This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jan_Kleinhans
Advisor
‎2018-03-22 07:24 AM

Remote Access VPN and Identity Agent

Hello,

we have migrated our VPN Users to a Firewall which also is the host for Identity Agent using Active Directoy credentials.

In the inner network there is no problem with the Identity Agent. It Authenticates and the Identity Portal is working in the browser.

When you connect with Endpoint Security VPN the VPN Connection using Radius 2Factor authentication the Connections works as espected. But the Identity Agent does not work. If you open the Identity Portal with the browser you get redirected to the SNX Portal.

How can we change this behaviour?

We are using R80.10 Management with R77.30 Gateways.

Thanks,

Jan

5 Replies
PhoneBoy
Admin
Admin
‎2018-03-22 11:20 AM

I'm not sure I understand the use case for Identity Agent when your VPN client provides a source of identity the gateways can use.

Is there some use case I'm missing here?

0 Kudos
Paul_Hagyard
Advisor
‎2022-08-20 11:45 PM
In response to PhoneBoy

Replying to a very old post, but I am considering Identity Agents in conjunction with VPN RAS (SAML to Azure AD) to get machine identities. I don't think there's any way to get this at present with VPN RAS - even if the Azure AD conditional access policy first looks for a machine certificate, I don't think this is being passed to the gateway (or used?). We would like to be able to use roles with both user and machine identities in conjunction with VPN RAS (to allow use of the same roles on perimeter and back-end gateways).

0 Kudos
Jan_Kleinhans
Advisor
‎2018-03-22 11:51 PM

Hello,

for Identity Awareness we are using Active Directory. As we use 2 factor authentication for VPN, the users are not recognized as the AD-Users only as Users of a Radius Group. So the rules made for these Users are not matching.

I do not know how to match these Users.

Also if the user is also an Administrator and needs sometimes access to Systems that are not in his default user rule he has to Identify as another user on the IA Portal. But this would be a rare problem.

Apart from that I don't know how to put an explicit RADIUS User in a Rule without defining the User in the Checkpoint Firewall.

I have made a Service Request. So we will see if there is a better aproach.

Thanks,

Jan

Goldie
Explorer
Explorer
‎2018-07-17 11:49 PM
In response to Jan_Kleinhans

Jan,

Did you solve this problem? It is also problem of my customer ....

Best regards,

Tomasz

0 Kudos
Jan_Kleinhans
Advisor
‎2018-07-18 12:21 AM
In response to Goldie

Hello,

no we didn't solve the problem. We are redesigning our network at the moment. We will have a second firewall in the internal Network, that will run the Identity Portal. So we will not have the problem anymore.

The only option at the moment I see is, to bind the Portal to all Interfaces. But then the interface facing the Internet will also have the Identity Portal. I think this is a security concern, so that I will not do this.

Another option could be to duplicate the Identity Rules and  replace the Identity-Users with the VPN-Users.

As we are using the rules only for Administrators at the moment I decided to wait for the redesign.

Best regards,

Jan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events