Hi,
We’re trying to test Remote VPN access with machine cert authentication. It is not clear to me which authentication to select on the client when creating the site.
I selected Certificate – CAPI, but when trying to connect it offers a choice of certificates it finds in the Current User\Personal\Certificates store.
We’ve set up automatic cert enrollment for our machines, but it puts the certificate in Local Computer\Personal\Certificates.
I feel like I’m missing something here. How do you get the Check Point client to look for a certificate in the Local Computer certificate store?
Thanks
Francis
What version of client?
What version/JHF of gateway?
I'm assuming you've followed all the instructions here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
Client is 87.50. Gateway is 81.20 JHF Take 53. Yes, we've followed the guide and the relevant part of the client guide.
I think we might not be understanding the authentication part correctly. Can you establish VPN with only the machine cert to authenticate or do you also require user authentication?
I believe it is possible with just machine cert, but not 100% certain, you may want to confirm with TAC.
You can, the instructions are in the link that Phoneboy has there and then the Remote Access Guide that is linked from there.
I did use the instructions on these two links.
Something is missing or we’re missing something
The machine must be defined on a Microsoft AD server – Check
The Subject field of a machine certificate must not be empty – Check
The hostname must be the first value – Check
Machine-only authenticated tunnels require the Security Gateway authentication method to be “Defined on user record (Legacy authentication)” – Check
Adding the root CA on the LDAP Server to the Trusted CA in Management – Check
Creating LDAP Account Unit – Check
Setting up the Authentication enforcement as When Available – Check
On the client, trac.defaults has:
Enable_machine_auth set to true
Machine_tunnel_site set to the created site name
Machine_tunnel_before_logon set to true
Machine_tunnel_after_logon set to false
As noted in the instructions, the machine site was created beforehand, but there are no indications of the settings to use. We picked Certificate CAPI. When trying to connect, it offers certificates found in the user certificate store, but the machine certificate is in the Local Computer certificate store.
How do we get the client to use the certificate in the Local Computer certificate store?
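The post above lists the certificate requirements from the admin guide (non-empty Subject, hostname as the first Subject value, root CA trusted) and notes that auto-enrollment places the certificate in the Local Computer store rather than the Current User store the CAPI picker enumerates. The following PowerShell is an added example, not part of this thread or Check Point's documentation, that enumerates both stores on the client machine and checks each Local Computer certificate against those requirements. It assumes the machine certificate's first Subject value matches either the short hostname or the DNS FQDN, and that the issuing chain is installed on the client; run it from an elevated PowerShell prompt so the private-key association is visible.

```powershell
# Added example (not from the thread): check the Local Computer\Personal store for a
# machine certificate that meets the requirements listed in the post above.
# Assumptions: first Subject value should equal the short hostname or the DNS FQDN,
# and the issuing CA chain is installed locally.

$hostname = $env:COMPUTERNAME
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Local Computer\Personal: where auto-enrollment put the machine certificate
$machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My)
# Current User\Personal: the store the interactive CAPI picker was offering from
$userCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My)

Write-Host ("LocalMachine\My holds {0} certificate(s); CurrentUser\My holds {1}" -f `
    $machineCerts.Count, $userCerts.Count)

function Test-MachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Requirement: Subject must not be empty
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems += 'Subject is empty' }

    # Requirement: hostname must be the first Subject value.
    # "CN=host.example.com, OU=Workstations, DC=example" -> "host.example.com"
    $firstValue = ($Cert.Subject -split ',\s*')[0] -replace '^[A-Za-z]+=', ''
    if ($firstValue -notin @($hostname, $fqdn)) {
        $problems += "First Subject value '$firstValue' is not the hostname ($hostname / $fqdn)"
    }

    # A certificate without its private key cannot be used for authentication
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key associated' }

    # Must be inside its validity period right now
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'Outside validity period' }

    # Requirement: chain must build to a trusted root (the same root CA added to Management)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        $problems += "Chain does not build to a trusted root: $status"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

if ($machineCerts.Count -eq 0) {
    Write-Warning 'No certificates in LocalMachine\My: auto-enrollment has not delivered a machine certificate yet.'
} else {
    $machineCerts | ForEach-Object { Test-MachineCert -Cert $_ } | Format-List
}
```

A certificate that reports Usable = True here satisfies the guide's stated requirements, which narrows the remaining question to client configuration rather than certificate content. The store counts at the top also make the split in the post explicit: the interactive Certificate – CAPI picker enumerates Current User\Personal, whereas Local Computer\Personal is the store readable by processes that run before any user logs on.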
Did you check the 2 SKs I mentioned in the link from one of my posts? Not sure if they might be relevant in your case, but if not, then I would open a TAC case to see what might be missing.
Best,
Andy
I did. But I'm not even at the point where I'm actually attempting to connect 😆
Ok lol
In that case, I would open a TAC ticket and see what gives.
Andy
Machine certificates are used only when a user is not logged in (i.e. Windows login screen).
This is mentioned in the documentation I linked previously.
As such, this is operating as expected.
And I am now even more confused 😆 Or I just can't read properly. This is what I'm seeing in that doc.
"Machine-only authentication - Authenticate with a machine certificate only. This mode is available before and after the user logs in to Windows"
Clearly I misread the docs 🙂
However, you may need to adjust some settings here: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...
Specifically setting machine_tunnel_after_logon to true.
Otherwise, you may want to get the TAC involved: https://help.checkpoint.com
Had a similar issue recently with a customer, and TAC fixed it with the below 2 SKs; might be worth checking. To answer your question, you most likely select certificate auth on the client; it's the one called personal cert, I believe.
Check out the answer I gave in the below post.
Andy
https://community.checkpoint.com/t5/Security-Gateways/Machine-certificate-auth/m-p/210437