Step by Step Guide for Check Point Secure Client

Step by Step Guide to implement SMS authentication to Check Point Secure Client


Installation guide for securing the authentication to your Check Point Secure Client VPN-1 solution with Nordic Edge One Time Password Server, delivering strong authentication via SMS to your mobile phone.









1       Summary


This is the complete installation guide for securing the authentication to your Check Point Secure Client VPN-1 solution with Nordic Edge One Time Password Server, delivering two-factor authetication via SMS to your mobile phone. You will be able to test the product with your existing Check Point Secure Client VPN-1 solution with the and your LDAP user database, without making any changes that affect existing users. The guide will also allow you to make the complete installation effeciently, using a maximum of 1 hour. Nordic Edge provides several methods for delivering one time passwords, like e-mail, tokens, mobile clients, Pledge, prefetch, Yubikey etc. - however in this test we are only going to use SMS.

This is a step-by-step guide that covers the entire installation from A to Z. It is based on the scenario that you are running your SSL-VPN solution against Active Directory, and that you install the One Time Password Server on a Windows Server. The One Time Password Server is platform independent and works with all other LDAP user databases, like eDirectory, Sun One, Open LDAP etc. If you are not running Active Directory or Windows and if you have any questions regarding the slight differences in the installation process, you are most welcome to contact us at support@nordicedge.se and we will take you through the entire process.





Table of Contents






Definitions


In this Step by Step guide the Check Point Secure Client VPN-1 is referred as "SSL-VPN Solution / Server"


2 Prerequisites


You will need to have a server available, for example a VMware virtual machine with Windows Server 2003 or higher installed with Ethernet in bridge mode. The server needs to have an ip-address configured and must also be able to reach your DNS-servers, your SSL-VPN solution and the Active Directory. Since the software is quite small (315 mb) and easy to remove, you can also use any existing server in your network.


Important information regarding communication

The One Time Password Server is a software that you can place on any server in your internal network or DMZ.

- The One Time Password Server needs to be able to communicate (Outbound traffic) with your LDAP or JDBC User Database. Default port for LDAP and Secure LDAP is TCP port 389 / 636.

- SSL-VPN solution needs to be able to communicate (Outbound traffic) with the One Time Password Server with Radius, UDP port 1812 or 1645 (Outbound traffic)

- If you want to use the Nordic Edge SMS Gateway, the One Time Password Server needs to be able to communicate (Outbound traffic) with otp.nordicedge.net and otp.nordicedge.se with HTTPS on TCP port 443.


In this test-scenario you will want to communicate with RADIUS port 1812 or 1645 and use our Nordic Edge 

SMS Gateway.



3 Getting started

3.1 Register and download the software



 Go to www.nordicedge.net and click "PRODUCTS" and then "Downloads"




Type in your name and contact details to receive the software.




You will receive a link for downloading the software. A 30 days evaluation license will be sent via e-mail when you download the software.

Download the 32 or 64 bit version depending on your platform.

4       Installation

4.1      Start the installation


Start the installation on the server where you want to install the One Time Password Server


 

Please note that if you are installing on a Windows 2008 Server you need to right click on the otp3install.exe using explorer and click on “Run as Administrator”.

 

 


4.2      Installing license

Choose the license.dat that you have received via e-mail. 


    Leave it default on yes and click “Done”

5   Configuring the One Time Password Server

5.1  Start the OTP Configurator

Start the OTP Configurator by clicking on the left button - “Configuration”              


5.2   Configure the One Time Password Server

On the Server page you can set the length of the one time password and for how long it should be valid. Default is 5 minutes.

You can also set a default country prefix, which means that you will not need to state it in the mobile attribute. 

For more information regarding the optional setting please see One Time Password Server 3 – Administration manual


For now, leave this page as default and go on to the next part – Configure RADIUS.

5.3      Configure RADIUS

Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with Check Point VPN-1 server. In this example we are using RADIUS port nb 1645.



 Click Save config.

5.4      Configure databases

In this setup we are going to use the LDAP database Microsoft Active Directory

Change to the Databases tab and click on the LDAP Database button.

5.5      Configure LDAP Host Settings

For our configuration we are going to use the active directory installed on the same server as the One Time Password Server. We will use the internal IP-address (127.0.0.1) as host address.

We will use the standard LDAP port nb (389) to communicate with Active Directory.

