Check Point Endpoint Security Vpn

admin

Program Security Guard and DataScan Port Protection Standalone License including: Encryption Policy Manager and Port Protection Total Security Full Endpoint Security license including all Media Encryption features together with Full Disk Encryption, firewall, anti-virus, anti-malware and VPN client. Check Point Harmony is the industry’s first unified security solution for users devices and access. It protects devices and internet connections from the most sophisticated attacks while ensuring zero-trust access to corporate applications. TAKE A 5 MINUTE RISK ASSESSMENT.

  1. Check Point Endpoint Security Vpn Service Terminated Unexpectedly
  2. Check Point Endpoint Security Vpn Uninstall Stuck
-->

In this tutorial, you'll learn how to integrate Check Point Remote Secure Access VPN with Azure Active Directory (Azure AD). When you integrate Check Point Remote Secure Access VPN with Azure AD, you can:

  • Control in Azure AD who has access to Check Point Remote Secure Access VPN.
  • Enable your users to be automatically signed-in to Check Point Remote Secure Access VPN with their Azure AD accounts.
  • Manage your accounts in one central location - the Azure portal.
Point

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.
  • Check Point Remote Secure Access VPN single sign-on (SSO) enabled subscription.

Scenario description

In this tutorial, you configure and test Azure AD SSO in a test environment.

  • Check Point Remote Secure Access VPN supports SP initiated SSO.

Adding Check Point Remote Secure Access VPN from the gallery

To configure the integration of Check Point Remote Secure Access VPN into Azure AD, you need to add Check Point Remote Secure Access VPN from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add new application, select New application.
  5. In the Add from the gallery section, type Check Point Remote Secure Access VPN in the search box.
  6. Select Check Point Remote Secure Access VPN from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test Azure AD SSO for Check Point Remote Secure Access VPN

Configure and test Azure AD SSO with Check Point Remote Secure Access VPN using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point Remote Secure Access VPN.

To configure and test Azure AD SSO with Check Point Remote Secure Access VPN, perform the following steps:

  1. Configure Azure AD SSO - to enable your users to use this feature.

    1. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
    2. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.

  2. Configure Check Point Remote Secure Access VPN SSO - to enable your users to use this feature.

    1. Create Check Point Remote Secure Access VPN test user - to have a counterpart of B.Simon in Check Point Remote Secure Access VPN that is linked to the Azure AD representation of user.

  3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Check Point Remote Secure Access VPN application integration page, find the Manage section and select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  4. On the Basic SAML Configuration section, enter the values for the following fields:

    a. In the Identifier (Entity ID) text box, type a URL using the following pattern:https://<GATEWAY_IP>/saml-vpn/spPortal/ACS/ID/<IDENTIFIER_UID>

    b. In the Reply URL text box, type a URL using the following pattern:https://<GATEWAY_IP>/saml-vpn/spPortal/ACS/Login/<IDENTIFIER_UID>

    c. In the Sign on URL text box, type a URL using the following pattern:https://<GATEWAY_IP>/saml-vpn/

    Note

    These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact Check Point Remote Secure Access VPN Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

  5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.

  6. On the Set up Check Point Remote Secure Access VPN section, copy the appropriate URL(s) based on your requirement.

Create an Azure AD test user

Check Point Endpoint Security Vpn Service Terminated Unexpectedly

In this section, you'll create a test user in the Azure portal called B.Simon.

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point Remote Secure Access VPN.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Check Point Remote Secure Access VPN.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see 'Default Access' role selected.
  7. In the Add Assignment dialog, click the Assign button.

Configure Check Point Remote Secure Access VPN SSO

Configure an External User Profile object

Note

This section is needed only if you do not want to use an on-premises Active Directory (LDAP).

