PhoneBoy
Admin

SAML Support for Remote Access VPN

This question has come up a lot on the community.
We now have a formally supported solution that allows integration with ADFS and other SAML-based authentication.
This requires Check Point gateways running (at minimum) the following releases:

  • R80.40 JHF 114 or above (not supported with Maestro)
  • R81 JHF 42 or above (not supported with Maestro)
  • R81.10 JHF 9 or above (not supported with Maestro)
  • R81.20 (supported with Maestro) and above

The following VPN clients are supported (minimum versions listed):

  • E84.70 on Windows
  • E85.30 on macOS
  • Capsule VPN clients (see sk181494), which require the following gateway versions:
    • R81.10 JHF 43 and above
    • R81.20 JHF 113 and above 

This solution is NOT currently supported with:

  • Capsule Workspace
  • Embedded Gaia/SMB Gateways

If such support is needed, please open an RFE with your local Check Point office.

You can see the details in the R81.20 Remote Access VPN guide under SAML Support for Remote Access VPN and/or sk172909.

See also this video by @Peter_Elmer 

(Last edited April 2024)

125 Replies
anstelios
Collaborator

@PhoneBoy

We need this integrated in R81.20.

I cannot imagine a customer would accept this solution without MFA prompting every time the user connects to the VPN!

0 Kudos
PhoneBoy
Admin

In the current public EA, at least, it's not integrated.
Hopefully a formal SK can be created for this issue.

0 Kudos
lrossi89
Contributor

Can you explain better ?

0 Kudos
rohmatcsi
Participant

Hi @nflnetwork29

Could you share the file from TAC? I have the same issue; I need to change ForceAuthn to true.

Thank you

0 Kudos
PhoneBoy
Admin

Upon further investigation, the appropriate place to configure this is on the Azure AD side.
See: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access... 

 

0 Kudos
rohmatcsi
Participant

Hi @PhoneBoy

Already solved now, by suggestion from TAC Support, by updating the authsources.php file and adding forceauthn ==> true inside. At this moment the user is always prompted for username and password.

Thank you

0 Kudos
PhoneBoy
Admin

Just to document this for other people, the location of this file is: /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php
However, you will still need to get the updated file from TAC.

0 Kudos
Erzhan
Explorer

Hello!

I configured everything as mentioned in the guide, but stopped on the last step where I should deploy the script. I'm worried about deploying the script because we have 4 GW clusters in our configuration and a SmartConsole management server. Currently we have one GW that all users use for their VPN connection, but I am testing the new features on another GW. I don't want downtime for users that already use VPN with a different authentication method. Will the script affect all users' authentication method, or does it just add values to the database and not affect current users?

I checked the script; it essentially adds some values to the database, but I am not 100% sure. If you need any other information, please let me know.

0 Kudos
Gaurav_Pandya
Advisor

Hi PhoneBoy,

We are planning to use SAML authentication for Mobile Access VPN. We are on R81.10 Take 66 and already using an NPS server for authentication, and we are switching from NPS to SAML. I am following sk172909, and I have a query regarding the script. Do I need to run the script for this scenario? In sk172909, "mobile access" is not mentioned in the product section.

0 Kudos
PhoneBoy
Admin

If you're using the regular VPN client (not SNX), this script applies, whether or not mobile access is involved.

0 Kudos
Gaurav_Pandya
Advisor

Thanks. We are using SNX, so first I will test without applying the script.

0 Kudos
Carsten_R
Contributor

I've done a setup in my lab with R81.10 and it's working very well.

But I have a question for the VPN Community "RemoteAccess".

It's not possible to add an Azure AD group or Identity Tag to the "Participant User Groups".

But what if that VPN Community already contains existing local or LDAP groups?

Is it OK to remove them all (the result is "All Users") and just rely on the Access Role definitions?!

0 Kudos
PhoneBoy
Admin

Yes, that's the correct way to do it: use Access Roles in your access policy.

Carsten_R
Contributor

OK, thanks, but I now run into an issue beyond this. The authorization seems not to work.

I'm using the Microsoft Graph API access / permission to retrieve the group / role assignments. But the user is only getting the group "All Users" and no Role.

I've tried it in Access Role with the AAD group for my Remote Users and also tried it with the Identity Tag.

I'm using R81.10 for Management and Gateway.

I followed this guide: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

0 Kudos
biskit
Advisor

How are you checking for Role?  #pdp monitor user xxx ?

I wonder if your legacy user group in SmartConsole is configured properly - with the correct naming convention?

Does the guide in this link help you?  Solved: Re: Access Role not working? - Check Point CheckMates

0 Kudos
Carsten_R
Contributor

Exactly, I check it with "pdp monitor user xxx"

I've also tested it with a legacy group (with and without the prefix) - no success.

Do I really need a legacy group? I run R81.10, and that should be able to use Microsoft Graph.

I saw the mentioned guide earlier, but that also didn't fix it.

0 Kudos
biskit
Advisor

My understanding of the way it currently works (and how I have mine working) is that you need to use an empty legacy user group with EXT_ID_ and then the exact name (and CaSe) of the Azure group.  Then you use that legacy group within an Access Role.  It's a bit convoluted but it does work.  

Does the authentication work properly when you log in?  Or does it fail with an error?

0 Kudos
Carsten_R
Contributor

Authentication is working as expected.

I've now tried it again with a local group. Tried it with the prefix EXT_ID_ and then the group name and another try with the role name.

pdp monitor shows in both cases this:

[...]

Groups: All Users
Roles: -
Client Type: Remote Access

0 Kudos
biskit
Advisor

Hmm, that sounds most likely to be a problem with the SmartConsole configuration where your user isn't being matched to the correct group/Access Role.  Did you check the Manifest bit in Azure, according to the guide?  Is that correct?

0 Kudos
Carsten_R
Contributor

The manifest file contains three roles. Two were pre-configured, and the role "VPN_Users" is my manually added role.

I have disabled the pre-configured roles "msiam" and "Users", but that didn't fix it.

"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "msiam_access",
    "displayName": "msiam_access",
    "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
    "isEnabled": false,
    "value": "msiam_access"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "User",
    "displayName": "User",
    "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
    "isEnabled": false,
    "value": "User"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "VPN_Users",
    "displayName": "VPN_Users",
    "id": "cc5031b0-2ccd-4331-bb47-6ad6b053d098",
    "isEnabled": true,
    "value": "VPN_Users"
  }
],

Could you please post your group claim configuration here. How exactly do you choose the attribute / Namespace, ...?

0 Kudos
lrossi89
Contributor

Also in our case:

- following the guide (all steps except optional step 6)

- plus sk179788

Authentication is working as expected.

The reception of the groups works properly, but only for a short time (about 1 day).

Afterwards it is necessary to force a policy install to force the reception of access roles again (because the user ends up in "All Users"; it seems that after some time the GW starts to retrieve the groups from local Active Directory groups, no longer preferring Azure).

Has anyone had a similar problem and resolved it?

Our environment now: R81.10 Take 87

 

0 Kudos
Gaurav_Pandya
Advisor

Hi,

We have the same behavior for endpoint client SAML authentication. Primarily we are using Mobile Access VPN with SAML authentication, and it is working fine. We have enabled SAML with AAD for the endpoint client as well and followed sk179788 for the configuration. It worked fine but stopped after 1 day. Users are part of the "All Users" group and it is not enforcing the proper group, hence it hits the cleanup rule. Once we push policy, it starts working again.

We are on R81.10 take 66.

0 Kudos
lrossi89
Contributor

Can you share some examples about it?

0 Kudos
AK2
Collaborator

Hi PhoneBoy,

SK172909 lists EndPoint Security Client (specific versions) as a requirement for this. Ok.

Is Authentication via Azure Active Directory IDP supported for the Check Point Capsule VPN client for Windows 10 available in the Microsoft App Store? Our customer has deployed Capsule VPN client and now wishes to add MFA via AAD (and, use Identity Awareness on remote access policies via AAD). I can get VPN client authentication and Identity Awareness via AAD working when I use the Endpoint Security VPN client, but have been trying (and failing) for some time now when I use the Capsule VPN Client.

Thanks in advance for any info on this

0 Kudos
PhoneBoy
Admin

Azure AD authentication is not supported with the Capsule VPN clients (be it Windows, iOS, or Android).

0 Kudos
AK2
Collaborator

Thanks very much for confirming. We ended up using the Endpoint Security VPN client.

0 Kudos
Carsten_R
Contributor

I'm now able to do a Remote Access authentication with SAML to Azure AD, and the authorization is now also possible through SAML.

That was the "trickiest" part for me, because the documentation from Checkpoint, especially for the authorization, is not really helpful.

I've added here a PDF file. It's based on the R81.20 Remote Access documentation with some additional information from me. I'm using R81.20, because I do not need any additional script installation.

I spent so much time in troubleshooting, because the documentation for the authorization is really bad. I was so disappointed that I needed some time to "calm down".

Hint:

The downside of this implementation is that you have to configure two "identical" groups in your Access Role when you want to use Identity Awareness and Remote Access for the same users...

That means:

You can use the native AAD groups (which are imported through the App Registration) for Identity Awareness (Browser Based Authentication), and for Remote Access you have to use internal user groups in the syntax "EXT_ID_" followed by the AAD role name.
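As an added check (not from the thread, not Check Point code), this Python helper applies the EXT_ID_ convention described above: it derives the internal user-group names the gateway expects from the enabled appRoles in an app manifest, flags configured SmartConsole groups that miss only by case or by the missing prefix, and tells whether a "pdp monitor user" excerpt shows a role at all. The manifest below is constructed (ids are placeholders); the checks assume the convention is exactly "EXT_ID_" plus the role value, case-sensitive.

```python
import json
import re

# Constructed sample manifest fragment in the shape of an Azure AD appRoles
# section; ids are placeholders, not real values from any tenant.
MANIFEST = json.loads("""
{"appRoles": [
  {"allowedMemberTypes": ["User"], "displayName": "msiam_access",
   "id": "00000000-0000-0000-0000-000000000001",
   "isEnabled": false, "value": "msiam_access"},
  {"allowedMemberTypes": ["User"], "displayName": "VPN_Users",
   "id": "00000000-0000-0000-0000-000000000002",
   "isEnabled": true, "value": "VPN_Users"}
]}
""")

PREFIX = "EXT_ID_"  # assumed prefix for Remote Access internal user groups


def expected_groups(manifest):
    """Internal user-group names expected for every enabled app role."""
    return {PREFIX + r["value"] for r in manifest["appRoles"] if r.get("isEnabled")}


def check_groups(manifest, configured):
    """Compare configured SmartConsole group names against the expected ones.

    Returns the missing names plus near-misses: a configured name that
    differs only by case, or that lacks the EXT_ID_ prefix entirely.
    """
    expected = expected_groups(manifest)
    findings = {"missing": sorted(expected - set(configured)), "near_miss": {}}
    for name in findings["missing"]:
        for c in configured:
            if c.lower() == name.lower() or c == name[len(PREFIX):]:
                findings["near_miss"][name] = c
    return findings


def pdp_role_assigned(pdp_output):
    """True if a 'pdp monitor user' excerpt lists at least one role."""
    m = re.search(r"^Roles:\s*(.*)$", pdp_output, re.MULTILINE)
    return bool(m) and m.group(1).strip() not in ("", "-")
```

A disabled role (isEnabled false) yields no expected group, so a role that was switched off in the manifest will never match an EXT_ID_ group on the gateway.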

AK2
Collaborator

Hi Carsten,

Congratulations and thanks for the document.

I agree, sometimes configuring something like this is not easy and takes significant persistence. 

Cheers,

Andrew

0 Kudos
Pbeau
Participant

Thanks Carsten_R! Your document in conjunction with the R81.20 Check Point VPN Admin Guide helped me a lot.

0 Kudos
CheckPointerXL
Advisor

Is this script allow_VPN_RA_for_R8040_and_above_gateways_V2.sh still required in the latest JHF?

0 Kudos