Checkpoint SecureClient Integration
From Swivel Knowledgebase Wiki
Version 1.1 March 2010
Introduction
This document outlines the steps required to integrate the Checkpoint SecureClient VPN software with PINsafe.
PINsafe users can use either PINsafe’s Single Channel or Dual Channel (SMS, J2ME) methods to retrieve Security Strings, which are applied against the user’s PIN to extract a One-Time Code (OTC) which represents the password for an authentication request.
With Single Channel methods, the user must be presented with a TURing or Pattern image at sign-in time (representing a single time-limited Security String), so they can extract their OTC.
For larger deployments, the settings and software can be packaged in an MSI file to ease installation.
Prerequisites
Checkpoint SecureClient
PINsafe 3.x. Where the Single Channel image is to be used, it should be presented to the user through a Network Address Translation to the PINsafe server.
PINsafe SecureClient software
- The file extensions have been changed to prevent the files from being blocked by mail filters: .dll files are renamed to .dlx and .reg files to .rex. These need to be renamed back before use.
Baseline
Checkpoint SecureClient R60
PINsafe 3.6
Architecture
The user connects to the Checkpoint VPN using the SecureClient software. The Checkpoint is configured to use a PINsafe server for RADIUS authentication. Users are stored and maintained in PINsafe.
PINsafe Integration
There are three elements that require configuring on a PINsafe server:
Configure the PINsafe RADIUS server and host IP.
Set up the NAS (Network Access Server), which in this case is the Checkpoint VPN.
Enabling Session creation with Username.
Configuring the RADIUS mode and Host IP
Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In our example (see diagram below) the RADIUS Mode is set to ‘Enabled’ and the Host IP (the PINsafe server) is set to 0.0.0.0 (leaving the field empty has the same result). This means that the server will answer all RADIUS requests it receives, regardless of the IP address they were sent to.
Note: for appliances, the PINsafe VIP should not be used as the server IP address; see VIP on PINsafe Appliances.
Figure 2 Extract from PINsafe RADIUS configuration page.
Setting up the NAS
Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the Checkpoint VPN server. Set the IP address to the IP of the VPN appliance and assign the shared secret (‘secret’ in this example) that will be used in both the PINsafe NAS entry and the VPN RADIUS configuration.
Figure 3 Extract from PINsafe NAS setup page
You can specify an EAP protocol if required; otherwise CHAP, PAP and MSCHAP are supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.
Enabling Session creation with username
The PINsafe server can be configured to return an image stream containing a TURing image when presented with the username via the XML API or the SCImage servlet. It is this mechanism that is used to return the TURing image to the VPN sign-in page.
Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.
To test your configuration you can use the following URL with a valid PINsafe username:
Appliance
https://PINsafe_server_IP:8443/proxy/SCImage?username=testuser
Software install
https://PINsafe_server_IP:8080/pinsafe/SCImage?username=testuser
For further information see the Single Channel How To Guide.
Setting up PINsafe Dual Channel Transports
Configuring the Checkpoint VPN-1/Firewall-1
Checkpoint VPN-1/Firewall-1 configuration Overview
The steps for enabling SecureClient users on the Checkpoint VPN-1/Firewall-1 are outlined below. For further details refer to the VPN-1/Firewall-1 Administration Guides.
1. Install the SecureClient license.
2. Create SecureClient users.
3. Define a SecureClient authentication method using PINsafe as a RADIUS server.
4. Create a SecureClient group.
5. Add SecureClient users to the SecureClient group.
6. Define a Remote Access Community and participants.
7. Create SecureClient rule for the Remote Access Community.
8. Create the Desktop Security Policy rules.
9. Install Security Policy.
Configure Checkpoint VPN-1/Firewall-1 to use the PINsafe RADIUS server
Create a RADIUS server entry on the Checkpoint Policy Editor
Select Manage/Network Objects, then click New, then Workstation. In the Workstation Properties window, enter the PINsafe server IP address and choose 'Host' for Type. For the Comment enter "PINsafe authentication". When complete, click OK.
Select Manage/Servers then click on New and from the menu select Radius. In the RADIUS Server Properties window enter the following:
Name: RADIUS server name
Comment: information, e.g. PINsafe RADIUS server
Colour: a colour for the object (we like orange!)
Host: hostname of the PINsafe server created above
Service: select New Radius (uses port 1812)
Shared secret: enter the shared secret that is also entered on the PINsafe server
Version: select the RADIUS version required
Protocol: select the required RADIUS protocol
Priority: the priority for authentication to multiple RADIUS devices
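The RADIUS exchange between the Checkpoint NAS and the PINsafe server, as an added example that is not part of the Swivel page or the PINsafe software: it builds the Access-Request that carries the OTC as a PAP User-Password hidden under the shared secret, and parses it back the way the RADIUS server does. The shared secret 'secret' and user 'testuser' are the page's own placeholders; the packet layout follows RFC 2865 and everything else is assumed.

```python
# Added example: RADIUS Access-Request from the Checkpoint NAS to PINsafe, OTC as a PAP User-Password.
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types


def pap_hide(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(secret, authenticator, hidden):
    """Inverse of pap_hide, as the PINsafe RADIUS server applies it before checking the OTC."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # TLV; length includes header

def build_access_request(ident, secret, username, otc, authenticator=None):
    """Header (code, id, length) + 16-byte Request Authenticator + attributes."""
    auth = authenticator or os.urandom(16)  # must be fresh and unpredictable per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_hide(secret, auth, otc.encode())))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_access_request(packet, secret):
    """Server-side view: walk the attributes and recover the plaintext OTC."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, pos, fields = packet[4:20], 20, {"code": code, "id": ident}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            fields["username"] = value.decode()
        elif atype == USER_PASSWORD:
            fields["otc"] = pap_reveal(secret, auth, value).decode()
        pos += alen
    return fields
```

The only protection the OTC has on the wire is MD5 keyed with the shared secret, so treat ‘secret’ as a placeholder and use a long random value on both the PINsafe NAS entry and the Checkpoint RADIUS object.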
To configure External Checkpoint VPN-1/Firewall-1 users to authenticate by RADIUS
External User Profiles
There are two different types of External User Profile available in the Check Point VPN-1/Firewall-1 product: match all users, or match by domain, whereby users are differentiated by their domain name.
The steps below configure an External Profile of Match All Users.
1. On the Checkpoint VPN-1/Firewall-1 configuration select Manage/Users and Administrators/New/Match All Users/Default.
2. The user generic* is created and greyed out.
3. Select the Authentication tab.
4. From the drop-down box choose RADIUS as the user’s Authentication Method.
For further details on the available user authentication methods, configuration and setup, refer to the VPN-1/Firewall-1 Administration Guides.
The SecureClient is now ready for two-factor authentication using standard SMS delivery or the Mobile Phone Client.
Modifying the Checkpoint SecureClient for Single Channel and Advanced SMS features
Note that all .dll files have been renamed to .dlx, and .reg files to .rex, to avoid problems with email filters. You will need to change the names back before deploying the files.
Stop the SecureClient or ensure it is not running.
Copy PINsafeAuthGUI.dll to the SecuRemote\bin folder.
Edit SecuRemote\database\userc.C and add the following to the :options section:
:guilibs (
: ("C:\Program Files\CheckPoint\SecuRemote\bin\PINsafeAuthGUI.dll")
)
Edit RegSettings.reg to set the correct PINsafe server and, if necessary, the port and context. Double-click RegSettings.reg to install the registry settings that the DLL needs.
The options are:
PINsafeServer: The IP address of the PINsafe server. This should be a NAT address of the PINsafe server and must be accessible from the client.
PINsafeProtocol: 1 for https, or 0 for http.
PINsafePort: The port used to retrieve single channel images from the PINsafe server, usually 8080, or 8443 for a PINsafe appliance.
PINsafeContext: The installation instance of the PINsafe server, usually pinsafe, or proxy for a PINsafe appliance.
PINsafeAllowSelfCert: 1 to allow self-signed certificates on the PINsafe server, 0 to not allow them to be used.
PINsafeSecret:
PINsafeUser: The user for authentication can be pre-configured. Do not set this value if this is a template to be deployed to multiple users.
PINsafeChannelType: single or dual channel communications. Setting dual requests an SMS security string by the on-demand method; On Demand authentication must be enabled on the PINsafe server.
Default Values are:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Swivel Secure\PINsafe SecureClient]
"PINsafeServer"="localhost"
"PINsafeProtocol"="1"
"PINsafePort"="8080"
"PINsafeContext"="pinsafe"
"PINsafeAllowSelfCert"="1"
"PINsafeSecret"="secret"
"PINsafeUser"=""
"PINsafeChannelType"="single"
PINsafe Appliance default values are:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Swivel Secure\PINsafe SecureClient]
"PINsafeServer"="External NAT IP of PINsafe server"
"PINsafeProtocol"="1"
"PINsafePort"="8443"
"PINsafeContext"="proxy"
"PINsafeAllowSelfCert"="1"
"PINsafeSecret"="secret"
"PINsafeUser"=""
"PINsafeChannelType"="single"
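An added check for the RegSettings.reg values above (example code, not from the Swivel page or the PINsafe SecureClient software): it parses the .reg text into the settings the DLL reads, builds the SCImage test URL from them, and flags the choices a deployer should revisit before bulk deployment. The server address 203.0.113.10 is a constructed stand-in for the external NAT IP, and the port/context pairing rule is my own summary of the page's two sets of defaults.

```python
# Added example: parse the PINsafe SecureClient .reg template and review it before deployment.
import re

KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Swivel Secure\PINsafe SecureClient]"
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Swivel Secure\PINsafe SecureClient]
"PINsafeServer"="203.0.113.10"
"PINsafeProtocol"="1"
"PINsafePort"="8443"
"PINsafeContext"="proxy"
"PINsafeAllowSelfCert"="1"
"PINsafeSecret"="secret"
"PINsafeUser"=""
"PINsafeChannelType"="single"
"""  # constructed sample: the appliance defaults with a placeholder NAT address

def parse_reg(text):
    """Return {value_name: data} for the PINsafe SecureClient key only; other keys are ignored."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == KEY
        elif in_key and (m := re.fullmatch(r'"([^"]+)"="(.*)"', line)):
            values[m.group(1)] = m.group(2)
    return values

def image_url(v, username):
    """The SCImage test URL from the page, assembled from the registry values."""
    scheme = "https" if v.get("PINsafeProtocol") == "1" else "http"
    return f"{scheme}://{v['PINsafeServer']}:{v['PINsafePort']}/{v['PINsafeContext']}/SCImage?username={username}"

def check_settings(v, template=True):
    """Findings a deployer would want to see before building the MSI."""
    findings = []
    if v.get("PINsafeProtocol") != "1":
        findings.append("image requests use plain http; the username and TURing image travel unencrypted")
    if v.get("PINsafeAllowSelfCert") == "1":
        findings.append("self-signed certificates accepted: the client cannot detect a substituted server")
    if v.get("PINsafeSecret") == "secret":
        findings.append("PINsafeSecret is still the documented default")
    if v.get("PINsafeServer") in ("localhost", "127.0.0.1"):
        findings.append("PINsafeServer must be the NAT address reachable from the client, not localhost")
    if template and v.get("PINsafeUser"):
        findings.append("PINsafeUser is set in a template meant for multiple users")
    expected = {"proxy": "8443", "pinsafe": "8080"}.get(v.get("PINsafeContext"))
    if expected and v.get("PINsafePort") != expected:
        findings.append(f"context {v['PINsafeContext']} normally pairs with port {expected}")
    return findings
```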
Verify that winhttp.dll is present in C:\Windows\System32
Start SecureClient. Click connect. Under Options, Change Authentication to Secure Authentication API.
When you click Connect, you should now see either a dialog with a TURing image on it, or "CONFIRMED" for dual channel, in which case a security string will be sent by the appropriate transport. I've left the password field in case you want a password as well as a PIN, but this can be removed if required. Enter the OTC, and hopefully it will authenticate.
Removing the PINsafe SecureClient
To remove the PINsafe authentication, remove the :guilibs entry added earlier from SecuRemote\database\userc.C, then restart the client.
Verifying the Installation
Log in using the TURing image or SMS.
Bulk deployment
Once a deployment has been tested, these settings can be used to create an MSI file that will install the PINsafe SecureClient software.
For further information see [[1]]
Troubleshooting
Check the PINsafe logs for TURing image requests and RADIUS requests.
Known Issues and Limitations
None
Additional Information
For assistance with the PINsafe installation and configuration, please first contact your reseller and then email Swivel Secure support at support@swivelsecure.com