Checkpoint SSL VPN Integration
Last updated
Last updated
This guide explains the configuration of multi-factor authentication (MFA) for Check Point appliance with Mirket. It also includes instructions to configure your Check Point appliance for integration with Mirket.
Prior configuration and deployment of Check Point appliance are required before setting up MFA with Mirket. Check Point appliance offers various MFA configuration modes. In this integration, we've configured RADIUS authentication with Mirket.
The integration was tested using R77.20.87 (990172929) on the Check Point 770 Appliance.
Before proceeding with these procedures, ensure the following:
You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).
Access the Check Point Appliance web UI using https://<IP address of Check Point appliance:4434>
Set up the Check Point interfaces. To configure the interfaces, check the Check Point documentation for instructions.
For RADIUS authentication in Check Point appliance, you'll need to configure the settings for a RADIUS server (the Mirket server ip address).
Access the Check Point Appliance web UI using https://<IP address of Check Point appliance:4434>.
Go to Users & Objects > Users Management > Authentication Servers. Then click on Configure to configure the RADIUS server.
Input the IP address of the Mirket (Radius Server) in the IPv4 Address field.
Input the port number for communication with the Mirket (Radius Server) in the Port field. The default ports are 1812 and 1645.
Input 60 in the Timeout (seconds) field. Then click on Apply to confirm settings.
Go to VPN > Remote Access > Blade Control. Then select the "On" option to activate Remote Access. Then click on Apply to confirm settings.
Go to VPN > Remote Access > Authentication Servers. Then click on the "permissions for RADIUS users" option.
Check the Enable RADIUS authentication for User Awareness, Remote Access and Hotspot checkboxes. Then click on Apply to confirm settings.
Go to VPN > Remote Access > Advanced.
Enter a network value or keep the default value in the Office Mode Network field. For this instance, we'll choose to keep the default value.
Enter a network subnet value or keep the default value in the Office Mode Subnet field. For this instance, we'll choose to keep the default value.
Click on Apply to confirm settings.
A policy should be configured for VPN remote access, allowing users to access the VPN.
Go to Access Policy > Firewall > Policy.
Check that the system has generated a VPN Remote Access policy within the Incoming, Internal and VPN traffic list.
To enable Mirket to receive authentication requests from Check Point, follow these steps:
Define Check Point appliance as a RADIUS client resource within Mirket.
Create an authentication policy for the Check Point RADIUS client resource or include it in an existing authentication policy.
Attach the Check Point resource to the Mirket Radius.
Before starting, ensure that you have installed NPS (Network Policy Server) from Server Manager. Once installed, open the Network Policy Server. To add a Radius Client to the NPS, follow these steps:
Click on the 'Radius Clients and Server' folder and select the 'Configure Radius Clients' option.
Hover over the 'Radius Clients' option, right-click using the mouse, and select New.
In the window that appears, assign a name to your Radius Client in the Friendly Name section.
Enter the IP address of your firewall in the Address (IP or DNS) section.
Select either the 'Manual' or 'Generate' option to enter your secret key in the Secret Key section.
Click OK to confirm settings.
To set up multifactor authentication, make sure you have at least one user group in Mirket.
If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.
If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.
Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).
First, you should follow these steps:
Select Rules > Radius Rules.
Click on Add New.
Enter a rule name in the Name field.
Enter the rule description in the Description field.
Select the group to which the rule applies from the Group dropdown list.
Select the provider to which the rule applies from the Provider dropdown list.
Select the authorization profile to which the rule applies from the Authorization dropdown list.
Click on Save to confirm settings.
To validate the integration between Mirket MFA and your Check Point appliance, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.
In this example, we illustrate the use of the Approve/Deny authentication method.
Launch the Check Point Endpoint Security client application. Then click on the VPN client icon in the taskbar and select Connect to.
Choose the public IP address of the Check Point appliance from the Site dropdown list.
Enter your Mirket username in the Username field.
Input your password in the Password field.
Click on Connect. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.
Input a shared secret key to communicate with the RADIUS server (Mirket Radius) in the Shared Secret field. In Mirket use this same secret key when .