Configure a generic user profile in the Legacy SmartDashboard:

  1. In SmartConsole, go to Manage & Settings > Blades.

  2. In the Mobile Access section, click Configure in SmartDashboard. The Legacy SmartDashboard opens.

  3. In the Network Objects pane, and click Users.

  4. Right-click on an empty space and select New > External User Profile > Match all users.

  5. Configure the External User Profile properties:

    1. On the General Properties page:

      • In the External User Profile name field, leave the default name generic*
      • In the Expiration Date field, set the applicable date

    2. On the Authentication page:

      • From the Authentication Scheme drop-down list, select undefined

    3. On the Location, Time, and Encryption pages:

      • Configure other applicable settings

    4. Click OK.

  6. From the top toolbar, click Update (or press Ctrl + S).

  7. Close SmartDashboard.

  8. In SmartConsole, install the Access Control Policy.

Configure Remote Access VPN

  1. Open the object of the applicable Security Gateway.

  2. On the General Properties page, enable the IPSec VPN Software Blade.

  3. From the left tree, click the IPSec VPN page.

  4. In the section This Security Gateway participates in the following VPN communities, click Add and select Remote Access Community.

  5. From the left tree, click VPN clients > Remote Access.

  6. Enable Support Visitor Mode.

  7. From the left tree, click VPN clients > Office Mode.

  8. Select Allow Office Mode and select the applicable Office Mode Method.

  9. From the left tree, click VPN Clients > SAML Portal Settings.

  10. Make sure the Main URL contains the fully qualified domain name of the gateway.This domain name should end with a DNS suffix registered by your organization.For example:https://gateway1.company.com/saml-vpn

  11. Make sure the certificate is trusted by the end users’ browser.

  12. Click OK.

Configure an Identity Provider object

  1. Do the following steps for each Security Gateway that participates in Remote Access VPN.

  2. In SmartConsole > Gateways & Servers view, click New > More > User/Identity > Identity Provider.

  3. Perform the following steps in New Identity Provider window.

    a. In the Gateway field, select the Security Gateway, which needs to perform the SAML authentication.

    b. In the Service field, select Remote Access VPN from the dropdown.

    c. Copy Identifier(Entity ID) value, paste this value into the Identifier text box in the Basic SAML Configuration section in the Azure portal.

    d. Copy Reply URL value, paste this value into the Reply URL text box in the Basic SAML Configuration section in the Azure portal.

    e. Select Import Metadata File to upload the downloaded Federation Metadata XML from the Azure portal.

    Note

    Alternatively you can also select Insert Manually to paste manually the Entity ID and Login URL values into the corresponding fields, and to upload the Certificate File from the Azure portal.

    f. Click OK.

Configure the Identity Provider as an authentication method

  1. Open the object of the applicable Security Gateway.

  2. On the VPN Clients > Authentication page:

    a. Clear the checkbox Allow older clients to connect to this gateway.

    b. Add a new object or edit an existing realm.

  3. Enter a name and a display name, and add/edit an authentication method:In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with “SAMLVPN_” prefix.

  4. Select the option Identity Provider, click the green + button and select the applicable Identity Provider object.

  5. In the Multiple Logon Options window:From the left pane, click User Directories and then select Manual configuration.There are two options:

    1. If you do not want to use an on-premises Active Directory (LDAP), select only External User Profiles and click OK.
    2. If you do want to use an on-premises Active Directory (LDAP), select only LDAP users and in the LDAP Lookup Type select email. Then click OK.

  6. Configure the required settings in the management database:

    1. Close SmartConsole.

    2. Connect with the GuiDBEdit Tool to the Management Server (see sk13009).

    3. In the top left pane, go to Edit > Network Objects.

    4. In the top right pane, select the Security Gateway object.

    5. In the bottom pane, go to realms_for_blades > vpn.

    6. If you do not want to use an on-premises Active Directory (LDAP), set do_ldap_fetch to false and do_generic_fetch to true. Then click OK. If you do want to use an on-premises Active Directory (LDAP), set do_ldap_fetch to true and do_generic_fetch to false. Then click OK.

