PhoneBoy
Admin

SAML Support for Remote Access VPN

This question has come up a lot on the community.
We now have a formally supported solution that allows integration with ADFS and other SAML-based authentication.
This requires Check Point gateways running (at minimum) the following releases:

  • R80.40 JHF 114 or above (not supported with Maestro)
  • R81 JHF 42 or above (not supported with Maestro)
  • R81.10 JHF 9 or above (not supported with Maestro)
  • R81.20 (supported with Maestro) and above

The following VPN clients are supported (minimum versions listed):

  • E84.70 on Windows
  • E85.30 on macOS
  • Capsule VPN clients (see sk181494), which requires the following gateway versions:
    • R81.10 JHF 43 and above
    • R81.20 JHF 113 and above 

This solution is NOT currently supported with:

  • Capsule Workspace
  • Embedded Gaia/SMB Gateways

If such support is needed, please open an RFE with your local Check Point office.

You can see the details in the R81.20 Remote Access VPN guide under SAML Support for Remote Access VPN and/or sk172909.

See also this video by @Peter_Elmer 

(Last edited April 2024)


Accepted Solutions
PhoneBoy
Admin

Azure AD authentication is not supported with the Capsule VPN clients (be it Windows, iOS, or Android).


0 Kudos
Carsten_R
Contributor

I'm now able to do a Remote Access authentication with SAML to Azure AD, and the authorization is now also possible through SAML.

That was the "trickiest" part for me, because the documentation from Check Point is, especially for the authorization, not really helpful.

I've added here a PDF file. It's based on the R81.20 Remote Access documentation with some additional information from me. I'm using R81.20, because I do not need any additional script installation.


I spent so much time in troubleshooting, because the documentation for the authorization is really bad. I was so disappointed that I needed some time to "calm down".


Hint:

The downside of this implementation is that you have to configure two "identical" groups in your Access Role when you want to use Identity Awareness and Remote Access for the same users...

That means:

For Identity Awareness (Browser Based Authentication) you can use the native AAD groups (which are imported through the App Registration), and for Remote Access you have to use internal user groups in the syntax "EXT_ID_" followed by the AAD role name.


PhoneBoy
Admin

idp_browser_mode is supported on Windows from E87.30 client version.
See: https://support.checkpoint.com/results/sk/sk180726 


125 Replies
JustTesting
Participant

This is great news! I've been looking for a way to use Azure MFA, but the Windows NPS RADIUS had some caveats where each additional tunnel with secondary connect re-prompted for MFA.

I am curious how this will behave with secondary connect in my environment, where I have SMB firewalls that won't support the new SAML authentication method. The video says at the 5:20 mark that the identity awareness session can be shared with other gateways post-authentication, but does that apply to authentication itself?

0 Kudos
PhoneBoy
Admin

That’s a good question.
@AndreiR do you know?

0 Kudos
AndreiR
Employee

@PhoneBoy I don't know for sure. Better check with the gateway team.

PhoneBoy
Admin

We checked this and confirmed that this will only work where the gateway has exactly the same authentication factor/factors as the realm on the primary gateway.
This is by design. 

JustTesting
Participant

Understood, thank you for looking into it!

0 Kudos
lullejd
Contributor

Hi,


Has anyone managed to make this work? Although the gateway is upgraded to R80.40 with JHF114, there is still no option in the gateway properties under VPN Clients > SAML Portal Settings, as stated in the Release Notes.


Also on R81, is it yet available?


Thanks


Senior Information Security Engineer
Anat_Bar-Anan
Employee

Hi,

Thanks for your question.

To be able to configure SAML for VPN RA, you'll need to also upgrade your MGMT to the JHF.

As for R81 - the feature is planned to be available in the next R81 JHF - currently scheduled for end of July.

lullejd
Contributor

I have management on R81 with the latest Jumbo Hotfix and a gateway on R80.40 Take 141. I think the management is the problem then. Will have to wait for the new JHF of R81.

Senior Information Security Engineer
0 Kudos
Anat_Bar-Anan
Employee

Updating that the next R81 JHF is scheduled for mid to end of August.

0 Kudos
meeruji
Employee Alumnus

Currently, as per sk172909, for SAML Authentication Configuration you require the following:

  1. Check Point Security Gateway running R80.40 Jumbo Hotfix Accumulator Take 114 or higher.
  2. Check Point Security Management running R80.40 Jumbo Hotfix Accumulator Take 114 or higher.
  3. Endpoint Security Client for Windows (starting from version E84.70 build 986102705), or the macOS Endpoint Security Client version that can be downloaded here: (Endpoint Security VPN).
  4. The latest SmartConsole build for R80.40, Build 423 or higher. Without this the portal page won't be visible. Refer to sk165473 for more details.
  5. If your MGMT server is on R81 or R81.10, the Portal Page will not be visible. Both the Gateway and Mgmt Server need to be on R80.40. Integration seems to be only for R80.40 Gateways, Clusters and VSX currently.
0 Kudos
Heath_H
Contributor

@meeruji  - any updates on the version of the VPN client for macOS?  Especially when SAML support will go mainstream for macOS like it has for Windows?

The version on that linked page is based on E84.30, which has a bug that causes the client to drop the tunnel after successful re-authentication.  It was fixed in the E84.70 release of the client.  So if I want SAML support to improve user experience, I have to negatively impact user experience by introducing a bug in the client.

The macOS version at the link you provided is almost 6 months old now.

0 Kudos
PhoneBoy
Admin

E85.30 should have this functionality.
At this writing, the clients are in Early Availability.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Paul_Hagyard
Advisor

This is much nicer than using the Microsoft NPS AzureAD plugin for MFA!

With reference to the PDF in the SK (SAML for Remote Access VPN, 6 June 2021), using UPN rather than email for LDAP matching (pg 12, Multiple Logon Option) is likely to be more successful. Organisations often have external users requiring access, and the UPN for such users will be the required firstname.surname@org.domain, but their email address in AD is more often an external domain. In such a scenario users cannot log on unless the lookup type is set to UPN.

0 Kudos
Paul_Hagyard
Advisor

I will review the client documentation and likely raise a SR, but is there any known way with Endpoint Security standalone to not perform a CRL check on the gateway VPN certificate?

At present we have got this working with the gateway using a default SmartCenter ICA issued VPN certificate. The SmartCenter CA certificate is loaded into the client trusted root certificate store. Everything works fine, but the client complains about being unable to reach the CRL. The SmartCenter uses an internal domain name, so the CA is not resolvable (and is not accessible from the Internet anyway).

0 Kudos
PhoneBoy
Admin

Without validating the CRL there is no way for the client to know if the remote certificate should be trusted as it could have been revoked.
Even if it is possible (don’t believe it is) it’s not recommended to disable this check.

0 Kudos
Paul_Hagyard
Advisor

Thanks, although it's only the new browser component for SAML doing the CRL check. For non-SAML VPN connections the Endpoint Security client does not complain about being unable to perform a CRL check on the same certificate (e.g. retrieving the site details/policy via HTTPS) - so presumably it is not checking beyond the certificate's CA trust.

Sounds like the easiest option is an external CA cert.

0 Kudos
PhoneBoy
Admin

That...could be a bug and might be worth a TAC case.

0 Kudos
Paul_Hagyard
Advisor

Hi,

For anyone implementing this with Azure AD and retaining local AD group matching via LDAP for Identity Awareness role-based access, we found it was necessary to modify $FWDIR/conf/identity_awareness_custom_settings.C on the SmartCenter server (see sk147417) and uncomment the line:

#\,

to be simply

\,

Otherwise Identity Awareness fails to match AD user DNs in the format "DN=surname\,firstname@domain" and role-based access does not work. A policy install is required to push the behaviour change to the gateway.

Cheers,

Paul

0 Kudos
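The failure mode Paul describes above (an AD DN whose value contains an escaped comma, so a naive comma split breaks the user lookup) as an added Python example; this is not code from the thread or from Check Point, and the sample DN and both split functions are constructed here to illustrate RFC 4514 escaping, not Check Point's own parser:

```python
# Added example (not from the thread or Check Point): why a DN such as
# CN=surname\,firstname@domain breaks a naive split on "," and how an
# RFC 4514-aware split keeps the escaped comma inside its RDN.

def split_dn_naive(dn: str) -> list[str]:
    """Split on every comma, ignoring RFC 4514 escaping (the broken case)."""
    return [part.strip() for part in dn.split(",")]


def split_dn_rfc4514(dn: str) -> list[str]:
    """Split a DN into RDNs, treating a backslash-escaped comma as data."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair together so "\," is not a separator
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn_value(rdn: str) -> str:
    """Return the unescaped attribute value of one RDN, e.g. CN=a\\,b -> a,b."""
    _, _, value = rdn.partition("=")
    return value.replace("\\,", ",")


# Constructed sample DN in the shape the post describes (not a real account)
SAMPLE_DN = r"CN=surname\,firstname@example.com,OU=Users,DC=example,DC=com"

if __name__ == "__main__":
    # Naive split yields five fragments and a dangling backslash;
    # the RFC 4514 split yields the four real RDNs.
    print(split_dn_naive(SAMPLE_DN))
    print(split_dn_rfc4514(SAMPLE_DN))
    print(rdn_value(split_dn_rfc4514(SAMPLE_DN)[0]))
```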
Heath_H
Contributor

Any updates for this support in R81 (my lab is on R81 for testing purposes)? All the manual steps and specific version requirements make this very difficult for me to test on my production gateways.


Given that it's been several months since this was first dropped, any updates on some of the limitations (specifically Identity Sharing - I need to enforce Access Roles on gateways other than my VPN gateways)?


And the SK makes a note about SDL doesn’t support SAML, which I completely understand, but does that mean that we can’t use SDL without SAML and still use SAML for user triggered VPN connections?


Finally, what happens if the client isn’t at a version that supports SAML?  Do they fallback to another supported mechanism (RADIUS) or do they just completely fail to authenticate?

0 Kudos
PhoneBoy
Admin

As far as I know, Remote Access SAML will be added to the R81/R81.10 JHF in the coming weeks.
@Royi_Priov can you speak to the Identity Sharing implications here as the release notes for this mention a planning session with pre-sales?

0 Kudos
Paul_Hagyard
Advisor

In regards to role-based access, if you have on-prem AD DCs then just continue using traditional IA for roles (ADQ / Identity Collector). We're matching UPN format SAML logins against ADQ for role-based access, so the same AD roles can be used on any gateway.

0 Kudos
PhoneBoy
Admin

As of R81.10 JHF 9, Remote Access VPN + SAML Auth is supported.
At this moment, it is not currently integrated into the R81 JHF, but is planned.
The original post has been updated with this information.

0 Kudos
Tim_Tielens
Contributor

Do you know if MAB SNX (SSL VPN) + SAML auth will be supported?
(legacy portal)


0 Kudos
Heath_H
Contributor

Tim - that was already supported in R80.40.  I can't recall the specifics, but it works pretty well because it's already browser based to login to MAB.


0 Kudos
Tim_Tielens
Contributor

The only thing that I can find is this:
How to use SNX with SAML authentication method in Mobile Access (checkpoint.com)

And that is a confusing sk.

I'm using legacy policy, unified is not working for us, too much changes.
If it's supported I need to get TAC involved I guess.

0 Kudos
Heath_H
Contributor

It's basically the same setup method.  Set up the IdP as you normally would, just select "Mobile Access" for the service.  Then on the gateway in Mobile Access, under Authentication, create a new login option.  Select that IdP that you created and then set the rest of the options.  Set the priority of items if you want multiple login options.

That should be all you need to do.


Are you using Legacy policy or Unified Policy?  SNX with SAML requires that you be using Unified Policy (and anything to get off of SmartDashboard is a plus, in my book).

0 Kudos
Tim_Tielens
Contributor

Yeah I know, I did all that 😄
I've read all the SKs for IA and SAML and everything works, except SNX won't connect.

When I'm connected to the corporate network SNX works; when I'm out of the office it won't connect.
Will do some browser debugs tomorrow.

0 Kudos
Tim_Tielens
Contributor

*UPDATE*

Did some browser debugs, and found nothing... just that the process stops, no errors or whatever.
Did cvpnd debug, found nothing....

Decided to delete the whole development domain and start from scratch (since I modified so much with every bit of info I found in all the SKs).

Set up a VS, created a SAML identity provider (updated the URLs in the Azure application) and did the MAB setup.
Well what do you know... SNX works 🙄

Now for some stability testing 😏 since the DEV domain was rather new, only thing I also tried was getting Azure user groups to work in MAB.
That didn't work obviously 😁
(maybe that corrupted the mab snx config in some way)

0 Kudos
PhoneBoy
Admin

And now R81 JHF 42 has been released which includes support for SAML Authentication for Remote Access.
Original post has been updated.

0 Kudos
