Checkpoint has a complete Certificate Authority infrastructure, and I would use it for small and medium sized businesses where only a few users need remote access. For large enterprises, or for companies with an existing CA infrastructure, it is worth using their own certificates, because that gives much more flexibility. In this example I illustrate how to use an external CA for remote access VPN with the Checkpoint R75 client.
The topology used for the test:
Let's start configuring the whole setup. In this example I have a certificate chain with a root CA and one subordinate CA. First, import the root CA certificate:
(Generating a root CA and a subordinate CA with openssl is documented in older posts.)
The CA object is named root_ca:
The root CA can now be found under the trusted CA list:
Before we import the certificate, we have to change something here.
We do not use a CRL now, so it can be disabled, but in a live system the client certificates should be checked against the CRL. (You can generate one with openssl and put it on an HTTP server.)
and import the CA certificate for the root CA.
The root CA can now be found under the trusted CA list:
The next step is to import the subordinate CA:
Import the certificate for the sub CA:
Now we have a certificate authority under the subordinate CA list too:
And now comes the firewall setup. We set up the basic settings for the firewall object and generate a certificate request.
Set the IP and enable the VPN feature:
Set the VPN Community:
Set the topology and the VPN encryption domain.
If you have a CA chain, the signing CA for the clients is not the same as the signing CA for the firewall, and the clients do not know the firewall's CA, then you have to configure the firewall so that it sends the complete chain of its certificate to the client. The client will then either find a matching certificate in the chain or see that the root CA is the same as its own root CA, and it accepts the firewall certificate. If the chain that the firewall has does not contain any CA that the client trusts, the VPN connection breaks. In the Checkpoint GUI you should choose the root CA as the signing CA and sign the CSR with the sub CA. The Checkpoint GUI will not check whether the chosen CA really enrolled the CSR.
Before we generate a certificate request for the client, we should know which fields are mandatory for the CA that will sign the certificate request. In my openssl configuration it is the following:
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
If we do not follow the requirements we can run into this problem:
root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl ca -in ../client_requests/myfirewall.csr -out myfirewall_cert.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The mandatory countryName field was missing
root@schlagmichtotgw:/tmp/mnt/subca#
I tried to find the standard attribute identifiers (like OU for Organizational Unit), but I had no luck. One RFC I found is RFC 4211, which has a list of basic identifiers:
C (country)
L (locality)
ST (state or province)
O (organization)
OU (organizational unit)
CN (common name)
STREET (street address)
E (E-mail address)
If you check what the sub CA has as a DN, you will see the following:
Email=info@mycompany.hu,CN=subordinate,OU=Security,O=My Company,ST=Budapest,C=HU
We should copy the mandatory fields, and this will be the right DN for the firewall's CSR:
CN=myfirewall,C=HU,ST=Budapest,O=My Company
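As an added example (not code from the original post), the following Python script applies the sub CA's policy_match rules and DN shown above to a candidate CSR subject, reproducing the checks openssl ca makes so a problem like the missing countryName is caught before the CSR is pasted into the CA. The policy and the sub CA DN come from the post; the short-name map and the issued_subject helper (which models why fields outside the policy, like the client CSR's Locality, do not appear in the issued certificate) are my assumptions about the CA's behaviour.

```python
# Added example (not from the original post): a pre-check that applies the
# sub CA's [ policy_match ] rules to a CSR subject before the CSR is handed
# to the CA, so a problem like the missing countryName is caught early.
# Policy and sub CA DN are the ones printed in the post; the short-name map
# is an assumption covering the attribute names the post lists.

# DN short names -> OpenSSL long names used in the [ policy_match ] section.
SHORT_TO_LONG = {
    "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
    "O": "organizationName", "OU": "organizationalUnitName",
    "CN": "commonName", "E": "emailAddress", "Email": "emailAddress",
}

# [ policy_match ] section of the sub CA's openssl.cnf, in file order.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# DN of the sub CA as shown in the post.
SUBCA_DN = "Email=info@mycompany.hu,CN=subordinate,OU=Security,O=My Company,ST=Budapest,C=HU"


def parse_dn(dn):
    """Parse 'CN=x,O=y' into {'commonName': 'x', 'organizationName': 'y'}.
    Comma-separated form as in the post; escaped commas are out of scope."""
    fields = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        fields[SHORT_TO_LONG.get(key.strip(), key.strip())] = value.strip()
    return fields


def check_policy(csr_dn, ca_dn=SUBCA_DN, policy=POLICY_MATCH):
    """Return the messages 'openssl ca' prints for a subject that breaks
    the policy; an empty list means the request would be accepted."""
    csr, ca = parse_dn(csr_dn), parse_dn(ca_dn)
    problems = []
    for field, rule in policy.items():
        if rule == "match":
            # 'match': present and identical to the CA's own value.
            if field not in csr:
                problems.append("The mandatory %s field was missing" % field)
            elif csr[field] != ca.get(field):
                problems.append("The %s field needed to be the same in the CA "
                                "certificate (%s) and the request (%s)"
                                % (field, ca.get(field), csr[field]))
        elif rule == "supplied" and field not in csr:
            # 'supplied': must be present, any value; 'optional' needs no check.
            problems.append("The %s field needed to be supplied and was missing" % field)
    return problems


def issued_subject(csr_dn, policy=POLICY_MATCH):
    """Subject the CA writes into the certificate: only the policy's fields, in
    policy order. This is why 'Locality Name: Berlin' from the client CSR in
    the post does not appear in the issued testuser1 certificate."""
    csr = parse_dn(csr_dn)
    return [(field, csr[field]) for field in policy if field in csr]


if __name__ == "__main__":
    # The firewall DN from the post passes; the same DN without C fails.
    print(check_policy("CN=myfirewall,C=HU,ST=Budapest,O=My Company"))
    print(check_policy("CN=myfirewall,ST=Budapest,O=My Company"))
```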
The GUI should look like this:
I have added an IP Address field as well. This is required for iPads…
Copy it to the clipboard.
and paste it on the server where our openssl CA is installed:
root@schlagmichtotgw:/tmp/mnt/client_requests# vi myfirewall.csr
And just send the CSR to the CA and sign it:
root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl ca -in ../client_requests/myfirewall.csr -out myfirewall_cert.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 256 (0x100)
Validity
Not Before: Apr 21 09:43:16 2012 GMT
Not After : Apr 21 09:43:16 2013 GMT
Subject:
countryName = HU
stateOrProvinceName = Budapest
organizationName = My Company
commonName = myfirewall
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E0:21:88:A2:41:19:E1:5B:32:60:7E:5C:53:96:17:99:22:A2:DC:A1
X509v3 Authority Key Identifier:
keyid:65:6A:7A:7A:94:E5:92:9F:68:F8:86:26:BE:C8:89:04:FA:D4:5C:26
Certificate is to be certified until Apr 21 09:43:16 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
and convert it to DER format:
root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl x509 -outform der -in myfirewall_cert.pem -out myfirewall_cert.crt
Import the signed certificate in the firewall:
Let's go on with the VPN setup and set the authentication method (I had not seen this setting before R75, but as we do not set the authentication on the user object, we should set it here. I still have to test whether it would work if I left it out…):
Set the IP for the VPN service if we need VPN on an address other than the main IP address, which in my case is the internal IP (192.168.56.10):
Set Office mode IP for the remote access VPN:
Enable the policy server (I guess it is optional):
Create some basic rules for the client firewall policy:
Enable visitor mode, which is required for the R75 client (AFAIK):
and change the WebUI port to something else (be careful to choose a port that is not in use):
[myfirewall]# webui disable
Shutting down cp_http_server_wd: [ OK ]
[myfirewall]# webui enable 1443
Running cp_http_server_wd: [ OK ]
[myfirewall]#
Now we have to create a local user for authentication. I am not sure if it is possible with Checkpoint, but with Cisco you can disable user authentication completely; I mean it is enough to identify only the user's certificate, without any username (local or remote on LDAP).
We do not have to set anything for authentication:
and we do not have to set anything for certificate:
Do not forget to install the policy.
VPN Client used for the test:
Endpoint Security VPN R75 (which replaces SecureClient) for Windows
Link:
https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=11611
Create a certificate for the Windows client:
– generate a private key for the client
root@schlagmichtotgw:/tmp/mnt# mkdir client_cert
root@schlagmichtotgw:/tmp/mnt# cd client_cert
root@schlagmichtotgw:/tmp/mnt/client_cert# mkdir private
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl rand -out ./private/.client_rand 1024
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl genrsa -des3 -out ./private/client.key -rand ./private/.client_rand 2048
1024 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.......+++
................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ./private/client.key:
Verifying - Enter pass phrase for ./private/client.key:
root@schlagmichtotgw:/tmp/mnt/client_cert#
– generate a request for the client
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl req -new -key ./private/client.key -out client.csr
Enter pass phrase for ./private/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Finance
Common Name (eg, YOUR name) []:testuser1
Email Address []:testuser1@mycompany.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@schlagmichtotgw:/tmp/mnt/client_cert#
– Sign the client certificate
root@schlagmichtotgw:/tmp/mnt/subca# /opt/bin/openssl ca -in ../client_cert/client.csr -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 257 (0x101)
Validity
Not Before: May 6 19:36:46 2012 GMT
Not After : May 6 19:36:46 2013 GMT
Subject:
countryName = HU
stateOrProvinceName = Budapest
organizationName = My Company
organizationalUnitName = Finance
commonName = testuser1
emailAddress = testuser1@mycompany.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2B:6A:0E:53:69:BE:9C:00:6A:48:E5:CC:07:54:78:2C:27:CA:DB:C1
X509v3 Authority Key Identifier:
keyid:65:6A:7A:7A:94:E5:92:9F:68:F8:86:26:BE:C8:89:04:FA:D4:5C:26
Certificate is to be certified until May 6 19:36:46 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 257 (0x101)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=HU, ST=Budapest, O=My Company, OU=Security, CN=subordinate/emailAddress=info@mycompany.hu
Validity
Not Before: May 6 19:36:46 2012 GMT
Not After : May 6 19:36:46 2013 GMT
Subject: C=HU, ST=Budapest, O=My Company, OU=Finance, CN=testuser1/emailAddress=testuser1@mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a0:e0:03:43:b2:f1:e8:27:71:06:1f:a7:ec:22:
f8:ce:2d:f5:75:30:5a:ec:f0:e0:f1:57:4f:5d:19:
2b:d9:73:0e:67:27:b6:50:b3:78:fd:66:e5:3a:d3:
dd:29:c7:87:30:b3:99:2d:f3:b6:9f:4c:1f:13:c1:
d2:80:63:e2:c9:bc:a4:b1:02:da:35:a5:73:e9:ce:
3d:78:49:aa:26:3c:bf:eb:6f:91:6c:5b:b2:72:7a:
70:f4:4d:f8:16:7a:19:c5:1d:0c:90:1d:8d:1c:56:
28:81:02:62:43:74:2b:5f:41:ce:63:f6:21:8f:bd:
27:9f:5b:3a:10:8a:86:70:29:8e:7a:a3:05:09:00:
af:55:05:d7:68:30:34:c7:1a:7e:9e:59:a0:00:72:
58:2b:97:04:fc:ed:8a:8c:0d:8d:f0:e8:a4:d2:2b:
69:d8:43:e8:42:62:ad:ca:75:59:4b:ec:83:a3:dc:
b3:1a:dd:67:44:a6:9d:3b:af:5b:78:f3:67:f1:d6:
ee:19:22:54:da:f1:7f:ca:7c:d1:22:10:b5:bb:3a:
7d:65:b4:5e:54:f0:1b:70:71:5b:3d:a2:9a:02:01:
2d:c7:db:f0:6a:1c:d5:c2:b1:79:3a:82:78:a8:1d:
31:f7:7f:ea:4b:17:10:39:7e:06:56:fd:4d:b5:50:
d4:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2B:6A:0E:53:69:BE:9C:00:6A:48:E5:CC:07:54:78:2C:27:CA:DB:C1
X509v3 Authority Key Identifier:
keyid:65:6A:7A:7A:94:E5:92:9F:68:F8:86:26:BE:C8:89:04:FA:D4:5C:26
Signature Algorithm: sha1WithRSAEncryption
b6:89:93:4b:99:67:28:9e:1c:d6:e9:4b:e7:de:ef:c8:bc:68:
94:b1:20:4d:80:47:df:41:ec:2a:d9:4f:10:e7:c6:24:c5:3b:
cd:fe:c5:16:f9:14:ec:36:3a:64:10:17:90:75:0c:4c:f3:b8:
3b:23:d4:19:57:3c:79:1b:de:1c:8e:70:5f:b6:01:b3:29:bc:
07:91:d4:a0:d8:3f:d3:a4:9c:13:71:c4:18:44:ed:65:fe:c9:
2a:66:39:18:be:bf:43:67:89:11:ad:f6:a2:8b:58:ab:0d:07:
45:d5:5f:3d:ac:a3:20:48:46:c4:c8:ae:c0:36:45:21:8e:20:
32:17:01:aa:ba:49:f4:5b:10:a8:cb:e7:11:f9:96:5e:5c:0f:
fa:aa:06:2c:79:22:cb:2a:aa:05:f6:6b:27:71:60:5a:f6:b4:
1f:17:7c:49:e4:f6:b9:43:d8:55:7a:9d:64:6c:bb:d0:96:86:
e9:cf:8c:07:9c:b9:e9:c4:2f:d1:8f:39:66:b4:6c:3b:2d:ee:
1c:35:85:a2:68:d1:db:a8:d3:40:55:f7:0c:58:85:80:62:c5:
3b:12:cb:80:fd:b1:18:66:81:e4:94:e1:b2:f4:c2:8c:b5:c7:
3b:f4:c9:46:3f:c5:d4:2c:99:5e:c1:fc:58:8f:29:a2:b6:ca:
08:21:20:64
-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgICAQEwDQYJKoZIhvcNAQEFBQAwgYAxCzAJBgNVBAYTAkhV
MREwDwYDVQQIEwhCdWRhcGVzdDETMBEGA1UEChMKTXkgQ29tcGFueTERMA8GA1UE
CxMIU2VjdXJpdHkxFDASBgNVBAMTC3N1Ym9yZGluYXRlMSAwHgYJKoZIhvcNAQkB
FhFpbmZvQG15Y29tcGFueS5odTAeFw0xMjA1MDYxOTM2NDZaFw0xMzA1MDYxOTM2
NDZaMIGDMQswCQYDVQQGEwJIVTERMA8GA1UECBMIQnVkYXBlc3QxEzARBgNVBAoT
Ck15IENvbXBhbnkxEDAOBgNVBAsTB0ZpbmFuY2UxEjAQBgNVBAMTCXRlc3R1c2Vy
MTEmMCQGCSqGSIb3DQEJARYXdGVzdHVzZXIxQG15Y29tcGFueS5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg4ANDsvHoJ3EGH6fsIvjOLfV1MFrs
8ODxV09dGSvZcw5nJ7ZQs3j9ZuU6090px4cws5kt87afTB8TwdKAY+LJvKSxAto1
pXPpzj14SaomPL/rb5FsW7JyenD0TfgWehnFHQyQHY0cViiBAmJDdCtfQc5j9iGP
vSefWzoQioZwKY56owUJAK9VBddoMDTHGn6eWaAAclgrlwT87YqMDY3w6KTSK2nY
Q+hCYq3KdVlL7IOj3LMa3WdEpp07r1t482fx1u4ZIlTa8X/KfNEiELW7On1ltF5U
8BtwcVs9opoCAS3H2/BqHNXCsXk6gnioHTH3f+pLFxA5fgZW/U21UNQhAgMBAAGj
ezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBQrag5Tab6cAGpI5cwHVHgsJ8rbwTAfBgNV
HSMEGDAWgBRlanp6lOWSn2j4hia+yIkE+tRcJjANBgkqhkiG9w0BAQUFAAOCAQEA
tomTS5lnKJ4c1ulL597vyLxolLEgTYBH30HsKtlPEOfGJMU7zf7FFvkU7DY6ZBAX
kHUMTPO4OyPUGVc8eRveHI5wX7YBsym8B5HUoNg/06ScE3HEGETtZf7JKmY5GL6/
Q2eJEa32ootYqw0HRdVfPayjIEhGxMiuwDZFIY4gMhcBqrpJ9FsQqMvnEfmWXlwP
+qoGLHkiyyqqBfZrJ3FgWva0Hxd8SeT2uUPYVXqdZGy70JaG6c+MB5y56cQv0Y85
ZrRsOy3uHDWFomjR26jTQFX3DFiFgGLFOxLLgP2xGGaB5JThsvTCjLXHO/TJRj/F
1CyZXsH8WI8porbKCCEgZA==
-----END CERTIFICATE-----
Data Base Updated
root@schlagmichtotgw:/tmp/mnt/subca#
– Remove the passphrase from the client key
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl rsa -in ./private/client.key -out ./private/client_noph.key
– Create the PKCS12 file
This file combines the person’s public key, private key, and root certificate into one file.
(source: http://www.flatmtn.com/article/creating-pkcs12-certificates)
root@schlagmichtotgw:/tmp/mnt/client_cert# /opt/bin/openssl pkcs12 -export -in 0101.pem -inkey ./private/client_noph.key -certfile ../subca/cacert.pem -name testuser1 -out testuser1.p12
Enter Export Password:
Verifying - Enter Export Password:
root@schlagmichtotgw:/tmp/mnt/client_cert#
Copy the p12 file to the client machine and import it in the certificate store.
Run command: certmgr.msc
After the import it is not ready yet:
The root CA is missing and the certificate is not trusted. But if we add the root CA to the trusted list, it will be okay:
Let's try to connect with our newly installed VPN client. First set up the site:
Set the IP of the gateway:
and the connection fails:
The logs in SmartView Tracker show the following:
and this:
At least we have a site now in the client (just to be a little bit positive :-)):
The problem is that the user is identified by its DN, but our local user has a username that is the same as the CN from the user certificate. They do not match and the firewall says unknown user.
The user is fetched according to the setting on the CA object in the objects file. Let's see how to modify it with the CLI. Those who like the GUI can use guidbedit. Log in to the management server (in my case it is the same as the firewall).
[Expert@myfirewall]# dbedit
Enter Server name (ENTER for 'localhost'):
Enter Administrator Name: fwadmin
Enter Administrator Password:
Please enter a command, -h for help or -q to quit:
dbedit>
Commands: create modify rename update update_all delete print printxml addelement rmelement rmbyindex add_owned_remove_name is_delete_allowed quit [-update_all|-noupdate]
dbedit> print servers root_ca
Object Name: root_ca
Object UID: {F587A88D-1595-4A19-8A15-176FCC92D861}
Class Name: opsec_ca_server
Table Name: servers
Last Modified by: fwadmin
Last Modified from: test-laptop
Last Modification time: Mon May 7 17:37:24 2012
Fields Details
--------------
OCSP_servers:
OCSP_validation: false
additional_ca_sign_keys:
automatic_enrollment_protocol: ( )
ca_type: OPSEC PKI
cacertificate:
cacertsignkey: fcf28da110d19253486ecede
color: black
comments:
crl_cache_timeout: 86400
crl_cache_type: Timeout
crl_http: false
crl_ldap: false
dn: Email=info@mycompany.hu,CN=root,OU=Security,O=My Company,L=Budapest,ST=Budapest,C=HU
permissions_strings:
permissions_type: None
type: ca
use_auto_enrollment: false
use_cn_to_fetch_user: false
use_principal_name: false
dbedit> print servers subca
Object Name: subca
Object UID: {C5ED67BF-2FED-4429-8958-C9B9A49DD9D2}
Class Name: opsec_ca_server
Table Name: servers
Last Modified by: fwadmin
Last Modified from: test-laptop
Last Modification time: Mon May 7 17:37:24 2012
Fields Details
--------------
OCSP_servers:
OCSP_validation: false
additional_ca_sign_keys:
automatic_enrollment_protocol: ( )
ca_type: OPSEC PKI
cacertificate:
cacertsignkey: 4e25f88d447d2203750af375
color: black
comments:
crl_cache_timeout: 86400
crl_cache_type: Timeout
crl_http: true
crl_ldap: false
dn: Email=info@mycompany.hu,CN=subordinate,OU=Security,O=My Company,ST=Budapest,C=HU
permissions_strings:
permissions_type: None
type: sub_ca
use_auto_enrollment: false
use_cn_to_fetch_user: false
use_principal_name: false
dbedit> modify servers root_ca use_cn_to_fetch_user true
dbedit> modify servers subca use_cn_to_fetch_user true
dbedit> quit
servers::root_ca was not updated. update now ?[y/n] y
servers::root_ca Updated Successfully
servers::subca was not updated. update now ?[y/n] y
servers::subca Updated Successfully
[Expert@myfirewall]#
Check the policy name:
[Expert@myfirewall]# fw stat
HOST POLICY DATE
localhost Standard 7May2012 19:49:23 : [>eth0] [eth1] [
and install it without the GUI (we do not have time for the GUI; for the firewall name we use the object name):
[Expert@myfirewall]# fwm load Standard myfirewall
Installing policy on R75 compatible targets:
Standard.W: Security Policy Script generated into Standard.pf
Standard: Compiled OK.
Installing Security Gateway policy on: myfirewall ...
Security Gateway policy installed successfully on myfirewall...
Security Gateway policy installation complete
Security Gateway policy installation succeeded for: myfirewall
And here we go! After the policy install we can log in as testuser1.
Login
and the key install:
and we are in with an Office Mode IP:
We are ready. But the open points have to be cleared up later: the CRLs, debugging the certificate chain, and the next post about LDAP authentication with OpenLDAP. That will be hard, OpenLDAP and Checkpoint integration.. but for now this is it.
Ricardo
November 1, 2013
Thanks a LOT! Incredible post!
kriver
January 28, 2014
Changing the port with webui enable is not a good way, since it will change back to its original. You have to change it in the dashboard.
itsecworks
January 30, 2014
Sorry, I have forgotten to mention the software version in the post. It was an older version, where the GUI port could be changed only through webui.
I know the new setting is based on dashboard.
Marvin de Haas
February 24, 2014
Hello, nice post first of all! I would like to deploy a remote access solution with Check Point R75 combined with Microsoft CA and LDAP authentication (username and password). Is this possible to combine? Or is it only possible to verify the username in Active Directory (AD) using LDAP?
Marvin
February 25, 2014
Is there a way to combine LDAP authentication (username and password) in Active Directory and use PKI together?
marvin
February 25, 2014
Is it possible to combine LDAP authentication (username and password) together with PKI for two factor authentication?
itsecworks
February 26, 2014
Yes to all. :-)
Darius
August 18, 2016
How to do that?
marvin
February 26, 2014
Hi, thanks for your reply, that looks good so we don’t have to buy remote access licenses.
We optionally would like to integrate with a newly deployed Network Policy Server (NPS) with Network Access Protection (NAP) included. This way we can verify if the client is compliant or not. We also will be able to use 802.1x with the NPS server for LAN and Wi-Fi access using EAP-(T)TLS. Do you have any experience combining the Check Point remote access IPsec VPN using RADIUS protocol with the Microsoft NPS server?
itsecworks
March 2, 2014
I just used a PKI card for certificate authentication and LDAP authorisation (with Active Directory). RADIUS & MS NPS are not in my experience till today :-)
marvin
March 7, 2014
I am trying to configure LDAP and certificate based authentication together, but in the general properties of the gateway in the IPSec VPN authentication I can only select:
-Defined on user record (Legacy authentication)
-Username and Password
-RADIUS
-SecureID
-Personal certificate
Which one do I need to choose if I want to combine username and password via LDAP and external PKI certificate validation? I can only choose one so I personally believe that this can only be done when using an external RADIUS server, or not?
George
December 3, 2014
Possible to use BOTH PKI and LDAP for Authentication ?
Also thinking if it is possible to use computer certificates instead of user certificates?
Thanks in advance.
itsecworks
December 16, 2014
Yes, it's possible.
George
January 16, 2015
That is very useful, thank you.
What I am trying to accomplish is to somehow restrict VPN connection based on a computer certificate.
So if the computer has a certificate installed on it then it can authenticate, and if it does not have the certificate then the access is to be denied.
I want to do this because I have some client machines in China and I want to make sure the connection is not made from a machine that does not have the specific certificate installed on it.
Strange fact is that I got an answer from Checkpoint that said is not possible, then I sent them your link and it was silence since ??? :)
itsecworks
January 17, 2015
You have to check which certificate store the VPN client checks. Microsoft Windows systems have 2. I wrote a post about certificate types and stores. Maybe that gives you more info. :-)
https://itsecworks.com/2015/01/17/digital-certificate-types-faq/
Aleks
March 15, 2015
I tried… but not successful. Checkpoint VPN Client (mobile/remotesec/endpoint) says: No Valid certificate with acceptable DN in the CAPI store.
On SmartView, if I select the VPN blade I do not see any error.
I tried to generate a certificate on the Mobile Access Blade and a local user.
My PKI (Windows 2008 R2), role CA + AD.
Where can I see the details? Maybe you have a YouTube video?
Thanks
Aleks
March 15, 2015
Tried but failed. Client says: No valid certificate with acceptable in CAPI store. Certificate enrolled by Mobile Access blade. Maybe you have a YouTube video? Or a prompt where to look…. When I sign a certificate (VPN Repo), which certificate template is needed? For example WebServer, User, Computer?
My PKI (Windows 2008 CA+AD)
itsecworks
April 6, 2015
Computer or User
CheckPoint Admin
May 14, 2015
Hello
Is it possible to use an external AD PKI certificate + AD authentication in CheckPoint endpoint VPN or mobile access? If yes, how to do it?
I can use only certificate or only AD auth – not both :(