Remote Access Solutions

The place to discuss all of Check Point's Remote Access VPN solutions, including Mobile Access Software Blade, Endpoint Remote Access VPN, SNX, Capsule Connect, and more!

Dmitriy_Tiper inside Remote Access Solutions yesterday
views 833 4 2

Using MS Active Directory for remote access VPN

Hi everyone,

I am totally lost in the number of somewhat conflicting documentation and community topics and would be grateful if you can help me.

1. We are on R80.10 version SMS and gateways.
3. IP Sec VPN, Mobile Access and Identity Awareness blades are enabled.
2. We are using Check Point Mobile for Windows client and presently users are created locally.
3. Local users are also assigned to user groups, and user groups are assigned to user roles that are used in access rules to distinguish what users can and cannot access.
4. I need to move to authenticating users against Microsoft AD and also to use the AD user group the user belongs to in MS AD in access rules for remote access VPN - i.e. some sort of authorization.
5. Do I need a user directory license if I just want to enable remote VPN authentication against AD? There is no MS AD management from the Check Point side, just querying AD for user presence and whether the password is valid.
6. What about using the MS AD user group the user belongs to in access rules? During initial setup for Mobile Access I said that I don't want to use AD integration.
7. To make things more complicated, I then need to move to Radius authentication with a soft RSA token and still be able to query MS AD for the user group the connecting user belongs to, to be able to use the AD group in access rules.

Your help is really appreciated!
Xavier_FIQUET inside Remote Access Solutions yesterday
views 86 5

Push the windows Credentials to Endpoint Security client or vice versa

Hello,

we are using the endpoint security client with AD authentication. We are working to avoid 2 times logins: one login/password to connect to the VPN, then the same for Windows authentication.

Is there a way to:
1- connect first to the VPN client with AD credentials (SDL), then "pass" the information to the Windows login screen so that the user is logged in?
OR
2- log in at the Windows login screen and then push the credentials (script, Windows credentials...) to the endpoint client, which automatically logs in to the VPN GW?

Thank you in advance. We are using E80.x and R80.20 platforms.

Regards
TomShanti inside Remote Access Solutions Thursday
views 117 4

Exclude IP addresses (non local subnets) from hub mode

Hi,

is it possible to also exclude specific IP addresses/subnets for a VPN client running in hub mode (route all traffic to gateway)? I know there is a solution for excluding local LANs, but I need to exclude specific IPs and I must not disable hub mode.

Thanks and regards
Thomas
Nbto inside Remote Access Solutions Wednesday
views 107 2

Change expired password in AD via EndPoint

Hello,

I got a problem with changing an expired password in Active Directory by Remote Access (VPN SSL port 636). When I try to change the password I get the error "Failed to modify password, LDAP error". What can be the source of the problem? I tried to modify the user policies which are integrated with CheckPoint - it didn't solve the problem. Of course, I tried the solution from this SK:'t help.

I will appreciate any suggestions.

Thank you,
Nbto
Soeren_Rothe inside Remote Access Solutions Wednesday
views 1113 10 14

C2S - Libreswan 3.23 (Roadwarrior) and R80.30 - working

******************************
WORKING RELEASES:
CentOS 8.0
Fedora 31
Mint 19.2
Ubuntu 18.04.03 LTS
Ubuntu 19.10
******************************

Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / MacOS). This is a guide to connect a Linux VPN Client based on Libreswan to your Check Point environment, using certificates from the InternalCA.

Beginning with libreswan all certificates are stored in the NSS database, therefore we need all certificates (User and CP GW) in P12.

Linux Mint 19.2

1) Download the ISO Image linuxmint-19.2-cinnamon-64bit.iso which uses libreswan: 3.23 (netkey)

2) After Mint 19.2 Linux was installed, install the latest libreswan binary using

    # sudo apt-get install libreswan

3) Initialize the NSS Database

    # sudo ipsec initnss

4) Check the Database by running

    # sudo certutil -L -d sql:/var/lib/ipsec/nss

Gateway / SmartCenter

The first step is to export the Check Point VPN Gateway Certificate from the SmartCenter. Also create a local User in SmartDashboard and export the User p12 Certificate.

R80.30 Jumbo Take 76 - Standalone
Firewall VPN Object: home-fw
VPN Certificate: defaultCert
Encryption Domain:

1) Export the Firewall p12 VPN Certificate (home-fw) from the SmartCenter. To check the Certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname (usually defaultCert).

Run in CLI (bash) on the SmartCenter:

    Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password>

    Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456

A file named "home-fw.p12" will be generated. Copy this over to the Linux VM.

