Re: Start VPN tunnel before Windows Logon?

Libin_Thomas · ‎2017-08-11

To start the tunnel BEFORE you login with domain-credtials to your windows pc.

Then, after the vpn tunnel is established, you can logon directly into your Active Directory domain

is it possible with Mobile access or IPsec vpn ?

Timothy_Hall · ‎2017-08-12

Definitely possible with Endpoint Security, check out the Secure Domain Logon (SDL) feature. I don't believe it is possible with the MAB if you are just doing a bare-bones SNX tunnel, client-side software is required for SDL.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Dhansham_Khemra · ‎2018-04-18

Checkpoint Endpoint Security

Right click and go to "VPN Option" Select "Advanced"

Enable Secure Domain Logon - Window login

Regedit

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\TRAC

DWORD Value Name: SDLEnabled Value Data: 1 Base Hexadecimal

Siddharth_Sharm · ‎2018-04-19

Hello Dhansham ,

Thanks for the solution .We are looking for a way to present checkpoint at logon as a users choice , with the way you mentioned it to do comes up at logon but every time , even if a user is connected to corporate network via LAN , if these settings are configured , it will always pop up the Checkpoint window. Is there a known way to disable this behaviour , and to let it to user click the icon on logon screen and start it .

Any suggestion would be appreciated , we are testing this on windows 10 v1709.

Adi_Babai · ‎2018-04-23

Hi,

If ignore_sdl_in_encdomain is set to true (in the GW ttm file) the SDL window does not show when the client is inside the LAN or VPN domain.

Another solution you can use is machine authentication, this feature enables you to authenticate with a machine certificate and establish a VPN tunnel before the Windows Logon. The feature introduced in E80.71 and requires a hotfix on top of R77.30 jumbo 286. If you would like to read more information on this feature please refer to E80.71 (and above) Admin guide.

Thanks,

Adi

Siddharth_Sharm · ‎2018-04-24

Dear,

Thanks a lot for your quick response !!!

We have already Set ignore_sdl_in_encdomain as TRUE and it shows an ICON to

Connect to VPN that we need but when i am trying to login connecting LAN

cable to windows it still prompting for Checkpoint VPN credential and

everytime i need to cancle it to login with my Domain account without VPN.

Regards,

Siddharth

On Mon, Apr 23, 2018 at 7:25 AM, Adi Babai <donotreply@checkpoint.com>

Scott_Bily · ‎2019-09-16

Did you ever find a solution to these questions you were asking?

I would also like to know if it is possible to have the Check Point login credentials passed to the Windows login so that the end user doesn't have to login twice with the same credentials.

Daniel_Hainich · ‎2019-09-17

Hi,

i changed the NLA (Global Properties/RemoteAccess/EndpointConnect) from Default Settings to "Client connects from this Network or Group"
When Users are connected internal to company-lan SSO is working an no VPN-Popup is shown. Outside Company SDL pop-up for VPN-Connection.

hope it helps.
daniel

Are you a member of CheckMates?

Start VPN tunnel before Windows Logon?