Check Point SAML Auth for Remote Access VPN

Captions
Hey everybody, how's it going? Hope everybody's having a great day. Today we're going to be looking at how to set up SAML authentication for Remote Access VPN in a Check Point environment. A quick note: this has been available for a bit of time now on R80.40. For this demonstration I'll be doing the configuration on R81, as we have had further Azure AD integrations in R81, and so it actually makes it significantly easier and you don't have to do a couple of workaround steps that were required in 80.40. Before we get started, I'll be going ahead and dropping the relevant SKs in the comments below. Without further ado, let's go ahead and jump into it.

So first things first: for us to pull the Azure AD environment into the Check Point SmartConsole, we're going to have to go ahead and create ourselves an enterprise application. To do that, let's go ahead and navigate to Azure Active Directory from within your Azure environment and navigate to Enterprise applications over here on the left. Okay, I have a couple of things here already created, just doing some testing, but let's go ahead and create a new application. From this section here let's go to "Create your own application," and we're going to do non-gallery, which by default is the radio button that's selected. I'm just going to call this azure cp; you can name it really anything you want, it doesn't matter. All right, the application has been added successfully.

So the first thing we want to do really quick is go ahead and grant it some additional API permissions. To do that, let's navigate back to our Azure AD default directory, and we're going to change from Enterprise applications now to App registrations. By default you're not the owner of the application that you just created, so you're going to have to navigate to All applications here, and we can see azure cp has now popped up. If you guys for whatever reason want to have it in that Owners section, you can simply navigate over to the left-hand side here and just add yourself as an owner, and then it'll show up there. Okay, so let's go ahead and configure the API permissions. Let's add a permission here: it's going to be Microsoft Graph, and it's going to be an application permission, and it's going to be three specific ones that we need. It's going to be Device.Read.All, so scroll down here. Okay, it's going to be Group.Read.All, so let's go to Group.Read.All, and the last one is going to be User.Read.All. All right, add these three permissions, looks good, and then we also have to grant admin consent for your Azure AD, so go ahead and click on Yes, and there we go, it's granted.

So while we're here, we're also going to go ahead and configure Certificates & secrets. Let's go ahead and give it a description, if you want to call it azure cp again, give it whatever expiration date you'd like, and click on Add. The application key that we're going to use I believe is this first value; I'll copy the second one just in case. But go ahead and pop open a Notepad and just take down these values here. So again, this is referred to as the application key in Check Point. I'll take this one just in case.

All right, so now we actually just need to go ahead and grab the information back from the enterprise application section. So let's go back here and navigate to azure cp, and what we're going to need here is the application ID. I'm sorry, why are we here? Oh, I'm sorry, I think I have to go back to that registration, yeah, sorry about that. So we're going to want the directory ID for the tenant ID, and we also need the application ID; we don't need the object ID here. So let's go ahead and grab this, okay, and the directory (tenant) ID. All right, so we got those, and then we have the application key, the API permissions have been set up, and that should be pretty much good to go.

So let's go ahead and pop over to SmartConsole. I'm going to go ahead and split this into two here for you guys, and we can see here I already have this one set up, but we'll go ahead and configure a new one. It's going to be Azure AD, so you can go New > More > User/Identity > Azure AD. I'll call this azure cp, and we'll go ahead and take that app ID. We're going to use the application key, which is that certificate token that we set up, and then of course the directory ID. So let's go ahead and test the connection; we can see that it worked. So let's go ahead and click on OK, and it's going to give you this little pop-up: "Azure AD currently only supports user authorization. To allow user authentication as well through Azure, create a dedicated SAML identity provider object and configure it in the gateway's browser-based authentication settings." So that's what the second part of the video pretty much will be. Go ahead and click on OK, and now you can see that you have the azure cp object, essentially the identity provider object. This is what hooks in via API into your Azure environment to be able to read the user directory; those are the API permissions that we set up. And just to remove any conflicts, I'm just going to remove this one that we just created and just use the existing one that I already had.

All right, now let's go ahead and move on. For the second part we're going to have to create the SAML authentication object, which is going to be located here under Identity Provider, under the User and Identity section. You can see I have a couple here already created, but we'll walk through creating a new one as well. So now let's go ahead and pop back over to our Azure AD environment, back over to Enterprise applications, and we're going to create a new application. We want to change Single sign-on from All to SAML, and from here essentially you can pretty much use any of them, but let's go ahead and use the correct one here, which is Check Point Remote Secure Access VPN. Okay, go ahead and click on Create. All right, the application has been created successfully, and so from this section what you want to do is navigate over to Single sign-on, go to SAML, and from here we're going to go ahead and grab these from SmartConsole.

