AaronCP
Advisor

External access to internal RDS gateway

Good evening,

Firstly, apologies if I've attached this to the wrong board!

We are looking at how we can use our R80.40 cluster to control external 3rd party access to our internal RDS gateway.

We would like to integrate the solution to AAD for authentication/MFA using SAML. Browser Based Authentication seems like a good way to go with this, but I'm not sure how the gateway would handle the traffic. For example, if user A authenticates to the gateway from IP x.x.x.x, is user B also forced to authenticate if they connect to our gateway from the same IP? Our concern is if two users happen to connect to the gateway from the same remote location which is being NAT'd behind the same public IP, are both users forced to authenticate? Or does one authentication request from that source IP consequently allow traffic from any other hosts NAT'd behind the same IP?

Also, are there any other solutions for this remote access that can integrate with AAD using SAML on an R80.40 gateway?

As always, any advice would be greatly appreciated!

Thanks,

Aaron.

0 Kudos
1 Reply
PhoneBoy
Admin

Browser Based Authentication is really only for internal hosts, not necessarily external ones.
And, in your case, if one person authenticates from a specific IP, all users who appear to be coming from that IP would also be allowed.

A better solution from a remote site would be something like Mobile Access Blade, which would authenticate each user.
This should be able to integrate with AAD via SAML authentication.
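
The difference between the two approaches in this thread, as an added example that is not part of either post and is not Check Point code: a simplified model that replays the same events with authentication bound to the source IP versus bound to a per-user session. The addresses, user names and the `session` field are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample: two third-party users NAT'd behind one public IP.
NAT_PUBLIC_IP = "203.0.113.10"  # documentation address range

@dataclass(frozen=True)
class Event:
    kind: str     # "auth" or "connect"
    user: str     # who is actually at the keyboard
    src_ip: str   # source address the gateway sees after NAT
    session: str  # hypothetical per-user session identifier

EVENTS = [
    Event("connect", "userA", NAT_PUBLIC_IP, "sA"),
    Event("auth",    "userA", NAT_PUBLIC_IP, "sA"),
    Event("connect", "userA", NAT_PUBLIC_IP, "sA"),
    Event("connect", "userB", NAT_PUBLIC_IP, "sB"),  # userB has not authenticated yet
    Event("auth",    "userB", NAT_PUBLIC_IP, "sB"),
    Event("connect", "userB", NAT_PUBLIC_IP, "sB"),
]

def by_source_ip(ev):   # identity keyed on source IP
    return ev.src_ip

def by_session(ev):     # identity keyed on a per-user session
    return ev.session

def evaluate(events, key):
    """Replay events; `key` selects what an authentication is bound to.

    Returns (decisions, piggybacked): decisions is [(user, allowed)] per
    connect; piggybacked is [(user, authenticated_as)] for connects that
    were allowed although that user had not authenticated.
    """
    bound = {}            # key value -> user whose login created the binding
    logged_in = set()     # users who really completed authentication
    decisions, piggybacked = [], []
    for ev in events:
        k = key(ev)
        if ev.kind == "auth":
            bound[k] = ev.user
            logged_in.add(ev.user)
            continue
        allowed = k in bound
        decisions.append((ev.user, allowed))
        if allowed and ev.user not in logged_in:
            piggybacked.append((ev.user, bound[k]))
    return decisions, piggybacked
```

With `by_source_ip`, userB's first connection is allowed on the strength of userA's login; with `by_session`, it is refused until userB authenticates.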
