RSA Ready Implementation Guide for Check Point Mobile VPN for iOS v1.458


Check Point Mobile VPN for iOS v1.458. RSA Ready Implementation Guide. FAL, RSA Partner Engineering. Last Modified: 7/22/16

Solution Summary

The Check Point software solution is a comprehensive VPN and firewall that provides RSA SecurID two-factor authentication for connections to corporate networks from remote and mobile users and satellite offices.

RSA Authentication Manager supported features                     Mobile Client for iOS v1.458
RSA SecurID Authentication via Native RSA SecurID UDP Protocol    Yes
RSA SecurID Authentication via Native RSA SecurID TCP Protocol    No
RSA SecurID Authentication via RADIUS Protocol                    Yes
RSA SecurID Authentication via IPv6                               No
On-Demand Authentication via Native SecurID UDP Protocol          Yes
On-Demand Authentication via Native SecurID TCP Protocol          No
On-Demand Authentication via RADIUS Protocol                      Yes
Risk-Based Authentication                                         No
RSA Authentication Manager Replica Support                        Yes
Secondary RADIUS Server Support                                   Yes
RSA SecurID Software Token Automation                             Yes
RSA SecurID SD800 Token Automation                                Yes
RSA SecurID Protection of Administrative Interface                No

For the other Check Point Remote Access Clients, see Appendix C.

RSA Authentication Manager Configuration

Agent Host Configuration

To facilitate communication between the Check Point Firewall/VPN R77.30 and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. This can be done through the Authentication Manager Security Console. The Agent Host record identifies the Check Point Firewall/VPN R77.30 and contains information about communication and encryption.

RSA Authentication Manager 8.0 introduced a new TCP-based authentication protocol and a corresponding agent API. RSA Authentication Manager 8.0 and newer also maintain support for the existing UDP-based authentication protocol and agents. The agent host records for TCP and UDP agents are configured similarly, but there are some important differences.

Include the following information when configuring a UDP-based agent host record:
Hostname
IP addresses for the network interfaces

Important: The UDP-based authentication agent's hostname must resolve to the IP address specified. Check this from the Authentication Manager (forward lookup of the hostname) before testing; a mismatch shows up as authentications that never reach the agent record.

Include the following information when configuring a TCP-based agent host record:
RSA agent name (in the hostname field)

Important: The RSA agent name is specified in the rsa_api.properties file.

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by RSA Authentication Manager to determine how communication with Check Point R77.30 will occur.

If Check Point Firewall/VPN R77.30 will communicate with RSA Authentication Manager via RADIUS, a RADIUS client that corresponds to the agent host record must be created in RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client:
Hostname
IP addresses for the network interfaces
RADIUS secret

Important: The RADIUS client's hostname must resolve to the IP address specified. The RADIUS secret must be identical to the Shared Secret entered on the Check Point RADIUS server object; with a mismatch the User-Password attribute cannot be decoded and every authentication fails.

Refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients.

Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Check Point Firewall/VPN R77.30 with RSA SecurID authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Check Point R77.30 components must be installed and working prior to the integration. Perform the necessary tests to confirm this before proceeding.

Configure Check Point for the RSA Authentication Servers

1. The Check Point Firewall/VPN uses the sdconf.rec file to locate the RSA Authentication Manager servers. Retrieve the sdconf.rec file from the Authentication Manager.
2. Launch the Check Point SmartDashboard application with an administrator account and make sure it is in write mode.
3. Navigate to Manage > Servers and OPSEC Applications.

4. Click New and select SecurID or RADIUS.
5. If you selected SecurID, the SecurID Properties window opens. Enter a name for the SecurID server and browse to the sdconf.rec file you retrieved from the RSA Authentication Manager server.
6. Click OK.

7. If you selected RADIUS, the RADIUS Server Properties window opens. Enter the Name, Host and Shared Secret and leave the other settings at their defaults.
8. Click OK.
9. Repeat this to add any secondary RADIUS servers. Then, from the Servers and OPSEC Applications window, select New > RADIUS Group and create a RADIUS Group.
10. Select Manage > Policy > Global Properties.
11. Select SmartDashboard Customization from the list of options.
12. Under the Advanced Configuration option, click Configure.
13. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
14. Modify the radius_ignore setting, changing the default value of 0 to 76.
15. Save the settings by selecting Install Policy.
16. Complete the configuration by clicking OK to install the policy.
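The RADIUS path of this integration, the RADIUS client record on RSA Authentication Manager and the RADIUS server object on Check Point, rests on two things the GUI steps do not make visible: the shared secret, which hides the User-Password attribute and signs every reply, and the Access-Challenge round trip that carries Next Tokencode and New PIN prompts. The following is an added example, not code from this guide, RSA or Check Point: a self-contained Python model of that exchange per RFC 2865, in which a constructed stand-in server plays the part of Authentication Manager. The user jsmith, PIN 1234, the tokencodes and the shared secret are all constructed sample values, and the assumption that the gateway sends PIN+tokencode in User-Password is how SecurID over RADIUS normally works but is not stated on this page.

```python
"""Added example (not RSA or Check Point code): a minimal RFC 2865 RADIUS
exchange modelling SecurID passcode authentication with a Next Tokencode
Access-Challenge. Secret, user, PIN and tokencodes are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def _pad16(data):
    return data + b"\x00" * (-len(data) % 16)


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded, out, prev = _pad16(password), b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(secret, req_auth, hidden):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build(code, ident, authenticator, attrs):
    """Serialize Code, Identifier, Length, Authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def reply(secret, code, ident, req_auth, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    resp_auth = hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()
    return build(code, ident, resp_auth, attrs)


class SecurIdRadiusServer:
    """Constructed stand-in for the Authentication Manager RADIUS server.
    users: {name: (pin, [current tokencode, next tokencode], needs_next_tokencode)}"""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse(pkt)
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        if code != ACCESS_REQUEST or user not in self.users:
            return reply(self.secret, ACCESS_REJECT, ident, req_auth, [])
        hidden = attrs.get(USER_PASSWORD, b"")
        passcode = unhide_password(self.secret, req_auth, hidden).decode(errors="replace")
        pin, codes, next_tc = self.users[user]
        if STATE in attrs and self.pending.pop(user, None) == attrs[STATE]:
            # Second leg: a bare next tokencode, bound to the challenge by State.
            ok = passcode == codes[1]
            return reply(self.secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        if passcode != pin + codes[0]:
            return reply(self.secret, ACCESS_REJECT, ident, req_auth, [])
        if next_tc:
            state = os.urandom(8)
            self.pending[user] = state
            prompt = b"Wait for the tokencode to change, then enter the new tokencode"
            return reply(self.secret, ACCESS_CHALLENGE, ident, req_auth,
                         [(STATE, state), (REPLY_MESSAGE, prompt)])
        return reply(self.secret, ACCESS_ACCEPT, ident, req_auth, [])


def access_request(secret, ident, user, passcode, state=None):
    """What the gateway sends: User-Name plus the hidden PIN+tokencode."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(secret, req_auth, passcode.encode()))]
    if state is not None:
        attrs.append((STATE, state))
    return build(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def check_reply(secret, pkt, req_auth):
    """Refuse any reply whose Response Authenticator does not verify (wrong secret or forged)."""
    code, ident, resp_auth, attrs = parse(pkt)
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply was forged")
    return code, attrs


def login(server, secret, user, pin, tokencodes):
    """Gateway-side flow: PIN+tokencode, then answer a Next Tokencode challenge if one is issued."""
    pkt, req_auth = access_request(secret, 1, user, pin + tokencodes[0])
    code, attrs = check_reply(secret, server.handle(pkt), req_auth)
    if code == ACCESS_CHALLENGE:
        pkt, req_auth = access_request(secret, 2, user, tokencodes[1], attrs[STATE])
        code, attrs = check_reply(secret, server.handle(pkt), req_auth)
    return code


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    srv = SecurIdRadiusServer(SECRET, {"jsmith": ("1234", ["111222", "333444"], True)})
    print("next tokencode flow accepted:", login(srv, SECRET, "jsmith", "1234", ["111222", "333444"]) == ACCESS_ACCEPT)
    print("wrong PIN rejected:", login(srv, SECRET, "jsmith", "9999", ["111222", "333444"]) == ACCESS_REJECT)
```

Two points worth taking from the model: the gateway never learns the PIN's validity separately from the tokencode, because Authentication Manager sees only the concatenated passcode; and a wrong shared secret does not produce a readable error, it produces a reject whose Response Authenticator the client cannot verify, which is what a Check Point gateway configured with the wrong secret experiences as generic RADIUS failures.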

Configure for SecurID Authentication

1. Select the Firewall tab in the main window. In the left tool bar navigate to Network Objects > Check Point > (your gateway object). Right-click the object and select Edit.
2. The General Properties window opens. Select the check boxes for IPSec VPN and Policy Server.
3. Select VPN Clients > Authentication from the left tool bar.
4. Select RADIUS or SecurID, then select the RADIUS group or the SecurID server from the pull-down list.
5. Click OK to save the changes.
6. From the left tool bar navigate to Topology.
7. Under VPN Domain select Manually defined and choose CP_default_Office_Mode_address_pool.
8. Return to General Properties, click OK and install the policy.

Enable RSA Authentication for Users

RSA SecurID or RADIUS authentication may be configured on a defined User or on an External User Profile. Check Point users are defined on the Check Point management server; External Users are not. If the system is configured to use an External Profile for user authentication, it is not necessary to define users on the Check Point management server unless there are users that are not challenged with RSA authentication.

Configure a User

In this section a user is created that will authenticate to the RSA Authentication Manager servers. This user can be configured to authenticate via either SecurID or RADIUS.

1. Go to Manage > Users and Administrators > New > User by Template > Default.
2. Enter the username exactly as it appears in the default login field within the RSA Authentication Manager database.
3. Select Authentication from the left-hand tool bar.
4. From the drop-down box choose either SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK, then Close.

Configuring for External Users

In this section the Check Point Security Gateway is configured to authenticate all external users to the RSA Authentication Manager servers. An External User Profile is created that mandates RSA SecurID or RADIUS authentication for all users that do not have a Check Point user account.

External User Profiles

There are two types of External User Profiles available in the Check Point product.

Match All Users: The Match All Users profile, with the profile name generic*, is limited to one property set. Check Point applies the restrictions specified for an ordinary user in the User Properties tabs (for example, Groups). For authentication purposes Check Point uses the name typed in by the user instead of generic*. The external authentication server receives that user name and authenticates the user accordingly. Because generic* forwards any user name, the set of users who can connect is governed by the user activation on the Agent Host record in RSA Authentication Manager; restrict that record to the intended users or group rather than leaving it open to all users.

Match by Domain: The Match by Domain profile allows more granularity in the user definition than is available with generic*. With this profile users are differentiated by their domain name. When implemented, the user types a domain name as well as the username, and any domain name can be allowed.

The steps below configure an External Profile of type Match All Users.

1. Go to Manage > Users and Administrators > New > External User Profile > Match All Users.
2. The user generic* is created and a new window opens.
3. Select Authentication from the left tool bar.
4. From the drop-down box choose SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK, then Close.

Check Point Rule Configuration

Refer to the Check Point documentation for more information on the configuration of firewall rules and policies. A security policy consists of rules that define access control to and from the networks protected by Check Point Security Gateways.

In the Desktop tab you define the client rules:
Inbound Rules control connections directed at the client machine.
Outbound Rules control connections initiated by the client machine.

Once a rule is added and the policy is installed, a user must be authenticated before access is granted to the service.

1. To add a rule, click the Add Rule at the Bottom icon.
2. Right-click each field and choose the desired values.
3. To apply the rule, select Install Policy from the top menu bar.

In the Firewall tab you define the network traffic rules. Right-click to add an object.

Configuring Mobile Access

1. Navigate to Manage > Network Objects, select the gateway object and click Edit. On the General Properties screen check Mobile Access.
2. A configuration wizard launches. Select the access method for Mobile and click Next.
3. Add the portal URL (Gaia gateway appliance) and click Next.
4. Add a web site that you want your remote users to have access to and click Next.
5. Choose the Active Directory domain, or check "I don't want to use Active Directory now", and click Next.
6. Click Next and add a portal user. Additional users can be added later.
7. Verify that the information is correct and click Finish, or use the Back button to correct any errors.

Mobile Access Authentication

1. Go to Mobile Access > Authentication.
2. Select the gateway and click Edit.
3. On the Authentication for Mobile Access screen select SecurID or RADIUS from the Authentication Scheme drop-down list.
4. Double-click the gateway appliance object (peo67 in the test environment).
5. Select IPsec VPN > VPN Advanced.
6. Make sure that Support NAT traversal is selected.
7. Select VPN Clients.
8. Check the client types you want to allow.
9. Select VPN Clients > Remote Access and make sure these settings are selected:
   a) Support NAT traversal, with the allocated port set to VPN1_IPSEC_encapsulation.
   b) Support Visitor Mode, with the Service set to https.
10. Select VPN Clients > Office Mode and configure these settings:
   a) Ensure Allow Office Mode to all users or to a group is selected.
11. Click Optional Parameters. The IP Pool Optional Parameters window opens.
12. Configure the Primary DNS Server, the DNS suffixes and the IP lease duration (15 in the test environment).
13. Click OK.

Configuring Mobile Access Policies

1. Select the Mobile Access tab > Policy. The Mobile Access wizard has already created your policy.
2. Verify that the Users field is set to the internal group you created that holds the generic* External profile.
3. From the main tool bar select Install Policy > OK.

Configure VPN Client on iOS Devices

1. Download the Check Point Mobile VPN application from the Apple App Store.
2. Tap the Check Point Mobile VPN icon.
3. Tap Sites in the upper right-hand corner.
4. Tap + to add a site.
5. The New Site screen opens.
6. Configure the VPN site Name and Server IP address.
7. Tap Create.
8. The Verify Server message opens, showing the gateway certificate and its fingerprint.
9. Compare the fingerprint with the gateway certificate's fingerprint obtained from the administrator before accepting it; the first connection is where a spoofed gateway would be accepted. Tap Yes to accept the certificate and fingerprint.
10. The Authentication screen opens.
11. Select RSA SecurID from the Authentication Method choices.
12. Select the token type. Note: To achieve software token automation, both the RSA Software Token and the RSA Authentication Client (RAC) are required. Refer to the appropriate RSA documentation for additional information.
13. Type in the user credential.
14. Tap Connect.

RSA SecurID mobile login screens (screenshots in the original): login, User Defined New PIN, System-generated New PIN, Next Tokencode.

Certification Checklist for RSA Authentication Manager

Date Tested: 7/24/16

Certification Environment
Product Name                 Version Information   Operating System
RSA Authentication Manager   8.2                   Virtual Appliance
Check Point Firewall         R77.30                Gaia
Check Point Mobile VPN       1.458.251             iOS v9.3.2

RSA SecurID Authentication (Date Tested: 7/24/16)

Mandatory Functionality (each case was tested against the Native UDP, Native TCP and RADIUS protocols):
New PIN Mode
   Force Authentication After New PIN
   System Generated PIN
   User Defined (4-8 Alphanumeric)
   User Defined (5-7 Numeric)
   Deny 4 and 8 Digit PIN
   Deny Alphanumeric PIN
   Deny PIN Reuse
Passcode
   16 Digit Passcode
   4 Digit Fixed Passcode
Next Tokencode Mode
   Next Tokencode Mode
On-Demand Authentication
   On-Demand Authentication
   On-Demand New PIN
Load Balancing / Reliability Testing
   Failover (3-10 Replicas)
   No RSA Authentication Manager

RSA Risk-Based Authentication Functionality (tested against the RSA Native Protocol and the RADIUS Protocol):
   Risk-Based Authentication
   Risk-Based Authentication with SSO

Legend: Pass / Fail / Non-Available Function. The per-protocol result marks were symbols in the original table and are not present in this transcription; the supported-features table in the Solution Summary records the outcome at feature level.

Known Issues

Important: On-Demand Authentication may not behave as expected in this release. This release does not enforce authentication after a new PIN is set via native SecurID; the issue does not apply to RADIUS. As a result, On-Demand Authentication via native SecurID in New PIN mode authenticates the user without the user ever entering a tokencode, which is effectively single-factor authentication. It is not an issue once the user has set a PIN. Where On-Demand Authentication is in use, either authenticate the gateway via RADIUS or make sure users' PINs are set before on-demand tokencodes are issued.

Appendix A RSA SecurID Authentication Files

UDP Agent Files             Location
sdconf.rec                  /var/ace, %SystemRoot%\system32\
sdopts.rec                  Not tested
Node secret                 /var/ace, System Registry
sdstatus.12 / jastatus.12   /var/ace

TCP Agent Files             Location
rsa_api.properties          (none listed)
sdconf.rec                  (none listed)
sdopts.rec                  (none listed)
Node secret                 (none listed)

Partner Integration Details
RSA SecurID UDP API               (not recorded)
RSA SecurID TCP API               (not recorded)
RSA Authentication Agent Type     Standard Agent
RSA SecurID User Specification    All Users
Display RSA Server Info           No
Perform Test Authentication       No
Agent Tracing                     No

Node Secret Removal

Windows platform:
1. To clear the node secret from a Windows host, launch regedit from the Run utility.
2. In the left-hand tree navigate to HKEY_LOCAL_MACHINE\Software\ACECLIENT.
3. Select Node Secret and delete it.
4. Reboot the PC.

Gaia platform:
1. Log in to the CLI console and change to expert mode.
2. Change directory to /var/ace.
3. Delete the node secret file: rm securid
4. Stop the Check Point services: cpstop
5. Start the Check Point services: cpstart

Clear the node secret on the corresponding Authentication Agent record in the RSA Security Console at the same time, so that a new node secret is negotiated on the next authentication; removing it on only one side leaves the two out of step and native SecurID authentications fail.

Appendix B RADIUS Configuration

To configure Check Point for RADIUS, perform the following steps from the Check Point SmartDashboard.

1. Select Manage > Servers and OPSEC Applications.
2. Select New > RADIUS.
3. Enter the Name, Host and Shared Secret of the RADIUS connection.
4. Select the service type New-RADIUS to use port 1812.
5. Click OK, then Close.
6. Select Manage > Users and Administrators.
7. Edit the generic* user account.
8. Select Authentication from the left tool bar and change the Authentication Scheme to RADIUS.
9. Set the RADIUS Server or Group of Servers setting to the RADIUS connection created in step 3.
10. Exit the User Profile Properties window.
11. Select Manage > Policy > Global Properties.
12. Select SmartDashboard Customization from the list of options.
13. Under the Advanced Configuration option, click Configure.
14. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
15. Modify the radius_ignore setting, changing the default value of 0 to 76.
16. Save the settings and select Policy > Install from the SmartDashboard.
17. Complete the configuration by clicking OK to install the policy.

Appendix C Check Point Remote Access Clients

Feature           Endpoint Security VPN                          Check Point Mobile for Windows       SecuRemote Client
Purpose           Secure connectivity with centrally managed     Secure connectivity and              Basic secure connectivity
                  desktop firewall and compliance checks         compliance checks
Replaces client   SecureClient NGX R60, Endpoint Connect R73     Endpoint Connect R73                 SecuRemote NGX R60

SSL Network Extender

To avoid the overhead of installing and maintaining client software, Check Point also provides the SSL Network Extender, a simple-to-implement thin client installed on the user's machine via a web browser. The browser connects to an SSL-enabled Check Point Security Gateway and downloads the thin client as an ActiveX component or Java applet. If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPsec VPN. In this case, SSL Network Extender is configured through the Mobile Access blade.