Sanjay_S
Advisor

MFA Configuration for MobileAccess blade with Client(Checkpoint Endpoint Security)


Hi All,

Currently users are authenticating with Secure Envoy MFA, and we are planning to move out of SecureEnvoy and use Azure MFA for the Mobile Access blade client-based VPN. May I know what should be considered for this change? As per my knowledge, in Azure we use SAML authentication for MFA. So does our Checkpoint support it? If yes, can you please share with me any relevant docs that would help me in configuring it, as I did not find one.

Regards,

Sanjay S

PhoneBoy
Admin
Sanjay_S
Advisor

Thanks a lot PhoneBoy. This really helps.

Sanjay_S
Advisor

Hi PhoneBoy,

Can I configure 2 servers simultaneously for authentication?

PhoneBoy
Admin

Given how SAML authentication works, don't believe that's possible.
For RADIUS, you can definitely do this (using a RADIUS Group object).

Sanjay_S
Advisor

Hi All,

Is there any document that helps me in implementing the Azure SAML authentication for Mobile Access Remote Access VPN clients?

We need to remove the legacy RADIUS authentication and put SAML authentication in place without impact. So please suggest the best way.

Regards,

Sanjay S

PhoneBoy
Admin

Mobile Access has supported SAML authentication since R80.40 for the portal itself. 
For the SNX client, you must use the Unified Policy mode as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
For other remote access clients, https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Sanjay_S
Advisor

Thank you PhoneBoy :)

Is configuring Intune compliance compulsory for SAML authentication?

Also, if we have the Checkpoint self-signed certificate, can't we get this working?

Regards,

Sanjay S

PhoneBoy
Admin

I don't believe Intune is required here, but it can be used if desired.
As far as the SAML authentication piece goes, I don't believe the self-signed certificate is relevant to the flow.

Sanjay_S
Advisor

Hi PhoneBoy,

We have enabled the Identity Awareness blade as well. Do we need to consider any changes to integrate while we set up SAML authentication? I have gone through the configuration videos from the YouTube link that was updated in the SK. And now I have a bit of confidence on what to do, but just wanted to understand: is there any config that needs to be considered for the Identity Awareness blade?

Regards,

Sanjay S

PhoneBoy
Admin

Make sure Remote Access is set as an Identity Source in the relevant gateway object(s).
Also, all gateways you are sharing identities with must be on the relevant version/JHF level in order to receive the acquired identities via Remote Access SAML. 

Sanjay_S
Advisor

Hi PhoneBoy,

Is there any lab to test this?

Regards,

Sanjay S

PhoneBoy
Admin

I would work with your local Check Point SE. 
