MarcuzShinz
Contributor

MFA VPN screen does not appear on Logon screen

Dear Guy!

Currently, we are facing an issue with remote access VPN connectivity on Check Point, specifically:

  1. We are deploying Check Point VPN with MFA via Azure. When we log in to Windows and initiate the VPN connection, an MFA popup appears for authentication, and the connection is successfully established.

  2. The issue we are encountering is that when we attempt to connect to the VPN from the Windows logon screen, the MFA popup does not appear, causing the VPN connection to fail.

=> Is there a way to configure the system to display the MFA popup outside the Windows logon screen?

3 Replies
PhoneBoy
Admin

The ability to prompt for VPN connection before Windows login is a feature we call SDL (Secure Domain Logon).
Because there is no user at the Windows login screen and a browser is needed to perform the authentication, the browser runs with the only permissions it has: SYSTEM.
That's potentially dangerous and thus why we do not support SDL with SAML authentication.

Having said that, we've come up with a different authentication flow for this use case that is more secure.
Specifically, instead of authenticating on the local browser, a QR code is displayed which you can use to complete the authentication flow from a different device.
However, it is currently only available as a customer release tied to a specific version/JHF level and VPN client release.
Contact your local Check Point office for additional information.

MarcuzShinz
Contributor

Dear PhoneBoy

You mean we have to drop authentication with SAML and move to QR code according to this SK?

sk102796 - Creating a QR Code using CPQRGen for Mobile applications

PhoneBoy
Admin

The SK you referred to is relevant to creating a QR Code for adding a site to the Check Point Mobile (iOS and Android) app.
It's not relevant to the issue here.

The issue is that the SAML authentication must be done in a web browser.
The browser that runs at the Windows Login (where you perform SDL) runs with SYSTEM permissions, which is dangerous.
The QR code in question is to allow you to complete the SAML authentication process on a different device (e.g. a mobile phone).

As stated previously, the functions that perform the above are not present in the product today.
They are only available in a specific customer release available from your local office.
I assume this will be added to the product in the future, but don't know the specific timeframe for this.

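As an added illustration, not code from Check Point and not the customer release PhoneBoy describes (whose design is not public in this thread), the Python below models the kind of cross-device approval flow he outlines, in the style of an OAuth 2.0 device authorization grant: the client at the logon screen (running as SYSTEM) obtains a short-lived code and displays it as a QR payload; the user scans it and completes SAML login in the normal, user-context browser on a phone; the gateway marks the code approved; and only the original client, which holds a secret that never went into the QR, can collect the VPN session, exactly once. The gateway URL, class and method names are assumptions, and the SAML exchange itself is simulated by passing the asserted subject.

```python
"""Constructed example of a QR-code / second-device VPN logon flow.

This is an illustration of the general technique, not Check Point's implementation.
The gateway is kept in memory so the example runs offline.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical approval endpoint encoded in the QR code (assumption, not a real URL).
QR_PREFIX = "https://vpn.example.com/sdl/approve?code="


@dataclass
class _Pending:
    client_key_hash: str          # hash of the secret held only by the logon-screen client
    expires_at: float             # absolute time after which the code is dead
    approved_subject: Optional[str] = None   # SAML subject once the phone side succeeds
    token: Optional[str] = None   # VPN session token released to the client on poll


class Gateway:
    """In-memory stand-in for the gateway side of the flow."""

    def __init__(self, ttl_seconds: int = 120, clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._pending: Dict[str, _Pending] = {}

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def start_logon(self):
        """Called by the client at the Windows logon screen.

        Returns (code, client_key, qr_payload). The QR carries only the code; the
        client_key never leaves the machine, so whoever scans (or photographs) the QR
        can approve the session but cannot collect the resulting token.
        """
        code = secrets.token_urlsafe(16)
        client_key = secrets.token_urlsafe(32)
        self._pending[code] = _Pending(self._h(client_key), self._clock() + self._ttl)
        return code, client_key, QR_PREFIX + code

    def _live(self, code: str) -> Optional[_Pending]:
        """Return the pending entry for code, dropping it if it has expired."""
        p = self._pending.get(code)
        if p is None:
            return None
        if self._clock() > p.expires_at:
            del self._pending[code]
            return None
        return p

    def approve(self, code: str, saml_subject: str) -> bool:
        """Called by the gateway's web endpoint after the second device (the user's
        phone) completed SAML login in its own user-context browser.

        The SAML exchange is simulated: the asserted subject is passed in directly.
        A code can be approved at most once and only while it is still live.
        """
        p = self._live(code)
        if p is None or p.approved_subject is not None:
            return False
        p.approved_subject = saml_subject
        p.token = secrets.token_urlsafe(32)
        return True

    def poll(self, code: str, client_key: str) -> Optional[dict]:
        """Polled by the logon-screen client while it waits.

        Returns the session once approved, exactly once, and only to the holder of
        client_key. None means 'not yet', 'unknown/expired code' or 'wrong client'.
        """
        p = self._live(code)
        if p is None or not secrets.compare_digest(p.client_key_hash, self._h(client_key)):
            return None
        if p.approved_subject is None:
            return None                      # user has not finished on the phone yet
        del self._pending[code]              # single use: the code cannot be replayed
        return {"subject": p.approved_subject, "token": p.token}
```

The two properties worth noting are the ones that make the flow safer than a SYSTEM-context browser: nothing the QR exposes is sufficient to obtain a session, and every code is short-lived and single-use, so a code left on screen at an unattended logon prompt has a bounded window and cannot be reused after the client collects it.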