David_Spencer
David_Spencer inside Remote Access Solutions yesterday
views 143 7

Mobile VPN for Windows Multiple Authentication options

Currently we have the Checkpoint Mobile for Windows deployed, utilizing username+password with LDAP for login. I'm wanting to implement 2FA, but with a staggered approach (start out with a small set of users). I know that multiple authentication options are possible as per sk111583, however I'm a bit confused on the implementation. Based on AD memberships I want one set of users to be on LDAP, and another set to be utilizing RADIUS (which will accept LDAP credentials, then go off to our 2FA server and do a push notification/PIN to cell, likely using DUO). I'm not sure if I can force the users into certain authentication types based off of LDAP roles, or if the options are presented on the client. Any information on implementing this will be helpful.
Jonathan_Griffi
Jonathan_Griffi inside Remote Access Solutions yesterday
views 108 5

R80.10 - Remote Access VPN - Endpoint Security Diffie-Hellman Support

Info:
Security Manager / Gateway Environment: R80.10
Endpoint Security VPN Client: E80.97

Hi,
I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability. I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients... using Endpoint Security E80.9x. Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048 bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPSec as far as I can tell... happy to be corrected if this understanding is wrong? I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined. Some clarification and/or direction to the relevant resource would be much appreciated.
Thanks,
Jon
Anat_Bar-Anan
inside Remote Access Solutions Tuesday
views 674 1 2
Employee

Clientless RDP support in MAB portal - EA program

We are happy to announce an EA program for customers who are interested in trying out our new clientless RDP support for MAB's portal.

Short introduction:
This addition of an RDP application enables MAB users to access their work desktop remotely, using only their browser, just like they access the other applications published on the MAB portal.

Technology and Requirements:
For the clientless RDP, we use Apache Guacamole, which in turn uses HTML5. Therefore, the user's browser should support HTML5 as well (all major browsers' recent versions support HTML5). An Apache Guacamole server has to be installed (it's also possible to use a Docker image).

Main features:
SSO
RDP personalized link display on the SSL VPN portal (no need for the Guacamole native portal)
SmartConsole GUI configuration
Connection tracking (logs)
New portal look & feel

This Early Availability is based on the R80.10 release and will be available for deployment before the end of the year (Q4 2018). We will only send it to customers who are interested in deploying it and sharing their feedback with us. MAB issues will be handled by R&D during this EA period.
If you're interested in being part of this EA, please contact me directly.

2FA segmented by user (R80.10)

When implementing 2FA with an SMS gateway and AD (in R80.10), is it possible to have some users with 2FA and others not? The purpose is to have superadmins who can remotely access when there are issues with the SMS gateway. Or must the segmentation be between AD users and local users? Also, for the purpose of testing, how can we set up only a single user with 2FA (without enabling 2FA for all users)?
Kurt_Abela
Kurt_Abela inside Remote Access Solutions a week ago
views 841 3

Remote Access VPN - ISP redundancy

Dear all,
Has anyone ever configured Remote Access VPN on an R80.10 mgmt/gw over multiple external links? I am following page 115 of the admin guide http://dl3.checkpoint.com/paid/6a/6a0e3e8c9db992d73daca54eefada918/CP_R80.10_RemoteAccessVPN_AdminGuide.pdf?HashKey=1513… But I am only able to connect on the first try as per sk92383. Now, sk114623 and sk113617 show that this is actually not supported, albeit that the SKs are a bit old. But why does the admin guide explain how to configure this if it is not properly supported?
Many thanks for your feedback,
Kurt
ovidiu_catrina
ovidiu_catrina inside Remote Access Solutions a week ago
views 16481 22 4

remote client VPN authentication with Certificate

Hi,
At the moment we have the standard remote VPN for our users with Office Mode, authentication done through LDAP and MFA, which works perfectly, no complaints here so far, but I want to start implementing certificate-based authentication on the remote VPN clients. The CA is internal; our Active Directory will issue the certificates for the users. I have an NPS server (RADIUS), policy is created, although it could be wrongly configured. I have the RADIUS server defined on the management. But I am missing 2 steps:
1st: how do I enforce/allow users to use the certificate to authenticate?
2nd: could someone provide some step-by-step or a policy configuration for the NPS server?
At the moment I have this: and of course the firewalls defined as clients on the RADIUS server.
Regards
Pedro_Silva
Pedro_Silva inside Remote Access Solutions 2 weeks ago
views 457 1

Remote Access SSL VPN or clientless configuration on R80.20

Hi everyone,
I am trying to configure a scenario to allow Remote Access through an R80.20 gateway using an SSL VPN/clientless configuration. I am looking for recommendations and documentation to set this up. The Remote Access client needs to have network access to the internal network as this is to be used for IT support. We would prefer to keep it simple by not installing a full IPSec client.
I have tried two configurations so far without success:
1. Enabled Mobile Access - was able to get authentication to work and establish connectivity with the SNX client, however could not find a way to present the internal routes to the client. SNX only showed routes to subnets directly connected to the firewall.
2. Disabled Mobile Access and followed instructions in the Remote Access VPN R80.20 Admin Guide - have configured SSL Network Extender support but am not getting a response when I browse to the external IP on the gateway.
Any help appreciated.
Thanks
Pedro
Nikolaos_Liakop
Nikolaos_Liakop inside Remote Access Solutions 3 weeks ago
views 321 1

