snx
Probably an OLD and not interesting Q... but... When SNX came out it had the WOW factor... especially for those who managed to make AD/SMS 2-fa work. As time went by it became more and more unreliable. Are there any plans on the CP dev team to make mobile clients be AD integrated and SMS compatible for 2-fa authentication? Certificates were a good idea, but it seems they do not work with enterprise PKI, only FW internal.
Sorry, but I feel I do not understand the question. 2FA and MAB/SNX/RA VPN are explained in sk86240 Multiple Authentication Schemes for Mobile Access / Remote Access.
But I think you are (also?) talking about log in to Dashboard = SMS, that is a different pair of shoes...
Sorry, I was not clear about SMS. In my case it is a PIN via text message as the 2nd factor, which does not work with other mobile/RA clients, but only with SNX.
I do not know of any 2nd factor which does not work with other mobile/RA clients, but only with SNX - if you mean Legacy SNX with Mobile Access blade disabled, according to sk86240 there is no 2nd factor, only defined on user or certificate. With Mobile Access Portal / SNX, Capsule Workspace and Endpoint Security VPN, Check Point Mobile for Windows/Mac OS X, SecuRemote you have 2nd factor auth.
Hi Alex,
The formal name of the feature you are talking about here is DynamicID. Essentially you enter a cell phone number into a user record; after the user successfully provides their login and password (the first factor), a text is sent to their cell phone with a code they must then enter (the second factor). As far as I know this technique is only available for use with the Mobile Access Blade (which includes SNX).
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
CET (Europe) Timezone Course Scheduled for July 1-2
Hey Alex.
I am Matan Suissa, VPN TL in QA. I will send your question to the Mobile QA people to verify if and when "make mobile clients be AD integrated and SMS compatible for 2-fa authentication?" is planned.
Can you please expand a bit about why "As time went by it became more and more unreliable."? Is SNX unreliable? Is 2FA?
Thanks.
The SNX unreliability I am referring to is in Network Mode. Using it from Windows 10 and the latest Mac OS(es) is the most problematic. It seems like the latest Microsoft TCP/MSS deployment contributed to the issue the most (Windows side); on the Mac side I had no choice but to switch users to RA clients that do not support SMS/2fa and AD integration in general (back to local accounts). Initial connection and authentication to MAB works fine; the problem is when SNX has to be loaded (it will take several attempts and in some cases I have to remove/reinstall all SNX components to make it work), or after SNX is loaded (RDP sessions will disconnect randomly, and the only way to reconnect is to kill the session completely and start all over). There was a good idea one time to provide a web-enabled RDP proxy, but it never went further on the CP side (open source Guacamole rdp-proxy unsupported). It would also be nice for "portfix" (AD integration and authentication to multiple domains using UPN) to be included in jumbo(s) or in the code and not requested for every new JHF (my firewall infrastructure is R80.10).
