Check Point Security Gateway Configuration Guide
RSA IDR Host Object
1) Access the SmartConsole application.
2) Add a new host object and configure the name and IP address of the local RSA IDR (further information about RSA IDR will be discussed under the RSA configuration part).
3) Repeat the step to add the secondary RSA IDR object if you have more than 1 IDR deployed in the environment. Click OK to finish.
RADIUS Server Object
4) Add a new RADIUS Server object and give it a name.
Select the host object configured in step 2 above.
Define the service as NEW-RADIUS.
Enter the shared secret configured in the SecurID web interface.
Configure the priority of the primary as 1 and the secondary as 2.
5) Repeat the step to add the secondary RSA RADIUS server object. Click OK to finish.
RADIUS Server Group
6) Add a new RADIUS group object and give it a name. Add all the RADIUS server objects configured in the previous steps. Click OK to finish.
7) Add the gateway in the Remote Access VPN community and click OK.
Gateways & Servers
8) Navigate to Gateways & Servers tab.
9) Double-click the Gateway Object and verify that the IPSec VPN blade is enabled.
10) Navigate to the topology menu and verify that the VPN domain is defined. These will be the IP addresses that will be accessible by the remote access VPN users.
11) Navigate to the IPSec VPN menu and verify that the internal_ca certificate is still valid.
12) Navigate to the IPSec VPN > Link Selection and verify that the external IP address of the security gateway is defined correctly in “IP Selection by Remote Peer”.
13) Navigate to the VPN Clients menu and select the desired application that will be used for remote access connection. In my case, I am using Desktops/Laptops Endpoint Security VPN.
14) Navigate to the Authentication menu and click the “Settings…” button.
Single Authentication Clients Settings
15) Set the authentication method to RADIUS and select the RSA IDR RADIUS Group object.
Office Mode IP Address
16) Navigate to VPN Clients > Office Mode and select how the remote VPN users’ IP addresses will be assigned. I am using the manual IP pool method, which is defined inside the SmartConsole. Click OK to finish.
We have now completed the Check Point Security Gateway configurations. Now we will continue with the RSA configuration.
RSA SecurID Configuration
Obtain Identity Router Template
1) Access your RSA SecurID Cloud Authentication Service (CAS) web portal and go to Platform > Obtain Identity Router Template to download the IDR image. I am using an OVA image for VMware for this testing.
2) Deploy the OVA image into VMware and power up the RSA Identity Router (IDR) VM.
Configure the IP address, netmask, and default gateway.
Navigate to Commit to apply the configuration.
3) From the CAS portal, navigate to Users > Identity Sources and click on the “Add an Identity Sources” button to add your authentication server. I am using Active Directory for this testing.
4) Click the Next Step button to continue.
5) Click the Next Step button to continue.
Synchronize User Attributes
6) Click the Next Step button to continue.
7) Navigate to Access > Policies and click the “Add a Policy” button to create a custom policy.
8) Enter the policy name. Click the Next Step button to continue.
9) Tick the configured identity sources in the previous step. Click the Next Step button to continue.
10) Configure the rule sets as per your requirements. I am leaving the default value for this testing purposes.
11) Click the Save and Finish button to complete.
RADIUS Clients and Profiles
12) Navigate to Authentication Clients > RADIUS Clients and Profiles and click the “Add RADIUS Client and Profiles” button to create a new profile.
13) Enter the RADIUS Client name and IP address. This is the Check Point gateway IP address which in this case will be the RADIUS client.
Enter the shared secret. This shared secret will be used for RADIUS server host configuration in Check Point SmartConsole later on.
14) Select the access policy which has been configured in steps 8-11.
15) Click the “Save and Next Step” button to continue.
16) Click Finish to complete the operation.
17) Navigate back to Platform > Identity Routers and click the “Add an Identity Router” button to add the IDR previously deployed on VMware.
18) Select VMware/Hyper-V from the drop-down. Click Next Step to continue.
19) Click Next Step to continue, or first amend the Firewall Rules, Static Routes, or Static DNS Entries configuration if needed.
20) Click the “Generate Code” button to generate a new code which the IDR will use to register with the CAS portal.
Connect Administration Console
21) Access the IDR Setup Console using the address displayed after you clicked Commit during the VMware setup. Navigate to the Connect Administration Console menu.
In the Registration Code field, enter the Registration Code displayed when adding the identity router in the Cloud Administration Console.
In the Authentication Service Domain field, enter the Authentication Service Domain displayed when adding the identity router in the Cloud Administration Console.
22) Access the CAS portal and navigate to Users > User Management. Search for the user for whom the registration code will be generated; this code is used to register the RSA SecurID Authenticate app.
23) Select the app name and click the “Generate Code” button to generate the registration code.
Connecting to the Remote Access VPN
RSA SecurID Authenticate App
1) Download the application from the iOS App Store or Android Play Store and launch it on your mobile phone.
Navigate to the Account tab and click on the “Add Account” button. Click the “Enter Details” hyperlink.
Enter the company ID, your email address, and the registration code which was generated in the previous step.
Click Submit to finish the registration.
Check Point Endpoint Security VPN Application
2) Download the Check Point Remote Access Application from the link below:
Install and launch the app. Navigate to VPN > VPN Options > New to add the new site.
3) Click Next to continue.
4) Enter the public IP of the security gateway and click Next to continue.
5) Click Finish to complete the operation.
6) Click Yes when prompted.
7) You will receive a notification on your phone for the 2-factor authentication approval.
8) Connection succeeded.
- On newer Windows Server versions, Active Directory might only support NTLMv2 authentication, while the Check Point side defaults to NTLMv1. Follow the guide here to change the NTLM version.