CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

  1. #1 (joined 2009-03-24, 3 posts)

    Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    Hi guys

    We have a CP fw running R77.30 and it sits between the Corp and production networks.

    We have a web server that sits behind the fw in the production network, which a select band of Corp users are required to access.

    I want to be able to nail down access to only this select group, and hand off 2fa to an RSA server that we already have sitting in our Corp network.

    Is this possible on the CP, and if so, what software blade is required to enable these services?

    Thanks in advance



    James

  2. #2 (DFW, TX; joined 2007-03-30, 223 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    Quote Originally Posted by jamesholley: (the original question, quoted in full in post #1 above)
    You can make use of AD groups through Identity Awareness, but I don't think traffic will trigger additional authentication requirements. The whole point of that feature is to make the firewall aware of user identity with little to no interaction from the user. Of course, if you require that those users provide token codes (or use a Smart Card, or whatever) to log in to their workstations, it could definitely work.

    I think the way I would do this is with remote access VPN and Office Mode. You should be able to set the remote access encryption domain to cover only the network in question, then only allow traffic to it from the Office Mode network.
    Zimmie

  3. #3 (Gig Harbor, WA, USA; joined 2005-08-14, 2,469 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    Mobile Access Blade should also work here.
    Depending on the nature of the website, it may work without installing a VPN client.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  4. #4 (joined 2007-06-04, 3,267 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    If this is all internal, then what you want is to use Client Authentication.

    It requires that users HTTP or Telnet on 259 to the gateway and authenticate before they can pass through the rule, i.e.:

    Source = User Group
    Dest = Internal Web Server
    Service = Required Service
    Action = ClientAuth

    It is in the Security Gateway Tech Admin Guide.

    It is now considered legacy, inasmuch as it is more expected today that users would be identified with Identity Awareness, so users are identified and have already authenticated to the network.

    You would then have the 2FA authentication done at the website as opposed to the Check Point.
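
    The rule shape in post #4 (authenticate to the gateway out of band, then the rule matches) is easiest to reason about as a small state model. The Python below is an added example written for this thread, not Check Point code and not the poster's: it models a Client Auth table that authorizes a source IP for a lifetime and a number of sessions after a successful logon, and then evaluates a rule with Source = user group, Dest = web server, Action = ClientAuth. The rule, group, addresses, lifetime and session count are all constructed; the RSA check is represented by a boolean because this model does not talk to an RSA server. The point it makes is the practitioner's caveat: the authorization is bound to the source IP, so once jsmith has logged on from 10.1.5.20, every new connection from that host rides on that authorization until it expires or its sessions are used up.

```python
"""Model of Client Authentication semantics (constructed example, not Check Point code).

The gateway authorizes a *source IP* after an out-of-band logon; the rule then
matches on that authorization rather than on anything inside the HTTP session.
"""
from datetime import datetime, timedelta

# Hypothetical rule mirroring the shape in post #4; all names/addresses are constructed.
RULE = {"src_group": "prod-web-users", "dst": "172.16.1.10",
        "service": "https", "action": "ClientAuth"}
GROUP_MEMBERS = {"prod-web-users": {"jsmith", "mjones"}}


class ClientAuthTable:
    def __init__(self, lifetime=timedelta(minutes=30), max_sessions=5):
        self.lifetime = lifetime
        self.max_sessions = max_sessions
        self._auth = {}  # src_ip -> (user, expires_at, sessions_left)

    def authenticate(self, src_ip, user, second_factor_ok, now):
        """Out-of-band logon to the gateway. `second_factor_ok` stands in for the
        RSA server's verdict (hypothetical; this model never contacts RSA)."""
        if not second_factor_ok:
            return False
        # Authorization is keyed by source IP, not by user or session.
        self._auth[src_ip] = (user, now + self.lifetime, self.max_sessions)
        return True

    def check(self, src_ip, dst, service, now):
        """Evaluate RULE for one new connection. Returns (decision, user)."""
        if dst != RULE["dst"] or service != RULE["service"]:
            return ("drop", None)
        entry = self._auth.get(src_ip)
        if entry is None:
            return ("drop", None)               # never authenticated from this host
        user, expires_at, sessions_left = entry
        if now >= expires_at or sessions_left <= 0:
            del self._auth[src_ip]              # expired or exhausted: force re-auth
            return ("drop", None)
        if user not in GROUP_MEMBERS[RULE["src_group"]]:
            return ("drop", user)               # authenticated, but not in the rule's group
        self._auth[src_ip] = (user, expires_at, sessions_left - 1)
        return ("accept", user)


def demo():
    """Walk the flow with constructed traffic; returns the decisions in order."""
    table = ClientAuthTable(lifetime=timedelta(minutes=30), max_sessions=2)
    t0 = datetime(2017, 6, 1, 10, 0, 0)
    out = []
    out.append(table.check("10.1.5.20", "172.16.1.10", "https", t0))  # not yet authenticated
    table.authenticate("10.1.5.20", "jsmith", second_factor_ok=True, now=t0)
    out.append(table.check("10.1.5.20", "172.16.1.10", "https", t0))  # session 1, any process on the host
    out.append(table.check("10.1.5.20", "172.16.1.10", "https", t0))  # session 2
    out.append(table.check("10.1.5.20", "172.16.1.10", "https", t0))  # sessions exhausted
    table.authenticate("10.1.5.31", "mjones", second_factor_ok=True, now=t0)
    out.append(table.check("10.1.5.31", "172.16.1.10", "https", t0 + timedelta(minutes=31)))  # expired
    table.authenticate("10.1.5.40", "guest", second_factor_ok=True, now=t0)
    out.append(table.check("10.1.5.40", "172.16.1.10", "https", t0))  # authenticated but not in group
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

    Because `check()` never sees the user behind a connection, only the source IP, the model drops nothing from 10.1.5.20 once jsmith has logged on there; that is why a shared host, a jump box or a NAT in front of the gateway weakens Client Auth, and why the later replies steer toward a mechanism that carries identity with the session.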

  5. #5 (Gig Harbor, WA, USA; joined 2005-08-14, 2,469 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    If you're not already using Client Authentication, I would not recommend you start now.
    R80.10 has some pretty significant limitations with regards to new features if you're using Client Auth.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  6. #6 (http://spikefishsolutions.com; joined 2011-08-02, 1,618 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    Quote Originally Posted by PhoneBoy:
    If you're not already using Client Authentication, I would not recommend you start now.
    R80.10 has some pretty significant limitations with regards to new features if you're using Client Auth.
    Can you expand on that? Like the normal performance issues or something else?

  7. #7 (DFW, TX; joined 2007-03-30, 223 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    Quote Originally Posted by PhoneBoy:
    Mobile Access Blade should also work here.
    Depending on the nature of the website, it may work without installing a VPN client.
    I missed that it was a website. Mobile Access should definitely work for that. It's essentially a "reverse proxy" (still seems like an unhelpful term to me) which allows you to wrap TLS and other authentication requirements around a website. I don't see mention of X-Forwarded-For in the documentation I've checked, so it may make your web server logs weird. Correlating the firewall logs with the web server logs should be easy enough as long as you have synchronized clocks.

    For arbitrary traffic (like SSH or MSRDP), I still think the remote access VPN method would be better.
    Zimmie
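
    The correlation Zimmie describes, with the web server seeing only the gateway's address and identity living in the gateway log, is worth writing down, because the weak spot is exactly the case where two users hit the site within the same few seconds. The Python below is an added example for this thread, not Check Point code and not from any poster. Both log formats are constructed (a key=value gateway line and an Apache-style access line); they are not Check Point's real log format. It parses both, attributes each web request to the single user whose gateway accept for the web server falls inside a time window, and refuses to guess when the window holds more than one user or none. It assumes both clocks are in UTC and synchronized, which is the precondition the post states.

```python
"""Correlate web-server access-log lines with gateway identity logs by time window.
Constructed example; the log formats below are NOT Check Point's."""
import re
from datetime import datetime, timedelta, timezone

WEB_SERVER = "172.16.1.10"          # constructed address of the protected web server

# Constructed gateway log: who the gateway accepted toward the web server, and when.
GATEWAY_LOG = """\
2017-06-01T10:15:02Z user=jsmith src=10.1.5.20 dst=172.16.1.10 service=https action=accept
2017-06-01T10:15:40Z user=mjones src=10.1.5.31 dst=172.16.1.10 service=https action=accept
2017-06-01T10:15:41Z user=jsmith src=10.1.5.20 dst=172.16.1.10 service=https action=accept
2017-06-01T10:20:00Z user=mjones src=10.1.5.31 dst=172.16.1.10 service=https action=accept
"""

# Constructed web-server log: every request appears to come from the gateway (172.16.1.1),
# because nothing carries the real client address across the reverse proxy.
WEB_LOG = """\
172.16.1.1 - - [01/Jun/2017:10:15:03 +0000] "GET /app/login HTTP/1.1" 200 512
172.16.1.1 - - [01/Jun/2017:10:15:42 +0000] "POST /app/transfer HTTP/1.1" 302 0
172.16.1.1 - - [01/Jun/2017:10:18:00 +0000] "GET /app/report HTTP/1.1" 200 9000
"""

GW_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"service=(?P<svc>\S+) action=(?P<action>\S+)$")
WEB_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+)$')


def parse_gateway(text, dst=WEB_SERVER):
    """Return [(ts, user, src)] for accepted connections to `dst`; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = GW_RE.match(line)
        if not m or m.group("action") != "accept" or m.group("dst") != dst:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group("user"), m.group("src")))
    return events


def parse_web(text):
    """Return [(ts, client, request, status)] for each well-formed access-log line."""
    entries = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((ts, m.group("client"), m.group("req"), m.group("status")))
    return entries


def correlate(gw_events, web_entries, window=timedelta(seconds=5)):
    """Attribute each web request to the one user whose gateway accept lies within
    +/- window of it. Returns [(request, user_or_None, candidates)]; `user` is None
    when the window is empty or holds more than one user, so nothing is guessed."""
    results = []
    for ts, _client, req, _status in web_entries:
        candidates = sorted({user for gts, user, _ in gw_events if abs(gts - ts) <= window})
        user = candidates[0] if len(candidates) == 1 else None
        results.append((req, user, candidates))
    return results


def run_demo():
    """Correlate the constructed samples above."""
    return correlate(parse_gateway(GATEWAY_LOG), parse_web(WEB_LOG))


if __name__ == "__main__":
    for req, user, candidates in run_demo():
        print(f"{req!r:32} -> {user or 'UNRESOLVED'} candidates={candidates}")
```

    On the sample data the login resolves to jsmith, the transfer at 10:15:42 stays unresolved because both jsmith and mjones were accepted within the window, and the report at 10:18:00 has no gateway event near it at all. Widening the window trades the second failure for more of the first, which is the argument for getting identity into the request itself rather than reconstructing it from timestamps.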

  8. #8 (Gig Harbor, WA, USA; joined 2005-08-14, 2,469 posts)

    Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via RSA?

    Quote Originally Posted by jflemingeds:
    Can you expand on that? Like the normal performance issues or something else?
    https://supportcenter.checkpoint.com...ionid=sk115961

    TL;DR: Anything involving Security Servers doesn't support the new unified policies in R80.x.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
