Herman
Participant

How to setup machine certificate authentication?

Hello community!
I want to understand how to correctly enable machine certificates for separate VPN access for AD domain machines and AD users.
If I am right about this, to enable this feature I should:

  1. Get the root cert and intermediate cert from my CA, and add these certs to the Check Point environment (according to sk149253) to be able to generate a CSR request for each future machine cert (and here I have a question: after I get the cert generated from the CSR, where should it be put on the user machine? For example, on a Windows machine, in certmgr -> "trusted root cert authorities" or another place?);
  2. In the VPN Gateway, activate the feature "VPN Clients" -> "Authentication" -> select the checkbox "Send Machine Certificate";
  3. Finally, create a rule with an Access Role (of course, before that, activate Identity Awareness for the required AD server) in the Rulebase as follows:
     
    [image: vpnrules.jpg]

Please clarify or correct my suggestions about the machine certificate option for VPN.

7 Replies
G_W_Albrecht
Legend

yunier88
Participant

Hello,

In my case, I would like to find some more detailed documentation or a course that explains how to configure Machine Certificate. If you found any documentation that explains better how to activate it, I would appreciate it if you shared it.

Thanks

G_W_Albrecht
Legend

yunier88
Participant

Thanks for sharing that link, but I can't find all the necessary information there. For example, nowhere does it explain where and how the certificate is configured on the client side. It also doesn't explain how to ensure the client cannot take the certificate and install it on another computer. This documentation does not help me much; if you have any other information to share, I would appreciate it.

G_W_Albrecht
Legend

I am not quite sure what you are talking about - the 3rd paragraph reads:

Machine certificate authentication works with the Endpoint Client only. For more details on how to configure this feature on the client side, see Machine Authentication in the E80.72 and Higher Remote Access Clients Administration Guide.

CCSE CCTE SMB Specialist
yunier88
Participant

Hello,

First of all, thank you for your quick response. In the documentation you invite me to follow, there is the configuration of the Endpoint Client and the parameters to set to use a certificate. But I can't find anywhere that explains:
1. Where to install the certificate on the user's computer.
2. Which certificate to install on the user side.
I only find the process of creating and installing the certificate on the gateway, but no documentation explains how to work with this certificate on the client's computer. I hope I have been a little clearer about my doubts.
Thank you

yunier88
Participant

Hello,

I would like to know if you found the answer to your questions. I also need to know where the certificate is installed on the client side.

Thank you

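Herman's question in step 1 (where the issued certificate goes on the Windows machine) and yunier88's questions 1 and 2 (where and which certificate to install on the client, and how to stop a user moving it to another computer) are not answered in the thread. The following is an added example, not code from this thread, from Check Point, or from the Remote Access Clients Administration Guide referenced above. It shows the Windows side only: the CA's root and intermediate certificates go into the computer's Trusted Root and Intermediate Certification Authorities stores, and the issued machine certificate, together with its private key, goes into the computer's Personal store (certlm.msc, Cert:\LocalMachine\My, not the per-user certmgr.msc store). What the Check Point Endpoint client actually reads is defined by the guide; this example assumes it uses the computer's Personal store. The subject name, output folder, CA file names and provider choice are constructed placeholders.

```powershell
# Added example, not from this thread or from Check Point: Windows-side lifecycle of a
# machine certificate for VPN machine authentication. Run in an elevated PowerShell.
# Assumptions (labelled): the VPN client reads the computer's own certificate from
# Cert:\LocalMachine\My (the "Personal" store under certlm.msc, not certmgr.msc);
# the subject name, output folder and CA file names below are constructed placeholders.
#Requires -RunAsAdministrator

# 1. Create the key pair in the *machine* key store and emit a PKCS#10 CSR for the CA.
#    MachineKeySet=TRUE is what makes this a machine certificate instead of a user one;
#    Exportable=FALSE means the user cannot copy the key to another computer.
function New-MachineCertRequest {
    param(
        [string]$Subject  = "CN=$env:COMPUTERNAME.corp.example.com",   # constructed FQDN
        [string]$OutDir   = "$env:ProgramData\vpn-machine-cert",
        # Use "Microsoft Platform Crypto Provider" to bind the key to the TPM instead.
        [string]$Provider = "Microsoft Software Key Storage Provider"
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $inf = Join-Path $OutDir 'machine.inf'
    $req = Join-Path $OutDir 'machine.req'
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
ProviderName = "$Provider"
MachineKeySet = TRUE
Exportable = FALSE
; 0xA0 = Digital Signature + Key Encipherment
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $inf -Encoding ASCII
    & certreq.exe -new -q $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $req     # submit this file to the CA; the private key never leaves the machine
}

# 2. Once the CA returns the signed certificate: install the chain into the *computer*
#    stores and bind the issued cert to its pending key. certreq -accept locates the key
#    created in step 1, so the certificate lands in Cert:\LocalMachine\My.
function Install-IssuedMachineCert {
    param(
        [Parameter(Mandatory)] [string]$IssuedCer,   # e.g. machine.cer returned by the CA
        [string]$RootCer,                             # root CA certificate (.cer)
        [string]$IntermediateCer                      # issuing / intermediate CA certificate
    )
    if ($RootCer) {
        Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    if ($IntermediateCer) {
        Import-Certificate -FilePath $IntermediateCer -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
    }
    & certreq.exe -accept -machine $IssuedCer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}

# 3. Check the result is really a machine credential: it sits in LocalMachine\My with a
#    private key, the key is non-exportable, it carries the Client Authentication EKU,
#    and the chain builds up to the installed root.
function Test-MachineCert {
    param([Parameter(Mandatory)] [string]$Subject)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with private key for '$Subject' in LocalMachine\My" }

    # KSP keys surface as RSACng; ExportPolicy None means the key cannot be exported.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $exportable = ($rsa -is [System.Security.Cryptography.RSACng]) -and
                  ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check here; keep revocation checking on for a production validation.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Store         = 'Cert:\LocalMachine\My'
        Exportable    = $exportable
        ClientAuthEKU = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Usage per machine (elevated):
#   $req = New-MachineCertRequest            # hand machine.req to the CA for signing
#   Install-IssuedMachineCert -IssuedCer "$env:ProgramData\vpn-machine-cert\machine.cer" `
#       -RootCer .\root.cer -IntermediateCer .\intermediate.cer
#   Test-MachineCert -Subject "CN=$env:COMPUTERNAME.corp.example.com"
```

The answer to "which certificate" is therefore the leaf certificate issued from the machine's own CSR, which must carry the Client Authentication EKU; the root and intermediate CA certificates are installed too, but only so the chain validates, and they are never what the client presents. Creating the key with Exportable=FALSE, or in the TPM via the Platform Crypto Provider, is what stops a user moving the credential to another computer: the certificate file alone, without the private key, cannot authenticate, and a CA that also pins the subject to the requesting machine's name will not issue it for another host. Test-MachineCert should report Exportable false, ClientAuthEKU true and ChainValid true before the VPN gateway is pointed at the machine.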