Compiled By: Chris Presland v1.0. 29 th September. Revision History Phil Underwood v1.1



Similar documents
External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Netscreen 25 Remote VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Citrix Access Gateway Advanced Edition

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Windows 2012 R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

Full disk encryption with Sophos Safeguard Enterprise With Two-Factor authentication of Users Using SecurAccess by SecurEnvoy

Microsoft Office365 with Active Directory Federated Services (ADFS) Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with CiscoSecure ACS. Authenticating Users Using. SecurAccess Server. by SecurEnvoy

External Authentication with Windows 2008 Server with Routing and Remote Access Service Authenticating Users Using SecurAccess Server by SecurEnvoy

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

Check Point FW-1/VPN-1 NG/FP3

Microsoft Outlook Web Access 2013 Authenticating Users Using SecurAccess Server by SecurEnvoy

Product Guide Addendum. SafeWord Check Point User Management Console Version 2.1

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Multi-factor Authentication using Radius

Defender EAP Agent Installation and Configuration Guide

Establishing two-factor authentication with Check Point and HOTPin authentication server from Celestix Networks

DIGIPASS Authentication for Check Point Security Gateways

DIGIPASS Authentication for Check Point Connectra

Using Microsoft Active Directory for Checkpoint NG AI SecureClient

SecurEnvoy Windows Login Agent

DIGIPASS Authentication for GajShield GS Series

1.6 HOW-TO GUIDELINES

Cloud Services ADM. Agent Deployment Guide

Immotec Systems, Inc. SQL Server 2005 Installation Document

NSi Mobile Installation Guide. Version 6.2

A brief on Two-Factor Authentication

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

RSA Authentication Manager 7.1 Basic Exercises

SSH to Ubuntu Server Authenticating Users Using SecurAccess Server by SecurEnvoy

Active Directory Management. Agent Deployment Guide

SecurEnvoy IIS Web Agent. Version 7.2

QUANTIFY INSTALLATION GUIDE

F-Secure Messaging Security Gateway. Deployment Guide

How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

Authentication Node Configuration. WatchGuard XTM

RSA SecurID Ready Implementation Guide

IIS, FTP Server and Windows

Preparing for GO!Enterprise MDM On-Demand Service

BlackShield ID Best Practice

How to Configure Web Authentication on a ProCurve Switch

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Defender Token Deployment System Quick Start Guide

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

HOTPin Integration Guide: DirectAccess

Server Software Installation Guide

Employee Active Directory Self-Service Quick Setup Guide

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

Creating Home Directories for Windows and Macintosh Computers

How To Connect Checkpoint To Gemalto Sa Server With A Checkpoint Vpn And Connect To A Check Point Wifi With A Cell Phone Or Ipvvv On A Pc Or Ipa (For A Pbv) On A Micro

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

DIGIPASS Authentication for SonicWALL SSL-VPN

DIGIPASS Authentication for Cisco ASA 5500 Series

ZyWALL OTPv2 Support Notes

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

SecurEnvoy Security Server Installation Guide

Basic Exchange Setup Guide

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

How To Industrial Networking

Deployment for Network Proxy in Simpana Environment

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Check Point FDE integration with Digipass Key devices

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

Configuring Network Load Balancing with Cerberus FTP Server

Two-Factor Authentication

Endpoint Security VPN for Windows 32-bit/64-bit

Configuring Global Protect SSL VPN with a user-defined port

Undergraduate Academic Affairs \ Student Affairs IT Services. VPN and Remote Desktop Access from a Windows 7 PC

V Series Rapid Deployment Version 7.5

Digipass Plug-In for IAS troubleshooting guide. Creation date: 15/03/2007 Last Review: 24/09/2007 Revision number: 3

Training module 2 Installing VMware View

BlackBerry Enterprise Service 10. Version: Configuration Guide

Configuring User Identification via Active Directory

Basic Exchange Setup Guide

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Microsoft DirectAccess

Creating a New Database and a Table Owner in SQL Server 2005 for exchange@pam

Setting up DCOM for Windows XP. Research

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

Configuring the Palo Alto Firewall for use with Juniper Steel-Belted RADIUS.

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

Integration Guide. Duo Security Authentication

How to Logon with Domain Credentials to a Server in a Workgroup

SecurEnvoy Security Server. SecurMail Solutions Guide

Configuring a Windows 2003 Server for IAS

Transcription:

Compiled By: Chris Presland v1.0 Date 29 th September Revision History Phil Underwood v1.1

This document describes how to integrate Checkpoint VPN with SecurEnvoy twofactor Authentication solution called SecurAccess Checkpoint VPN provides Client - Secure Remote Access to corporate network and application resources. SecurAccess provides two-factor, strong authentication for remote Access solutions (such as Checkpoint VPN) from any device, without the complication of deploying hardware tokens or smartcards. Two-Factor authentication is provided by the use of (your PIN and your Phone to receive the one time passcode) SecurAccess is designed as an easy to deploy and use technology. It integrates directly into Microsoft s Active Directory and negates the need for additional User Security databases. SecurAccess consists of two core elements: a Radius Server and Authentication server. The Authentication server is directly integrated with LDAP or Active Directory in real time. Checkpoint VPN can be configured in such a way that it can proxy the Authentication request of the users to an external directory (such as Radius). This is how the Checkpoint VPN was configured. All authentication requests were forwarded to SecurEnvoy Authentication server. Both Checkpoint and SecurEnvoy utilize a web GUI for configuration. All notes within this integration guide refer to this type of approach. The equipment used for the integration process is listed below Checkpoint Checkpoint NG software Software Revision Version 8.5.1 Microsoft Windows 2000 server SP4 IIS installed with SSL certificate (required for management and remote administration) Active Directory installed SecurEnvoy SecurAccess software release v2.7 0100 2

