Khay
Participant
Get rid of Secondary Connect - use VPN routing

Hello,


For now, VPN clients are using basic authentication (AD login/password) and I want to enforce a new authentication method for VPN clients (Azure SAML).


The issue is that every client usually opens a secondary tunnel to our main site; it's totally transparent for the user.


With SAML I will have a prompt when the second tunnel opens, so I want to get rid of this functionality. The traffic going through this secondary tunnel is legit, but I want to use VPN routing instead.


To achieve this, should I disable Secondary Connect on all gateways with the "$FWDIR/conf/trac_client_1.ttm" file?
Or can I only modify the encryption domain for VPN clients to include the destination subnet of the remote gateway?


Here is a picture of a part of my infra (default: default encryption domain; azure and vpn-client are specific encryption domains).

Site 1 is the center gateway of a star community where sites 2 and 3 are satellites.

Clients on sites 2 and 3 usually open a secondary tunnel to site 1.

If I add the subnets in red and blue to the encryption domain, should it be enough? I did some tests and I still see a secondary tunnel. If I check the routes on the client I see subnets from all my gateways; is that the issue?


secondaryconnect.jpg

All gateways version: R81.20 Take 99

Thanks for your help

1 Reply
PhoneBoy
Admin

This is expected behavior with SAML as each gateway/cluster is a unique service provider.
I believe it's possible to use Infinity Identity with Secondary Connect, though I'm sure @Royi_Priov will correct me if I'm wrong.

Without Infinity Identity and SAML, yes, you have to disable Secondary Connect if you don't want to be prompted for authentication again.
If you want a specific gateway to allow access to other subnets behind other gateways via VPN routing, you need to add those subnets to the RemoteAccess encryption domain on the relevant gateway.
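A small planning model of the rule stated above: a destination inside the connected gateway's RemoteAccess encryption domain stays in the primary tunnel, while one that exists only in another gateway's domain is what makes the client open a Secondary Connect tunnel (and, with SAML, re-prompt). This is an added example with constructed subnets, not Check Point code and not the poster's real topology; it shows which subnets a satellite's RemoteAccess domain is missing before VPN routing through the hub can replace the second tunnel.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not the poster's subnets): each gateway
# maps to the subnets in its RemoteAccess (VPN client) encryption domain.
ENCRYPTION_DOMAINS = {
    "site1": [ip_network("10.1.0.0/16")],   # hub / center gateway
    "site2": [ip_network("10.2.0.0/16")],   # satellite
    "site3": [ip_network("10.3.0.0/16")],   # satellite
}


def classify(dest, connected_gw, domains=ENCRYPTION_DOMAINS):
    """How a client connected to `connected_gw` reaches `dest`.

    'primary'        -> inside the connected gateway's RA domain (one tunnel)
    'secondary:<gw>' -> only in another gateway's RA domain; this is the
                        case that triggers Secondary Connect and a new
                        SAML prompt
    'clear'          -> in no RA domain, sent outside the VPN
    """
    addr = ip_address(dest)
    if any(addr in net for net in domains[connected_gw]):
        return "primary"
    for gw, nets in domains.items():
        if gw != connected_gw and any(addr in net for net in nets):
            return f"secondary:{gw}"
    return "clear"


def subnets_to_add(connected_gw, hub_gw, domains=ENCRYPTION_DOMAINS):
    """Subnets behind `hub_gw` that `connected_gw`'s RA domain does not cover.

    These are the subnets to add on `connected_gw` (with VPN routing through
    the hub) so that the traffic stays inside the single primary tunnel.
    """
    own = domains[connected_gw]
    return [net for net in domains[hub_gw]
            if not any(net.subnet_of(o) for o in own)]


def extend_domain(connected_gw, hub_gw, domains=ENCRYPTION_DOMAINS):
    """Return a copy of `domains` with the missing hub subnets added."""
    new = {gw: list(nets) for gw, nets in domains.items()}
    new[connected_gw].extend(subnets_to_add(connected_gw, hub_gw, domains))
    return new
```

Note that this models only the encryption-domain check; the answer above still calls for disabling Secondary Connect itself when re-authentication prompts must be avoided.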