Restrict Client2Site VPN User Group to connect from specific public IP addresses

Hello.
I would like to ask if it is possible to define whether a specific User Group can connect to the Gateway via RAS VPN but only from specific public IP addresses. I am aware that there are some fields such as "Known Locations" in the User object properties, or "Known networks" in the Access Role Properties, but these Source Networks/IPs get applied only after the VPN connection has already been established.
Thank you.
Alexander_Urits
Alexander_Urits inside Remote Access Solutions 3 weeks ago
views 1806 13

VPN access restriction based on domain membership

Hi.
I'm looking for an option to restrict VPN access only to laptops which are "domain members". Is there a way to accomplish that? (All PCs / part of them?)
Thanks,
Alex
Udupi_krishna
Udupi_krishna inside Remote Access Solutions 3 weeks ago
views 1360 5

SDL with location awareness

Hello Everyone,
I am working on a specific requirement with Endpoint Security VPN E80.92 clients. I read the admin guide in order to enable SDL and location awareness (Global properties > Endpoint Connect). It contains a group with our internal IP addresses. SDL is enabled on the client. Now when these users connect over an external network the SDL pops up, which is good. But when the user comes into the office, we have configured the parameter so that it does not come up, but it doesn't work.
I added the below parameter on the Security Gateway trac client ttm file, but it still doesn't work:

:ignore_sdl_in_encdomain (
	:gateway (
		:map (
			:false (false)
			:true (true)
		)
		:default (true)
	)
)

Unless I have mistaken the syntax or procedure, the above statement should be good. In addition to that, when I look at the trac.defaults file of the client, ignore_sdl_in_encdomain is in fact set to true:

ignore_sdl_in_encdomain STRING true GW_USER 0

While reviewing the logs from the endpoint, I see a weird behavior but am unable to conclude what component is possibly causing the issue.

[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: entering...
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] sdl_enabled return value true, because it is User config variable. Scope: site NULL ,gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] ignore_sdl_in_encdomain return value true, because it is Default variable. Scope: site clientvpn.flybe.com, gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: check if client is in enc domain
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetCurrentClientIP: mLA is NULL
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: clientIP is not initialized in LA yet, try getting it directly
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] gw_ipaddr return value XXX.XX.93.6, because it is Gateway config variable. Scope: site clientXXX.XXXXX.com ,gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][location_awareness] GetExternalInterfaceIndex: GetIpForwardTable needs 1412 bytes
[ 4324 5340][16 Apr 9:37:03][location_awareness] GetExternalInterfaceIndex: External index interface is 0x0, Default gw is 0.0.0.0
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: GetExternalInterfaceIndex failed
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: no client ip - set enc domain result NO_NETWORK
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=no_network
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Trying to open or create registry: Software\CheckPoint\TRAC
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully opened key Software\CheckPoint\TRAC
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 2
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::isUserLoggedOn: Entering...

Here are logs from another test.

[ 4420 5272][17 Apr 10:30:33][location_awareness] LocationAwareness::_NotifyNetworkChange: entering...
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::NotifyNetworkChange: entering, location is UNKNOWN(-1), interfaceIdx=2, interfaceIp=XX.XXX.23.45
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::NotifyNetworkChange: save location result in the registry for sdl
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=out
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Trying to open or create registry: Software\CheckPoint\TRAC
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully opened key Software\CheckPoint\TRAC
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 0
[ 4420 5272][17 Apr 10:30:33][location_awareness] LocationAwareness::NotifyLocation: notify our current location - UNKNOWN
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::LocationNotification: called with location of type -1

I have masked the IP address, but the IP seen here is part of the location awareness Internal IP group. Not sure if I am missing some basic stuff here.
MattDunn
MattDunn inside Remote Access Solutions 3 weeks ago
views 80 3

SNX

Hi everyone 🙂
A customer is reporting problems with SNX. It keeps disconnecting. They were doing some testing yesterday and found repeats of the following stuff in the log from the SNX SSL VPN Network Extender during drops:

