dt7
Contributor

Centrally change remote access VPN browser setting used for SAML auth by all clients

Hello everyone,

I would like to know if there is a way to set the idp_browser_mode setting for all VPN clients centrally?

I know that you can change this setting for each client via the trac.defaults config file and I have done that before (cf. sk180395 for reference).

For context, my issue is that this setting was set to "embedded" in my case when deploying the VPN client as part of Harmony Endpoint E87.31. However, recently, when upgrading those clients to a newer Harmony Endpoint version (it seems since E88.41 and above), the SAML portal authentication page now opens using the default browser instead of being embedded, without me changing this. I am not sure if this is part of an included change from the more recent Harmony Endpoint versions (I couldn't find anything related to this in the version release notes). My understanding is that with newer versions, when upgrading, the existing trac.defaults file is supposed to be kept as-is (and not overwritten), so I am not sure what is causing the change in this setting with the newer versions...

If anybody has more information on this sudden behavior change, and if it is possible to rectify the setting back to a certain value (in my case back to "embedded") for all clients at once, that would be great. It's not really practical to have to update all the trac.defaults files for all the clients (in my case 100+) just for this.

Thank you in advance for your help.

PhoneBoy
Admin

You can force it on the gateway side by changing idp_browser_mode in the TTM file: https://support.checkpoint.com/results/sk/sk75221

dt7
Contributor

Thanks for the reply, @PhoneBoy,

Can I confirm my understanding on how it works with a few follow-up questions:

1) In the SK and documentation they mention multiple times the file objects.C. I believe it refers to the file $FWDIR/conf/objects.C on the gateway? I do not understand this part and how you are supposed to use that file to know whether you can use the same parameter as defined in trac.defaults (meaning leaving the gateway parameter empty) or not?

Screenshot 2024-09-11 110050.png (excerpt from the SK showing the gateway parameter):

    :gateway (<gateway parameter>)

2) Currently, I don't see the setting idp_browser_mode defined on my cluster member VPN gateways, so I can edit the trac_client_1.ttm with the following section to achieve my goal of setting it back to embedded, correct?

    :idp_browser_mode (
        :gateway (
            :map (
                :embedded (embedded)
                :default_browser (default_browser)
                :client_decide (client_decide)
                :IE (IE)
                :Safari (Safari)
            )
            :default (embedded)
        )
    )

This parameter is already set to default_browser on my clients after the upgrade, but since I define it on the gateway it will take precedence, based on the info on the SK:

Screenshot 2024-09-11 104950.png

3) I do already have other settings defined in the trac_client_1.ttm of my gateway (MEP settings, etc.) as well as on my clients directly (tunnel related) that are being enforced right now. Adding this new setting on the gateway side will not affect the current behavior of those settings, I believe, right? Since in my current setup those settings are already configured as either enforced by the gateway (ex: MEP defined on the gateway) or on the client (ex: enable_machine_auth, machine_tunnel_site, etc.).

Sorry for the detailed post, just looking for clarifications to validate my understanding.

Thank you very much in advance!

PhoneBoy
Admin

I don't recall anything special with the gateway parameter.
However, if you can provide a specific reference to where it talks about objects.C, I can have a look.

Yes, you should be able to add the configuration you mentioned to the trac_client_1.ttm and it should take priority over what is configured on the client.
It should not impact other settings there either.

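As an added illustration of the precedence discussed in this thread (not code from Check Point or from either poster), the script below parses a trac_client_1.ttm-style section written in Check Point's ":key (value)" nesting and works out which idp_browser_mode value a client ends up with. The TTM snippets are constructed samples mirroring the section proposed above; the resolution rule (a non-empty gateway value is pushed to the client and wins over trac.defaults, an empty gateway parameter leaves the client's own value in effect, and a gateway :default must be one of the :map entries) is an assumption taken from the replies and the SK excerpt, not a documented Check Point algorithm. Running it before editing the file on 100+ clients' behalf catches a typo in :default, which would otherwise be pushed to every client at once.

```python
import re

# Constructed sample: the trac_client_1.ttm section proposed in the thread (not a real file).
TTM_SNIPPET = """
:idp_browser_mode (
    :gateway (
        :map (
            :embedded (embedded)
            :default_browser (default_browser)
            :client_decide (client_decide)
            :IE (IE)
            :Safari (Safari)
        )
        :default (embedded)
    )
)
"""

# Constructed sample: gateway parameter left empty, so the client's trac.defaults value stays.
TTM_EMPTY_GATEWAY = """
:idp_browser_mode (
    :gateway ()
)
"""

# Tokens: "(", ")", ":key", or a bare word (values may contain spaces, e.g. "<gateway parameter>").
_TOKEN_RE = re.compile(r'\(|\)|:[A-Za-z0-9_]+|[^\s()]+')


def parse_ttm(text):
    """Parse ':key (body)' nesting into dicts; a body without nested keys becomes a string."""
    tokens = _TOKEN_RE.findall(text)
    tree, pos = _parse_entries(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unbalanced parentheses near token {pos}")
    return tree


def _parse_entries(tokens, pos):
    result = {}
    while pos < len(tokens) and tokens[pos] != ')':
        key = tokens[pos]
        if not key.startswith(':') or pos + 1 >= len(tokens) or tokens[pos + 1] != '(':
            raise ValueError(f"expected ':key (' at token {pos}, got {key!r}")
        pos += 2
        if pos < len(tokens) and tokens[pos].startswith(':'):
            value, pos = _parse_entries(tokens, pos)      # nested block
        else:
            parts = []                                      # scalar body, possibly empty
            while pos < len(tokens) and tokens[pos] != ')':
                parts.append(tokens[pos])
                pos += 1
            value = ' '.join(parts)
        if pos >= len(tokens) or tokens[pos] != ')':
            raise ValueError(f"missing ')' closing {key!r}")
        pos += 1
        result[key[1:]] = value
    return result, pos


def effective_idp_browser_mode(tree, client_value):
    """Return (value, source) with source 'gateway' or 'client'.
    Assumed precedence (from the thread, not documented behaviour): a non-empty
    gateway value overrides the client's trac.defaults; an empty one does not."""
    section = tree.get('idp_browser_mode')
    if not isinstance(section, dict):
        return client_value, 'client'
    gateway = section.get('gateway', '')
    if isinstance(gateway, dict):
        chosen = gateway.get('default', '')
        allowed = gateway.get('map')
        # Reject a :default that is not a :map entry before it reaches every client.
        if isinstance(allowed, dict) and chosen and chosen not in allowed:
            raise ValueError(f"gateway default {chosen!r} is not one of {sorted(allowed)}")
    else:
        chosen = gateway                                    # ':gateway (<value>)' scalar form
    if not chosen:
        return client_value, 'client'
    return chosen, 'gateway'


if __name__ == '__main__':
    # Client value 'default_browser' models the post-upgrade trac.defaults described above.
    for name, text in (('proposed section', TTM_SNIPPET), ('empty gateway', TTM_EMPTY_GATEWAY)):
        value, source = effective_idp_browser_mode(parse_ttm(text), 'default_browser')
        print(f"{name}: client gets idp_browser_mode={value} (decided by {source})")
```

The parser is deliberately minimal: it handles the nesting used by TTM files but not comments or quoted strings, so treat it as a pre-change sanity check rather than a full reader for objects.C.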