Check point

Needed configuration to integrate Check Point with Ironchip.

Check Point base architecture 

base-scenario-diagram

Ironchip Integration proposal 

base-scenario-diagram

For domain users (Active Directory) 

For this configuration it is needed to have a NPS server configured with Ironchip NPS Plugin

NPS plugin installation

For Check Point users 

For this configuration it is needed to have the Ironchip RADIUS server configured into a server, request more information through the contact form.

Integration mechanisms 

For domain users (Active Directory) 

Once the previous configurations are ready, (i.e.: NPS server installed and an HTTP MFA integration properly configured.), go to Check Point’s Smart-Console as shown:ón.

smart-console

The first step is to create a Host, in order to do so, on the upper right part of the Smart-Console click on New and select Host

smart-console

Once clicked, in the shown screen, configure the Name and IP parameters of the Host in which the NPS server is running. Press Ok when configured.

smart-console

Once the configuration has been properly done, we should have a Host created, as shown:

smart-console

The next step is to configure the RADIUS connection properties. In order to do so, in the search bar at the upper right corner, search for RADIUS. Clone the protocol under the Services section, more precisely in the UDP service section. Once cloned, configure the just cloned UDP service in the following manner:

Under general tab, we should give it a proper name, (i.e.: Ironchip_Protected_NPS_Protocol), then check that the port and protocol matches our NPS configuration:

smart-console

In the advanced configuration, configure the Virtual session timeout to be 60 seconds and disable the Aggressive aging.

smart-console

Once both the Host and the Protocol properties are correctly set, create new RADIUS server, to do so:

smart-console

The configuration itself is made into the following configuration modal:

smart-console

In this case, give it a descriptive name (i.e.: “NPS_IRONCHIP_RADIUS”), you should also configure:

  • Host: the host in which the NPS server resides.
  • Servicio: the service created in the second step.
  • Secreto compartido: a secure string matching the one configured in the NPS
  • Protocolo: the most secure protocol supported by your NPS server once finished we press OK.

The third step is to create an external user needed for the authentication of users not registered internally in Check Point.

To complete this step, in the Smart-Console, at the left menu, select Security Policies, then Mobile Access and click on it.

smart-console

In the lower left menu, click on the user icon on top, create a new External User Profile configuring the needed parameters according to your Domain configuration. Click OK once finished.

smart-console

Once the External User Profile is done, the fourth step is to generate a new Authentication Policy, to do so, on the main Smart-Console screen, click on the gateway that has the VPN configured and navigate VPN Clients > Authentication on the left menu. In the appearing modal, we click on Add and then New:

smart-console

In the next modal, set the a new name, (i.e.: NPS_IRONCHIP_ACCESS), configure the Comment and Display Name as desired.

smart-console

In the User Directories tab, select the Manual configuration option and activate the authentication only for External user profiles:

smart-console

Add a new Authentication factor, selecting RADIUS as the factor and setting the server to the one created before, click OK when ready:

smart-console

Once this last step is completed, then the VPN client can use the recently added authentication method:

smart-console

For Check Point users 

Once the previous configurations are ready, (i.e.: Ironchip RADIUS server installed and an API KEY integration properly configured.), go to Check Point’s Smart-Console as shown:ón.

smart-console

The first step is to create a Host, in order to do so, on the upper right part of the Smart-Console click on New and select Host

smart-console

Once clicked, in the shown screen, configure the Name and IP parameters of the Host in which the Ironchip RADIUS server is running. Press OK when configured.

smart-console

Once the configuration has been properly done, we should have a Host created, as shown:

smart-console

The next step is to configure the RADIUS connection properties. In order to do so, in the search bar at the upper right corner, search for RADIUS. Clone the protocol under the Services section, more precisely in the UDP service section. Once cloned, configure the just cloned UDP service in the following manner:

Under general tab, we should give it a proper name, (i.e.: Ironchip_Protected_Protocol), then check that the port and protocol matches your Ironchip RADIUS server configuration:

smart-console

In the advanced configuration, configure the Virtual session timeout to be 60 seconds and disable the Aggressive aging.

smart-console

Once both the Host and the Protocol properties are correctly set, create new RADIUS server, to do so:

smart-console

The configuration itself is made into the following configuration modal:

smart-console

In this case, give it a descriptive name (i.e.: “IRONCHIP_RADIUS”), you should also configure:

  • Host: the host in which the Ironchip RADIUS server resides.
  • Servicio: the service created in the second step.
  • Secreto compartido: a secure string matching the one configured in the Ironchip RADIUS server
  • Protocolo: select PAP once finished we press OK.

The third step is to generate a new Authentication Policy, to do so, on the main Smart-Console screen, click on the gateway that has the VPN configured and navigate VPN Clients > Authentication on the left menu. In the appearing modal, we click on Add and then New:

smart-console

In the next modal, set the a new name, (i.e.: RADIUS_IRONCHIP_ACCESS), configure the Comment and Display Name as desired.

smart-console

In the User Directories tab, select the Manual configuration option and activate the authentication only for External user profiles:

smart-console

Add a new Authentication factor, selecting RADIUS as the factor and setting the server to the one created before, click OK when ready:

smart-console

Once this last step is completed, then the VPN client can use the recently added authentication method:

smart-console