[ 3864 4568]@IT[8 May 10:04:35][] fwasync_connbuf_realloc: reallocating 1350b80 from 1208 to 2292
[ 3864 4568]@IT[8 May 9:01:33][] fwasync_mux_in: 2348: read: Connection Reset by peer
[ 3864 4568]@IT[8 May 9:01:35][] SkSetTCP_NODELAY: fd=1428: Invalid Argument
[ 3864 4568]@IT[8 May 9:01:35][] fwasync_conn_params: ->
[ 3864 4568]@IT[8 May 9:01:35][] fwasync_connbuf_realloc: reallocating 0 from 0 to 1208
[ 3864 4568]@IT[8 May 9:01:35][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3864 4568]@IT[8 May 9:01:37][] kmsg_handle_local: 2 records handled
[ 3864 4568]@IT[8 May 9:01:37][] fwasync_connbuf_realloc: reallocating 134e078 from 1208 to 2292
[ 3864 4568]@IT[8 May 8:52:52][] fwasync_mux_in: 2348: read: Connection Reset by peer
[ 3864 4568]@IT[8 May 8:52:54][] SkSetTCP_NODELAY: fd=2348: Invalid Argument
[ 3864 4568]@IT[8 May 8:52:54][] fwasync_conn_params: ->
[ 3864 4568]@IT[8 May 8:52:54][] fwasync_connbuf_realloc: reallocating 0 from 0 to 1208
[ 3864 4568]@IT[8 May 8:52:54][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3864 4568]@IT[8 May 8:51:04][] fwasync_mux_in: 1748: read: Connection Reset by peer
[ 3864 4568]@IT[8 May 8:51:06][] SkSetTCP_NODELAY: fd=2316: Invalid Argument
[ 3864 4568]@IT[8 May 8:51:06][] fwasync_conn_params: ->
[ 3864 4568]@IT[8 May 8:51:06][] fwasync_connbuf_realloc: reallocating 0 from 0 to 1208
[ 3864 4568]@IT[8 May 8:51:06][] fwasync_connbuf_realloc: reallocating 0 from 0 to 66560
[ 3864 4568]@IT[8 May 8:51:14][] kmsg_handle_local: 2 records handled
[ 3864 4568]@IT[8 May 8:51:15][] fwasync_connbuf_realloc: reallocating 139eac0 from 1208 to 2292

This was recorded for each of the drops they experienced over an hour window. The first thing I notice is the date. Yesterday was 5 May. The logs show 8 May. I presume, as it does connect and work for a while each time, the incorrect date isn't the root cause of this problem? Anyone got any ideas? It's R80.10 Take 42.
Thanks,
Matt
John_Borden1
inside Remote Access Solutions 3 weeks ago
views 1174 6 1
Employee

Dynamic ID and 2way SMS Provider

Dynamic ID and two-way SMS providers. Most SMS providers are now requiring two-way SMS in the US. Clickatell is now requiring this format to send an SMS text:

curl -v --capath $CVPNDIR/var/ssl/ca-bundle/ "https://platform.clickatell.com/messages/http/send?apiKey=%APIKEY%==&to=%PHONE #%&content=%DYNAMICCODE%&from=%FROMNUMBER%"

Is this possible in our Dynamic setup? I can send this command directly from the gateway and I get the text message, but can't get the Dynamic SMS within Check Point to send this request. Trying to help a customer with this. If there is an SMS provider users are using that is working, that is also an option.
Thanks,
John Borden CCSA
Gaurav_Pandya
Gaurav_Pandya inside Remote Access Solutions 3 weeks ago
views 154 1

Remote access & SCV configuration

When we edit the $FWDIR/conf/local.scv file on the management server to start enforcing the OsMonitor checks like sk147416 instructs, we get failures when attempting to push the Desktop Policy out to the Gateways. The customer wants to block users from connecting into the environment on computers running Windows XP. Does anyone have any idea how we can troubleshoot this issue?
cezar_varlan1
cezar_varlan1 inside Remote Access Solutions 3 weeks ago
views 891 5

Remote Access Communities

Hello,
I am trying to configure a more complicated VPN setup for Remote Access but it doesn't look like it works the way I was expecting. There is only one Remote Access Community. In the manual we have the line: "You can also create a new Remote Access VPN Community with a different name." but there is no instruction on how to do so. If I add a new community I have only Star or Mesh options and they look like they are a bit different than the built-in Remote Access.
1. First of all, can I have more than one Remote Access Community per Gateway? I can edit the VPN Domain per Remote Access but I can't really get how you can create a second Remote Access Community.
2. I know that there is one Office Mode Pool by default per gateway. If I need to allocate two different IP subnets to users connecting to the gateway based on Group/Username, can I do it in any other way than stated in sk33422 (Office Mode IP and ipassignment.conf file)? This one
3. For non-global split-tunnel we have sk114882 where you can control tunneling mode based on group membership.
Does anyone have a similar setup where, let's say:
Internal VPN Users can access Full-Tunnel and all internal subnets
External VPN Users can access Split-Tunnel and some pre-defined internet destinations with VPN GW NAT
All of this on only one Security Gateway
Thank you,
Cezar
Christoph_Holzi
Christoph_Holzi inside Remote Access Solutions 3 weeks ago
views 1471 20 2

Multiple Remote Access Communities (GW Version?)

Hello,
When playing around in R80.10 Management today, I discovered that it's now possible to define multiple remote access communities (including defining different VPN domains for each RAC). First of all, thank you Check Point - I've been waiting for this feature for so long. [edit 07.01.: more a bug than a feature, see below]
I couldn't find any hints regarding multiple RACs in the R80.10 Release Notes/HFA Notes/Support Center.
So my questions are:
Is there any official statement whether the GW has to run R80.10 or can this be configured for an R77.30 GW (managed by R80.10 SM) as well?
(added) Any experiences/considerations when using on VSX?
Thanks in advance!
Greetings Christoph