<Partner Name> <Partner Product>
RSA Ready Implementation Guide for v1.458
FAL, RSA Partner Engineering
Last Modified: 7/22/16
Solution Summary

The Check Point software solution is a comprehensive VPN and Firewall providing RSA SecurID two-factor authentication connectivity to corporate networks, remote and mobile users, and satellite offices.

RSA Authentication Manager supported features (Mobile Client for iOS v1.458):

  RSA SecurID Authentication via Native RSA SecurID UDP Protocol ....... Yes
  RSA SecurID Authentication via Native RSA SecurID TCP Protocol ....... No
  RSA SecurID Authentication via RADIUS Protocol ....................... Yes
  RSA SecurID Authentication via IPv6 .................................. No
  On-Demand Authentication via Native SecurID UDP Protocol ............. Yes
  On-Demand Authentication via Native SecurID TCP Protocol ............. No
  On-Demand Authentication via RADIUS Protocol ......................... Yes
  Risk-Based Authentication ............................................ No
  RSA Authentication Manager Replica Support ........................... Yes
  Secondary RADIUS Server Support ...................................... Yes
  RSA SecurID Software Token Automation ................................ Yes
  RSA SecurID SD800 Token Automation ................................... Yes
  RSA SecurID Protection of Administrative Interface ................... No

Check Point Remote Access Clients: see Appendix C.
RSA Authentication Manager Configuration

Agent Host Configuration

To facilitate communication between the Check Point Firewall/VPN R77.30 and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. This can be done through the Authentication Manager Security Console (the AM admin GUI). The Agent Host record identifies the Check Point Firewall/VPN R77.30 and contains information about communication and encryption.

RSA Authentication Manager 8.0 introduced a new TCP-based authentication protocol and corresponding agent API. RSA Authentication Manager 8.0 and newer also maintains support for the existing UDP-based authentication protocol and agents. The agent host records for TCP and UDP agents are configured similarly, but there are some important differences. This integration was certified with the UDP-based agent only (see the Solution Summary and Appendix A).

Include the following information when configuring a UDP-based agent host record:
  - Hostname
  - IP addresses for the network interface
Important: The UDP-based authentication agent's hostname must resolve to the IP address specified.

Include the following information when configuring a TCP-based agent host record:
  - RSA agent name (in the hostname field)
Important: The RSA agent name is specified in the rsa_api.properties file.
Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Check Point R77.30 will occur.

If Check Point Firewall/VPN R77.30 will be communicating with RSA Authentication Manager via RADIUS, then a RADIUS client that corresponds to the agent host record must be created in the RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client:
  - Hostname
  - IP addresses for network interfaces
  - RADIUS shared secret
Important: The RADIUS client's hostname must resolve to the IP address specified.

Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients.
Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Check Point Firewall/VPN R77.30 with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Check Point R77.30 components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configure Check Point for the RSA Authentication Servers
1. The Check Point Firewall/VPN uses the sdconf.rec file to locate the RSA Authentication Manager servers. Retrieve the sdconf.rec file from the Authentication Manager.
2. Launch the Check Point SmartDashboard application with an administrator account and make sure it is in write mode.
3. Navigate to Manage > Servers and OPSEC Applications.
4. Click New and select SecurID or RADIUS.
5. If you selected SecurID, the SecurID Properties window opens. Create a name for the SecurID server and browse to the sdconf.rec file you retrieved from the RSA Authentication Manager server.
6. Click OK.
7. If you selected RADIUS, the RADIUS Server Properties window opens. Add the Name, Host and Shared Secret and leave the other settings at their defaults.
8. Click OK.
9. Repeat this to add any secondary RADIUS servers. Then, from the Servers and OPSEC Applications window, select New > RADIUS Group and create a RADIUS Group.
10. Select Manage > Policy > Global Properties.
11. Select SmartDashboard Customization from the list of options.
12. Under the Advanced Configuration option, select the Configure button.
13. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
14. Modify the radius_ignore setting, changing the default value of 0 to 76 (attribute 76 is the RADIUS Prompt attribute defined in RFC 2869).
15. Save the settings by selecting Install Policy.
16. Complete the configuration by selecting OK to install the policy.
Configure for SecurID Authentication
1. Select the Firewall tab in the main window panel. In the left tool bar navigate to Network Objects > Check Point > (your gateway object). Right-click your object and select Edit.
2. The General Properties window opens. Select the check boxes for IPSec VPN and Policy Server.
3. Select VPN Clients > Authentication from the left tool bar.
4. Select RADIUS or SecurID, then select the RADIUS group or the SecurID server from the pull-down.
5. Click OK to save the changes.
6. From the left tool bar navigate to Topology.
7. Under VPN Domain select Manually defined and choose CP_default_Office_Mode_address_pool.
8. Return to General Properties, click OK, and click Install Policy at the top left.
Enable RSA Authentication for Users

RSA SecurID or RADIUS authentication may be configured on a defined User or on an External User Profile. Check Point users are defined on the Check Point management server, while external users are not. If the system is configured to use an External Profile for user authentication, it is not necessary to define users on the Check Point management server unless there are users that are not challenged with RSA authentication.

Configure a User

In this section a user is created that authenticates to the RSA Authentication Manager servers. This user can be configured to authenticate via either SecurID or RADIUS.
1. Go to Manage > Users and Administrators > New > User By Template > Default.
2. Enter the username as it appears in the default login field within the RSA Authentication Manager database.
3. Select Authentication from the left-hand tool bar.
4. From the drop-down box choose either SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK, then Close.

Configuring for External Users

In this section the Check Point security gateway is configured to authenticate all external users to the RSA Authentication Manager servers. An External User Profile is created that mandates RSA SecurID or RADIUS authentication for all users that do not have a Check Point user account.
External User Profiles

There are two different types of External User Profiles available in the Check Point product.

Match All Users: The Match All Users profile, with the profile name generic*, is limited to only one property set. Check Point applies the restrictions specified for an ordinary user in the User Properties tabs (for example, Groups). For authentication purposes Check Point uses the name typed in by the user instead of generic*. The external authentication server receives that user name and authenticates the user accordingly. Because any name the user types is forwarded, which users may log in is decided entirely by the RSA side, and the Groups assigned to the profile decide what they may reach; set both deliberately.

Match by Domain: The Match by Domain profile allows for more granularity in the user definition than is available with generic*. With this profile users are differentiated by their domain name: the user types a domain name as well as the username, and any domain name can be allowed.

The steps below configure an External Profile of type Match All Users.
1. Go to Manage > Users and Administrators > New > External User Profile > Match All Users.
2. The user generic* is created and a new window opens.
3. Select Authentication from the left tool bar.
4. From the drop-down box choose SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK, then Close.

Check Point Rule Configuration

Refer to the Check Point documentation for more information on configuration of the firewall rules and policies. A security policy consists of rules that define access control to and from the networks protected by Check Point Security Gateways. In the Desktop tab you define the client rules:
  - Inbound Rules control connections directed at the client machine.
  - Outbound Rules control connections initiated by the client machine.
Once a rule is added and the policy is installed, a user must be authenticated before access is granted to the service.
1. To add a rule, click the Add Rule at Bottom icon.
2. Right-click each field and choose the desired values.
3. To apply the rule, select Install Policy from the top menu bar.
In the Firewall tab you define the network traffic rules. Right-click to add an object.
Configuring Mobile Access
1. Navigate to Manage > Network Objects, select the gateway object and click Edit. On the General Properties screen check Mobile Access.
2. A configuration wizard launches. Select the access method for Mobile and click Next.
3. Add the portal URL (Gaia gateway appliance) and click Next.
4. Add a web site that you want your remote users to have access to and click Next.
5. Choose the Active Directory domain, or check "I don't want to use Active Directory now", and click Next.
6. Click Next and add a portal user. Additional users can be added later.
7. Verify that the information is correct and click Finish, or use the Back button to correct any errors.
Mobile Access Authentication
1. Go to Mobile Access > Authentication.
2. Select the gateway and click Edit.
3. On the Authentication for Mobile Access screen, select SecurID or RADIUS from the Authentication Scheme drop-down list.
4. Double-click the gateway appliance object (peo67 in the test environment).
5. Select IPsec VPN > VPN Advanced.
6. Make sure that Support NAT traversal is selected.
7. Select VPN Clients.
8. Check the client types you want to allow.
9. Select VPN Clients > Remote Access and make sure these settings are selected:
   a) Support NAT traversal, with the Allocated port set to VPN1_IPSEC_encapsulation.
   b) Support Visitor Mode, with https selected as the Service.
10. Select VPN Clients > Office Mode and configure these settings:
   a) Ensure Allow Office Mode to all users (or to a group) is selected.
11. Click Optional Parameters. The IP Pool Optional Parameters window opens.
12. Configure the Primary DNS Server and DNS suffixes, and set the IP lease duration to 15 minutes.
13. Click OK.

Configuring Mobile Access Policies
1. Select the Mobile Access tab > Policy. The Mobile Access wizard has already created your policy.
2. Verify that the Users field is set to the internal group you created that contains the generic* external profile.
3. From the main tool bar select Install Policy > OK.
Configure VPN Client on iOS Devices
1. Download the Check Point Mobile VPN application from the Apple App Store.
2. Tap the Check Point Mobile VPN icon.
3. Tap Sites in the upper right-hand corner.
4. Tap + to add a site.
5. The New Site screen opens.
6. Configure the VPN site Name and Server IP address.
7. Tap Create.
8. The Verify Server message opens.
9. Compare the displayed fingerprint with the fingerprint of the gateway's certificate, obtained out of band from the administrator, then tap Yes to accept the certificate. Accepting an unverified fingerprint lets an on-path attacker impersonate the gateway to the client.
10. The Authentication screen opens.
11. Select RSA SecurID from the Authentication Method choices.
12. Select the token type.
Note: To achieve software token automation, both the RSA SecurID Software Token and the RSA Authentication Client (RAC) are required. Please refer to the appropriate RSA documentation for additional information.
RSA SecurID Mobile Login Screens
13. Type in the user credential.
14. Tap Connect.
[Screenshots: User Defined New PIN; System-generated New PIN; Next Tokencode]
Certification Checklist for RSA Authentication Manager

Date Tested: 7/24/16

Certification Environment
  Product Name                 Version Information   Operating System
  RSA Authentication Manager   8.2                   Virtual Appliance
  Check Point Firewall         R77.30                Gaia
  Check Point Mobile VPN       1.458.251             iOS v9.3.2

RSA SecurID Authentication
Mandatory Functionality, recorded per client protocol (Native UDP, Native TCP, RADIUS):
  New PIN Mode
    Force Authentication After New PIN
    System Generated PIN
    User Defined (4-8 Alphanumeric)
    User Defined (5-7 Numeric)
    Deny 4 and 8 Digit PIN
    Deny Alphanumeric PIN
    Deny PIN Reuse
  Passcode
    16 Digit Passcode
    4 Digit Fixed Passcode
  Next Tokencode Mode
    Next Tokencode Mode
  On-Demand Authentication
    On-Demand Authentication
    On-Demand New PIN
  Load Balancing / Reliability Testing
    Failover (3-10 Replicas): No

RSA Authentication Manager Risk-Based Authentication Functionality, recorded per protocol (RSA Native Protocol, RADIUS Protocol):
  Risk-Based Authentication
  Risk-Based Authentication with SSO

Result legend: Pass / Fail / Non-Available Function
Known Issues

Important: On-Demand Authentication may not behave as expected in this release. This release does not enforce authentication after a new PIN is set via Native SecurID (the issue does not apply to RADIUS). As a result, On-Demand Authentication via Native SecurID in New PIN mode authenticates the user without the user ever entering a tokencode, which is effectively single-factor authentication for that login. The issue does not recur once the user's PIN has been set.

Appendix A  RSA SecurID Authentication Files

UDP Agent Files                Location
  sdconf.rec                   /var/ace, %SystemRoot%\system32\
  sdopts.rec                   Not tested
  Node secret                  /var/ace, System Registry
  sdstatus.12 / jastatus.12    /var/ace

TCP Agent Files (no locations recorded for this integration)
  rsa_api.properties
  sdconf.rec
  sdopts.rec
  Node secret

Partner Integration Details
  RSA SecurID UDP API
  RSA SecurID TCP API
  RSA Authentication Agent Type      Standard Agent
  RSA SecurID User Specification     All Users
  Display RSA Server Info            No
  Perform Test Authentication        No
  Agent Tracing                      No
Node Secret Removal

The node secret is the shared key that authenticates the agent to Authentication Manager. After it is removed on the agent it must also be cleared on the corresponding agent record in the Security Console, so that a new one is negotiated on the next authentication; otherwise the server still expects the old secret and authentication fails. Treat /var/ace and the registry key below as sensitive.

Windows Platform
1. To clear the node secret from a Windows host, launch regedit from the Run utility.
2. Navigate in the left-hand pane to HKEY_LOCAL_MACHINE\Software\ACECLIENT.
3. Select Node Secret and delete it.
4. Reboot the PC.

Gaia Platform
1. Log in to the CLI console and change to expert mode.
2. Change directory to /var/ace.
3. Delete the securid file: rm securid
4. Stop the Check Point services: cpstop
5. Start the Check Point services: cpstart

Appendix B  RADIUS Configuration

To configure Check Point for RADIUS, perform the following steps from the Check Point SmartDashboard.
1. Select Manage > Servers and OPSEC Applications.
2. Select New > RADIUS.
3. Enter the Name, Host and Shared Secret of the RADIUS connection.
4. Select the service type NEW-RADIUS to use port 1812.
5. Click OK, then Close.
6. Select Manage > Users and Administrators.
7. Edit the generic* user account.
8. Select Authentication from the left tool bar and change the Authentication Scheme to RADIUS.
9. Set the RADIUS Server or Group of Servers setting to the RADIUS connection created in step 3.
10. Exit the User Profile Properties window.
11. Select Manage > Policy > Global Properties.
12. Select SmartDashboard Customization from the list of options.
13. Under the Advanced Configuration option, select the Configure button.
14. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
15. Modify the radius_ignore setting, changing the default value of 0 to 76 (attribute 76 is the RADIUS Prompt attribute defined in RFC 2869).
16. Save the settings and select Policy > Install from the SmartDashboard.
17. Complete the configuration by selecting OK to install the policy.

The shared secret is the only key protecting the RADIUS exchange: the User-Password attribute is hidden with an MD5 keystream derived from it, and the Response Authenticator that proves a reply came from Authentication Manager is an MD5 over the packet and the secret. Use a long random secret, a different one for each RADIUS client, and keep RADIUS traffic on a trusted management network.
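The exchange that the RADIUS server configuration earlier in the guide and the steps in this appendix set up, as an added example (not Check Point or RSA code): a RADIUS client builds an Access-Request with the User-Password hidden as RFC 2865 describes, verifies the Response Authenticator on every reply with the shared secret, and, when the server answers with an Access-Challenge (the Next Tokencode and New PIN prompts SecurID uses), echoes the State attribute back in a second Access-Request. The client skips attributes listed in ignore_attrs, which is how the radius_ignore setting of 76 (the Prompt attribute) is read here. The server is a constructed toy stand-in for Authentication Manager that treats the passcode as PIN + tokencode and always asks for a next tokencode; the shared secret, user name, PIN, tokencodes and NAS address are made up, and no Message-Authenticator attribute is used.

```python
import hashlib, hmac, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE, PROMPT = 1, 2, 4, 18, 24, 76

def encode_attrs(attrs):
    """RADIUS TLVs: type, length (including this 2-byte header), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse TLVs, rejecting a length that would run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def xor_chain(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], mask))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def obfuscate_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("password too long")
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def reveal_password(cipher, secret, authenticator):
    return xor_chain(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad packet length")
    return code, ident, data[4:20], decode_attrs(data[20:])

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def access_request(ident, secret, username, password, nas_ip, state=None):
    """Client side: fresh random Request Authenticator, hidden password, State echoed back on a challenge."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, obfuscate_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def verify_reply(data, req_auth, secret):
    """Client side: a reply whose Response Authenticator does not verify was not made with our secret."""
    code, ident, resp_auth, attrs = parse_packet(data)
    if not hmac.compare_digest(response_authenticator(code, ident, req_auth, attrs, secret), resp_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code, attrs

def securid_server(data, secret, pin, tokencodes):
    """Constructed stand-in for the Authentication Manager RADIUS side: passcode = PIN + tokencode,
    and a correct passcode is answered with a Next Tokencode challenge carrying State and Prompt (76)."""
    code, ident, req_auth, attrs = parse_packet(data)
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    if a.get(STATE) == b"NEXT_TOKENCODE":
        code, reply = (ACCESS_ACCEPT if password == tokencodes[1] else ACCESS_REJECT), []
    elif password == pin + tokencodes[0]:
        code, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Wait for the tokencode to change, then enter the new tokencode:"),
                                         (STATE, b"NEXT_TOKENCODE"), (PROMPT, b"\x00\x00\x00\x01")]
    else:
        code, reply = ACCESS_REJECT, []
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, reply, secret), reply)

def client_login(server, secret, username, passcode, next_tokencode, nas_ip="10.0.0.1", ignore_attrs=frozenset({PROMPT})):
    """Drive one login against a server callable. Attributes in ignore_attrs are not acted on, mirroring
    radius_ignore=76 (Prompt). Returns (final reply code, Reply-Message prompts shown, Prompt echo flag or None)."""
    req, req_auth = access_request(1, secret, username, passcode, nas_ip)
    code, attrs = verify_reply(server(req), req_auth, secret)
    prompts, echo = [], None
    if code == ACCESS_CHALLENGE:
        kept = [(t, v) for t, v in attrs if t not in ignore_attrs]
        prompts = [v.decode() for t, v in kept if t == REPLY_MESSAGE]
        echo = next((v != b"\x00" * 4 for t, v in kept if t == PROMPT), None)
        state = next((v for t, v in kept if t == STATE), None)
        req, req_auth = access_request(2, secret, username, next_tokencode, nas_ip, state=state)
        code, attrs = verify_reply(server(req), req_auth, secret)
    return code, prompts, echo
```

A full login is `client_login(lambda p: securid_server(p, secret, pin, codes), secret, b"jdoe", pin + codes[0], codes[1])`, which returns ACCESS_ACCEPT. With a different secret on the two sides, verify_reply raises instead of returning a forged or mis-keyed Access-Reject, which is the check a client must make before trusting any RADIUS reply; the decode_attrs length check is what keeps a malformed challenge from reading past the packet.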
Appendix C  Check Point Remote Access Clients

Endpoint Security VPN
  Purpose: Secure connectivity with centrally managed desktop firewall & compliance checks
  Replaces client: SecureClient NGX R60, Endpoint Connect R73

Check Point Mobile for Windows
  Purpose: Secure connectivity & compliance checks
  Replaces client: Endpoint Connect R73

SecuRemote
  Purpose: Basic secure connectivity
  Replaces client: SecuRemote NGX R60

SSL Network Extender

To avoid the overhead of installing and maintaining client software, Check Point also provides the SSL Network Extender, a simple-to-implement thin client installed on the user's machine via a web browser. The browser connects to an SSL-enabled Check Point Security Gateway and downloads the thin client as an ActiveX component or Java applet. If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPSec VPN. In this case, SSL Network Extender is configured through the Mobile Access blade.