Herman
Contributor

How to set up machine certificate authentication?

Hello community!
I want to understand how to correctly enable machine certificates for separate VPN access for AD domain machines and AD users.
If I'm right about this, to enable this feature I should:

  1. Get the root cert and intermediate cert from my CA and add these certs to the Check Point environment (according to sk149253) to be able to generate a CSR for each future machine cert (and here I have a question: after I get the cert generated from the CSR, where should it be put on the user machine? For example, on a Windows machine, in certmgr -> "Trusted Root Certification Authorities" or some other place?);
  2. In the VPN Gateway, activate the feature "VPN Clients" -> "Authentication" -> select the checkbox "Send Machine Certificate";
  3. Finally, create a rule with an Access Role (of course, before that, activate Identity Awareness for the required AD server) in the Rule Base as follows:
     
    vpnrules.jpg

Please clarify or correct my suggestions about the machine certificate option for VPN.

13 Replies
G_W_Albrecht
Legend

yunier88
Participant

Hello,

In my case, I would like to find some more detailed documentation or a course that explains how to configure Machine Certificates. If you found any documentation that explains better how to activate it, I would appreciate it if you shared it.

Thanks

G_W_Albrecht
Legend

yunier88
Participant

Thanks for sharing that link, but I can't find all the necessary information there. For example, nowhere does it explain where and how the certificate is configured on the client side. It also doesn't explain how the client is prevented from taking the certificate and installing it on another computer. This documentation does not help me much; if you have any other information to share, I would appreciate it.

G_W_Albrecht
Legend

I am not quite sure what you are talking about - the 3rd paragraph reads:

Machine certificate authentication works with the Endpoint Client only. For more details on how to configure this feature on the client side, see Machine Authentication in the E80.72 and Higher Remote Access Clients Administration Guide.

CCSE CCTE CCSM SMB Specialist
yunier88
Participant

Hello,

First of all, thank you for your quick response. In the documentation you invited me to follow, there is the configuration of the Endpoint Client and the parameters to set to use a certificate. But I can't find anywhere that explains:
1. Where to install the certificate on the user's computer.
2. Which certificate to install on the user side.
I only find the process of creating and installing the certificate on the gateway, but no documentation explains how to work with this certificate on the client's computer. I hope I have been a little clearer about my doubts.
Thank you

JC_S
Employee

Generally speaking, machine authentication certificates are handled through Microsoft AD or similar. Group Policy can be configured for auto-enrollment from the Microsoft CA, and enforced through their mechanisms. The machine certificates are stored in the certlm console (on most Windows computers, just begin typing "certificate" and you should see Manage Computer Certificates), which is part of the CAPI store.

If you are manually installing a 3rd-party certificate as the machine cert, then you will need to make sure you have a way to let your DC know about the machine certificates, as access is generally defined by OU for machine auth.

LazarusG
Participant

Hi JC_S,

The manual points to sk149253 as the first step, which has instructions to add a 3rd-party IPsec certificate. I have had many customers querying this. I have been advising them that only steps 1-14 are relevant and to use only the internal CA tied to their domain.

Are you saying that I was incorrect and that it is possible to use a third-party PKI for this after all?

If so, is there any instruction on how to make AD aware of the 3rd party so that client-presented certs will allow authentication against the domain?

Thanks in advance.

yunier88
Participant

Hello,

I would like to know if you found the answer to your questions. I also need to know where the certificate is installed on the client side.

Thank you

evigl
Explorer

Hi all, I'm still struggling myself... in case anyone can provide more detailed info, any help will be much appreciated 🙂

Cheers!

Helen

Mikael
Contributor

Hello,

The cert should be placed in the local-machine cert store for use with machine-only tunnels.

2019-01-10_14-30-58.jpg

Howard_Gyton
Advisor

For us, we have the client certificate in Personal, the CA in Trusted Root, and the Sub-CA in "Intermediate Certification Authorities". These last two correspond to the Root and Sub-CA server objects created in SmartConsole, respectively. Certs are deployed via Group Policy.

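The placement described in the two replies above (client certificate in the computer's Personal store, CA in Trusted Root, Sub-CA in Intermediate Certification Authorities) can be done and checked from PowerShell when Group Policy auto-enrollment is not available. The following is an added example written for this thread, not code from any poster or from Check Point. It assumes the CA chain was exported as root.cer and subca.cer, the machine certificate with its key as machine.pfx, all under C:\certs, and that it runs in an elevated PowerShell on the client; the file names, the path and the function name Test-MachineCertificate are all assumptions. It also shows one answer to the earlier question about moving the certificate to another computer: importing the PFX without -Exportable leaves the private key non-exportable in the computer store.

```powershell
# Added example for this thread (not Check Point's or any poster's code).
# Assumed files: C:\certs\root.cer, C:\certs\subca.cer, C:\certs\machine.pfx
# Must run elevated: writing to Cert:\LocalMachine\* needs administrator rights.

$CertDir = 'C:\certs'   # assumption

# 1. CA chain: root into Trusted Root, issuing CA into Intermediate Certification
#    Authorities. These mirror the Root and Sub-CA objects created in SmartConsole.
$rootCa = Import-Certificate -FilePath (Join-Path $CertDir 'root.cer')  -CertStoreLocation 'Cert:\LocalMachine\Root'
$subCa  = Import-Certificate -FilePath (Join-Path $CertDir 'subca.cer') -CertStoreLocation 'Cert:\LocalMachine\CA'

# 2. Machine certificate plus private key into the COMPUTER's Personal store
#    (LocalMachine\My, not CurrentUser\My). Without -Exportable the private key is
#    imported as non-exportable, so it cannot simply be exported again and installed
#    on a different computer.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for machine.pfx'
$machineCert = Import-PfxCertificate -FilePath (Join-Path $CertDir 'machine.pfx') `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 3. Verify the result as the VPN client will see it: key present, client-auth EKU,
#    chain builds from the local machine stores, each issuer in the expected store.
function Test-MachineCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $ExpectedRootThumbprint   # optional: pin the root you created in SmartConsole
    )
    $cert     = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key in LocalMachine\My (imported as .cer, or into the wrong store)'
    }

    # Client Authentication EKU, OID 1.3.6.1.5.5.7.3.2
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')
    if (-not $hasClientAuth) { $problems += 'Missing Client Authentication EKU' }

    # Offline placement check only, so revocation is not consulted here.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) $($_.StatusInformation.Trim())" })
    }

    # Every issuer above the leaf: self-signed root must be in Root, any other CA in CA.
    $elements = @($chain.ChainElements | ForEach-Object Certificate)
    for ($i = 1; $i -lt $elements.Count; $i++) {
        $issuer = $elements[$i]
        $store  = if ($issuer.Subject -eq $issuer.Issuer) { 'Root' } else { 'CA' }
        $found  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $issuer.Thumbprint
        if (-not $found) { $problems += "Issuer '$($issuer.Subject)' not found in Cert:\LocalMachine\$store" }
    }
    if ($ExpectedRootThumbprint -and $elements[-1].Thumbprint -ne $ExpectedRootThumbprint) {
        $problems += "Chain ends at '$($elements[-1].Subject)', not at the expected root"
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

Test-MachineCertificate -Thumbprint $machineCert.Thumbprint -ExpectedRootThumbprint $rootCa.Thumbprint
```

A certificate that a user installed by double-clicking the PFX usually ends up in Cert:\CurrentUser\My; it will not be listed by Get-ChildItem Cert:\LocalMachine\My and the Get-Item call above will fail, which is the quickest way to tell a user-store install from the computer-store install the machine tunnel needs.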
zr4
Participant

nice
