
Check Point

Firewall / VPN

RSA SecurID Ready Implementation Guide


Last Modified: July 31, 2012

Partner Information

Partner Name: Check Point Software Technologies
Web Site: www.checkpoint.com

Product Information

Product Name: Check Point Firewall / VPN
Version & Platform: R75.40 Software Blades
Product Description: Check Point Security Gateway Software Blades are a tightly integrated
software solution combining a firewall with sophisticated VPN technologies.
The Check Point architecture provides secure connectivity to corporate
networks, remote and mobile users, satellite offices, and key partners.
Check Point solutions are available on a range of open platforms and
security appliances meeting the performance requirements of any size
organization.


Solution Summary
The Check Point software solution is a comprehensive VPN and Firewall providing RSA SecurID two-factor
authentication connectivity to corporate networks, remote and mobile users, and satellite offices.
RSA SecurID supported features                               Check Point Software Blades R75.40

RSA SecurID Authentication via Native RSA SecurID Protocol   Yes
RSA SecurID Authentication via RADIUS Protocol               Yes
On-Demand Authentication via Native SecurID Protocol         Yes
On-Demand Authentication via RADIUS Protocol                 Yes
RSA Authentication Manager Replica Support                   Yes
Secondary RADIUS Server Support                              Yes
RSA SecurID Software Token Automation                        Yes
RSA SecurID SD800 Token Automation                           Yes
RSA SecurID Protection of Administrative Interface           No

Important: The On Demand Authentication may not behave as expected in this release. This release does
not enforce authentication after a new PIN is set via Native SecurID. This issue does not apply to
RADIUS. Therefore, the On Demand Authentication via Native SecurID when in New PIN mode will
authenticate a user without the user ever entering a tokencode. This is effectively a single factor
authentication. This is not an issue once the user sets the PIN.

Check Point Remote Access Clients (see Appendix C)


Authentication Agent Configuration


Authentication Agents are records in the RSA Authentication Manager database that contain information
about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems
require corresponding Authentication Agents. Authentication Agents are managed using the RSA
Security Console.
The following information is required to create an Authentication Agent:

Hostname
IP Addresses for network interfaces

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by
the RSA Authentication Manager to determine how communication with Check Point Software Blades will
occur.
A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication
Manager in order for Check Point Software Blades to communicate with RSA Authentication Manager.
RADIUS clients are managed using the RSA Security Console.
The following information is required to create a RADIUS client:

Hostname
IP Addresses for network interfaces
RADIUS Secret
Note: Hostnames within the RSA Authentication Manager / RSA SecurID
Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA documentation for additional information about creating, modifying
and managing Authentication Agents and RADIUS clients.

RSA SecurID files

RSA SecurID Authentication Files
Files          Location
sdconf.rec     /var/ace, %SystemRoot%\system32\
Node Secret    /var/ace, System Registry
sdstatus.12    /var/ace
sdopts.rec     Not implemented

Note: The appendix of this document contains more detailed information regarding these files.


Partner Product Configuration


Before You Begin
This section provides instructions for configuring the Check Point Software Blades with RSA SecurID
Authentication. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All Check Point Software Blades components must be installed and working prior to the integration.
Perform the necessary tests to confirm that this is true before proceeding.

Overview
This guide provides configuration information for RSA SecurID native as well as RSA RADIUS
Authentication to challenge users in a Check Point environment. The Firewall/VPN and Remote Access
Client require multiple configuration steps. The guide is organized as follows:

Configure RSA Authentication Servers
Create RSA Authentication servers information on the Check Point Firewall.

Configure RSA SecurID Authentication
Enable RSA SecurID or RADIUS Authentication.

Configure a User
Create the default external user profile to use RSA SecurID authentication.

Check Point Rule Configuration
Build a Firewall rule that will allow for Authentication to pass.

Check Point IPSEC VPN Configuration
Create a VPN Community and add user authentication to the community along with a VPN rule.

Check Point Remote Access Client Configuration
Configure the remote client for RSA SecurID Authentication.


Configure RSA Authentication Servers


The Check Point Firewall/VPN uses the sdconf.rec file to locate the RSA Authentication Manager Servers.
1. Retrieve the sdconf.rec file from the RSA Security Console.
2. Launch the Check Point SmartDashboard application with an administrator account.
3. Navigate to Manage > Servers and OPSEC Applications > New > SecurID.
4. Select SecurID or RADIUS.
5. If you selected SecurID the SecurID Properties window will open. Fill in Name for the SecurID server and browse
   to the sdconf.rec file you retrieved from the Authentication Manager Server.
6. Click OK.


7. If you selected RADIUS the RADIUS Properties window will open. Add the Name, Host and Shared Secret.
8. Repeat this to add any secondary RADIUS servers. Then from the Servers and OPSEC window select New >
   RADIUS Group and create a RADIUS Group.
Note: Additional steps are needed to configure the Check Point for RADIUS. Refer to Appendix B of this
document.


Configure RSA SecurID Authentication


1. Select the Firewall tab in the main window panel. Go to the left tool bar and navigate to Network Objects >
   Check Point > (your object). Right click on your object and select Edit.
2. From the General Properties screen select IPSec VPN > Authentication from the left tool bar.
3. Select the RADIUS group or the SecurID server you previously defined from the pull down.
4. Click OK to save changes.
5. After a user account is defined, create a rule and install the Policy.
6. Save the setting and verify that a connection is successful.


Enable RSA Authentication for users


RSA SecurID or RADIUS Authentication may be configured on a defined User or an External User Profile.
Check Point users are defined on the Check Point management server while External Users are not. If
the system is configured to use an External Profile for user authentication it is not necessary to define
users on the Check Point management server unless there are users that are not challenged with RSA
Authentication.

Configure a User
In this section a user will be created that will authenticate to the RSA Authentication Manager Servers.
This user can be configured to authenticate via either SecurID or RADIUS.
1. Go to Manage > Users and Administrators > New > User By Template > Default.
2. Enter the username as it appears in the default login field within the RSA Authentication Manager database.
3. Select Authentication from the left hand tool bar.
4. From the drop down box choose either SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK to save changes.


Configuring for External Users


In this section the Check Point security gateway will be configured to authenticate all external users to the
RSA Authentication Manager Servers. An External User Profile will be created that mandates RSA
SecurID or RADIUS Authentication for all users that do not have a Check Point user account.

External User Profiles


There are two different types of External User Profiles available in the Check Point product.

Match All Users


The Match all users profile with the profile name generic* is limited to only one property set.
Check Point applies the restrictions specified for an ordinary user in the User Properties tabs (for example
Groups). For authentication purposes Check Point uses the name typed in by the user instead of generic*.
The external authentication server receives the user name and authenticates them accordingly.

Match by Domain
The Match by domain profile allows for more granularity in the user definition than is available with generic*.
With this profile users are differentiated by their domain name. When implemented the user types a domain
name as well as the username where any domain name can be allowed.

The steps below will configure an External Profile of Match All Users.
1. Go to Manage > Users and Administrators > New > External User Profile > Match All Users.
2. The user generic* is created and a new window opens.
3. Select Authentication from the left tool bar.
4. From the drop down box choose SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK to save changes.

Check Point Rule Configuration


Reference the Check Point documentation for more information on configuration of the Firewall rules and
policies. A security policy consists of rules that define access control to and from the networks protected
by Check Point Security Gateways.
In the Firewall tab you define the network traffic rules.


In the Desktop tab you define the Client rules.


Inbound Rules control connections directed at the client machine.
Outbound Rules control connections initiated by the client machine.

Once a rule is added and the policy is installed a user must be authenticated before access is granted to
the service.
1. To add a rule go to Rule > Add Rule > Top.
2. Right click each field and choose the desired values.
3. To apply the rule select Policy > Install.


Check Point IPSEC VPN Configuration


Remote Access Community Configuration
The Remote Access Community allows the global definition of gateways and encryption properties on the
Security Gateway to be distributed out to users. The Remote Access Community is created by default.
The RSA SecurID Authentication user group will need to be added into the Remote Access Community.
1. Go to Manage > VPN Communities and double-click on Remote Access.
2. Configure the list of gateways on the Participant Gateways page by clicking on Add and selecting the gateway.
3. On the Participant Users Group page, add the SecurID group by clicking on Add and selecting the group.


Create a VPN Community Rule


Please reference the Check Point documentation for detailed information on configuration of the Firewall
rules and policies.
Note: Check Point implied VPN rules include default rules for client-to-site remote access which can be
viewed using View > VPN rules. For additional granularity create rules with VPN Communities.

The sample rule below will provide for RSA SecurID Authentication for VPN Community members.

Check Point Remote Access Client Configuration


1. Install the Check Point Endpoint client on your client PC.
2. On your client PC open the Check Point client. Select the SecurID option from the Site Wizard.


3. Select the appropriate token type.
4. Set the Username, PIN and enter the current Tokencode. If no PIN is assigned leave the field blank and you
   will be prompted to enter a new PIN.


Change Check Point Endpoint client Token type


1. Open the Check Point client by right-clicking on the icon and select VPN Options.
2. Select the site and Properties then the Settings tab.
3. Use the Authentication pull down to change the token type.
4. Click OK to save and exit.
Note: To achieve Software Token automation both the RSA Software Token and RSA Authentication Client
(RAC) need to be installed. Please refer to the appropriate RSA documentation for additional information.


Screens
Login screen:

User Defined New PIN:


System-generated New PIN:

Next Tokencode:


Certification Checklist for RSA Authentication Manager


Date Tested: July 31, 2012

Certification Environment
Product Name                    Version Information   Operating System
RSA Authentication Manager      7.1SP4                Windows 2003 SP2
RSA Software Token              4.1.1                 Windows XP Professional (SP3)
RSA RAC                         3.5                   Windows XP Professional (SP3)
Check Point Firewall/VPN        R75.40                Gaia
Check Point Endpoint Security   E75.30 EA2            Windows XP Professional (SP3)

Mandatory Functionality

RSA Native Protocol
New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny Numeric PIN
  Deny PIN Reuse
Passcode
  16-Digit Passcode
  4-Digit Fixed Passcode
Next Tokencode Mode
  Next Tokencode Mode
On-Demand Authentication
  On-Demand Authentication
  On-Demand New PIN
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)
  No RSA Authentication Manager

RADIUS Protocol
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny Numeric PIN
  Deny PIN Reuse
  16-Digit Passcode
  4-Digit Fixed Passcode
  Next Tokencode Mode
  On-Demand Authentication
  On-Demand New PIN
  Failover
  No RSA Authentication Manager

Legend: Pass / Fail / N/A = Not Applicable to Integration



RSA Software Token Automation Functionality

RSA Native Protocol
  PINless Token
  PINpad-style Token
  Fob-style Token
  16-Digit Passcode
  Alphanumeric PIN
  New PIN Mode
  Next Tokencode Mode
  Password-Protected Token

RADIUS Protocol
  PINless Token
  PINpad-style Token
  Fob-style Token
  16-Digit Passcode
  Alphanumeric PIN
  New PIN Mode
  Next Tokencode Mode
  Password-Protected Token

RSA SecurID 800 Token Automation Functionality

RSA Native Protocol
  PINless Mode
  14-Digit Passcode
  New PIN Mode
  Next Tokencode Mode

RADIUS Protocol
  PINless Mode
  14-Digit Passcode
  New PIN Mode
  Next Tokencode Mode

Legend: Pass / Fail / N/A = Not Applicable to Integration


Known Issues
On Demand Authentication
On Demand Authentication may not behave as expected with Check Point. This release does not enforce
authentication after a new PIN is set via Native SecurID. This issue does not apply to RADIUS.
Therefore, the On Demand feature via Native SecurID when in New PIN mode will authenticate a user
without the user ever entering a tokencode. This is effectively a single factor authentication. This is not
an issue once the user sets the PIN.

Software Tokens
Check Point Remote Access Clients up to E75.20 do not work with RSA software token v4.1.
Resolution: Please download the Remote Access Client E75.30 (or E75.30 EA2 from the Early
Availability program) from the Check Point Support site.

Appendix A
Node Secret:
1. To clear the node secret from a Windows host launch regedit from the Run utility.
2. Navigate the left hand tool bar to HKEY_LOCAL_MACHINE\Software\ACECLIENT.
3. Select Node Secret and delete it.
4. Reboot the PC.

Appendix B
RADIUS Configuration
To configure the Check Point for RADIUS perform the following steps from the Check Point SmartDashboard.
1. Select Manage > Servers and OPSEC Applications.
2. Select New > RADIUS.
3. Enter the Name of the RADIUS connection.
4. Enter the Host of the RADIUS Host.
5. Enter the Shared Secret to match the RSA Authentication Manager.
6. Select the service type of New-RADIUS to use port 1812.
7. Click OK to close the RADIUS Properties window.
8. Click Close to exit the Servers and OPSEC Applications window.
9. Select Manage > Users and Administrators.
10. Edit the generic* user account.
11. Select Authentication from the left tool bar and change the Authentication Scheme to RADIUS.
12. Set the RADIUS Server or Group of Servers setting to the RADIUS connection created in step 3.
13. Exit the User Profile Properties window.
14. Select Policy > Global Properties.
15. Select SmartDashboard Customization from the list of options.
16. Under the Advanced Configuration option select the Configure button.
17. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
18. Modify the radius_ignore setting, changing the default value of 0 to 76.
19. Save the settings and select Policy > Install from the SmartDashboard.
20. Complete the configuration by selecting OK to install the policy.
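The RADIUS exchange behind Appendix B and the RADIUS server steps earlier in this guide, as an added example that is not code from the guide, Check Point or RSA: a Python model of the Access-Request the gateway sends to RSA Authentication Manager on port 1812 (User-Password hiding under the shared secret per RFC 2865, and the State attribute that carries a New PIN or Next Tokencode challenge into the next request) together with the Response Authenticator check the gateway should apply to every reply. The shared secret, user name, passcodes and State value are constructed; the authenticator is passed in explicitly where a real client would draw 16 random bytes per request.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def password_xor(data, secret, authenticator, hiding):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        result = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else data[i:i + 16]  # the ciphertext block chains into the next key
    return out

def hide_password(passcode, secret, authenticator):
    # Client side: the PIN+tokencode passcode is NUL-padded to a multiple of 16 bytes, then hidden
    return password_xor(passcode + b"\x00" * (-len(passcode) % 16), secret, authenticator, True)

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(payload):
    attrs, i = {}, 0
    while i < len(payload):
        kind, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[kind] = payload[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, secret, user, passcode, authenticator, state=None):
    # Gateway side; authenticator is 16 fresh random bytes per request. State echoes a prior
    # Access-Challenge so a New PIN or Next Tokencode dialogue continues in the same session
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(passcode, secret, authenticator))
    if state is not None:
        body += attr(STATE, state)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, ident, request_auth, secret, body=b""):
    # Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = HEADER.pack(code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def check_response(packet, request_auth, secret):
    # Gateway side: a reply whose Response Authenticator does not verify under the shared secret
    # (forged, tampered, or sent with a mismatched secret) is dropped; otherwise return its attributes
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or length < 20:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return (code, ident, parse_attrs(packet[20:])) if hmac.compare_digest(expected, packet[4:20]) else None
```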


Appendix C
Check Point Remote Access Clients
(see Check Point SecureKnowledge solution sk61286)

Endpoint Security VPN
  Client Purpose: Secure connectivity with centrally managed desktop firewall & compliance checks
  Replaces Client: SecureClient NGX R60, Endpoint Connect R73

Check Point Mobile for Windows
  Client Purpose: Secure connectivity & compliance checks
  Replaces Client: Endpoint Connect R73

SecuRemote
  Client Purpose: Basic secure connectivity
  Replaces Client: SecuRemote NGX R60

SSL Network Extender


To avoid the overhead of installing and maintaining client software, Check Point also provides the SSL
Network Extender, a simple-to-implement thin client installed on the user's machine via a web browser.
The browser connects to an SSL enabled Check Point Security Gateway and downloads the thin client as
an ActiveX component or Java Applet.
If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile
Access and not IPSec VPN. In this case, SSL Network Extender is configured through the Mobile Access
blade.
