
Application Note:

Integrate Check Point IPSec or SSL VPN with Gemalto SA Server

SASolutions@gemalto.com
January 2008

www.gemalto.com

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property
protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto's information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all
copies.
This document shall not be posted on any network computer or broadcast in any media and no modification of any
part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise
expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the
information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and noninfringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use
or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves
according to the state of the art in security and notably under the emergence of new attacks. Under no
circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any
successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any
liability with respect to security for direct, indirect, incidental or consequential damages that result from any
use of its products. It is further stressed that independent testing and verification by the person using the
product is particularly encouraged, especially in any application in which defective, incorrect or insecure
functioning could result in damage to persons or property, denial of service or loss of privacy.
Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service
marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and
service marks, whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE.
Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

Integrate CheckPoint IPSec or SSL VPN with Gemalto SA Server

200802-004-SASEP-00

Table of contents
Use case ................................................................................................................................... 4
Overview.................................................................................................................................. 5
Architecture ............................................................................................................................ 7
Configure Check Point FW.................................................................................................... 8
Configure Check Point IPSec VPN .................................................................................... 13
Configure Check Point SSL VPN ........................................................................................ 15
Configure RADIUS connection .......................................................................................... 18
Declare RADIUS resource .......................................................................................... 18
Configure RADIUS resource ...................................................................................... 19
Create users ................................................................................................................. 21
Create a security rule ................................................................................................. 29
Open the connection to the Intranet using SA Server ................................................. 33
IPSec VPN Client ......................................................................................................... 33
SSL VPN Client ............................................................................................................. 39
Appendix 1: Configure an IAS RADIUS Server with SA Server ............................... 43
IAS RADIUS prerequisites ......................................................................................... 43
Add a RADIUS Client................................................................................................... 44
Install and configure SA Server agent for IAS ...................................................... 50
Restart IAS ................................................................................................................... 53
Appendix 2: Configure Juniper Steel-Belted RADIUS Server .................................. 54
SBR pre-requisites ...................................................................................................... 54
Add RADIUS Client...................................................................................................... 55
Install and configure SA Server agent for SBR ..................................................... 56
Restart SBR .................................................................................................................. 59
Appendix 3: Configure Free RADIUS Server on Linux............................................... 61
Free RADIUS pre-requisites ...................................................................................... 61
Add RADIUS Client...................................................................................................... 61
Install and configure SA Server agent for Free RADIUS ..................................... 61
Restart Free RADIUS .................................................................................................. 62
Appendix 4: Active Directory configuration ................................................................ 63


Use case
To give Mobile Users access to their Corporate Network, it is usual to install a VPN
Gateway.
As only recognized users should be entitled to access the Intranet, the gateway should be
able to authenticate Mobile Users. This is the main feature provided by the Gemalto SA
Server.
The link between the VPN Gateway and the SA Server is usually realized through the
standard RADIUS protocol implemented by an AAA server.
[Figure: Mobile Users reach the Corporate Network across the Internet through the VPN Gateway; the gateway sends the authentication to the Radius Server, which in turn authenticates against the Gemalto SA Server.]

Overview
This document provides a deployment scenario to show you how it is possible to configure a
Check Point IPSec VPN or a Check Point SSL VPN to use Gemalto SA Server to
authenticate Mobile Users.
The deployment scenario describes an example that has been tested by Gemalto. It is
possible that other configurations will work equally well but you should bear in mind that these
have not been tested.
Caution: Consequently, this document should not be considered as an instruction manual
on how to configure your system.

To provide SA Server authentication for Check Point IPSec VPN or Check Point SSL VPN,
your system requires the following pre-requisites:
- A Check Point FW appliance.
  We used the Check Point NGX R65 software version with this firewall.
  The appliance hosts two physical interfaces and is able to act as a gateway from
  the Internal Network to the External Network.
  o <IP Check Point FW Internal Address> represents the IP address of the
    physical interface visible from the Internal Network.
    This network is seen as a trusted network.
    In our laboratory <IP Check Point FW Internal Address> was 10.0.4.198/24
  o <IP Check Point FW External Address> represents the IP address of the
    physical interface visible from the External Network.
    The External Network is seen as an unsecured network.
    In our laboratory <IP Check Point FW External Address> was 192.168.1.1/24
- An AD Domain machine hosting an Active Directory LDAP and acting as domain
  controller.
  In our laboratory the domain hosted by AD Domain was gemalto.fr
  We will use the term Mobile Users to refer to users who have an account in AD
  Domain and who will access the Internal Network from the External Network
  through the Check Point FW. Their accounts must be configured to allow remote
  access control.
- A Gemalto SA Server.
  The server must be installed in mixed mode and connected to the AD Domain. It is
  assumed to be already provisioned with devices and users.
  <Base URL SA Server> will be used to refer to the URL that should be used to
  access SA Server.
  In our laboratory <Base URL SA Server> was http://10.0.4.216:8080
- A RADIUS Server.
  This server is the link between Check Point FW and Gemalto SA Server.
  We have validated three configurations using:
  o IAS RADIUS, for which <IP IAS address> will be used to refer to the IAS
    RADIUS server IP address.
    In our laboratory, <IP IAS address> was 10.0.4.60
  o Juniper Steel-Belted RADIUS, for which <IP SBR address> will be used
    to refer to the Juniper Steel-Belted RADIUS server IP address.
    In our laboratory, <IP SBR address> was 10.0.4.87
  o Free RADIUS, for which <IP FreeR address> will be used to refer to the Free
    RADIUS server IP address.
    In our laboratory, <IP FreeR address> was 10.0.4.192
  Each RADIUS configuration is described in the appendices of this document.


In order to demonstrate a successful authentication, we also need:
- A client.
  We used a standard XP SP2 machine.


Architecture
The following figure shows the architecture associated with the deployment scenarios
described in this document.


Configure Check Point FW

This chapter describes the configuration needed to integrate Check Point IPSec VPN and
Check Point SSL VPN with Gemalto SA Server.
Caution:

Check Point components restrict the Password length: it cannot exceed 16 characters!
As the OTP value is sent to SA Server through the Password field, it is the
concatenation OTP + LDAP Password that is limited to 16 characters.
With a 6-digit OTP token, the LDAP Password cannot be longer than 10
characters!

To configure the Check Point FW for Check Point IPSec VPN or Check Point SSL VPN, you
have to use the SmartDashboard tool. Its installation is not part of this document; please
refer to the Check Point documentation.
Using SmartDashboard:

Select the Network Objects tab by clicking on its icon
Expand the Network Objects tree
Expand the Check Point sub-tree
Select the VPN Gateway object
In our laboratory, it was called CKP-IPSec-SSL
Right Click on this object
Select Edit


The Check Point Gateway General Properties window is displayed.

In Check Point Products tick the VPN choice.

Note: In our case, the Check Point object is defined with its external interface <IP Check Point
FW External Address>, but it is also possible to use the internal interface <IP Check Point
FW Internal Address>.
Then select VPN in the tree displayed on the left


The VPN window is displayed.

In the This module participates in the following VPN communities: section,
Click on [Add]
This adds the RemoteAccess community.
Then expand Remote Access in the tree displayed on the left and
Select Office Mode


This displays the Office Mode window.

Select the Allow Office Mode to all users choice and
Select the Manual (using IP pool) choice
Note: Office Mode provides an IP address to the VPN virtual driver of the client PC.
Note: CP_default_Office_Mode_addresses_pool is a network automatically created by
Check Point. This pool will be used to allocate IP addresses.


Configure Check Point IPSec VPN


This section should be addressed only after the Check Point FW has been configured! See
Configure Check Point FW chapter.
Using SmartDashboard:

Select the Network Objects tab by clicking on its icon
Expand the Network Objects tree
Expand the Check Point sub-tree
Select the VPN Gateway object
In our laboratory, it was called CKP-IPSec-SSL
Right Click on this object
Select Edit
Select Topology in the tree displayed on the left


The Topology window is displayed.

In VPN Domain select Manually defined
Click on [New]
Create the VPN_domain object
This group is the set of networks and hosts that will be reachable by Mobile Users
through the IPSec VPN.
In our laboratory, this was the Internal Network, so we created a Network type object
called Internal-LAN with the definition 10.0.4.0/24 and we created the VPN_domain
group containing the Internal-LAN object.


Configure Check Point SSL VPN


This section should be addressed only after the Check Point FW has been configured! See
Configure Check Point FW chapter.
Using SmartDashboard:

Select the Network Objects tab by clicking on its icon
Expand the Network Objects tree
Expand the Check Point sub-tree
Select the VPN Gateway object
In our laboratory, it was called CKP-IPSec-SSL
Right Click on this object
Select Edit
Select Remote Access in the tree displayed on the left


The Remote Access window is displayed.

In Visitor Mode configuration tick Support Visitor Mode
This activates the https daemon for SSL client connections.
Note: If the https default port (tcp/443) is already used for administration, you have to
deactivate that feature by launching the command webui disable in expert mode. This
operation does not disturb the configuration operations performed with SmartDashboard.
Select the SSL Clients sub-tree


The SSL Clients window is displayed.

In SSL clients allowed to connect to this gateway tick the SSL Network Extender choice
Note: SSL Network Extender is an ActiveX component that is downloaded to the client PC
during the first connection to the VPN SSL gateway. It encapsulates all the traffic to the
Internal Network in an SSL tunnel.


Configure RADIUS connection


This chapter describes the creation of RADIUS resources that will be used to connect the
Check Point FW to the Gemalto SA Server.
In our laboratory, we used Microsoft IAS, Juniper Steel-Belted RADIUS and Free RADIUS.

Declare RADIUS resource

We started by creating a node for each RADIUS Server we used.
Using SmartDashboard:

Select the Network Objects tab by clicking on its icon
Right Click on the Nodes sub-tree
Select New
Select Host
In our laboratory, we created a node for server_IAS, one for server_SBR and one for
server_freeradius, that is, one for each available RADIUS Server.


Configure RADIUS resource

Then we have to configure the created nodes.
Using SmartDashboard:

Select the Servers and OPSEC Applications tab by clicking on its icon
Right Click on the Servers sub-tree
Select New
Select RADIUS


The RADIUS Server Properties window is displayed.

Select the General tab

In Name: enter an arbitrary name for the RADIUS Server. This name will be used
during the user configuration (see Create users).
In our laboratory, we used IAS, SBR and FreeRadius according to the RADIUS Server
in use.
In Comment: enter an arbitrary comment if needed.
In Host: select the previously defined node object (see Declare RADIUS resource).
In Service: select NEW-RADIUS (udp/1812) rather than the default value RADIUS
(udp/1645). This selection provides compatibility with the current RADIUS standard.
Note: IAS and SBR RADIUS Servers can be used with both port 1645 (old standard) and
1812 (current standard). But Free RADIUS is only usable with port 1812!
In Shared Secret: enter a value that will secure the communication with the RADIUS
Server.
You will have to enter the same value during the configuration of the selected RADIUS
Server (see the Add a RADIUS Client section of the relevant appendix).
In Priority: you can change the default value (1) to set the order in which several
RADIUS Servers implementing Mobile Users authentication are called.
Note: all other parameters are options left at their default values.
Click on [OK]
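The shared secret and the udp/1812 service configured above, and the 16-character Password caution in the Configure Check Point FW chapter, both concern what actually travels in the RADIUS Access-Request: the OTP + LDAP Password concatenation is carried as a PAP User-Password attribute, hidden with MD5 keyed by the shared secret and the Request Authenticator (RFC 2865, section 5.2). The following Python example is added here to illustrate that exchange; it is not code from the application note, Gemalto or Check Point. It builds the Access-Request a gateway would send, parses it as the RADIUS server would, and enforces the 16-character limit before the credential is encoded. The user name, shared secret and OTP are constructed values; the NAS address reuses the laboratory's <IP Check Point FW Internal Address>.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

# RADIUS constants from RFC 2865. Check Point's NEW-RADIUS service is udp/1812.
RADIUS_AUTH_PORT = 1812
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# Limit stated in the note's caution: the Password field carries OTP + LDAP password.
CHECKPOINT_PASSWORD_LIMIT = 16


def build_credential(otp: str, ldap_password: str, limit: int = CHECKPOINT_PASSWORD_LIMIT) -> str:
    """Concatenate the OTP and the LDAP password as the user types them in the Password
    field, refusing combinations that Check Point would reject or truncate."""
    credential = otp + ldap_password
    if len(credential) > limit:
        raise ValueError(f"OTP + LDAP password is {len(credential)} characters; "
                         f"Check Point accepts at most {limit}")
    return credential


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 prescribes: pad to a 16-octet boundary,
    then XOR each chunk with MD5(secret + previous chunk), seeded by the Request
    Authenticator. This is obfuscation keyed by the shared secret, not encryption, which is
    why the secret must be strong and why the link should stay on the trusted network."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encode_user_password, as the RADIUS server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")  # strip the padding added on the client side


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user_name: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Build the Access-Request the gateway (the NAS) sends to the RADIUS server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: 16 unpredictable octets
    attrs = (_attribute(ATTR_USER_NAME, user_name.encode())
             + _attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Tuple[str, bytes]:
    """Server side: check the framing, walk the attributes and recover the PAP password."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs[ATTR_USER_NAME].decode()
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return user, password


def demo() -> Tuple[str, bytes]:
    """Round trip with constructed values: a 6-digit OTP plus an 8-character LDAP password."""
    secret = b"constructed-shared-secret"               # configured identically on both sides
    credential = build_credential("123456", "Passw0rd")  # 14 characters, within the limit
    packet = build_access_request(7, "jdoe", credential, secret, "10.0.4.198")
    return parse_access_request(packet, secret)


if __name__ == "__main__":
    print(demo())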


Create users
We can use different ways to manage Check Point users.
We can declare all users (i.e. define all logins) in Check Point and associate each of them with a
selected RADIUS server. In that case, when an authentication request is received, Check Point
validates that the user (login) is present in the internal database and forwards the request to the
associated RADIUS server.
We can also forward all authentication requests to the RADIUS servers when no user is defined in
Check Point.
In our laboratory, we implemented both solutions, taking advantage of the multiple RADIUS
servers.
Solution based on a user duplicated in the Check Point internal base
For this solution, we created the Grp_Users_IAS group, the Grp_Users_SBR group and
the Grp_Users_FreeRadius group.
Using SmartDashboard:

Select Users and Administrators tab by clicking on


Expand Users and Administrators tree


Right Click on User Groups sub tree

Select New Group


The Group Properties window is displayed

Create a group by filling


o Names: with an arbitrary name,
o Comment: with an arbitrary comment,
o Color: with a color associated to the group
o View: with the default value All
Click on [OK]
Right Click on Users sub tree

Select New User


Select Standard_User


The User Properties window is displayed


Select the General tab

In Login Name: enter the name of an existing LDAP user.


Select the Groups tab

In Available Groups select the targeted group name


Click on [Add >]


Select the Authentication tab

In Authentication Scheme: select RADIUS

In the Settings: section, in Select a RADIUS Server or Group of Servers: select the
RADIUS server associated with this user.
You can choose a name you created in the RADIUS Server Properties configuration
(see Configure RADIUS resource).
Note: all other parameters are options left at their default values, as they take no part in the
authentication mechanism implemented by Gemalto SA Server.
Click on [OK]


Solution based on a generic user


The generic user has a reserved name: generic*. During its configuration, we can forward all
authentication requests using a login name not declared in Check Point base to a specific
RADIUS server.
Using SmartDashboard:

Select Users and Administrators tab by clicking on


Expand Users and Administrators tree
Right Click on External User Profiles sub tree

Select New External User Profile 


Select Match all users


The External User Profile Properties window is displayed


Select the General tab

Nothing has to be modified in this first window


Select the Groups tab

In Available Groups select the targeted group name


Click on [Add >]


Select the Authentication tab

In Authentication Scheme: select RADIUS

In the Settings: section, in Select a RADIUS Server or Group of Servers: select the
RADIUS server associated with this profile.
You can choose one of the names you created in the RADIUS Server Properties
(see Configure RADIUS resource).
Note: all other parameters are options left at their default values, as they take no part in the
authentication mechanism implemented by Gemalto SA Server.
Click on [OK]


Create a security rule


We now have to create a rule to define the privileges gained by authenticated users.
Using SmartDashboard:

Select Rules in the menu


Select Add sub-menu

Right Click in Source column


Select Add Users Access


The User Access window is displayed.

In User Group: select the user groups concerned by this rule
In Location: select the No restriction choice
Note: The No restriction choice avoids Check Point restrictions on the client IP
addresses. When selected, the @any suffix is added to the User Group name.
Click on [OK]

Right Click in VPN column


Select Edit Cell


The VPN Match Conditions window is displayed

In Match conditions select Only connections encrypted in specific VPN Communities


Click on [Add]
Select RemoteAccess
Click on [OK]

Right Click in VPN column


Select Edit


The Remote Access Community Properties window is displayed.

Check that All Users is listed in Remote Access User Groups: under the Participant User
Groups entry of the tree presented on the left side.


Open the connection to the Intranet using SA Server

Here is how a Mobile User accesses the Internal Network using the Check Point FW and
Gemalto SA Server.
We previously described two configurations: VPN IPSec and VPN SSL.
On the client side, we also have two different configurations.

IPSec VPN Client


To connect to the IPSec VPN, you have to use the Check Point VPN Client version NGX R60
HFA02.
Note: Client installation is not described in this document. Please refer to the Check Point
documentation.
When installed, the client icon is available in the system tray.

Double-click on the client icon to launch the client

First connection
The first time you launch the client, the following message is displayed.

Click on [Yes]
The Site Wizard window is displayed

In Server Address or Name: enter <IP Check Point FW External Address>


This is the address that is visible from the client PC.


Click on [Next >]

Select User name and Password choice


Click on [Next >]

In User name: enter the name associated to a Mobile User as it is defined in the LDAP
(Active Directory).
In Password: enter a value made by the concatenation of the 6 OTP digits with the
LDAP Password.


Click on [Next >]

Select Standard choice


Click on [Next >]
If the following message is displayed

Click on [No]
Note: In our configuration we did not implement this feature, which downloads security
rules into the firewall embedded in the VPN Client.


The site validation window is displayed.

If the network administrator has provided the Internal CA Certificate Fingerprint:, the
user can check it. This lets the user verify that the client is connected to the expected
site.
Click on [Next >]

Click on [Finish]


The following message is displayed

Click on [No]. The connection is presented in the following section.

After the first connection
This section describes connections once the first launch has been completed.
Double-click on the client icon in the system tray to launch the client

In User name: enter the name associated with a Mobile User as it is defined in the LDAP
(Active Directory).
In Password: enter a value made by the concatenation of the 6 OTP digits with the
LDAP Password.


Click on [Connect]

Then, if the connection is successful, the connected icon is displayed in the system tray
as a reminder that the VPN is open.

To close the tunnel,
Double-click on the connected icon in the system tray
Click on [Disconnect]


SSL VPN Client


To connect to the SSL VPN, you just need a web browser.
During the first connection, the SSL VPN gateway requires the installation of Check Point
SSL Extender (an ActiveX component). This is a virtual interface that encapsulates all the
communication inside an SSL tunnel.
Note: We used a standard computer with XP SP2. We also used an account with
administrator privileges, as it was needed to install the Check Point SSL Extender.
First connection
The first time you connect to the SSL VPN, SSL Network Extender is installed.
To connect to the Check Point FW Gateway:
Launch your preferred WEB browser (IE, FireFox, etc.)
In the address field, enter https:// <IP Check Point FW External Address>

In User Name: enter the name associated to a Mobile User as it is defined in the LDAP
(Active Directory).
In Password: enter a value made by the concatenation of the 6 OTP digits with the
LDAP Password.
Click on [OK]


The Check Point FW gateway tries to install the SSL Network Extender on the client PC.
This installation can generate action requests like the following one:

This installation can generate warnings like the following one:

Those elements depend on the security parameters of the browser. You have to
acknowledge them.
When this component is installed, you can see the following window:

If the network administrator has provided the Internal CA Certificate Fingerprint:, the
user can check it. This lets the user verify that the client is connected to the expected
site!
Click on [Yes]


After the first connection

This section describes connections once the first launch has been completed.
To connect to the Check Point FW Gateway:
Launch your preferred WEB browser (IE, FireFox, etc.)
In the address field, enter https:// <IP Check Point FW External Address>

In User Name: enter the name associated to a Mobile User as it is defined in the LDAP
(Active Directory).
In Password: enter a value made by the concatenation of the 6 OTP digits with the
LDAP Password.
Click on [OK]


If you are successfully authenticated, the following window is displayed.

Then it is possible to access resources on the Internal Network, according to the security
policy.
Note: The Office Mode IP: displayed in the previous figure is used internally by the gateway.
Its value is arbitrary.
To close the SSL tunnel
Click on [Disconnect]


Appendix 1: Configure an IAS RADIUS Server with SA Server


We used the IAS server version embedded in Windows Server 2003 SP1.

IAS RADIUS prerequisites


The IAS RADIUS installation is not described in this document. It is presumed to be already
done.
Check IAS RADIUS Server domain
The IAS RADIUS server must be part of the AD Domain as IAS RADIUS has to check that
each Mobile User has an account in the directory.
You can check IAS RADIUS and AD Domain are part of the same domain using the following
process:
Right click on My Computer and Select Properties
Check in Computer Name tab that the computer is in a domain.

You can modify those parameters if needed.


Access to IAS administration
You have to:
Click on Start and Select Administrative Tools
Select Internet Authentication Service


Add a RADIUS Client


You now have to add the Check Point FW as a RADIUS client:
Right click on RADIUS Clients and Select New RADIUS Client

In Friendly name enter a name for Check Point FW,


In Client address (IP or DNS) enter <IP Check Point FW Internal Address>.
Click on [Next >]

Select RADIUS Standard for Client-Vendor:


Enter the chosen shared secret in Shared secret: and in Confirm shared secret:.
This must be the same value as the one you entered when you configured the
Check Point FW (Shared Secret in Configure RADIUS resource).
Click on [Finish] to validate those parameters.


Configure Access Policies


You have to add a new remote access policy:
Right click on Remote Access Policies and Select New Remote Access Policy
Click on [Next >] in the wizard windows


Select Set up a custom policy choice in How do you want to set up this policy and
add a friendly name in Policy name.
Click on [Next >]

Click on [Add] in Policy Conditions window


Select Client-IP-Address in Attribute types: and click on [Add]

Enter <IP Check Point FW Internal Address> in Type a word or a wild card (for
example, abc.*): and click on [OK]

Click on [Next >]


Select Grant remote access permission in If a connection request matches the
specified conditions: and click on [Next >].

Click on [Edit Profile] in the profile window


Select Authentication tab and uncheck all boxes except Unencrypted
authentication (PAP, SPAP)
Select Encryption tab


Check only the No encryption box. Then click on [OK]


In the Profile window, click on [Next >]
In the New Remote Access Policy Wizard window, click on [Finish]

The new policy is now available.


Configure Connection Request Policies


You have to add a new connection request policy:
In Connection Request Processing,
Right click on Connection Request and
Select New Connection Request Policy
Click on [Next >] in the wizard window
Select A custom policy,
Enter a name in Policy name and
Click on [Next >]
In the Policy conditions windows, click on [Add],
Select Client-IP-Address,
Click on [Add],
Enter <IP Check Point FW Internal Address>,
Click on [OK] and
Click on [Next >]
In the Request Processing Method, click on [Edit Profile]


In the Authentication tab, select Authenticate requests on this server and
click on [OK]
In the Request Processing Method window, click on [Next >]
In the New Connection Request Policy Wizard window, click on [Finish]


The new policy is now available.

Install and configure SA Server agent for IAS


You now have to install the SA Server IAS agent on the IAS RADIUS server. This component
will forward all authentication requests received by IAS to SA Server.


Double-click on IAS_AgentSetup.exe on the IAS RADIUS server,

Click on [Next >]


Select I accept the terms in the license agreement and click on [Next >]

You now have to enter
<Base URL SA Server>/saserver/servlet/UserRequestServlet
in Protiva Authentication Servlet URL:

Caution:

During the installation, you have to replace localhost by the real IP address of
SA Server. You also have to set the port if this is not the standard port 80.
Don't forget to replace the proposed protiva path by saserver, as it is now the
default choice used during SA Server installation.


Click on [Next >]


Click on [Install]

Click on [Finish]


Restart IAS
To launch the installed agent, you now have to re-start IAS.


In the Internet Authentication Service window, click on the stop button in the
toolbar to stop IAS.

Then, click on the green arrow in the same toolbar to restart the server and take
the changes into account.

Appendix 2: Configure Juniper Steel-Belted RADIUS Server


We used the Juniper Steel-Belted RADIUS V6.01 on a Windows Server 2003 SP1.

SBR pre-requisites
Juniper Steel-Belted RADIUS installation is not described in this document.
Launch SBR admin portal
To open Juniper Steel-Belted RADIUS admin portal:

Start a browser on the following URL: https://<IP SBR address>:1812

Click on Launch link. A login window is displayed.

You have to fill User Name and Password using an account with administrator
privileges on the Juniper Steel-Belted RADIUS server.
Port is automatically filled with the default 1813 value.
Click on [Login]


Add RADIUS Client


You now have to add the Check Point FW as a RADIUS client:

Right click on RADIUS Clients and Select Add:

Complete the following fields:


o In Name: enter a friendly name for the Check Point FW,
o In IP Address: enter <IP Check Point FW Internal Address>,
o In Shared secret: enter the same value you entered when you configured the
  Check Point FW (Shared Secret Page 20),
o Make sure you select - Standard Radius in Make or model:
Click on [OK]

Install and configure SA Server agent for SBR


You now have to install the SA Server SBR agent on the Juniper Steel-Belted RADIUS
server. This component will forward all authentication requests received by the SBR to SA
Server.


Double-click on SBR_AgentSetup.exe on Juniper Steel-Belted RADIUS server,

Click on [Next >]

Select I accept the terms in the license agreement and click on [Next >]


Select the Service folder in the SBR installation directory so that it appears in
Folder name:
Usually, this is under \Program Files\Juniper Networks\Steel-Belted Radius
Click on [Next >]

Enter
<Base URL SA Server>/saserver/servlet/UserRequestServlet
in Protiva Authentication Servlet URL:

Caution:

During the installation, you have to replace localhost by the real IP address of
SA Server. You also have to set the port if this is not the standard port 80.
Don't forget to replace the proposed protiva path by saserver, as it is now the
default choice used during SA Server installation.


Click on [Next >]

Click on [Install]

Click on [Finish]

Restart SBR
To launch the installed agent, you now have to re-start SBR service.
Select Start,
Select Control Panel,
Select Administrative Tools
Select Services


Then, right click on Steel-Belted Radius and choose Restart

Check agent integration


To check the installed agent is running,
Start the Steel-Belted Radius Administrator (as presented in the Launch SBR
admin portal section)

Select Authentication Policies then Order of Methods

Check that Protiva SBR Agent is in Active Authentication Methods:


Note: Other authentication methods can be present in both columns according to the
SBR configuration.


Appendix 3: Configure Free RADIUS Server on Linux


We used Free RADIUS V1.1.0-19.2 on a SUSE Linux Enterprise 10.

Free RADIUS pre-requisites


Free RADIUS installation is not described in this document. It is already pre-installed on this
distribution and configured for some pre-defined RADIUS clients.

Add RADIUS Client


You now have to add the Check Point FW as a RADIUS client:

Log on to the Linux server as root


Open clients.conf usually located in /etc/raddb/ directory with a text editor
Add a new section:
    client <IP Check Point FW Internal Address> {
        secret    = xxxxxxxxx
        shortname = CheckPointFW
    }
and give secret the same value as the one you entered when you configured the
Check Point FW (Shared Secret Page 20) and give shortname a label; this is an
optional field.

Install and configure SA Server agent for Free RADIUS


You now have to install the SA Server Free RADIUS agent on the Free RADIUS Server. This
component will forward all authentication requests received by Free RADIUS to SA Server.

Log on to the Linux server as root


Open a Terminal console
Move to the directory where SA Server agent .rpm is located
Stop Free RADIUS using the command:
radiusd stop
Here is a screen shot from our laboratory machine

If needed, install openssl library to use an HTTPS link with SA Server.


Here is a screen shot from our laboratory machine

Start agent installation using the command:

    rpm -ivh rlm_protiva-1.2.0-1.586.rpm
Here is a screen shot from our laboratory machine

Note: On a 64-bit system, you have to use rlm_protiva-1.2.0-1.x86_64.rpm.


Open radiusd.conf usually located in /etc/raddb/ directory with a text editor


Look for the modules section and add the following elements:
    # SA Server authentication module
    protiva {
        # host: the host and port to connect to
        host = <Base URL SA Server>
        # url: path to the servlet on the host machine
        url = /saserver/servlet/UserRequestServlet
        # securityLevel: security level to be used
        #   1 = no SSL
        #   2 = with SSL
        securityLevel = 1
        # certFile: certificate file to be used
        # you must specify a certFile if using SSL
        certFile = /usr/local/etc/raddb/tomcat.pem
        # openssl time out in seconds
        opensslTimeOut = 5
    }
Here is a screen shot from our laboratory machine

Look for the authenticate section and add the following element:
    Auth-Type protiva {
        protiva
    }
Save radiusd.conf
Open users usually located in /etc/raddb/ directory with a text editor
Look for the following section:

    DEFAULT Auth-Type = System
            Fall-Through = 1

Add an additional Auth-Type before those lines to obtain:

    DEFAULT Auth-Type = protiva
            Fall-Through = Yes

    DEFAULT Auth-Type = System
            Fall-Through = 1
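As an added example (not part of this application note or of the SA Server agent), a small Python checker for the two Free RADIUS fragments edited in this appendix: it parses a clients.conf entry and the protiva module block and flags what the Caution box warns about (host left at localhost, the old protiva path), a placeholder shared secret, and an SSL setting without a certificate. The sample configuration text and the 192.0.2.x addresses are constructed.

```python
import re
# Constructed sample of the protiva module block from this appendix, with the
# installer defaults (localhost, plain HTTP) left in place.
SAMPLE_MODULE = """
protiva {
    host = http://localhost:80
    url = /saserver/servlet/UserRequestServlet
    securityLevel = 1
    certFile = /usr/local/etc/raddb/tomcat.pem
    opensslTimeOut = 5
}
"""
# Constructed sample clients.conf entry with the secret still a placeholder.
SAMPLE_CLIENT = "client 192.0.2.1 {\n    secret = xxxxxxxxx\n    shortname = CheckPointFW\n}\n"

def parse_block(text, name_pattern):
    """Return {key: value} for the first `<name> { k = v ... }` block whose
    header matches name_pattern (FreeRADIUS 1.x style, no nested sections)."""
    m = re.search(r"(?:%s)\s*\{(.*?)\}" % name_pattern, text, re.S)
    body = {}
    for line in (m.group(1).splitlines() if m else []):
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            k, v = line.split("=", 1)
            body[k.strip()] = v.strip()
    return body

def check_protiva_module(text):
    """Flag what the Caution box warns about, plus an SSL/certificate mismatch."""
    cfg = parse_block(text, r"protiva")
    issues = []
    if "localhost" in cfg.get("host", ""):
        issues.append("host still points at localhost; use the SA Server address")
    if not cfg.get("url", "").startswith("/saserver/"):
        issues.append("url should use the /saserver/ path, not the old protiva path")
    if cfg.get("securityLevel") == "1":
        issues.append("securityLevel 1 sends the OTP to SA Server without SSL")
    if cfg.get("securityLevel") == "2" and not cfg.get("certFile"):
        issues.append("securityLevel 2 requires certFile")
    return issues

def check_client(text):
    """Flag a placeholder or short shared secret in a clients.conf entry."""
    secret = parse_block(text, r"client\s+\S+").get("secret", "")
    if not secret or set(secret) == {"x"}:
        return ["secret is the xxxxxxxxx placeholder; set the real shared secret"]
    if len(secret) < 16:
        return ["secret is shorter than 16 characters"]
    return []
```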

Restart Free RADIUS


Then restart Free RADIUS using the command:


radiusd start
Here is a screen shot from our laboratory machine


Appendix 4: Active Directory configuration


Mobile Users must be part of the AD Domain. You can check this is done using the following
process:
Click on Start, Select Control Panel and Select Administrative Tools
Select Active Directory Users and Computers

Mobile Users must also have the Remote Access Permission. You can check this is done
using the following process:
Click on Users, right click on the target user and select Properties


Select Dial-in tab and check the box Allow access in Remote Access Permission
section.