So let's go ahead and create a new identity provider. I'm just going to call it azure_vpn; it has to be one word, you can't do any spaces or anything. We have the gateway, and then the service is going to be Remote Access VPN. This section shows only if you have the proper jumbo hotfix applied for R81, which is ongoing Take 42 I believe. All right, so we're going to go ahead and grab these: the Identifier (Entity ID) as well as the Reply URL. So this first one's going to go here; you can go ahead and just replace this. Let's go ahead and do this... too late for that, let's just click on that one. And this is going to be the Reply URL, same as it shows here, so it's easy to locate that. And then the Sign on URL: as you can see here, the pattern is basically what we've been putting except without the stuff at the end, so you can pretty much just copy this and put it there. All right, so now the SSO sign-on configuration was saved successfully. Let's go ahead and close this, and be aware it's not going to show the update here; you can refresh your page if you'd like. Now what we want to do is download this Federation Metadata XML, click Download, and then we're going to pop back over here and import that file here. All right, we get the green check marks, go ahead and click on OK.

Let's go ahead and proceed with some additional configurations here: Users and groups. Let's go ahead and add this test group I have; it's just a group that contains my user here. Of course, typically most scenarios are going to use a group and not individually scope out each user. So let's go ahead and add that and assign it. Let's pop back over here; what we want to do now is double-click on the gateway object. All right, let's navigate. Of course, first make sure you have IPsec VPN enabled; I'm going to click on that. Let's go to, oh I'm sorry, let's go to VPN Clients > Authentication, and from here you can just add. I already have this created, but you can just click Add New. You can just call this azure vpn, click on Add Identity Provider, and we're going to do azure_vpn; azure_vpn, as you can see, is the object that we created here. Go ahead and click on OK, and you want to move over here to User Directories on the left-hand side, and you want to make sure that this is set to Manual configuration and enable External user profiles. Okay, so go ahead and remove this; we'll use this new object that we just created, and click on OK.

The last thing that we need to do is navigate to Security Policies. Of course, if you're not using a wide-open rule like I am (this is just a demo environment that I have), you would have to go ahead and actually create a rule that will allow the access to the VPN community. So it would look something like this: for specific VPN communities we could do Remote Access, and then for the source what we would need to do is actually create an access role that is using a user that is essentially able to be authenticated. For that we could click on here, we can go to, sorry, Access Role. You can call it azure_access, something like that, pop over to Users > Specific users and groups, then you want to use your Azure IdP object that you created, which, the one we created in the beginning of the video, is azure cp, and you can just add whichever group or users you want to add, click on OK, and then have that as the source and just call it azure access or something like that.

And now the last thing we have to do is go to the Mobile Access shared policy. You want to navigate to this section over here, the little green users icon, and you want to make sure you have a generic user profile here. If you don't, that's fine, just go ahead and right-click on this, go to New External User, sorry, New External User Profile, and you could do Match all users. I already have one, but essentially it's going to pop up a box and you just have to click on OK; there's no other additional configuration that needs to be done, and then you'll have this generic user profile created. Just click on Save and then close it.

All right, and I know I've said two times already that's the last thing that we had to do, but I can assure you this is the actual last thing. I did forget we do have to go ahead and copy over the script that will be located in one of the SKs that I linked below onto the management server and execute it. So I have WinSCP already loaded up here, and I have my script already downloaded locally to my machine, so I'm going to go ahead and start a new session here with the SCP protocol over to my management server. All right, and since I've already done this before, I have this script located over here in my /home/admin, but we'll go ahead and just redo this. It looks like once you do run it, it actually generates a log file as well, but we'll go ahead and delete that and do this again. So at this point I'll go ahead and launch PuTTY since we already have the file transferred over. Let's go to, same thing, okay. And now you actually have to go ahead and run these commands, the chmod command to make it executable. Let me actually pull that up really quick; it's going to be located right here: chmod u+x. Go ahead and run that, and then we want to run this script with the argument of number one, so let's go ahead and do that. All right, go ahead and use your SmartConsole credentials, and if you're not using an MDM just press Enter here. All right, and that's it, and you can go ahead and exit and close WinSCP.

And now all we need to do is just go ahead and install policy. Perfect. All right, and that should be all the configuration that's required, so let's go ahead and try to use the VPN. There we go: authenticated by your identity provider, and now I'm connected to VPN. So let's go ahead and just show you; I didn't show you the IP that I connected to, so it looked like it just automatically connected. Let me go ahead and do that for you really quickly: just go connect to 13.66.22.182. As you can see, that's our external IP of this gateway being hosted, and the authentication is using an identity provider, as that's what's configured on the gateway object itself. You can see that when you connect it takes you to this same authentication page, and then you can go ahead and authenticate with your Azure AD credentials. That's pretty much it. If anybody has any questions, feel free to reach out; I'd be more than happy to help you guys out. But I really hope that this video kind of sheds some light on how to get this set up. Thanks, and have a good one. Take care.
Info
Channel: Chris Martel
Views: 717
Id: yZVB3sJ3fZ8
Length: 18min 44sec (1124 seconds)
Published: Thu Sep 02 2021