
Check Point

Mobile Access SSL-VPN

RSA SecurID Ready Implementation Guide


Last Modified: November 6, 2013

Partner Information
Partner Name:        Check Point Software Technologies
Web Site:            www.checkpoint.com

Product Information
Product Name:        Check Point Mobile Access Software Blade
Version & Platform:  R77 Software Blades
Product Description: Check Point Mobile Access Software Blade provides simple and secure
remote access to corporate applications over the Internet, via smartphones or PCs. The
solution provides enterprise-grade remote access via SSL VPN for simple, safe and secure
mobile connectivity to email, calendars, contacts and corporate applications.

Check Point
Mobile Access SSL VPN

Solution Summary
The Check Point Mobile Access Software Blade uses SSL VPN technology to secure encrypted
communication from unmanaged smartphones, tablets, PCs and laptops. Both web-based and network-level
SSL-encrypted access can be delivered through most Internet browsers.
The SSL VPN portal can be configured for use with Risk-Based Authentication. When configured, a user
accessing the SSL VPN portal is redirected to the RSA Secure Logon page. The user logs in to the
system using their credentials. If the Authentication Manager determines the authentication attempt to be
low risk, the user is granted access immediately. If the attempt is detected as high risk, the user is
challenged with life questions or On-Demand Authentication to provide stronger authentication.
RSA Authentication Manager supported features

Feature                                                     Check Point Mobile Access R77
RSA SecurID Authentication via Native RSA SecurID Protocol  Yes
RSA SecurID Authentication via RADIUS Protocol              Yes
On-Demand Authentication via Native SecurID Protocol        Yes
On-Demand Authentication via RADIUS Protocol                Yes
Risk-Based Authentication                                   Yes
Risk-Based Authentication with Single Sign-On               No
RSA Authentication Manager Replica Support                  Yes
Secondary RADIUS Server Support                             Yes


Authentication Agent Configuration


Authentication Agents are records in the RSA Authentication Manager database that contain information
about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems
require corresponding Authentication Agents. Authentication Agents are managed using the RSA
Security Console.
The following information is required to create an Authentication Agent:

Hostname
IP Addresses for network interfaces

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by
the RSA Authentication Manager to determine how communication with Check Point Software Blades will
occur.
A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication
Manager in order for Check Point Software Blades to communicate with RSA Authentication Manager.
RADIUS clients are managed using the RSA Security Console.
The following information is required to create a RADIUS client:

Hostname
IP Addresses for network interfaces
RADIUS Secret
Note: Hostnames within the RSA Authentication Manager / RSA SecurID
Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA documentation for additional information about creating, modifying
and managing Authentication Agents and RADIUS clients.

RSA SecurID files

RSA SecurID Authentication Files
File          Location
sdconf.rec    /var/ace, %SystemRoot%\system32\
Node Secret   /var/ace, HKEY_LOCAL_MACHINE/Software/ACECLIENT
sdstatus.12   /var/ace
sdopts.rec    /var/ace

Note: The appendix of this document contains more detailed information regarding these files.

Important: Modifications to sdopts.rec are only read at bootup.


Risk-Based Authentication Integration Script

To protect a web-based application with risk-based authentication (RBA), you must generate an
integration script using the RSA Security Console and deploy it to the application's default logon page.
The script redirects the user from the web-based application's default logon page to a customized logon
page that allows RSA Authentication Manager to authenticate the user with RBA.
The following steps should be taken prior to generating the integration script.

1. Download the integration script template for Check Point Mobile Access from the following link:
https://sftp.rsa.com/human.aspx?Username=partner&password=rsasecured&arg01=881592907&arg12=downloaddirect&transaction=signon&quiet=true
2. Verify that the most recent RBA integration script template is installed on your Authentication Manager
system by comparing the header of the installed integration script template to the header of the downloaded
integration script template.
3. Install the downloaded integration script template if it is newer than the installed script template, or if the
script template for your agent is not installed.

Please refer to RSA documentation for more information on RBA integration scripts.


Partner Product Configuration


Before You Begin
This section provides instructions for configuring the Check Point Mobile Access Software Blade with
RSA SecurID Authentication. This document is not intended to suggest optimum installations or
configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All Check Point Mobile Access Software Blade components must be installed and working prior to the
integration. Perform the necessary tests to confirm that this is true before proceeding.

Configure the RSA Authentication Servers

The Check Point Firewall/VPN uses the sdconf.rec file to locate the RSA Authentication Manager Servers.
1. Retrieve the sdconf.rec file from the Authentication Manager.
2. Launch the Check Point SmartDashboard application with an administrator account.
3. Navigate to Manage > Servers and OPSEC Applications.
4. Click New.
5. Select SecurID or RADIUS.
6. If you selected SecurID, the SecurID Properties window will open. Create a name for the SecurID server and
browse to the sdconf.rec file you retrieved from the RSA Authentication Manager Server.
7. Click OK.
8. If you selected RADIUS, the RADIUS Server Properties window will open. Add the Name, Host and Shared
Secret and leave the other settings at default.
9. Click OK.
10. Repeat this to add any secondary RADIUS servers. Then from the Servers and OPSEC window select New >
RADIUS Group and create a RADIUS Group.
Note: Additional Check Point steps are needed to configure RADIUS. Refer to Appendix B of this document.

Configure RSA SecurID Authentication

1. Select the Firewall tab in the main window panel. Go to the left tool bar and navigate to Network Objects >
Check Point > (your object). Right click on your object and select Edit.
2. The General Properties window will open. Check IPSec VPN and Policy Server.
3. Select VPN Clients > Authentication from the left tool bar.
4. From the pull down, select the RADIUS group or the SecurID server you previously defined.
5. Click OK to save changes.
6. From the left tool bar navigate to Topology.
7. Under VPN Domain select Manually defined and choose CP_default_Office_Mode_address_pool.
8. Return to General Properties and click OK.

Enable RSA Authentication for users

RSA SecurID or RADIUS Authentication may be configured on a defined User or an External User Profile.
Check Point users are defined on the Check Point management server while External Users are not. If
the system is configured to use an External Profile for user authentication, it is not necessary to define
users on the Check Point management server unless there are users that are not challenged with RSA
Authentication.

Configure a User
In this section a user will be created that will authenticate to the RSA Authentication Manager Servers.
This user can be configured to authenticate via either SecurID or RADIUS.
1. Go to Manage > Users and Administrators > New > User By Template > Default.
2. Enter the username as it appears in the default login field within the RSA Authentication Manager database.
3. Select Authentication from the left hand tool bar.
4. From the drop down box choose either SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK to save changes.


Configuring for External Users

In this section the Check Point security gateway will be configured to authenticate all external users to the
RSA Authentication Manager Servers. An External User Profile will be created that mandates RSA
SecurID or RADIUS Authentication for all users that do not have a Check Point user account.

External User Profiles

There are two different types of External User Profiles available in the Check Point product.

Match All Users

The Match All Users profile, with the profile name generic*, is limited to only one property set.
Check Point applies the restrictions specified for an ordinary user in the User Properties tabs (for example
Groups). For authentication purposes Check Point uses the name typed in by the user instead of generic*.
The external authentication server receives the user name and authenticates the user accordingly.

Match by Domain
The Match by Domain profile allows for more granularity in the user definition than is available with
generic*. With this profile users are differentiated by their domain name. When implemented, the user types
a domain name as well as the username, and any domain name can be allowed.

The steps below will configure an External Profile of Match All Users.
1. Go to Manage > Users and Administrators > New > External User Profile > Match All Users.
2. The user generic* is created and a new window opens.
3. Select Authentication from the left tool bar.
4. From the drop down box choose SecurID or RADIUS as the user's Authentication Scheme.
5. Click OK to save changes.


Configuring Mobile Access

1. Enable the Mobile Access feature by navigating to Manage > Network Objects, selecting the gateway object
and clicking Edit. On the General Properties screen check Mobile Access.
2. A configuration wizard will launch. Select the access method for Mobile and click Next.
3. Add the portal URL and click Next.
4. Add a web site that you want your remote users to have access to and click Next.
5. Choose the Active Directory Domain or check I don't want to use active directory now and click Next.
6. Add a portal user and click Next. Additional users can be added later.
7. Verify the information is correct and click Finish or use the Back button to correct any errors.


Mobile Access Authentication

1. Browse to Mobile Access > Authentication.
2. Select the gateway and click Edit.
3. On the Authentication for Mobile Access screen select SecurID or RADIUS from the Authentication Scheme
drop down list.
4. Click OK to save changes.


Configuring Mobile Access Policies

1. Browse to Mobile Access > Policy. The Mobile Access Wizard has already created your policy.
2. Verify the Users field is set to the Internal group you created that has the generic* External profile.
3. From the main tool bar select Policy > Install.

You are now ready to access the portal. Launch a browser to https://<hostname>/sslvpn.


Configure Mobile Access for Risk-Based Authentication

Important: Configuring Risk-Based Authentication requires performing
configuration changes to the Check Point appliance file system in expert
mode. Take all necessary precautions to back up your system before
performing these steps in case you need to restore the system.
1. Log in to the Check Point appliance as an administrator and change to expert mode.
2. Download the RBA integration script from the RSA Security Console on your RSA Authentication Manager.
Copy the integration script to the following directory on the Check Point device:
/opt/CPcvpn-R77/htdocs/Login
3. Set the permissions on am_integration.js so that everyone has read permissions:
chmod 644 am_integration.js
4. Mobile Access R77 requires an additional support script, am_encrypt, that you can download from:
https://sftp.rsa.com/human.aspx?Username=partner&password=rsasecured&arg01=881799797&arg12=downloaddirect&transaction=signon&quiet=true
5. Copy this PHP script to the same location as am_integration.js. The source for am_encrypt is also provided in
the Appendix at the end of this document.
6. Set the permissions on am_encrypt as follows:
chmod 774 am_encrypt
7. Edit the /opt/CPcvpn-R77/phpincs/LoginPage.php file, adding the following lines of code to the bottom:
<script src='../Login/am_integration.js' type="text/javascript"></script>
<script>window.onload=redirectToIdP;</script>
8. Edit the /opt/CPcvpn-R77/conf/includes/Login.location.conf file and modify the file to include the
am_encrypt file. An example of the necessary addition is given below; the added entry is the final
|^am_encrypt$ alternative in the pattern (the directive is a single line in the file).
<Files ~ "^Login$|^Login\.css$|^CShellFrame$|^ActivateLogin$|^DifferentIpError$|^JS_RSA\.js$|^MultiChallenge$|^getTimeoutValues$|^utilities\.js$|^PostLaunchSWS$|^ComponentFrame$|^TrustedSitesInstructions$|^scanPage$|^processScanResults$|^LoginWithCert$|^blank\.htm$|^blankowa\.htm$|^am_encrypt$">
SetHandler application/x-httpd-php
</Files>
9. Finally, restart the Check Point services to allow the changes to take effect:
cpstop && cpstart

Once the Check Point services restart, the Mobile Access portal will be configured for Risk-Based
Authentication. Users accessing the portal will be redirected to the RSA Secure Logon page, where they
must perform RBA before gaining access to the Mobile Access portal.
Use the RSA self-service portal, https://<hostname>:7004/console-selfservice,
to configure the user's Risk-Based security questions.
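Steps 3 to 8 are easy to get subtly wrong (a missing | in the <Files> pattern, the hook lines pasted twice, a permission mode that leaves am_integration.js unreadable by the web server), and the symptom only shows up after the restart in step 9. The Python script below is an added example, not part of this guide and not Check Point's or RSA's code; it checks those edits before the restart. It uses the paths, chmod modes and hook lines exactly as the guide gives them; the two Login.location.conf texts are constructed samples built from the guide's own <Files> directive, and preflight_from_disk() assumes (an assumption) that it is run in expert mode on the appliance with a Python interpreter available.

```python
import os
import re
import stat

# Paths, permission modes and hook lines exactly as given in the guide (Mobile Access R77).
LOGIN_DIR = "/opt/CPcvpn-R77/htdocs/Login"
LOGIN_PAGE = "/opt/CPcvpn-R77/phpincs/LoginPage.php"
LOCATION_CONF = "/opt/CPcvpn-R77/conf/includes/Login.location.conf"
HOOK_LINES = (
    "<script src='../Login/am_integration.js' type=\"text/javascript\"></script>",
    "<script>window.onload=redirectToIdP;</script>",
)

# Constructed samples of Login.location.conf: the guide's <Files> pattern without and
# with the |^am_encrypt$ alternative that step 8 adds.
_PATTERN_BEFORE = (
    r"^Login$|^Login\.css$|^CShellFrame$|^ActivateLogin$|^DifferentIpError$|^JS_RSA\.js$"
    r"|^MultiChallenge$|^getTimeoutValues$|^utilities\.js$|^PostLaunchSWS$|^ComponentFrame$"
    r"|^TrustedSitesInstructions$|^scanPage$|^processScanResults$|^LoginWithCert$"
    r"|^blank\.htm$|^blankowa\.htm$"
)
_CONF_TEMPLATE = '<Files ~ "%s">\nSetHandler application/x-httpd-php\n</Files>\n'
CONF_BEFORE = _CONF_TEMPLATE % _PATTERN_BEFORE
CONF_AFTER = _CONF_TEMPLATE % (_PATTERN_BEFORE + r"|^am_encrypt$")

_FILES_DIRECTIVE = re.compile(r'<Files\s+~\s+"([^"]*)"\s*>', re.IGNORECASE)


def php_handler_pattern(conf_text):
    """Return the regex inside the first <Files ~ "..."> directive, or None if absent."""
    match = _FILES_DIRECTIVE.search(conf_text)
    return match.group(1) if match else None


def handler_covers(conf_text, filename):
    """True if the directive would route `filename` to the PHP handler."""
    pattern = php_handler_pattern(conf_text)
    return pattern is not None and re.search(pattern, filename) is not None


def login_page_has_hook(php_text):
    """True if both hook lines from step 7 are present in LoginPage.php."""
    return all(line in php_text for line in HOOK_LINES)


def add_hook(php_text):
    """Append the two hook lines once; a second call leaves the text unchanged."""
    if login_page_has_hook(php_text):
        return php_text
    if not php_text.endswith("\n"):
        php_text += "\n"
    return php_text + "\n".join(HOOK_LINES) + "\n"


def mode_ok(mode, required):
    """True if every permission bit in `required` (e.g. 0o444) is set in `mode`."""
    return (stat.S_IMODE(mode) & required) == required


def preflight(conf_text, php_text, integration_mode, encrypt_mode):
    """Evaluate steps 3-8 of the procedure; returns {check name: passed}."""
    return {
        "am_integration.js world-readable (chmod 644)": mode_ok(integration_mode, 0o444),
        "am_encrypt mode includes 774": mode_ok(encrypt_mode, 0o774),
        "am_encrypt routed to PHP handler": handler_covers(conf_text, "am_encrypt"),
        "am_integration.js still served as a static file": not handler_covers(conf_text, "am_integration.js"),
        "LoginPage.php loads am_integration.js": login_page_has_hook(php_text),
    }


def preflight_from_disk():
    """Same checks against the real files; assumes expert mode on the appliance."""
    with open(LOCATION_CONF) as f:
        conf_text = f.read()
    with open(LOGIN_PAGE) as f:
        php_text = f.read()
    integration_mode = os.stat(os.path.join(LOGIN_DIR, "am_integration.js")).st_mode
    encrypt_mode = os.stat(os.path.join(LOGIN_DIR, "am_encrypt")).st_mode
    return preflight(conf_text, php_text, integration_mode, encrypt_mode)


if __name__ == "__main__":
    # Constructed inputs: unedited conf and login page versus the edited ones.
    for label, result in (("before", preflight(CONF_BEFORE, "<?php ?>\n", 0o600, 0o774)),
                          ("after", preflight(CONF_AFTER, add_hook("<?php ?>\n"), 0o644, 0o774))):
        for check, passed in result.items():
            print("%-6s %-4s %s" % (label, "ok" if passed else "FAIL", check))
```

Run as-is it reports the constructed before/after cases; on the appliance, call preflight_from_disk() after step 8 and only proceed to cpstop && cpstart when every check is true. The regex check mirrors what Apache does with a <Files ~> directive on the requested basename, so a typo in the pattern is caught without a restart.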


RSA SecurID Login Screens

(Screenshots not reproduced in this text copy.)

Login screen:

User Defined New PIN:

System-generated New PIN:

Next Tokencode:


Certification Checklist for RSA Authentication Manager

Date Tested: November 6, 2013

Certification Environment
Product Name                Version Information   Operating System
RSA Authentication Manager  8.0                   Virtual Appliance
Check Point Firewall/VPN    R77                   Gaia

Mandatory Functionality (tested over both the RSA Native Protocol and the RADIUS Protocol)
New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny Numeric PIN
  Deny PIN Reuse
Passcode
  16-Digit Passcode
  4-Digit Fixed Passcode
Next Tokencode Mode
  Next Tokencode Mode
On-Demand Authentication
  On-Demand Authentication
  On-Demand New PIN
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)
  No RSA Authentication Manager

RSA Risk-Based Authentication Functionality
RSA Native Protocol
  Risk-Based Authentication
  Risk-Based Authentication with SSO    N/A
RADIUS Protocol
  Risk-Based Authentication
  Risk-Based Authentication with SSO    N/A

Legend: Pass / Fail marks (not preserved in this text copy); N/A = Not Applicable to Integration
GLS


Known Issues
On Demand Authentication
On Demand Authentication may not behave as expected with Check Point. This release does not enforce
authentication after a new PIN is set via Native SecurID. This issue does not apply to RADIUS.
Therefore, the On Demand feature via Native SecurID, when in New PIN mode, will authenticate a user
without the user ever entering a tokencode. This is effectively single-factor authentication. This is not
an issue once the user sets the PIN.

Appendix A
Node Secret:
1. To clear the node secret from a Windows host, launch regedit from the Run prompt.
2. Navigate the left hand tool bar to HKEY_LOCAL_MACHINE/Software/ACECLIENT.
3. Select Node Secret and delete it.
4. Reboot the PC.

Appendix B
RADIUS Configuration
To configure the Check Point for RADIUS, perform the following steps from the Check Point SmartDashboard.
1. Select Manage > Servers and OPSEC Applications.
2. Select New > RADIUS.
3. Enter the Name of the RADIUS connection.
4. Enter the Host of the RADIUS Host.
5. Enter the Shared Secret to match the RSA Authentication Manager.
6. Select the service type of New-RADIUS to use port 1812.
7. Click OK to close the RADIUS Properties window.
8. Click Close to exit the Servers and OPSEC Applications window.
9. Select Manage > Users and Administrators.
10. Edit the generic* user account.
11. Select Authentication from the left tool bar and change the Authentication Scheme to RADIUS.
12. Set the RADIUS Server or Group of Servers setting to the RADIUS Connection created in step 3.
13. Exit the User Profile Properties window.
14. Select Policy > Global Properties.
15. Select SmartDashboard Customization from the list of options.
16. Under the Advanced Configuration option select the Configure button.
17. Select FireWall-1 > Authentication > RADIUS from the left tool bar.
18. Modify the radius_ignore setting, changing the default value of 0 to 77.
19. Save the settings and select Policy > Install from the SmartDashboard.
20. Complete the configuration by selecting OK to install the policy.
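The Shared Secret entered in step 5 is what ties the two ends of the RADIUS exchange (UDP port 1812, step 6) together: the gateway uses it to hide the User-Password attribute that carries the SecurID passcode, and it checks every reply's Response Authenticator with the same secret. The Python example below is added here and is not part of this guide, nor Check Point's or RSA's code. It implements the RFC 2865 client and server halves of one Access-Request exchange in-process, with a constructed user database standing in for Authentication Manager, so that the effect of a mismatched secret can be seen directly: the server decodes a wrong passcode and rejects, and the client refuses the reply because the authenticator does not verify. The user name and passcode values are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes and attribute types (standard values).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 (minimum 16), then XOR each
    block with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: str, password: bytes, secret: bytes):
    """Client side (the gateway's role): returns (packet, request_authenticator)."""
    request_auth = secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:          # malformed attribute; stop rather than loop forever
            break
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def handle_access_request(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side (a simplified stand-in for Authentication Manager): verify the
    passcode and answer Accept or Reject, sealed with the Response Authenticator."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    passcode = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(username) == passcode else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)  # no reply attributes
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_response(response: bytes, request_auth: bytes, secret: bytes):
    """Client side: return the reply code, or None if the Response Authenticator
    does not verify (wrong shared secret, or a reply not from the server)."""
    _, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return response[0]


def authenticate(username, passcode, client_secret, server_secret, user_db, identifier=1):
    """One in-process Access-Request exchange; the two secrets are passed separately
    so that a mismatch between gateway and server can be demonstrated."""
    packet, request_auth = build_access_request(identifier, username, passcode, client_secret)
    response = handle_access_request(packet, server_secret, user_db)
    return verify_response(response, request_auth, client_secret)


if __name__ == "__main__":
    # Constructed sample data: one user whose expected passcode is PIN + tokencode.
    user_db = {"jsmith": b"1234567890"}
    print(authenticate("jsmith", b"1234567890", b"s3cr3t", b"s3cr3t", user_db))  # 2 = Access-Accept
    print(authenticate("jsmith", b"0000000000", b"s3cr3t", b"s3cr3t", user_db))  # 3 = Access-Reject
    print(authenticate("jsmith", b"1234567890", b"s3cr3t", b"typo", user_db))    # None: secrets differ
```

The third call is the case a mistyped secret in step 5 produces in practice: the passcode never decodes correctly and the gateway cannot trust the reply, so every login fails even though the user and token are fine. RFC 2865 offers no confidentiality or integrity beyond this MD5-and-secret construction, which is why the secret should be long and random and the path between gateway and Authentication Manager kept on a trusted network segment.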
