This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
flachance
Advisor
‎2024-04-16 07:34 AM

Machine cert authentication and local computer certificate store

Hi,

 

We’re trying to test Remote VPN access with machine cert authentication. It is not clear to me which authentication to select on the client when creating the site.

I selected Certificate – CAPI but when trying to connect it offers a choice of certificate it finds in the Current user\Personal\Certificates

We’ve setup automatic cert enrollment for our machines but it puts the certificate in the Local computer\Personal\Certificate

I feel like I’m missing something here. How do you get the CheckPoint client to look for a certificate in the Local computer certificate store?

 

Thanks

Francis

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2024-04-16 10:05 AM

What version of client?
What version/JHF of gateway?
I'm assuming you've followed all the instructions here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

0 Kudos
flachance
Advisor
‎2024-04-17 05:08 AM
In response to PhoneBoy

client is 87.50. Gateway is 81.20 JHF take 53. Yes we've followed the guide and the relevant part of the client guide.

I think we might not be understanding the authentication part correctly. Can you establish VPN with only the machine cert to authenticate or do you also require user authentication?

0 Kudos
the_rock
Legend
Legend
‎2024-04-17 05:32 AM
In response to flachance

I believe it is possible with just machine cert, but not 100% certain, you may want to confirm with TAC.

0 Kudos
emmap
Employee
Employee
‎2024-04-17 06:30 AM
In response to flachance

You can, the instructions are in the link that Phoneboy has there and then the Remote Access Guide that is linked from there.

https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

flachance
Advisor
‎2024-04-17 07:58 AM
In response to emmap

I did use the instructions on these two links.

Something is missing or we’re missing something

 

From https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

 

The machine must be defined on a Microsoft AD server – Check

The Subject field of a machine certificate must not be empty – Check

The hostname must be the first value – Check

Machine-only authenticated tunnels require the Security Gateway authentication method to be “Defined on user record (Legacy authentication)” – Check

Adding the root CA on the LDAP Server to the Trusted CA in Management – Check

Creating LDAP Account Unit – Check

Setting up the Authentication enforcement as When Available – Check

 

From https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

 

On the client. Trac.defaults has

Enable_machine_auth set to true

Machine_tunnel_site set to the created site name

Machine_tunnel_before_logon set to true

Machine_tunnel_after_logon set to false

 

As noted in the instructions the machine site was created before but there is no indications of the settings to use. We picked Certificate CAPI. When trying to connect, it offers certificates found in the user certificate store but the machine certificate is in the Local computer certificate store.

How do we get the client to use the certificate in the Local Computer certificate store?

the_rock
Legend
Legend
‎2024-04-17 08:12 AM
In response to flachance

Did you check 2 SKs I mentioned in the link from one of my posts? Not sure if they might be relevant in your case, but if not, then I would open TAC case to see what might be missing.

Best,

Andy

0 Kudos
flachance
Advisor
‎2024-04-17 08:14 AM
In response to the_rock

I did. But I'm not even at the point where I'm actually attempting to connect 😆

0 Kudos
the_rock
Legend
Legend
‎2024-04-17 08:15 AM
In response to flachance

Ok lol

In that case, I would open TAC ticket and see what gives.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-17 08:45 AM
In response to flachance

Machine certificates are used only when a user is not logged in (i.e. Windows login screen).
This is mentioned in the documentation I linked previously.

As such, this is operating as expected.

0 Kudos
flachance
Advisor
‎2024-04-17 08:55 AM
In response to PhoneBoy

And I am now even more confused 😆 Or I just can't read properly. This is what I'm seeing in that doc. 

"Machine-only authentication - Authenticate with a machine certificate only. This mode is available before and after the user logs in to Windows"

PhoneBoy
Admin
Admin
‎2024-04-17 10:34 AM
In response to flachance

Clearly I misread the docs 🙂
However, you may need to adjust some settings here: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...
Specifically setting machine_tunnel_after_logon to true.

Otherwise, you may want to get the TAC involved: https://help.checkpoint.com 

0 Kudos
the_rock
Legend
Legend
‎2024-04-16 11:55 AM

Had similar issue recently with a customer and TAC fixed it with below 2 SKs, might be worth checking and to answer your question, you most likely select certificate auth on the client, its one called personal cert I believe

Check out answer I gave in below post.

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/Machine-certificate-auth/m-p/210437

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events