2) In the User object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12

Make sure that this user is part of the Remote Access community. You can check if the connection works with a Check Point VPN Client using Username / PW, for example.

Linux Mint 19.2

Now it is time to import the certificates and to do the libreswan config.

1) Both p12 certificates home-fw.p12 and soeren.p12 are imported using the command "ipsec import"

    # sudo ipsec import home-fw.p12
    # sudo ipsec import soeren.p12

The following command should display all certificates, also the Certificate Nicknames. The Nickname is important for the libreswan configuration later on.

    # sudo certutil -L -d sql:/var/lib/ipsec/nss
    # sudo certutil -L -d sql:/etc/ipsec.d        # Fedora # CentOS

soeren.p12 uses the Certificate Nickname "soeren" and home-fw.p12 uses the Certificate Nickname "defaultCert".

2) In /etc/ipsec.conf only enable the logging.

    # sudo vi /etc/ipsec.conf

    # /etc/ipsec.conf - Libreswan IPsec configuration file
    #
    # Manual: ipsec.conf.5

    config setup
        # Normally, pluto logs via syslog. If you want to log to a file,
        # specify below or to disable logging, eg for embedded systems, use
        # the file name /dev/null
        # Note: SElinux policies might prevent pluto writing to a log file at
        # an unusual location.
        logfile=/var/log/pluto.log
        #
        # Do not enable debug options to debug configuration issues!
        #
        # plutodebug "all", "none" or a combination from below:
        # "raw crypt parsing emitting control controlmore kernel pfkey
        # natt x509 dpd dns oppo oppoinfo private".
        # Note: "private" is not included with "all", as it can show confidential
        # information. It must be specifically specified
        # examples:
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        # Again: only enable plutodebug when asked by a developer
        # plutodebug=none
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least up to 2015)
        virtual_private=%v4:,%v4:,%v4:,%v4:,%v4:,%v6:fd00::/8,%v6:fe80::/10

    # There is also a lot of information in the manual page, "man ipsec.conf"
    #
    # It is best to add your IPsec connections as separate files in /etc/ipsec.d/
    include /etc/ipsec.d/*.conf

3) Create new files called "ra.conf" and "ra.secrets" in /etc/ipsec.d/

    # sudo touch /etc/ipsec.d/ra.conf
    # sudo touch /etc/ipsec.d/ra.secrets

4) Edit the /etc/ipsec.d/ra.conf file

    # sudo vi /etc/ipsec.d/ra.conf

    conn home
        # Right side is libreswan - RoadWarrior
        right=%defaultroute     # or IP address of the Client
        rightcert=soeren        # Certificate Nickname of the users
        rightid=%fromcert       # Certificate ID
        # Left side is Check Point
        # put here your Gateway IP Address
        leftsubnet= # put here your company's network range or for any
        leftcert=defaultCert    # Certificate Nickname of the CP GW
        leftid=%fromcert        # Certificate ID
        # config
        type=tunnel
        keyingtries=3
        disablearrivalcheck=no
        authby=rsasig
        #ike=aes256-sha1;modp1536   # force AES256, SHA1; DH5 in IKE Phase 1
        #phase2alg=aes128-sha1      # force AES128, SHA1 in IKE Phase 2
        ikelifetime=8h          # IKE Lifetime 8h for IKE Phase P1
        salifetime=1h           # SA Lifetime 1h for IKE Phase P2
        pfs=no                  # No PFS in IKE Phase 2
        mtu=1400                # lower MTU size, if not, several Web Sites won't be accessible
        ikev2=no                # IKEv2 is not supported by Check Point in RemoteAccess
        keyexchange=ike
        auto=route

5) Start ipsec with systemctl

    # systemctl enable ipsec
    # systemctl start ipsec
    # systemctl status ipsec    (to check if ipsec was started successfully)

6) Initiate VPN connection to Check Point Gateway

    # sudo ipsec auto --add home
    # systemctl restart ipsec
    # sudo ipsec auto --up home

Connection from Client was successfully initialized.

7) Logs from Check Point GUI

I still need to test DPD (Dead Peer Detection). If the VPN is removed from the CP side, the connection won't be re-established from libreswan.
AlexNoir inside Remote Access Solutions Tuesday
views 108 1

Remote Access VPN E82.00 for Mac OS 10.15 Catalina caused not loading network adapter

Hi all!

Recently, I upgraded from Mac OS 10.14 to 10.15 Catalina. I also upgraded the version of the Remote Access VPN client to one compatible with this OS version, the E82.00. The problem is that, after rebooting, it seems that some kernel extension prevents the OS from loading the network adapter, so there is no wifi, ethernet, etc. Eventually a kernel panic appears and a reboot is forced. Is there a workaround to fix this behaviour, or is there a bug and we should wait for a new version to be fixed?

