
Symantec™ Validation & ID Protection Service

Integration Guide for Check Point® VPN


Symantec VIP Integration Guide for Check Point VPN

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Last updated March 27, 2015

Legal Notice

Copyright © 2015 Symantec Corporation. All rights reserved

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. This document may describe features and/or functionality not present in your software or your service agreement. Contact your account representative to learn more about what is available with this Symantec® product.

Symantec Corporation

350 Ellis Street Mountain View, CA 94043

http://www.symantec.com

https://www.symantec.com/contactsupport


Contents

Chapter 1 Introduction ... 1
  Partner Information ... 1
  Integration Summary ... 1
  Remote Access Integration Architecture ... 2
    Authentication Method: User Name–Password–Security Code or User Name–Password–Security Code (Access Challenge Mode) ... 2

Chapter 2 Installing and Configuring ... 5
  Installing and Configuring VIP Enterprise Gateway ... 5
  Configuring Check Point VPN ... 5
    Task 1. Configuring Check Point Mobile Access/SSL VPN Blades ... 6
    Task 2. Configuring Firewall Blade ... 13
    Task 3. Configuring IPSec–VPN Blade for SecuRemote/SecureClient ... 14

Chapter 3 Integrating VIP Intelligent Authentication With Check Point VPN ... 19
  Configuring Intelligent Authentication with VIP Components ... 19
  Configuring Check Point VPN Login Page with Intelligent Authentication Code ... 19

Appendix A Customizing Login Page for the SSL VPN Portal ... 21


Chapter 1 Introduction

VIP Integration Guide for Check Point VPN describes how to integrate Check Point VPN with VIP Enterprise Gateway.

This chapter includes the following topics:

“Partner Information” on page 1

“Integration Summary” on page 1

“Remote Access Integration Architecture” on page 2

Partner Information

Table 1-1 Partner Information

Partner Name          Check Point®
Product Name          Check Point VPN
Product Description   SSL VPN/Mobile Access Software Blade
                      Firewall Software Blade
                      IPSec VPN Software Blade

Integration Summary

Table 1-2 Supported Features–Integration Summary

VIP Features                                               Support
Multi-domain                                               Yes
Anonymous user name                                        Yes
Support for AD/LDAP password via VIP Enterprise Gateway    Yes
Support for VIP PIN authentication                         No
Support for Push authentication                            Yes
Support for SMS authentication                             Yes
Support for Voice authentication                           Yes
End user based for selective strong authentication         No
Risk based for selective strong authentication             Yes
Legacy authentication provider integration (delegation)    Yes
VIP JavaScript                                             Yes
VIP Login                                                  No
RADIUS – Native                                            Yes

Remote Access Integration Architecture

Authentication Method: User Name–Password–Security Code or User Name–Password–Security Code (Access Challenge Mode)

The following diagram illustrates how the User Name–Password–Security Code authentication method is configured for Check Point VPN and VIP Enterprise Gateway.

Figure 1-1 Authentication Process for User Name–Password–Security Code or User Name–Password–Security Code (Access Challenge Mode)


1 The user enters a user name, password, and a security code.

2 As the first part of the two-factor authentication process, Check Point VPN sends the user name, password, and the security code to the Validation Service.

3 The Validation Service authenticates the user name and the password against the user store that you use. For example, if AD/LDAP is the user store, the Validation Service authenticates the user name and the password against AD/LDAP.

4 If the Validation Service authenticates the user name and the password against the user store, the user store returns the group permission details and the authentication response to Check Point VPN.

5 As the second part of the two-factor authentication process, the Validation Service authenticates the user name and the security code with the VIP Authentication Service. If the user name and the security code are successfully authenticated, the Validation Service returns an Access Accept Authentication response to Check Point VPN.

6 Based on this Access Accept Authentication response, the user is authenticated.
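The two validation modes that steps 1 to 6 describe (password and security code sent together, or the security code requested through an Access Challenge once the password has been verified), modelled as an added Python example. This is not Symantec or Check Point code: the user store, the security codes, the group names and the State values are constructed sample data, and in a real deployment the VIP Authentication Service verifies the security code remotely.

```python
"""Model of the VIP Enterprise Gateway Validation Service decision flow.
Constructed example: USER_STORE stands in for AD/LDAP (first factor) and
VIP_CODES for the VIP Authentication Service (second factor)."""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional
import secrets

USER_STORE = {"alice": {"password": "Winter2015!", "groups": ["VPN-Users"]}}
VIP_CODES = {"alice": "482913"}   # a real security code is one-time
CODE_LEN = 6                      # length of the security code the user types


@dataclass
class Response:
    code: str                     # Access-Accept / Access-Reject / Access-Challenge
    attrs: dict = field(default_factory=dict)


def _equal(expected: str, supplied: str) -> bool:
    # Constant-time comparison so a reject does not leak how far it matched.
    return compare_digest(expected.encode(), supplied.encode())


class ValidationService:
    """mode="combined": password and security code arrive in one Access-Request
    (User Name–Password–Security Code).
    mode="challenge": the password is checked first, then an Access-Challenge
    asks for the security code (Access Challenge Mode)."""

    def __init__(self, mode: str) -> None:
        if mode not in ("combined", "challenge"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.pending: dict = {}   # State value -> user awaiting a security code

    def _first_factor(self, user: str, password: str) -> bool:
        entry = USER_STORE.get(user)
        return entry is not None and _equal(entry["password"], password)

    def _second_factor(self, user: str, code: str) -> bool:
        return user in VIP_CODES and _equal(VIP_CODES[user], code)

    def _accept(self, user: str) -> Response:
        # The Class attribute carries the LDAP groups; Check Point maps each
        # value to a user group named RAD_<Group Name>.
        return Response("Access-Accept", {"Class": list(USER_STORE[user]["groups"])})

    def access_request(self, user: str, password: str,
                       state: Optional[str] = None) -> Response:
        if state is not None:
            # Second round of Access Challenge Mode: "password" holds the code.
            # The State value is consumed whether or not the code is right.
            if self.pending.pop(state, None) != user or not self._second_factor(user, password):
                return Response("Access-Reject")
            return self._accept(user)
        if self.mode == "combined":
            # The user typed the password immediately followed by the code.
            if len(password) <= CODE_LEN:
                return Response("Access-Reject")
            pwd, code = password[:-CODE_LEN], password[-CODE_LEN:]
            if self._first_factor(user, pwd) and self._second_factor(user, code):
                return self._accept(user)
            return Response("Access-Reject")
        # Access Challenge Mode, first round: only the password is checked here.
        if not self._first_factor(user, password):
            return Response("Access-Reject")
        state = secrets.token_hex(8)
        self.pending[state] = user
        return Response("Access-Challenge",
                        {"State": state, "Reply-Message": "Enter Your Security Code"})
```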


Chapter 2 Installing and Configuring

This chapter describes how to configure Check Point VPN for two-factor authentication through VIP Enterprise Gateway.

The installation and configuration process involves the following steps:

“Installing and Configuring VIP Enterprise Gateway” on page 5

“Configuring Check Point VPN” on page 5

Installing and Configuring VIP Enterprise Gateway

To install and configure VIP Enterprise Gateway, complete the following steps:

1 Install and configure VIP Enterprise Gateway. For more information, see VIP Enterprise Gateway Installation and Configuration Guide.

2 Add the Validation Server in one of the following modes, based on your requirement:

User Name–Password–Security Code

User Name–Password–Security Code (Access Challenge)

Configuring Check Point VPN

To configure Check Point VPN, complete the following tasks:

“Task 1. Configuring Check Point Mobile Access/SSL VPN Blades” on page 6.

“Task 2. Configuring Firewall Blade” on page 13.

“Task 3. Configuring IPSec–VPN Blade for SecuRemote/SecureClient” on page 14.

For additional information on configuring Check Point VPN, see Check Point Firewall Administrator Guide.

Note: The screen-shots in the procedures are from Check Point VPN Blade (Version R77.20) on the Gaia operating system. For specific screen-shots and procedures, refer to the product documentation that matches your version of the Check Point device.


Task 1. Configuring Check Point Mobile Access/SSL VPN Blades

To configure Check Point Mobile Access/SSL VPN Blades, complete the following procedures:

“Adding the RADIUS Authentication Server” on page 6

“Authorizing Users Based on LDAP User Groups” on page 8

“Configuring Policies for Mobile Access/SSL VPN” on page 10

“Testing an End User” on page 11

Note: The procedures Adding the RADIUS Authentication Server and Authorizing Users Based on LDAP User Groups are common for the configuration of SSL VPN/Firewall/IPSec VPN Blades. Therefore, any changes for the Mobile Access configuration must also be made for the Firewall or the IPSec VPN configurations.

For more information on configuring Check Point SSL VPN, see Check Point SSL VPN Administrator's Guide.

Adding the RADIUS Authentication Server

To add the RADIUS Authentication Server, complete the following steps:

1 In the Check Point SmartDashboard console, select Manage > Network Objects. The Network Objects dialog box is displayed.

2 Select your gateway object and click Edit. The Check Point Gateway dialog box is displayed.

3 In the left pane, click Mobile Access > Authentication.

Figure 2-1 Enabling the RADIUS Authentication Option


4 In the right pane, in the Authentication for Mobile Access section, edit the following fields:

a Select the Authentication Method as RADIUS.

b Click the ... button next to RADIUS to select the RADIUS server.

c Click New and then select RADIUS to create the new RADIUS server properties. The RADIUS Server Properties–VIP dialog box is displayed.

5 In the General tab, edit the following fields:

a In the Name field, enter the name of the server.

b In the Comment field, add a comment, if required.

c In the Host field, click New to create a host for the RADIUS server. The Host Node–RADIUS_SERVER dialog box is displayed.

6 In the Machine section, edit the following fields:

a In the Name field, enter the name of the host.

b In the IP Address field, enter the IP address of the RADIUS server that is defined in the VIP Enterprise Gateway and click OK. The Host Node–RADIUS_SERVER dialog box closes.

Figure 2-2 Adding the RADIUS Server

Figure 2-3 Adding the RADIUS Server Host Node


7 In the RADIUS Server Properties–VIP dialog box (Figure 2-2), edit the remaining fields:

a In the Service field, select NEW-RADIUS if the RADIUS server is configured on port 1812 or select RADIUS if the RADIUS server is configured on port 1645.

Note: To add a custom port, navigate to Manage > Services in the Check Point SmartDashboard console. Then, select UDP services, and NEW-RADIUS/RADIUS service. Edit the port number as required for the VIP Enterprise Gateway server.

b In the Shared Secret field, enter the Shared Secret password. Ensure that you enter the same shared secret value which is used in VIP Enterprise Gateway Validation server.

c In the Version field, select RADIUS Ver. 2.0 Compatible.

d In the Protocol field, select PAP.

e In the Priority field, specify a number that indicates the priority that is assigned to the RADIUS server and then click OK. The RADIUS Server Properties–VIP dialog box closes.

8 In the Check Point Gateway dialog box (Figure 2-1), click OK to complete the configuration of the RADIUS authentication server.

Authorizing Users Based on LDAP User Groups

This section explains how you can authorize users based on LDAP user groups.

To add the external user groups, complete the following steps:

1 In the Check Point SmartDashboard console, select Manage > Users and Administrators. The Users and Administrators dialog box is displayed.

2 Click New and from the list, select External User Profiles > Match all users. A profile named Generic is automatically created. Add a comment to this profile, if required. The External User Profile Properties dialog box is displayed.

3 In the left pane, select Authentication.

4 In the right pane, for the Authentication Scheme field, select RADIUS.

Figure 2-4 Adding the External User Profile


5 In the Select a RADIUS Server or Group of Servers field, select the RADIUS server that you have created and click OK.

6 In the Check Point SmartDashboard console, select Manage > Users and Administrators. The Users and Administrators dialog box is displayed.

7 Click New and then select User Group.

8 In the Group Properties dialog box, enter the name of the group as RAD_<Group Name>, where <Group Name> must be the same as the name of the group that the Class Attribute of the RADIUS server returns.

9 Ensure that the group that you have created is empty and then click OK.

By default, Check Point RADIUS servers return CLASS attribute (25). To use a different attribute instead of the CLASS attribute, do the following:

On the Security Gateway, use GUIdbEdit to modify the value of the radius_groups_attr attribute to the new RADIUS attribute.

On the RADIUS server, ensure that you use the same RADIUS attribute.

10 Configure the RADIUS–LDAP group mapping in the VIP Enterprise Gateway Validation Server to return the LDAP groups to Check Point VPN. For more information on this task, see VIP Enterprise Gateway Installation and Configuration Guide.

11 In the GUIdbEdit (Check Point Database tool), navigate to Table > Global properties > Properties, select firewall_properties in the right pane (Figure 2-6) and modify the value of the add_radius_groups field to true. This setting enables the RADIUS-LDAP Group Mapping.

Figure 2-5 Creating User Groups
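The gateway side of steps 8 to 11, as an added Python example that is not Check Point code: it parses the attribute section of a RADIUS Access-Accept, collects the group attribute (Class, type 25, by default; passing another attribute number stands in for a changed radius_groups_attr) and derives the RAD_<Group Name> user groups the policy refers to. The sample Access-Accept attributes and the policy group set are constructed.

```python
"""Parse RADIUS attributes and derive Check Point RAD_<Group Name> groups.
Constructed example; the real gateway does this internally."""
from typing import List, Set, Tuple

ATTR_CLASS = 25            # RADIUS Class attribute, the Check Point default
ATTR_REPLY_MESSAGE = 18
RADIUS_GROUP_PREFIX = "RAD_"


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute section into (type, value) pairs.
    Each attribute is Type (1 byte), Length (1 byte, covers type and
    length) and Value; malformed lengths are rejected, not skipped."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def radius_groups(payload: bytes, groups_attr: int = ATTR_CLASS) -> List[str]:
    """Map every value of the group attribute to the RAD_<Group Name> form
    that the Check Point user group must be named with (step 8)."""
    names = []
    for atype, value in parse_attributes(payload):
        if atype != groups_attr:
            continue
        try:
            group = value.decode("utf-8")
        except UnicodeDecodeError:
            continue   # Class is opaque; a non-text value cannot name a group
        names.append(RADIUS_GROUP_PREFIX + group)
    return names


def authorized_groups(payload: bytes, policy_groups: Set[str],
                      groups_attr: int = ATTR_CLASS) -> List[str]:
    """Returned groups that a Mobile Access policy rule actually refers to."""
    return [g for g in radius_groups(payload, groups_attr) if g in policy_groups]


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Build one attribute; used only to construct the sample below."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attributes: two Class values and a Reply-Message.
SAMPLE = (encode_attribute(ATTR_CLASS, b"VPN-Users")
          + encode_attribute(ATTR_REPLY_MESSAGE, b"Welcome")
          + encode_attribute(ATTR_CLASS, b"Finance"))
```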


Configuring Policies for Mobile Access/SSL VPN

To configure policies for Mobile Access/SSL VPN, complete the following steps:

1 In the Check Point SmartDashboard console, click the Mobile Access tab.

2 In the left pane, click Policy.

3 In the right pane, under the table that displays the policies, right-click and select New Rule.

4 Right-click on All users, and select the Group that you want to add in the policy (for example, RAD_<Group Name>).

5 Select the remaining options based on your requirements.

6 Save the changes and click Install Policy to install the policy.

Figure 2-6 Enable the Adding of RADIUS Groups

Figure 2-7 Adding Policy to Each User Group


Testing an End User

This section explains how you can test an end user for both the authentication methods: User Name – Password – Security Code and User Name – Password – Security Code (Access Challenge Mode).

For the User Name – Password – Security Code Authentication Method:

To test an end user for the User Name – Password – Security Code authentication method, complete the following steps:

1 Access the Check Point SSL VPN portal. The Check Point sign-in page is displayed.

2 In the User name field, enter your user name.

3 In the Password field, enter your password along with the security code, and then click Sign In.

Note: In the Login page, you can change the Password label name to Password + Security Code. To customize the login label, see “Customizing Login Page for the SSL VPN Portal” on page 21.

For the User Name – Password – Security Code (Access Challenge Mode) Authentication Method:

To test an end user for the User Name – Password – Security Code (Access Challenge Mode) authentication method, complete the following steps:

1 Access the Check Point SSL VPN portal. The Check Point sign-in page is displayed.

Figure 2-8 SSL VPN Portal Sign-in Page for the User Name–Password–Security Code Authentication Method


2 In the User name field, enter your user name.

3 In the Password field, enter your password, and then click Sign In.

If the credentials are correct, you are directed to Access Challenge Mode.

4 In the Enter Your Security Code field, enter the security code and then click Submit.

Figure 2-9 SSL VPN Portal Sign-in Page for the User Name - Password - Security Code (Access Challenge Mode) Authentication Method

Figure 2-10 Enter the RADIUS Response for the User Name–Password–Security Code (Access Challenge Mode) Authentication Method


Task 2. Configuring Firewall Blade

The Check Point firewall has three types of Authentication Rules as an Action:

User Authentication

Client Authentication

Session Authentication

User Authentication

The protection is based on a user attempting access. This type of protection does not rely on a source IP address. A sample rule for User Authentication is displayed in the following figure.

Client Authentication

The protection is based on the client attempting access. This type of protection relies on a source IP address. A sample rule for Client Authentication is displayed in the following figure.

Session Authentication

The protection is based on a client session. This type of protection requires additional software to be installed on the client system. A sample rule for Session Authentication is displayed in the following figure.

1 In the Check Point SmartDashboard console, under the Firewall tab, select the appropriate action and create the policy.

2 Select Policy > Install to save and install the policy.

3 In Windows, open the command prompt and telnet to the Gateway IP address to verify the implementation of the authentication rule.

Figure 2-11 Adding the Firewall Rule for User Authentication

Figure 2-12 Adding the Firewall Rule for Client Authentication

Figure 2-13 Adding the Firewall Rule for Session Authentication


Task 3. Configuring IPSec–VPN Blade for SecuRemote/SecureClient

To configure IPSec–VPN Blade for SecuRemote/SecureClient, complete the following steps:

1 In the Check Point SmartDashboard console, click the IPSec VPN tab.

2 In the left pane, click Gateways and in the right pane, double-click the gateway to open it. The Check Point Gateway dialog box is displayed.

3 In the left pane, select VPN Clients > Authentication.

4 For the Authentication Method, select RADIUS and then select the Symantec VIP validation server.

5 Configure the remaining options as per your requirements.

6 Save the changes and apply the policy.

Figure 2-14 Testing Firewall Rule (Client Authentication)

Figure 2-15 Add the Policy Server to the Users


Client Configuration and Testing the End User Using SecuRemote/SecureClient

1 Install the Check Point SecuRemote/SecureClient NGX client on your system.

2 In the Site Wizard, in the Server Address/Name field, provide the IP address or the host name of the Gateway and click Next. The Authentication Method dialog box is displayed.

3 Select User name and Password and then click Next. The User Details dialog box is displayed.

4 Provide the user name and the password and then click Next.

If the credentials are correct, the site is configured. The users can use the site now.

For the User Name – Password – Security Code Authentication Method:

In the Check Point VPN SecureClient Connection dialog box, perform the following steps:

1 In the User name field, enter the user name.

2 In the Password field, enter the password along with the security code and then click Connect.

The user is authenticated through RADIUS authentication. If the credentials are correct, the user is successfully authenticated (Figure 2-20).

Figure 2-16 Selecting the Authentication Method

Figure 2-17 SecureClient Login Page for the User Name - Password - Security Code Authentication Method


For the User Name – Password – Security Code (Access Challenge Mode) Authentication Method:

In the Check Point VPN SecureClient Connection dialog box, perform the following steps:

1 In the User name field, enter the user name.

2 In the Password field, enter the password and then click Connect.

If the credentials are correct, the user is directed to Access Challenge Mode.

3 In the Response field, enter the security code and then click Connect.

The user is authenticated.

Figure 2-18 SecureClient Login dialog box for the User Name–Password–Security Code (Access Challenge Mode) Authentication Method

Figure 2-19 SecureClient Access Challenge dialog box


Figure 2-20 Successful SecureClient Connection


Chapter 3 Integrating VIP Intelligent Authentication With Check Point VPN

This chapter describes how to integrate VIP Intelligent Authentication (IA) with Check Point VPN.

This chapter includes the following topics:

“Configuring Intelligent Authentication with VIP Components” on page 19

“Configuring Check Point VPN Login Page with Intelligent Authentication Code” on page 19

Note: Before starting the IA integration, you must complete the Check Point integration with VIP Enterprise Gateway.

User Name–Password–Security Code (Access Challenge Mode) does not support IA JavaScript integration.

Configuring Intelligent Authentication with VIP Components

You must configure Intelligent Authentication with VIP Manager.

For more information on configuring IA with VIP Manager, see Symantec VIP Intelligent Authentication Enterprise Integration Guide (IA_Enterprise_Integration.pdf) in VIP Manager.

Configuring Check Point VPN Login Page with Intelligent Authentication Code

This section describes the process to include VIP IA JavaScript functions into Check Point VPN login page

using the authentication method User Name – Password – Security Code.

1 Log in to your account in VIP Manager.

2 Under the Links column on the right side of the VIP Manager page, select VIP Policy Configuration.

3 Select the Account tab.

4 Select the Edit link.

5 In the VIP Integration Code for JavaScript section, click the VIP Integration Code for JavaScript link.

6 In the VIP Integration Code for JavaScript page do the following:

In the Method field, select Simplified.

In the SSP IDP proxy URL field, enter the Self Service Portal IDP Proxy URL or SSP IDP URL. This URL authenticates the first factor and provides additional out-of-band authentication options.

Examples: https://<Your_SSP_IDP_Proxy_URL>/dmzssp/DmzListener

https://<Your_SSP_IDP:Port>/vipssp/login

7 Click Generate VIP Integration Code to generate the VIP IA integration JavaScript.


8 Copy the VIP integration code that is generated to the Check Point LoginPage.php file. The Login Page is typically located at /opt/CPcvpn-<Check Point_version>/phpincs/LoginPage.php

9 Save the changes.

10 Restart the Check Point service.


Appendix A Customizing Login Page for the SSL VPN Portal

This appendix describes how you can customize the Password field label name for the SSL VPN Portal, as displayed in Figure 2-8.

To customize the Password field label name, complete the following steps:

1 SSH to the Gateway IP, or go to the Command Line Interface (CLI) through the console.

2 Navigate to /opt/CPcvpn-<Check Point_version>/phpincs/

3 Open the Strings.en_US.php (English version) file using the VI Editor.

4 Navigate to the //MailSettings +EditMail Settings section, check for the line "PASSWORD" => "Password", and modify it to "PASSWORD" => "Password + Security Code".

5 Save the file.
