MrSaintz
Contributor

Check Point Capsule VPN w/Conditional Access


Hi there,

The question I'm about to start might lead people into suggesting other ways, but I've had my share of struggle looking into different approaches.

Objective:

Using Check Point Capsule VPN plugin with Azure Conditional Access Always On

Explanation:

VPN Azure Conditional Access provides compliant devices a short-term certificate to be used for authentication.

If the device doesn't comply with the requirements, the certificate is not provided.

If someone runs a manual configuration using this plugin, the username and password login option is not allowed, and the certificate option will only trust our ICA and that specific CA that only signs a certificate for authorized devices according to policy.

The problem:

The problem is that the short-term certificate, being short-term, can't be "remembered", and the always-on option will break.

I need to setup a VPN profile that:

Automatically maps an existing certificate given a specific EKU OID; instead of being asked for a certificate, the VPN configuration will then use it automatically, allowing login to proceed every time it needs to connect.

I was able to create a profile through MDM that already pinpoints the valid certificate option, but it's not using it automatically.

Also, the profile when synced, asks for the login option as well at least one time.

I need to export Capsule VPN configuration into valid settings that I can add to the distribution profile that will:

Force certificate authentication, instead of asking;

Select and use automatically specific certificate for authentication.

MDM VPN Profile allows XML settings to be added into it, but what I can't figure out so far is what the valid available settings are that I can use for the Capsule VPN plugin, which would allow me to set this thing up and distribute it.

I see that we can set up the config through PowerShell and force certificate auth instead of asking, but that is not in XML format:

> Get-VpnConnection -Name Template

Name : Template
ServerAddress : x.x.x.x
Guid : {3866B121-1965-489E-B8A1-A30E9DAF4ADF}
ConnectionStatus : Disconnected
RememberCredential : True
SplitTunneling : True
DnsSuffix :
IdleDisconnectSeconds : 0
PlugInApplicationID : B4D42709.CheckPointVPN_wz4qkf3wxpc74
CustomConfiguration : #document

I'm curious about this #document at the end; I believe this is where all the settings are. If not, can anyone out there help?

Where can I find this information?


Best regards

Carlos Santos
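As an added example (not code from the thread or from Check Point), this PowerShell snippet dumps the `CustomConfiguration` XmlDocument that shows up as `#document` above and lists personal-store certificates carrying a given EKU OID, which is what the profile would have to pick automatically. The connection name and the EKU OID are assumptions/placeholders.

```powershell
# Added example, not from the thread. Assumes the Capsule VPN connection is
# named "Template" as in the post; the EKU OID is a placeholder to replace
# with the OID your conditional-access CA puts on the short-term certificate.
$ConnectionName = 'Template'
$RequiredEkuOid = '1.2.3.4.5.6.7.8'   # PLACEHOLDER: your CA's client-auth EKU OID

# CustomConfiguration is a System.Xml.XmlDocument (hence "#document" in the
# Get-VpnConnection output). OuterXml shows the plugin settings it carries.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
if ($vpn.CustomConfiguration) {
    $vpn.CustomConfiguration.OuterXml
} else {
    "No CustomConfiguration on '$ConnectionName'"
}

# Candidate certificates: in the user's personal store, with a private key,
# not yet expired, and carrying the required EKU. A short-lived
# conditional-access certificate only appears here while it is still valid.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $RequiredEkuOid)
    }

# Summarise what an automatic selection by EKU would actually match.
$candidates | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
```

If the candidate list is empty while the device is compliant, the certificate has either expired or was issued with a different EKU, which is the first thing to check before touching the profile XML.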
7 Replies
G_W_Albrecht
Legend
MrSaintz
Contributor

Hey G,

Yes, the PowerShell script I mentioned above is the one from the SK, but it allows me to set up, not to extract the field settings and how to structure them in proper XML format to be used in the custom XML settings included in the MDM VPN profile for distribution.
Also, the script alone doesn't include conditional access configuration checks to obtain the short-term certificate.

So the "build" through ps1 only is going to be incomplete anyway if used as the distributed configuration.
I just need more documentation on the settings I could use through XML to see if I can make it work transparently.
Thanks for replying anyway, it means a lot.

Carlos Santos
PhoneBoy
Admin

That’s actually an interesting way to achieve what will probably be much easier to do in the near future when our VPN client supports authentication with a SAML provider…which can support these sort of conditional checks.
I believe we will include this in an R80.40 JHF (and later the R81 JHF) in the coming weeks.

MrSaintz
Contributor

Can that be included in a JHF for R80.30?? 😅 All I get is that, for all the features/blades I'm running my infrastructure on, I should wait for more stable versions...

VSX running SSL inspection, almost every software blade active, running very well on R80.30; lots of bumps until we got here, and if I hear to hold my fingers, I've just frozen the upgrade button for a while, especially working remotely; if anything fails now, downtimes can be increasingly longer.
And what VPN client flavors will benefit from SAML auth? It's always good to hear some interesting news like that... aside from not including R80.30 in that feed *sniff*

cheers

Carlos Santos
PhoneBoy
Admin

Since this feature relies on SAML support that already exists in the gateway (added in R80.40), it is unlikely this will be backported to R80.30.
At least in the customer release that already allows this, only a specific build of the Endpoint Security VPN client is supported.
I presume this will be available in the most recent non-Capsule VPN clients, but that's only a guess.

The reason I exclude Capsule VPN from this is because it is merely a wrapper for built-in VPN functionality in the OS (e.g. Windows) which may or may not support this form of authentication. 

MrSaintz
Contributor

Yes, I understand; no matter my frustration, we need to move forward rather than pushing backwards. We need to discuss the pros and cons of what we currently have that might get affected, to get this SAML support on-boarded as well.

By the way, what specific build of Endpoint Security VPN client are we talking about? Is it just build related or flavour related as well? As in, this specific build running EPS can have SAML, but the same build running Check Point Mobile doesn't...

I'm not a major fan of Capsule VPN to be honest, and maybe I can look at this from a different perspective: give my partners remote access through, let's say, Capsule VPN, enforce restrictive access conditions on anyone using this flavour, and give local.scv another try to enforce some starting compliance points, until we have that "precious" SAML...

Also Capsule VPN doesn't have SDL which is also a major drawback if we want to, let's say, remove offline login with domain accounts, from sensitive devices.

Is there any specific part of CheckMates, or elsewhere in the knowledge base, where I can look for good local.scv policy configuration examples, to enable some checks (login from domain-joined devices only) along with other neat security health checks we can use?

Thank you Dameon

Carlos Santos
PhoneBoy
Admin
Accepted Solution

Since the current information I was reading was in the context of a customer release, the client version is likely also a customer release.
If it is of interest, I recommend reaching out to your local Check Point office, who can get you more details.
That said if you can wait, I’d wait until it’s in the R80.40 JHF (hopefully soon).

We have a few threads on SCV.
This one might be the most useful: https://community.checkpoint.com/t5/Remote-Access-VPN/Real-World-local-scv-Example/m-p/81381#M3084
