May The Fourth
CloudMates Live Show
days
hours
minutes
seconds
CPX 360 2021 Wrap Up
As the Cyber World Turns:
A Strategy to Increase Security Efficiency
Secure DevOps Access
to Cloud Workloads with Zero Trust
End of Support Policy Update
For R80.10 Release
Check Point Harmony
An In-Depth Look
Hi,
Recently, we enabled the user certificate authentication method, as long with username & password. The user certificates are pushed by the Active Directory via GPO, and come from the ADCS role within our network.
This is working fine, the username field is populated automatically in Check Point Endpoint Security, and it validates the user's certificate alright.
However, some of our users have several certificates in their user store. We need to find a way to force the VPN client to use a specific certificate, based on specific criteria (regex, or else).
I found no resource on how to control which certificate is being used by the client. It seems to picks it up automatically.
Anybody have an idea on how we can achieve our goal ?
Thanks in advance.
Regards,
Antoine.
PhoneBoy
Are you doing a user certificate or a machine certificate?
I know in the case of a machine certificate, we automatically choose one, I believe based on latest expiration date.
In that case, there is no mechanism to choose a different certificate.
Hi,
Thanks for your comment. We are only using user certificates, not machine certs.
The certificates we want to choose come from internal ADCS CA.
Thanks in advance.
AndreiR
Hi @AntoineDelrue ,
Assuming you use Check Point VPN client for Windows desktop.
At this moment VPN client does not provide capability to pre-define which certificate to use from CAPI store. But in the next release which is expected in October we are introducing a new feature which exactly fits you needs. Administrator will be able to define criteria to filter certificates which client display as available for user authentication. You will be able to specify, for example, pattern of DN or Extended Key Usage or Certificate Template and the client will display only those certificates which match your criteria.
Watch for updates of Endpoint Security Homepage:
Hi @AndreiR ,
Thanks, I'll be looking forward this new release ! Once it's tested and confirmed it works as expected, I'll close this topic.
Regards,
Antoine
Hi @AndreiR ,
Client E84.00 released a couple of days ago. I checked, and couldn't find any where that option to define how the cert will be chosen.
In the release note, only new feature listed is newer version of Windows 10 supported.
Could you please tell me how I can define how the VPN client might select the user cert ?
Thanks in advance.
Regards
Hi @AndreiR ,
Any news regarding the option to force the client to select a certificate based on a given pattern ? I don't find this option in R84.0.
Thanks in advance.
Regards,
Antoine
If the certificate in CAPI has a DN which can be distinguished from others, you can do the following, by script started through GPO or similar (here with a PowerShell example).
With this procedure it selects the string based on your pattern and connects. As the VPN client saves the last successfully used certificate for the next connect, afterwards you don't have to select it manually.
Here the parts of the script:
1. Get the list of certificates available to Check Point Client and select the right certificate by pattern:
cd C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect
$myvar=.\trac.exe list |Select-String -Pattern xyz
2. Fetch the DN String from this Output:
$dnstring = $myvar.ToString().Trim()
3. Connect to the Site using the DN and disconnect afterwards:
.\trac.exe connect -s "<sitename>" -d $dnstring
.\trac.exe disconnect
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY