Sanjay_S
Advisor

MFA Configuration for MobileAccess blade with Client(Checkpoint Endpoint Security)

Hi All,

Currently users are authenticating with SecureEnvoy MFA, and we are planning to move away from SecureEnvoy and use Azure MFA for the Mobile Access blade client-based VPN. May I know what all should be considered here for this change? As per my knowledge, in Azure we use SAML authentication for MFA, so does our Checkpoint support it? If yes, can you please share any relevant docs that would help me configure it, as I did not find one.

Regards,

Sanjay S


Accepted Solutions
PhoneBoy
Admin

Given how SAML authentication works, don't believe that's possible.
For RADIUS, you can definitely do this (using a RADIUS Group object).

17 Replies
PhoneBoy
Admin
Sanjay_S
Advisor

Thanks a lot PhoneBoy. This really helps.

Sanjay_S
Advisor

Hi PhoneBoy,

Can I configure 2 servers simultaneously for authentication?

Sanjay_S
Advisor

Hi All,

Is there any document that helps me in implementing the Azure SAML authentication for Mobile Access Remote Access VPN clients. 

We need to remove the legacy Radius Authentication and put in SAML authentication in place without impact. So please suggest the best way.

Regards,

Sanjay S

PhoneBoy
Admin

Mobile Access has supported SAML authentication since R80.40 for the portal itself. 
For the SNX client, you must use the Unified Policy mode as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
For other remote access clients, https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Sanjay_S
Advisor

Thank you PhoneBoy :)

Is configuring Intune compliance compulsory for SAML authentication?

Also, if we have the Checkpoint self-signed certificate, can't we get this working?

Regards,

Sanjay S

PhoneBoy
Admin

I don't believe Intune is required here, but it can be used if desired.
As far as the SAML authentication piece goes, I don't believe the self-signed certificate is relevant to the flow.

Sanjay_S
Advisor

Hi PhoneBoy,

We have enabled the Identity Awareness blade as well. Do we need to consider any changes to integrate it while we set up SAML authentication? I have gone through the configuration videos from the YouTube link that was provided in the SK, and now I have a bit of confidence in what to do, but I just wanted to understand whether there is any config that needs to be considered for the Identity Awareness blade?

regards,

Sanjay S

PhoneBoy
Admin

Make sure Remote Access is set as an Identity Source in the relevant gateway object(s).
Also, all gateways you are sharing identities with must be on the relevant version/JHF level in order to receive the acquired identities via Remote Access SAML. 

Sanjay_S
Advisor

Hi PhoneBoy,

Is there any lab to test this?

Regards,

Sanjay S

PhoneBoy
Admin

I would work with your local Check Point SE. 

Sanjay_S
Advisor

Hi PhoneBoy,

I have another question here with this after going through the configuration guide below.

https://dl3.checkpoint.com/paid/d9/d99fd83a9b0028e2e6ecb42ac23c840b/CP_R80.40_and_R81_Jumbo_Hotfix_S...

On page 5, do we need to follow the steps below at all for the Mobile Access client-based Remote Access VPN?

i) From the left tree, click VPN Clients > SAML Portal Settings.
j) Make sure the Main URL contains the fully qualified domain name of the gateway. This domain name should end with a DNS suffix registered by your organization. For example: https://gateway1.company.com/saml-vpn
k) Make sure the Certificate is trusted by the end users' browser.

Because our customer uses the IP address to connect to the Remote access VPN.

PhoneBoy
Admin

I guess you could use the IP here, but your users will likely encounter certificate errors doing so.
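The Main URL requirement quoted above (an https URL, an FQDN rather than an IP, under a DNS suffix the organisation registered, with a certificate that covers that name) is something you can sanity-check before users start hitting certificate errors. The script below is an added example written for this thread; it is not Check Point code and not something anyone in the thread posted. The registered suffix list, the URLs and the certificate SAN lists are constructed values, and trust in the certificate chain (step k) is not something it can verify offline, so it only checks that the hostname is actually covered by the certificate's subject alternative names.

```python
"""Sanity-check a Mobile Access SAML Portal "Main URL" against the
requirements quoted in the thread: https, an FQDN (not an IP) under a
DNS suffix the organisation registered, and a hostname that the gateway
certificate's SANs actually cover.  Added example; every value below is
constructed, not taken from a real gateway."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: DNS suffixes this hypothetical organisation has registered.
REGISTERED_SUFFIXES = ("company.com", "company.net")


def _san_matches(host, san):
    """RFC 6125-style name match: exact, or a single-label wildcard such as
    *.company.com (which covers gw1.company.com but not gw1.dmz.company.com
    and not company.com itself)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def check_saml_main_url(url, cert_sans, registered_suffixes=REGISTERED_SUFFIXES):
    """Return a list of problems found with the Main URL; empty means it passes.

    cert_sans: the dNSName / iPAddress SAN entries of the gateway certificate
    as strings (e.g. taken from `openssl x509 -noout -ext subjectAltName`).
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    host = parts.hostname
    if not host:
        problems.append("no host in URL")
        return problems

    # An IP address in the Main URL is exactly the case the thread warns about:
    # it "works", but browsers will not find it in a cert issued for an FQDN.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        is_ip = False
    else:
        is_ip = True
        problems.append("host is an IP address, not a fully qualified domain name")

    # Step j: the FQDN must end with a suffix the organisation registered.
    if not is_ip and not any(
        host == s or host.endswith("." + s) for s in registered_suffixes
    ):
        problems.append(f"host {host} is not under a registered DNS suffix")

    # Step k (the part checkable offline): the cert must name this host.
    if not any(_san_matches(host, san) for san in cert_sans):
        problems.append(
            f"host {host} is not covered by the certificate SANs {list(cert_sans)}"
        )
    return problems


if __name__ == "__main__":
    # Constructed inputs: the documented-style URL, and an IP-based URL like
    # the customer's, both checked against a cert issued to the gateway FQDN.
    for url in ("https://gateway1.company.com/saml-vpn", "https://203.0.113.10/saml-vpn"):
        print(url, "->", check_saml_main_url(url, ["gateway1.company.com"]) or "OK")
```

Feeding it the customer's IP-based URL together with the SANs of the gateway certificate shows both findings at once: the host is not an FQDN, and no SAN covers it, which is the certificate error PhoneBoy predicts. If the gateway certificate really does carry an iPAddress SAN for that address, the second finding disappears, but the FQDN requirement from the guide still stands.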

Sanjay_S
Advisor

Hi PhoneBoy,

Thanks for guiding me all through this thread. I have one more query. In the YouTube link in the SK there is nothing shown about making changes in the GuiDBEdit tool, but in the config guide from page 14 we see changes in GuiDBEdit. Are those changes necessary to get SAML authentication working for Mobile Access Remote Access VPN clients?

Regards,

Sanjay S

PhoneBoy
Admin

I assume these are required if they are in the written documentation.

Sanjay_S
Advisor

Thanks PhoneBoy,

In case, after making the changes in the GuiDBEdit tool, the user machine changes, and also running the script on the particular domain in the MDS, it doesn't work and we need to revert the changes and use RADIUS authentication itself, then what will be the best way to revert the above changes? Changes in the dashboard are easy to revert, but when it comes to these above changes, how can we revert them and how can we get RADIUS working again?

Regards,

Sanjay S
