
Remote Access VPN and Identity Agent

Hello,

We have migrated our VPN users to a firewall which also hosts the Identity Agent using Active Directory credentials.

In the inner network there is no problem with the Identity Agent. It authenticates, and the Identity Portal is working in the browser.

When you connect with Endpoint Security VPN using RADIUS two-factor authentication, the VPN connection works as expected. But the Identity Agent does not work. If you open the Identity Portal in the browser, you get redirected to the SNX Portal.

How can we change this behaviour?

We are using R80.10 Management with R77.30 Gateways.

Thanks,

Jan

4 Replies
Admin

Re: Remote Access VPN and Identity Agent

I'm not sure I understand the use case for Identity Agent when your VPN client provides a source of identity the gateways can use.

Is there some use case I'm missing here?


Re: Remote Access VPN and Identity Agent

Hello,

For Identity Awareness we are using Active Directory. As we use two-factor authentication for VPN, the users are not recognized as AD users, only as users of a RADIUS group. So the rules made for these users do not match.

I do not know how to match these users.

Also, if the user is an administrator and sometimes needs access to systems that are not covered by his default user rule, he has to identify as another user on the IA Portal. But this would be a rare problem.

Apart from that, I don't know how to put an explicit RADIUS user in a rule without defining the user in the Check Point firewall.

I have opened a Service Request, so we will see if there is a better approach.

Thanks,

Jan

Re: Remote Access VPN and Identity Agent

Jan,

Did you solve this problem? It is also a problem for my customer...

Best regards,

Tomasz


Re: Remote Access VPN and Identity Agent

Hello,

No, we didn't solve the problem. We are redesigning our network at the moment. We will have a second firewall in the internal network that will run the Identity Portal, so we will not have the problem anymore.

The only option I see at the moment is to bind the Portal to all interfaces. But then the interface facing the Internet will also expose the Identity Portal. I think this is a security concern, so I will not do this.

Another option could be to duplicate the Identity rules and replace the Identity users with the VPN users.

As we are using the rules only for administrators at the moment, I decided to wait for the redesign.

Best regards,

Jan
