This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
israelfds95
MVP Gold
MVP Gold
3 weeks ago

R82 DynamicID via Email (SMTP) – Configuration Tips and Key Considerations

Configuring MFA is something essential nowadays, and its setup should be intuitive. When I tried to find where to configure the email string for SMTP Relay, I noticed that in SmartConsole R82 it is extremely hidden, and placed in a section that, in my opinion, does not make much sense. It should be simpler and ideally located within the Gateway properties under Authentication > Dynamic ID.

Below, I’ll show where this configuration is located. This can serve as a useful reference for others trying to configure it, and also as a suggestion for the Check Point team to improve this in future SmartConsole versions, making MFA settings more intuitive.

The “SMS provider and email” option is locked under DynamicID Settings. Below I will show where this configuration is located.

israelfds95_0-1777408925061.png

 

Go to “Manage & Settings” > Blades > Mobile Access > Capsule Workspace Settings

NOTE: In my opinion, it does not make sense for this configuration to be so hidden, especially within Capsule Workspace settings, which are expected to be deprecated.

israelfds95_1-1777408925071.png

Go to “Multiple Authentication”

israelfds95_2-1777408925075.pngIn the “Client Authentication” window > DynamicID Settings, enable the option:
“Challenge users to provide the DynamicID one-time password sent to their email account or mobile device via SMS”

Add the SMTP information string in the “SMS provider and email” field.

israelfds95_3-1777408925094.png

NOTE: 

Regarding this string, it is important to validate the following SMTP information:

For email-based multi-factor authentication, you will need the following SMTP details:

  1. SMTP Server Address

Example:
smtp.office365.com

  1. Connection Type

You need to determine:

  • SMTP without TLS → smtp://
  • SMTP with TLS (STARTTLS) → smtp:// + SSL_REQUIRED
  • SMTP with direct SSL → smtps://
  1. Port
  • 25 → Relay / no TLS or STARTTLS
  • 587 → STARTTLS (most commonly used today)
  • 465 → SMTPS
  1. Authentication

Key question:

Does the SMTP server require a username and password?

If the SMTP server does not require authentication, you can use a string similar to the example below:

mail:TO=$EMAIL;SMTPSERVER=system.mail.com;FROM=no-reply@domain.com;BODY=$RAWMESSAGE

 

There is an older SK that can be used as a reference:
"sk144712 - How to enable SMTP authentication or TLS-SMTP for DynamicID", which mentions that:

"Dynamic ID with an SMTP server that requires username and password for authentication is supported."

 

Then go back to the Security Gateway or Cluster properties, navigate to VPN Clients or Mobile Access > Authentication, and configure Multiple Login Options, adding the first option and then DynamicID as the second.

israelfds95_4-1777408925101.png

 

Edit DynamicID as shown below if you want to use "Send Email" only.

israelfds95_5-1777408925112.png

Configure the “User Directories”

israelfds95_6-1777408925115.png

 

(1)
Who rated this post