This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Madmaks
Contributor
3 weeks ago

How to Configure Email-Based 2FA for Remote Access VPN Using Office 365 on Check Point Firewall

Hi everyone,

We are currently using a Check Point firewall for Remote Access VPN, and we would like to implement two-factor authentication (2FA) for our VPN users. We are using R82 and last jumbo has installed on it.

Instead of using SMS-based 2FA, we would prefer to use email-based verification. Since our organization uses Office 365 for email, we would like to send the 2FA codes to users via their Office 365 email addresses.

Has anyone implemented email-based 2FA for Remote Access VPN on Check Point before? Is this supported natively, or would we need a third-party integration or RADIUS solution? Any documentation, guides, or suggestions would be highly appreciated.

Thank you in advance!

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
3 weeks ago

What authentication type are you using currently to authenticate the remote users?
You can send a second factor via email using DynamicID: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...

If you're using a SAML-based provider (Azure AD), the other factors should be implemented there.

0 Kudos
Madmaks
Contributor
3 weeks ago
In response to PhoneBoy

Currently, we are only using username and password for authentication via LDAP (Active Directory). In addition to this, we would like to implement 2FA by sending a code via email.

0 Kudos
Madmaks
Contributor
3 weeks ago
In response to Madmaks

Summary of What I've Done:

  1. Created a local user on the Check Point firewall.

  2. Enabled Multi-Factor Authentication (MFA) for that local user.

  3. On Office 365, I generated an App Password using the account vpn-mailer@yourdomain.com, as MFA is enabled for that account.

  4. I configured the Check Point email notification settings using the following format:

     
    mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://vpn-mailer@yourdomain.com:app_password_here@smtp.office365.com:587;FROM=sslvpn@yourdomain.com;BODY=$RAWMESSAGE

    • I replaced app_password_here with the actual App Password generated from Microsoft 365.

    • The TO address is the email associated with the local user.

  5. I completed the configuration on the Check Point firewall side successfully.

  6. On the client side, I'm using Check Point Endpoint Security to connect via Remote Access VPN.

  7. During connection:

    • The username and password authentication works correctly (using the local user).

    • After that, the endpoint client asks for the MFA response code (OTP), which should be emailed to the user.

Problem:

  • The email containing the OTP code is never delivered to the user's email inbox.

  • No error is shown on the client; it just waits for the OTP.

  • The Check Point firewall is configured to send the OTP via Office 365 SMTP, but it appears the email is either not being sent or not being delivered.

In this case, which logs should I check on the Check Point side, what exactly should I look into, and how can I troubleshoot this issue?

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
In response to Madmaks

I'd have a look in $CVPNDIR/log/cvpnd.elg to see if anything interesting is logged there.
Otherwise, I suggest TAC.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events