorial" target="_blank" rel="noopener"&gt;https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/check-point-identity-awareness-tutorial&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Using-Azure-AD-for-Authorization.htm" target="_blank" rel="noopener"&gt;https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Using-Azure-AD-for-Authorization.htm&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Many thanks for any extra insights.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Sep 2021 17:02:07 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129426#M5742</guid>
      <dc:creator>Beagle15</dc:creator>
      <dc:date>2021-09-14T17:02:07Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129444#M5751</link>
      <description>&lt;P&gt;Keep in mind AD Query does two things:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Gets events from the AD server over WMI for login events&lt;/LI&gt;
&lt;LI&gt;Queries LDAP for the relevant groups&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Which means it’s not directly processing the MFA at all, nor does it really care where AD sits provided it is accessible.&lt;BR /&gt;Whether this works with Hybrid Connect Mode or not is a different matter.&lt;BR /&gt;I’m assuming the LDAP piece will fail since SMB appliances do not currently support LDAP over SSL, which presumably will be required for any hosted AD.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Sep 2021 21:59:20 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129444#M5751</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2021-09-14T21:59:20Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129445#M5752</link>
      <description>&lt;P&gt;Hello, thank you. So can the SMB appliances support MS MFA with Azure AD and the Authenticator App out of the box, and if so, how is it done? This link below seems to imply yes, but what are the prerequisites? Can you show me an SK or some documentation in the MS Azure AD App Gallery that advises this for the SMB appliances?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://blog.checkpoint.com/2021/05/17/check-point-software-announces-new-microsoft-integrations-at-rsa-conference-2021-to-make-enterprises-more-resilient/" target="_blank"&gt;https://blog.checkpoint.com/2021/05/17/check-point-software-announces-new-microsoft-integrations-at-rsa-conference-2021-to-make-enterprises-more-resilient/&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Check Point Remote Access VPN with Azure Active Directory&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The Check Point VPN is a tried-and-true solution which is now available in the Azure Active Directory (Azure AD) app gallery. Check Point VPN customers can now quickly enable single sign-on and manage access to the Check Point VPN with Azure AD.&lt;/P&gt;&lt;P&gt;By integrating with Azure AD, organizations can leverage capabilities such as Conditional Access and passwordless authentication to provide secure and seamless access to Check Point VPN.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;STRONG&gt;Conditional Access&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;allows admins to enforce specific requirements (multi-factor authentication, access from a compliant device, having an approved client app, and more) for a user to act on before granting access into the Check Point VPN.&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Passwordless authentication&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;is a more convenient and secure method of authentication that replaces easily compromised simple passwords. Passwordless authentication methods that integrate with Azure AD include FIDO2 security keys, Windows Hello for Business and the Microsoft Authenticator app. Customers can now use passwordless authentication to sign into the Check Point VPN.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;By integrating with Azure AD, Check Point’s VPN solution can support advanced security capabilities that can help organizations on their Zero Trust journey.&lt;/P&gt;&lt;P&gt;Many thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Sep 2021 22:34:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129445#M5752</guid>
      <dc:creator>Beagle15</dc:creator>
      <dc:date>2021-09-14T22:34:58Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129446#M5753</link>
      <description>&lt;P&gt;In that context, the answer is no, this will definitely not work on SMB appliances.&lt;BR /&gt;We only recently added this to our regular appliances running R80.40 and above in the recent JHFs.&amp;nbsp;&lt;BR /&gt;More details here: &lt;A href="https://community.checkpoint.com/t5/Remote-Access-VPN/SAML-Support-for-Remote-Access-VPN/m-p/117199" target="_blank"&gt;https://community.checkpoint.com/t5/Remote-Access-VPN/SAML-Support-for-Remote-Access-VPN/m-p/117199&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Sep 2021 23:25:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129446#M5753</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2021-09-14T23:25:34Z</dc:date>
    </item>
    <item>
      <title>Re: AD Query feature with SMB Appliances to support MS Azure AD MFA in Hybrid Connect mode.</title>
      <link>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129448#M5754</link>
      <description>&lt;P&gt;Many thanks. If a RADIUS server and NPS were used, would it work around this issue on the OS? &lt;A href="https://sc1.checkpoint.com/documents/SMB_R80.20.30/AdminGuides/Centrally_Managed/EN/Topics/Managing-Authentication-Servers.htm?Highlight=radius" target="_blank"&gt;https://sc1.checkpoint.com/documents/SMB_R80.20.30/AdminGuides/Centrally_Managed/EN/Topics/Managing-Authentication-Servers.htm?Highlight=radius&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The solution design would be like this:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension" target="_blank"&gt;https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Sep 2021 00:39:17 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Spark-Firewall-SMB/AD-Query-feature-with-SMB-Appliances-to-support-MS-Azure-AD-MFA/m-p/129448#M5754</guid>
      <dc:creator>Beagle15</dc:creator>
      <dc:date>2021-09-15T00:39:17Z</dc:date>
    </item>
  </channel>
</rss>