SecurEnvoy SecurAccess Server and Check Point NGX (VPN Client Secure Remote) The integration guide explains how to authenticate Remote Access VPN clients against SecurEnvoy authentication server. The Radius component of SecurEnvoy takes the authentication request from the Checkpoint firewall; it is then passed to the SecurEnvoy authentication server which in real time retrieves user account and encrypted passcode data from Microsoft s active directory. All configuration and testing was completed within a test environment. The deployment and topology design is outlined below. A Check Point Remote Access VPN client was setup and tested using static passwords. This was to facilitate the changes that would be required if deploying SecurEnvoy authentication from an existing traditional password model. These tests were carried out using Check Point NGX Enterprise/Pro with VPN, running on the latest version of IPSO, configured on a Nokia IP 380 Platform. The SecurEnvoy SecurAccess server was installed on a fully patched, Windows 2000 Server, acting as both the authentication server and a RADIUS server. 3

Verify that the Check Point firewall is currently VPN Enabled ; this is accomplished by checking that the VPN module is installed. Launch the Checkpoint management interface. Go to Network Objects Check Point and selecting the Checkpoint firewall you wish to configure. Properties The VPN check box should be enabled. 4

The next step is to add the SecurEnvoy RADIUS Server as a host object, define it as a valid machine on the network. Go to Network Objects Right-Click Node New node to add. Populate the required information. See diagram below. Click ok and Save to complete. 5

Check that the Check Point firewall uses the correct RADIUS Protocol details for communication between itself and the SecurEnvoy RADIUS Server. The SecurEnvoy RADIUS Server is configured by default to communicate on Port 1812, using Protocol UDP. It can be configured to use another port by running regedit on the SecurEnvoy server. Go to HKLM\SOFTWARE\SecurEnvoy\Radius Server select port and change this port to reflect your network design, typically this will be port 1645 UDP. Stop and restart the SecurEnvoy Radius service to make the new changes valid. Under the Services tab, select UDP as the Protocol type, and browse to New-RADIUS. On the properties of New-RADIUS, make sure that it is set to Port 1812. See diagram below. Select the Advanced tab and make sure that the Source port is set to 1812. Also make sure that the Accept Replies check-box has been enabled. See the following diagram. 6

Advanced UDP Service properties Select ok to save and ok again to exit. Then select Save. Now specify the specific SecurEnvoy RADIUS server and the details regarding version and protocol types supported. Under the Servers and OPSEC Applications tab, select Radius New RADIUS and then add in the new RADIUS server details. Select the SecurEnvoy-Radius host you created earlier, set the Service type to use udp NEW-RADIUS, and specify the common Shared Secret key to be used. (The Share Secret key is configured on both the Check Point firewall and SecurEnvoy RADIUS Server). Make sure the Protocol type is set to PAP. 7

Radius Server Properties Select ok and then Save to complete. From the Users and Administrators tab, Right-Click User Groups New User Group create a Remote_Access_VPN_Group for external users. This group is used as a Global Authentication Group for Check Point Secure/Remote Client Remote Access VPN users. See following diagram 8

Group Properties_VPN_Group Select ok and Save to complete. There are many ways of setting up VPN users in Check Point NGX. In this example, we are going to create a local user account, add it to the Remote_Access_VPN_Group, and set it to authenticate against the external SecurEnvoy-Radius server. 9

Select Users New User Create a VPN user account securenvoy, which we can then associate with the Remote Access VPN Group. Set the Login name details for the user. Typically this would be the same as the Active-Directory Domain user account. 10

On the Groups tab, Select the Remote_Access_VPN_Group As the group you want the account to become a member of. 11

On the Authentication tab, set the Authentication Scheme to RADIUS and below that select the RADIUS Server SecurEnvoy as the chosen RADIUS Authenticator for this user. Select ok and then Save to complete. 12

Select the VPN Communities tab, Then Right-Click Remote Access, New Remote Access Community, and configure. On the Participating Gateways tab, select your Check Point NGX node. 13

Then, on the Participating User Groups, select the Remote_Access_VPN_Group you created earlier, And add this group into the Check Point VPN Communities properties. Select ok and Save to complete. 14

Depending on your current Check Point firewall rule-base configuration, you may need to add in a rule Permitting NEW-RADIUS communication between the SecurEnvoy-RADIUS server and the Check Point NGX firewall. Once the above details have been configured, and the policy has been saved, it can be pushed to the relevant Check Point Enforcement Modules. 15

Next step is to configure the Check Point NGX Firewall as an Agent RADIUS Server within the SecurEnvoy Administration interface. Launch the SecurEnvoy Admin GUI, from the shortcut or remote web admin connection. Once logged-in to the SecurEnvoy Admin GUI, Select RADIUS, and then enter in the details of the Check Point Firewall, including the Shared Secret key, which is identical on both the Check Point Firewall, and the SecurEnvoy RADIUS Server itself. Select Update to complete the changes. 16

Test the RADIUS Authentication setup against SecurEnvoy by connecting to the Check Point NGX Gateway using the Check Point Secure/Remote VPN client installed on a Company Laptop of a Remote User. Begin by starting up your NGX VPN client. Then supply the correct credentials for your login. The securenvoy user credentials have been successfully passed against our internal RADIUS server, And the VPN connection is setup, allowing me local access to the internal company network. 17