Re: snx

Alex_Rozhko · ‎2018-02-23

Probably OLD and not interesting Q... but.. When SNX came out it was WOW factor... especially for those who managed to make AD/SMS 2-fa work. As time went by it became more and more unreliable. Is there any plans on CP dev team to make mobile clients be AD integrated and SMS compatible for 2-fa authentication? Certificates was good idea but it seems does not work with enterprise PKI, only FW internal.

G_W_Albrecht · ‎2018-02-23

Sorry, but i feel i do not understand the question . 2FA and MAB/SNX/RA VPN are explained in sk86240 Multiple Authentication Schemes for Mobile Access / Remote Access.

But i think you are (also?) talking about log in to Dashboard = SMS, that is a different pair of shoes...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Alex_Rozhko · ‎2018-02-23

Sorry was not clear about SMS. In my case it is pin via text message as 2nd factor, which does not work with other mobile/RA clients, but only with SNX.

G_W_Albrecht · ‎2018-02-26

I do not know of any 2nd factor, which does not work with other mobile/RA clients, but only with SNX - if you mean Legacy SNX with Mobile Access blade disabled, according to sk86240 there is no 2nd factor, only defined on user or cetificate. With Mobile Access Portal / SNX, Capsule Workspace and Endpoint Security VPN, Check Point Mobile for Windows/Mac OS X, SecuRemote you have 2nd factor auth.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Timothy_Hall · ‎2018-02-26

Hi Alex,

The formal name of the feature you are talking about here is DynamicID. Essentially you enter a cell phone number into a user record, after the user successfully provides their login and password (the first factor), a text is sent to their cell phone with a code they must then enter (the second factor). As far as I know this technique is only available for use with the Mobile Access Blade (which includes SNX).

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Matan_Suissa · ‎2018-02-26

Hey Alex.

I am Matan Suissa VPN TL in QA. I will send your question to Mobile QA people to verify if and when "make mobile clients be AD integrated and SMS compatible for 2-fa authentication?" is planed.

Can you please expand a bit about why "As time went by it became more and more unreliable." is SNX is unreliable? is 2FA is?

Thanks.

Alex_Rozhko · ‎2018-03-09

SNX unreliability, I am referring to is Network Mode. Using it from Windows 10 and latest MAC OS(es) is the most problematic. Seems like latest Microsoft TCP/MSS deployment contributed to the issue the most (windows side), on MAC side had no choice but switch users to RA clients that do not support SMS/2fa and AD integration in general (back to local accounts). Initial connection and authentication to MAB works fine, problem is when SNX has to be loaded (will take several attempts and in some cases have to remove/reinstall all SNX components to make it work), or after SNX is loaded (rdp sessions will disconnect randomly, and the only way to reconnect is to kill session completely and start all over). There was good idea one time to provide web-enabled rdp proxy, but it never took further on CP side (open source Guacamole rdp-proxy unsupported). It will be also nice for "portfix" (AD integration and authentication to multiple domains using UPN be included in jumbo(s) or in the code and not requested for every new JHF (my firewall infrastructure is r80.10).

Are you a member of CheckMates?

snx