Many thanks.

Hi Dameon,

Sorry two more clarifications:

-Can you confirm if the AD Query feature fully supports an Active Directory on-premise in Hybrid Connect Mode and also Azure AD in the cloud only? I don't believe it matters where the AD is located? On-premise or in the cloud?

- Can you confirm if MFA and SSO via MS Azure AD are fully supported by the AD Query feature on the SMB appliances? I can't find any documentation to show what MFA and SSO features the AD Query feature supports? Are these the correct links? ie on the SMB appliances do you get the full features of the Identity Awareness blade or is AD Query just a subset of the full Identity Awareness blade and MFA and SSO is not supported? In my mind as long as you can connect to the AD both MFA and SSO support should be seamless? 

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/check-point-identity-awareness-tut...

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Many thanks for any extra insights? 

Keep in mind AD Query does two things:

• Gets events from the AD server over WMI for login events
• Queries LDAP for the relevant groups 

Which means it’s not directly processing the MFA at all, nor does it really care where AD sits provided it is accessible.
Whether this works with Hybrid Connect Mode or not is a different matter.
I’m assuming the LDAP piece will fail since SMB appliances do not currently support LDAP over SSL, which presumably will be required for any hosted AD.

Hello, thank you so can the SMB appliances support MS MFA with Azure AD and the Authenticator App out of the box and if so how is it done? This link below seems to imply yes but what are the pre-requisites? Can you show me an SK or some documentation in the MS Azure AD App Gallery that advises this for the SMB appliances? 

https://blog.checkpoint.com/2021/05/17/check-point-software-announces-new-microsoft-integrations-at-... 

Check Point Remote Access VPN with Azure Active Directory

The Check Point VPN is a tried-and-true solution which is now available in the Azure Active Directory (Azure AD) app gallery. Check Point VPN customers can now quickly enable single sign-on and manage access to the Check Point VPN with Azure AD.

By integrating with Azure AD, organizations can leverage capabilities such as Conditional Access and passwordless authentication to provide secure and seamless access to Check Point VPN.

• Conditional Access allows admins to enforce specific requirements (multi-factor authentication, access from a compliance device, have an approved client app, and more) for a user to act on before granting access into the Check Point VPN.
• Passwordless authentication is a more convenient and secure method of authentication that replaces easily compromised simple passwords. Passwordless authentication methods that integrate with Azure AD include FIDO2 security keys, Windows Hello for Business and Microsoft Authenticator app. Customers can now use passwordless authentication to sign into the Check Point VPN.

By integrating with Azure AD, Check Point’s VPN solution can support advanced security capabilities that can help organizations on their Zero Trust journey.

Many thanks.

In that context, the answer is no, this will definitely not work on SMB appliances.
We only recently added this to our regular appliances running R80.40 and above in the recent JHFs. 
More details here: https://community.checkpoint.com/t5/Remote-Access-VPN/SAML-Support-for-Remote-Access-VPN/m-p/117199 

Many thanks. If a radius server and NPS was used would it work around this issue on the OS? https://sc1.checkpoint.com/documents/SMB_R80.20.30/AdminGuides/Centrally_Managed/EN/Topics/Managing-... 

Solution design would be like this:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension