adamspain
Participant

SDL with Azure AD Identity provider?

Is there a way to use SDL with Azure AD as an Identity Provider?


I saw this article from last year: https://community.checkpoint.com/t5/Mobile/VPN-clients-using-MFA-to-Azure-AD-IDP-Secure-Domain-Login... which said it was a known issue and wasn't supported.


We're seeing the exact same issue (sticking at 47% when connecting). Has anything changed in the last year to resolve this with a config setting?


We're using client E86.5


Thanks!

6 Replies
PhoneBoy
Admin

It’s still not supported.
What is your precise goal in using SDL?
If you’re looking for an always-on VPN, you might try pairing with a Machine Certificate for authentication like: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

adamspain
Participant

Hi,

The reason we need SDL is to allow a new device to on-board using Windows AutoPilot.

We're using AP in Hybrid mode so it needs visibility of a domain controller to be able to authenticate the user. As it's a new machine there are no locally stored profiles to use cached creds.


I wondered if a machine cert would do the trick. Once signed in the user could use 365 authentication which works fine post login.


I'll look into the machine cert. Do you think it would work for what we're looking to do?

Thanks

PhoneBoy
Admin

I believe it will work better than SDL, which doesn’t bring up the tunnel until the user attempts to log in.

You can use a machine certificate to authenticate the machine before the user logs in.
When the user logs in, it can then re-establish the VPN tunnel based on a user login.
When the user logs out, the machine certificate is used to bring the VPN connection back up.
Using properly defined access roles, you can create rules that allow access to different resources when a user is logged in versus not.

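The machine-certificate approach described in the reply above only works if the certificate the VPN client is expected to use is actually present and usable on the device before any user logs in. The following pre-flight check is an added example, not code from the thread, from Check Point or from the VPN client; it can be run on an Autopilot device (for instance as an Intune PowerShell script, or from a command prompt during OOBE) to confirm that a certificate in the LocalMachine\My store has a private key, carries the Client Authentication EKU, is not about to expire, and chains to a trusted root. The CA name in `$IssuerPattern` and the requirement for the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) are assumptions for the example; substitute the issuer and key-usage requirements of your own gateway configuration.

```powershell
# Added example, not from the thread or from Check Point. Pre-flight check that a
# machine certificate suitable for pre-logon VPN machine authentication exists on
# this device. Assumptions (hypothetical): the cert lives in LocalMachine\My, was
# issued by a CA whose subject contains $IssuerPattern, and the gateway requires
# the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
function Test-VpnMachineCertificate {
    [CmdletBinding()]
    param(
        [string]$IssuerPattern = 'Contoso Issuing CA',  # hypothetical CA name
        [int]$MinDaysValid = 30
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date

    $candidates = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" }

    if (-not $candidates) {
        Write-Warning "No certificate issued by '*$IssuerPattern*' in LocalMachine\My; machine authentication cannot succeed."
        return
    }

    foreach ($cert in $candidates) {
        $problems = @()

        # The client must be able to sign with the key. A cert imported from a .cer
        # file instead of being enrolled on the device has no private key.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # If an EKU extension is present, it must permit client authentication.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) {
            $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
            if ($oids -notcontains $clientAuthOid) { $problems += 'missing Client Authentication EKU' }
        }

        # A cert that is not yet valid, or expires during rollout, breaks the
        # always-on tunnel at the worst possible moment.
        if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }
        if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) { $problems += "expires $($cert.NotAfter)" }

        # Build the chain to a trusted root. Revocation checking is skipped here
        # because a freshly provisioned device may not reach the CRL/OCSP endpoint
        # before the tunnel is up; the gateway performs its own revocation checks.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $problems += "chain does not build ($status)"
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-VpnMachineCertificate | Format-Table -AutoSize
```

If no row reports `Usable = True`, the device has nothing to authenticate with before logon, and a Hybrid Autopilot enrolment will fail to reach a domain controller just as it did with SDL; fix the certificate deployment before troubleshooting the VPN client itself.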
adamspain
Participant

That sounds ideal for what we need - as long as we can package the certificate with the MSI that is deployed to the AutoPilot device?


Is there a step by step on how to achieve what we're trying to do? Azure Auth is already in place so it would be the steps needed to add the machine cert and then deploy that with the MSI to the end user device.


Thanks again for your help


PhoneBoy
Admin

I've not seen a step-by-step guide that assembles all this.
However, the documentation for the various pieces should be there.
You can start with the documentation I've already provided.
You'll need the VPN Configuration Utility for this: https://support.checkpoint.com/results/sk/sk122574
While this is for full Endpoint, I believe you can also use similar steps for deploying the VPN client via Intune: https://sc1.checkpoint.com/documents/HarmonyEndpoint/Harmony_Endpoint_Security_for_Windows_MDM_Deplo...

The one part of this I'm not sure about is distributing the machine certificate.
However, I presume this is possible to do through Intune.

adamspain
Participant

That's excellent thanks for your help. I'll do some work on this and will post back the solution if I get it all working.