All the best,
Alex
Sergo89 inside Remote Access Solutions Monday
views 213 5

ssl network extender client

Hello,

I need to download SSL Extender Client from portal? Sorry, maybe I missed something, but I don't know how to do it. Checked the config lots of times... where is this button? Don't see anything, except the default World_Clock...

Thanks!
Rodrigo_Silva inside Remote Access Solutions Monday
views 1668 8 8

Checkpoint VPN with Microsoft 2-Factor Authentication

Hello everyone

I would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.

I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.

What I needed to do:

1 - Office 365 users with MFA enabled.

2 - Dedicated NPS Server.
All Radius requests made to this server will have MFA directed to Microsoft.

3 - NPS extension for Azure MFA
This extension will direct your MFA requests to Microsoft.
You can find the installation and download instructions at the link below.

user can define which method will be used in the Microsoft portal.

I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.
- Notification through mobile app
- Verification code from mobile app
- Text message to phone

I hope this post helps you

Good luck
Daniel_Peschke1 inside Remote Access Solutions Saturday
views 2787 6

VPN Client disconnects after one hour

Hello,

I ran into a problem with remote access VPN. The connection can be established successfully and the resources are available, but exactly after one hour the client disconnects with the error message "Failed to renew encryption keys". In ike.elg it looks like phase 2 is failing, but everything is fine at the initial connection. I checked and changed several lease times and renegotiation times, the client still disconnects after one hour. I already have a service request open since three weeks now with no solution.

Did anyone experience this before?
abihsot__ inside Remote Access Solutions a week ago
views 196 3 1

wildcard certificate for Mobile Access Portal

Hi there,

Has anyone investigated the option of using a Let's Encrypt wildcard certificate for Mobile Access Portal? Since the certificate is valid only for 3 months, obviously it is not an option to change it manually in SmartConsole. There should be some level of automation. Any ideas?
Johan_Rudberg inside Remote Access Solutions a week ago
views 3455 6

Endpoint VPN and auto connect

Does the endpoint vpn have a function to auto connect to the gateway once the user brings their client computer home and connect it to the Internet?
Freddy_Logie inside Remote Access Solutions a week ago
views 616 2 1

IPSec VPN Blade

When I try to activate the IPSec blade on my cluster, it gives me the error "You have defined the gateway's encryption domain using its valid addresses but you have not defined these addresses.  Define valid addresses by editing the interfaces in the network management tab."  I have valid IP's in network management so I'm not sure what this is asking me to do.
Thomas_Andersen inside Remote Access Solutions a week ago
views 1053 8 1

Enable password field in endpoint vpn client

Hi,

I'm trying to build a new .msi as we are updating from E80.70 to E80.90. I've rebuilt the .msi but one problem still remains.

In E80.70, the user could write username and password in one place, and then press connect.
In E80.90, they are required to enter username, press connect, and THEN type the password.

When they enter the username, there IS a password field, but it is disabled. I've looked all over in trac.config/default to change this behavior, but with no luck.

Does anyone have any advice on this?

Br,
Thomas
keiner99 inside Remote Access Solutions a week ago
views 235 2

Check Point VPN silent Installation

Hello,

is it possible to install the Check Point VPN silently on Windows? I want to install the Check Point Mobile Version (Enterprise Grade Remote Access Client), but I can't find any silent parameter to use this version. Is there a solution for that?

Best regards,
keiner99
inside Remote Access Solutions 2 weeks ago
views 1229 2 3

Clientless RDP support in MAB portal - EA program

We are happy to announce an EA program for customers who are interested to try out our new clientless RDP support for MAB's portal.

Short introduction:
This addition of RDP application enables MAB users to access their work desktop from remote, using only their browser, just like they access the other applications published on MAB portal.

Technology and Requirements:
For the clientless RDP, we use Apache Guacamole, which in turn uses HTML5. Therefore, user's browser should support HTML5 as well (all major browsers' recent versions support HTML5).
Apache Guacamole server has to be installed (it's also possible to use a Docker image).

Main features:
- SSO
- RDP personalized link display on the sslvpn portal (no need for the guacamole native portal)
- SmartConsole GUI configuration
- Connection tracking (logs)
- New portal look & feel

This Early Availability is based on R80.10 release and will be available for deployment before end of year (Q4 2018). We will only send it to customers who would be interested to deploy and share their feedback with us. MAB issues will be handled by R&D during this EA period.

If you're interested to be part of this EA – please contact me directly.