Partner Information
Partner Name: Check Point
Web Site:
Product Information
Product Name: Mobile Access SSL VPN
Version & Platform: R77 (Gaia)
Product Description:
Solution Summary
The Check Point Mobile Access Software Blade uses SSL VPN technology to secure encrypted communication from unmanaged smartphones, tablets, PCs and laptops. Both web-based and network-level SSL-encrypted access can be delivered through most Internet browsers.
The SSL VPN portal can be configured for use with Risk-Based Authentication. When so configured, a user accessing the SSL VPN portal is redirected to the RSA Secure Logon page, where the user logs in with their credentials. If the Authentication Manager determines the authentication attempt to be low risk, the user is granted access immediately. If the attempt is detected as high risk, the user is challenged with life questions or On-Demand Authentication to provide stronger authentication.
RSA Authentication Manager supported features                Check Point Mobile Access R77
RSA SecurID Authentication via Native RSA SecurID Protocol   Yes
RSA SecurID Authentication via RADIUS Protocol               Yes
On-Demand Authentication via Native SecurID Protocol         Yes
On-Demand Authentication via RADIUS Protocol                 Yes
Risk-Based Authentication                                    Yes
Risk-Based Authentication with Single Sign-On                No
RSA Authentication Manager Replica Support                   Yes
Secondary RADIUS Server Support                              Yes
The following information is required to create an Authentication Agent:
Hostname
IP Addresses for network interfaces
Set the Agent Type to Standard Agent when adding the Authentication Agent. The RSA Authentication Manager uses this setting to determine how it communicates with the Check Point Software Blades.
A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication
Manager in order for Check Point Software Blades to communicate with RSA Authentication Manager.
RADIUS clients are managed using the RSA Security Console.
The following information is required to create a RADIUS client:
Hostname
IP Addresses for network interfaces
RADIUS Secret
Note: Hostnames within the RSA Authentication Manager / RSA SecurID
Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA documentation for additional information about creating, modifying
and managing Authentication Agents and RADIUS clients.
Location
/var/ace, %SystemRoot%\system32\
/var/ace, HKEY_LOCAL_MACHINE\Software\ACECLIENT (Node Secret; see Appendix A)
/var/ace
/var/ace
Download the integration script template for Check Point Mobile Access from the following link:
https://sftp.rsa.com/human.aspx?Username=partner&password=rsasecured&arg01=881592907&arg12=downloaddirect&transaction=signon&quiet=true
Verify that the most recent RBA integration script template is installed on your Authentication Manager system by comparing the header of the installed integration script template with the header of the downloaded one.
Install the downloaded integration script template if it is newer than the installed script template, or if no script template for your agent is installed.
Refer to the RSA documentation for more information on RBA integration scripts.
The Check Point Firewall/VPN uses the sdconf.rec file to locate the RSA Authentication Manager servers.
1. Retrieve the sdconf.rec file from the Authentication Manager.
2. Launch the Check Point SmartDashboard application with an administrator account.
3. Navigate to Manage > Servers and OPSEC Applications.
4. Click New.
If you selected RADIUS, the RADIUS Server Properties window opens. Enter the Name, Host and Shared Secret and leave the other settings at their defaults.
9. Click OK.
10. Repeat this to add any secondary RADIUS servers. Then, from the Servers and OPSEC window, select New > RADIUS Group and create a RADIUS Group.
Note: Additional Check Point steps are needed to configure RADIUS. Refer to Appendix B of this document.
1. Select the Firewall tab in the main window panel. In the left tool bar, navigate to Network Objects > Check Point > (your object). Right-click your object and select Edit.
2. The General Properties window opens. Check IPSec VPN and Policy Server.
3. Select VPN Clients > Authentication from the left tool bar.
4. From the pull-down, select the RADIUS group or the SecurID server you defined previously.
5. Click OK to save changes.
When the system is configured to use an External Profile for user authentication, it is not necessary to define users on the Check Point management server, unless there are users who are not challenged with RSA authentication.
Configure a User
In this section a user is created that authenticates to the RSA Authentication Manager servers. This user can be configured to authenticate via either SecurID or RADIUS.
1. Go to Manage > Users and Administrators > New > User By Template > Default.
2. Enter the username exactly as it appears in the default login field of the RSA Authentication Manager database.
3. Select Authentication from the left-hand tool bar.
4. From the drop-down box, choose either SecurID or RADIUS as the user's Authentication Scheme.
Match by Domain
The Match by Domain profile allows more granularity in the user definition than generic* provides. With this profile, users are differentiated by their domain name: the user enters a domain name as well as a username, and any domain name can be allowed.
Match All Users
The steps below configure an External User Profile of type Match All Users.
1. Go to Manage > Users and Administrators > New > External User Profile > Match All Users.
2. The user generic* is created and a new window opens.
3. Select Authentication from the left tool bar.
4. From the drop-down box, choose SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK to save changes.
1. Enable the Mobile Access feature by navigating to Manage > Network Objects, selecting the gateway object and clicking Edit. On the General Properties screen, check Mobile Access.
2. A configuration wizard launches. Select the access method for Mobile and click Next.
4. Add a web site that you want your remote users to have access to and click Next.
5. Choose the Active Directory Domain, or check "I don't want to use Active Directory now", and click Next.
6. Add a portal user and click Next. Additional users can be added later.
7. Verify the information is correct and click Finish, or use the Back button to correct any errors.
3. On the Authentication for Mobile Access screen, select SecurID or RADIUS from the Authentication Scheme drop-down list.
1. Browse to Mobile Access > Policy. The Mobile Access Wizard has already created your policy.
2. Verify the Users field is set to the Internal group you created that has the generic* External profile.
3. You are now ready to access the portal. Launch a browser to https://<hostname>/sslvpn.
1. Log in to the Check Point appliance as an administrator and change to expert mode.
2. Download the RBA integration script from the RSA Security Console on your RSA Authentication Manager.
3. Copy the integration script to the following directory on the Check Point device:
/opt/CPcvpn-R77/htdocs/Login
4. Mobile Access R77 requires an additional support script, am_encrypt, which you can download from:
https://sftp.rsa.com/human.aspx?Username=partner&password=rsasecured&arg01=881799797&arg12=downloaddirect&transaction=signon&quiet=true
5. Copy this PHP script to the same location as am_integration.js. The source for am_encrypt is also provided in the Appendix at the end of this document.
6. Set the permissions on am_encrypt as follows:
chmod 774 am_encrypt
7. Edit the /opt/CPcvpn-R77/phpincs/LoginPage.php file, adding the following lines of code at the bottom:
<script src='../Login/am_integration.js' type="text/javascript"></script>
<script>window.onload=redirectToIdP;</script>
8. Edit the /opt/CPcvpn-R77/conf/includes/Login.location.conf file so that its <Files> pattern also matches the am_encrypt file. The necessary addition is the final ^am_encrypt$ alternative in the example below:
<Files ~ "^Login$|^Login\.css$|^CShellFrame$|^ActivateLogin$|^DifferentIpError$|^JS_RSA\.js$|^MultiChallenge$|^getTimeoutValues$|^utilities\.js$|^PostLaunchSWS$|^ComponentFrame$|^TrustedSitesInstructions$|^scanPage$|^processScanResults$|^LoginWithCert$|^blank\.htm$|^blankowa\.htm$|^am_encrypt$">
SetHandler application/x-httpd-php
</Files>
9. Finally, restart the Check Point services for the changes to take effect. cpstop stops all Check Point services on the gateway and interrupts traffic until cpstart completes, so schedule this in a maintenance window:
cpstop && cpstart
Once the Check Point services restart, the Mobile Access portal is configured for Risk-Based Authentication. Users accessing the portal are redirected to the RSA Secure Logon page, where they must complete RBA before gaining access to the Mobile Access portal.
Use the RSA Self-Service Console, https://<hostname>:7004/console-selfservice, to configure each user's Risk-Based security questions.
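The two file edits above (the LoginPage.php hook and the am_encrypt alternative in Login.location.conf) are easy to apply twice or to get subtly wrong, and a wrong <Files> pattern means Apache serves am_encrypt as a plain file instead of routing it to the PHP handler. The following Python is an added example, not Check Point or RSA code and not part of the original guide: it applies both edits idempotently and checks that the amended pattern really selects am_encrypt (and nothing it should not). The sample Login.location.conf contents are constructed from the listing above with the am_encrypt alternative not yet added; the /opt/CPcvpn-R77 paths come from the steps above and everything else is assumed.

```python
"""Apply and verify the Mobile Access RBA file edits (LoginPage.php hook, <Files> alternative).
Added example, not Check Point or RSA code. Sample file content is constructed from the guide's
listing; paths are the defaults named in the steps above."""
import re
from pathlib import Path

BASE_DIR = Path("/opt/CPcvpn-R77")                          # from the steps above
CONF_PATH = BASE_DIR / "conf/includes/Login.location.conf"
PHP_PATH = BASE_DIR / "phpincs/LoginPage.php"

# The two lines the guide appends to LoginPage.php.
HOOK_LINES = ("<script src='../Login/am_integration.js' type=\"text/javascript\"></script>",
              "<script>window.onload=redirectToIdP;</script>")

# Constructed stand-in for the stock Login.location.conf: the alternation from the listing
# above, before ^am_encrypt$ is added.
SAMPLE_CONF = r'''<Files ~ "^Login$|^Login\.css$|^CShellFrame$|^ActivateLogin$|^DifferentIpError$|^JS_RSA\.js$|^MultiChallenge$|^getTimeoutValues$|^utilities\.js$|^PostLaunchSWS$|^ComponentFrame$|^TrustedSitesInstructions$|^scanPage$|^processScanResults$|^LoginWithCert$|^blank\.htm$|^blankowa\.htm$">
SetHandler application/x-httpd-php
</Files>
'''

FILES_DIRECTIVE = re.compile(r'<Files\s+~\s*"([^"]*)"\s*>')


def files_directive(conf_text):
    """Locate the <Files ~ "..."> directive; group(1) is the regex Apache applies to file names."""
    m = FILES_DIRECTIVE.search(conf_text)
    if m is None:
        raise ValueError('no <Files ~ "..."> directive found')
    return m


def handler_applies_to(conf_text, filename):
    """Would the PHP SetHandler apply to this file name? Apache uses search semantics, which is
    why every alternative in the pattern is anchored with ^...$."""
    return re.search(files_directive(conf_text).group(1), filename) is not None


def add_files_alternative(conf_text, name="am_encrypt"):
    """Append |^name$ to the alternation exactly once (file names here hold no regex metacharacters)."""
    m = files_directive(conf_text)
    alternatives = m.group(1).split("|")
    wanted = "^" + name + "$"
    if wanted in alternatives:
        return conf_text                                   # already patched: leave untouched
    return conf_text[:m.start(1)] + "|".join(alternatives + [wanted]) + conf_text[m.end(1):]


def ensure_login_hook(php_text):
    """Append the two hook lines at the bottom of LoginPage.php, once."""
    if all(line in php_text for line in HOOK_LINES):
        return php_text
    if not php_text.endswith("\n"):
        php_text += "\n"
    return php_text + "\n".join(HOOK_LINES) + "\n"


def patch_files(conf_path=CONF_PATH, php_path=PHP_PATH):
    """Apply both edits in place on the gateway (run in expert mode); safe to rerun."""
    for path, fix in ((conf_path, add_files_alternative), (php_path, ensure_login_hook)):
        original = path.read_text()
        updated = fix(original)
        if updated != original:
            path.write_text(updated)
```

Run handler_applies_to against the patched text before restarting services: it should be true for am_encrypt and Login.css and false for am_encrypt.php, which confirms the anchors survived the edit. Keep the am_encrypt alternative anchored like the others; a bare am_encrypt would also match any file name containing that substring.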
Certification Environment
Version Information               Operating System
RSA Authentication Manager 8.0    Virtual Appliance
Check Point Mobile Access R77     Gaia

Mandatory Functionality (RSA Native Protocol, RADIUS Protocol)
Risk-Based Authentication: Pass
Risk-Based Authentication with SSO: N/A
Pass marks a passed test; N/A marks a function that is not available.
GLS
Known Issues
On-Demand Authentication
On-Demand Authentication may not behave as expected with Check Point. This release does not enforce a further authentication after a new PIN is set via the native SecurID protocol. This issue does not apply to RADIUS.
As a result, On-Demand Authentication via native SecurID in New PIN mode authenticates the user without the user ever entering a tokencode, which is effectively single-factor authentication. Once the user has set the PIN, the issue no longer applies.
Appendix A
Node Secret
To clear the node secret from a Windows host:
1. Launch regedit from the Run prompt.
2. In the left-hand tree, navigate to HKEY_LOCAL_MACHINE\Software\ACECLIENT.
3. Select Node Secret and delete it.
4. Reboot the PC.
The node secret must also be cleared for the agent record on the RSA Authentication Manager (Security Console, Manage Node Secret) so that agent and server negotiate a fresh matching secret; a one-sided clear leaves the two out of step and authentications fail with node verification errors.
Appendix B
RADIUS Configuration
To configure Check Point for RADIUS, perform the following steps from the Check Point SmartDashboard.
1. Select Manage > Servers and OPSEC Applications.
2. Select New > RADIUS.
3. Enter the Name of the RADIUS connection.
4. Enter the Host of the RADIUS server.
5. Enter the Shared Secret, matching the secret configured for the RADIUS client in the RSA Authentication Manager.
6. Select the service type New-RADIUS to use port 1812.
7. Click OK to close the RADIUS Properties window.
8. Click Close to exit the Servers and OPSEC Applications window.
9. Select Manage > Users and Administrators.
10. Edit the generic* user account.
11. Select Authentication from the left tool bar and change the Authentication Scheme to RADIUS.
12. Set the RADIUS Server or Group of Servers setting to the RADIUS connection created in step 3.
13. Exit the User Profile Properties window.
14. Select Policy > Global Properties.
15. Select SmartDashboard Customization from the list of options.
16. Under the Advanced Configuration option, click Configure.
17. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
18. Modify the radius_ignore setting, changing the default value of 0 to 77.
19. Save the settings and select Policy > Install from the SmartDashboard.
20. Complete the configuration by clicking OK to install the policy.
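To make concrete what the Shared Secret and the New-RADIUS service on port 1812 configured in this appendix (and in the RADIUS server definition in the main body) actually govern, here is an added example, not Check Point or RSA code and not part of the original guide, of the RFC 2865 exchange the gateway performs as a RADIUS client against Authentication Manager. It goes one step beyond the configuration text by showing the two-round Next Tokencode flow: an Access-Request carrying PIN + tokencode, an Access-Challenge with a State attribute, a second request echoing that State, and the Access-Accept. The user name, passcodes, NAS address, shared secret and State value are all constructed, and the "server" side is a stand-in that only mimics Authentication Manager's behaviour in that mode.

```python
"""RFC 2865 RADIUS exchange between a gateway (RADIUS client) and an RSA Authentication Manager
RADIUS server. Added example, not Check Point or RSA code: every name, address, passcode, secret
and State value is constructed; the "server" side only mimics Next Tokencode mode."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11                        # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24  # attribute types

def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value TLVs; Length includes the two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block),
    the first keyed by the Request Authenticator. Whoever holds the secret recovers the passcode."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, passcode, secret, ident, nas_ip, state=None):
    """Client side; returns (packet, request authenticator). The authenticator is fresh random
    per request and is needed again to verify the reply."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_encrypt(passcode.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    if state is not None:
        attrs.append((STATE, state))  # echoed unmodified from the Access-Challenge
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def build_response(code, ident, req_auth, secret, attrs):
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def parse_response(packet, ident, req_auth, secret):
    """Client side. A reply whose Response Authenticator does not verify was not produced by a
    holder of the shared secret for this exact request: discard it, whatever its code says."""
    code, resp_ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or resp_ident != ident:
        raise ValueError("length or identifier mismatch")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, decode_attrs(body)

def simulate_next_tokencode_flow(secret=b"constructed-shared-secret", nas_ip="10.0.0.5"):
    """Two-round exchange for a token in Next Tokencode mode; returns the two reply codes."""
    # Round 1: the user submits PIN + tokencode as the RADIUS password.
    req1, auth1 = build_access_request("alice", "1234567890", secret, 1, nas_ip)
    # Stand-in server: recover the passcode, then demand the next tokencode with a Challenge.
    assert pap_decrypt(dict(decode_attrs(req1[20:]))[USER_PASSWORD], secret, req1[4:20]) == b"1234567890"
    state = b"constructed-state-1"  # opaque, server-chosen, must come back unchanged
    resp1 = build_response(ACCESS_CHALLENGE, 1, auth1, secret, [
        (REPLY_MESSAGE, b"Wait for the tokencode to change, then enter the new tokencode"),
        (STATE, state)])
    code1, resp1_attrs = parse_response(resp1, 1, auth1, secret)
    # Round 2: the next tokencode alone, with State echoed so the server can tie the rounds.
    req2, auth2 = build_access_request("alice", "246810", secret, 2, nas_ip, state=dict(resp1_attrs)[STATE])
    assert dict(decode_attrs(req2[20:]))[STATE] == state  # stand-in server correlates the rounds
    resp2 = build_response(ACCESS_ACCEPT, 2, auth2, secret, [(REPLY_MESSAGE, b"OK")])
    code2, _ = parse_response(resp2, 2, auth2, secret)
    return [code1, code2]  # [11, 2]: Access-Challenge, then Access-Accept

def wrong_secret_is_rejected():
    """A reply built with a different secret (mistyped on either side) must not verify."""
    _, auth = build_access_request("alice", "1234567890", b"secret-A", 7, "10.0.0.5")
    forged = build_response(ACCESS_ACCEPT, 7, auth, b"secret-B", [])
    try:
        parse_response(forged, 7, auth, b"secret-A")
    except ValueError:
        return True
    return False
```

Two things the code makes visible that the configuration steps do not: the User-Password hiding is MD5 keyed by the shared secret, so the secret's strength and the network path between gateway and Authentication Manager are what protect passcodes in transit; and the Response Authenticator check in parse_response is the only thing that stops a forged Access-Accept from an on-path host, which is why a shared secret mismatch shows up as silently dropped replies (timeouts) rather than as a clean rejection.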