    7. Repeat the steps iv-vi for all applicable Security Gateways.

    8. Save all changes (click the File menu > Save All).

  7. Close the GuiDBEdit Tool.

  8. Each Security Gateway and each Software Blade have separate settings. Review the settings in each Security Gateway and each Software Blade that use authentication (VPN, Mobile Access, and Identity Awareness).

    • Make sure to select the option LDAP users only for Software Blades that use LDAP.

    • Make sure to select the option External user profiles only for Software Blades that do not use LDAP.

  9. Install the Access Control Policy on each Security Gateway.

VPN RA Client Installation and configuration

  1. Install the VPN client.

  2. Set the Identity Provider browser mode (optional)By default, the Windows client uses its embedded browser and the macOS client uses Safari to authenticate on the Identity Provider's portal.For Windows client to change this behavior to use Internet Explorer instead:

    1. On the client machine, open a plain-text editor as an Administrator.

    2. Open the trac.defaults file in the text editor.

      • On 32-bit Windows:%ProgramFiles%CheckPointEndpoint Connecttrac.defaults
      • On 64-bit Windows:%ProgramFiles(x86)%CheckPointEndpoint Connecttrac.defaults

    3. Change the idp_browser_mode attribute value from “embedded” to “IE”:

    4. Save the file.

    5. Restart the Check Point Endpoint Security VPN client service.Open the Windows Command Prompt as an Administrator and run these commands:

      # net stop TracSrvWrapper

      # net start TracSrvWrapper

  3. Start authentication with browser running in background:

    1. On the client machine, open a plain-text editor as an Administrator.

    2. Open the trac.defaults file in the text editor.

      • On 32-bit Windows: %ProgramFiles%CheckPointEndpoint Connecttrac.defaults

      • On 64-bit Windows: %ProgramFiles(x86)%CheckPointEndpoint Connecttrac.defaults

      • On macOS: /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/Trac.defaults

    3. Change the value of idp_show_browser_primary_auth_flow to false

    4. Save the file.

    5. Restart the Check Point Endpoint Security VPN client service

      • On Windows clientsOpen the Windows Command Prompt as an Administrator and run these commands:

        # net stop TracSrvWrapper

        # net start TracSrvWrapper

      • On macOS clients

        sudo launchctl stop com.checkpoint.epc.service

        sudo launchctl start com.checkpoint.epc.service

Create Check Point Remote Secure Access VPN test user

In this section, you create a user called Britta Simon in Check Point Remote Secure Access VPN. Work with Check Point Remote Secure Access VPN support team to add the users in the Check Point Remote Secure Access VPN platform. Users must be created and activated before you use single sign-on.

Test SSO

Security

  1. Open the VPN client and click Connect to….

  2. Select Site from the dropdown and click Connect.

  3. In Azure AD login pop up, sign in using Azure AD credentials which you have created in the Create an Azure AD test user section.

Check Point Endpoint Security Vpn Uninstall Stuck

Next steps

Once you configure Check Point Remote Secure Access VPN you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.

I’m working for several customers, and one of our customers use the Check Point Endpoint Security VPN. This program starts up every time the PC starts, which is annoying because I’m also needing other VPN programs installed. There is no easy way to stop this program from starting up automatically. No options or anything available.

It runs as a service, so if you stop the two services the program relies upon, and set their startup mode to manual, the program does not start the next time you start your PC. However, if you then manually start the program, it is “smart” enough to repair the situation, and you have to remember to stop the processes and set them back to manual again.

I’ve created a simple .bat script that does all this for me, so when I’m finished using the VPN connection, I simple run my StopCheckPointVPN.bat file.

I’ve placed this in C:Scripts, and created a desktop shortcut to it. That way, I can check the “Run as Administrator” checkbox (found on Properties/Advanced on the shortcut), and all I have to do when I’m done using the VPN is to doubleclick my shortcut.

I’ve also created a script that starts the VPN again:

A final tip: set the icon for the two shortcuts to point to the C:Program Files (x86)CheckPointEndpoint ConnectTrGUI.exe file icon, and you’ll easily find them when you need them.