For Admin DN we are going to use the Administrator to search for users in the Active Directory. For now the user only need read rights to the user object but be aware that you later might want to use options like disable accounts and use the Pledge Enrollment concept for the Pledge Mobile Client. In examples like these the Admin DN need rights to modify the disable account attribute and to store oath-keys at optional user attributes.

Configure your LDAP host settings and click test. You should now get a messages saying “LDAP connection success”


Click OK and Save

 

Next step is to configure the LDAP database settings.

5.6   Configure the LDAP database settings

The BASE DN is the search base for where your users contains. Click on the button with three dots at the right side of the Base DN field to browse your LDAP Database.

Click on the Organization Unit or Organization where your store your users objects and click OK.



5.7      Configure search filter

Next step is to configure the search filter for letting the One Time Password search for the right object classes and attribute according to Microsoft Active Directory.

Click on the “Sample Button” and choose the filter template for MS Active Directory and click OK twice.



5.8    Test LDAP Authentication

Click on the Test LDAP Authentication button and type in the userid for a user you want to try to authenticate. 


Type in the password


If everything is correctly configured you will get a success message.


6 Configure the SSL-VPN client settings.

Since we are configuring the One Time Password Server to act as RADIUS-server, the Check Point VPN-1 is considered a client to the One Time Password Server.

In this step we are going to configure the settings for the Check Point VPN-1.

In the left pane click on ”Clients” 



Type in a name and a ipaddress for your Check Point VPN-1 server.

Type in the RADIUS shared secret.

Choose the Active Directory you configured earlier as User Database.

Click Save




7    Configure Delivery Method

The Delivery Methods object category is used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords.

 

One Time Password Server offers various methods like SMS, Oath Tokens, Instant Messaging, HTTP, Yubikey.

In this example we will use SMS as Method and the Nordic Edge SMS-service as SMS-provider.

In the evaluating phase we offer customer to use our Nordic Edge SMS-service free of charge in 30 days from the activation of the Demo Account.

In the left Pane, click “Deliver Methods” and then Nordic Edge SMS. In the right pane enable Nordic Edge SMS Gateway.

To Request a demo account click “Request a demo account”.


Click “Yes”


You should now get a success message and the Username and Password for the Nordic Edge SMS-gateway has automatically been filled in. Click OK and Save Config.





Restart the One Time Password Server as Windows Service

In the server panel for click “Shutdown”


In Windows Control Panel, open Administrative Tools / Services

Find the NordicEdge OTPServer Service, right click on that service and click “Start”.





9  Add mobile phone number with Microsoft Management Console

Add mobile phone number to your test users mobile phone attribute by starting the Microsoft MMC and select the user that you want to use for testing and enter the mobile phone number in the Mobile attribute.



10 configuring Check Point Secure Client, VPN-1

10.1     Add a new RADIUS Server


Open Check Point SmardDashboard

Go to the Servers and OPSEC applications page

Right click on Servers and choose new radius..



Radius Server Properties name it for example to OTP

At the Host line click new



In the General Properties page add a name for the One Time Password Server.

Please note that the name cannot be the same as the RADIUS Server object.

Type in the IP address for the One Time Password Server


Click OK

Now in the Service field choose the same Radius protocol as you have configured the OTP-server to run with. In this test scenario we are using 1645 which is RADIUS. If you would have used 1812 on
the One Time Password Side you would have been choosing New Radius.

Type in same shared secret as you have set in the One Time Password Server

Use Version 1.0 Compatible Radius protocol

 

In the Protocol field make sure you use Protocol PAP

 

Priority shall be set to 1.



Click OK

10.2 Add test user

Go to the User tab

Right click on users and choose new user. (default)



In the User properties select the user name for your test user. Note, this should be the same name as the User Id in Active Directory.



Go to the Authentication tab

IN the Authentication Scheme

Select the Authentication Scheme “ RADIUS”

Select the One Time Password Server as RADIUS Server.




Click OK

11       Test the authentication.

Open the SecureClient login and type in your Active Directory User ID and password as usual.



Click Connect.

You will now receive a one-time password to your cell phone.


Enter your one-time password and in the response field and click connect.




12     Purchase

If you want to purchase the product, you are more than welcome to contact us at e-mail sales: sales@nordicedge.se. phone: +46 8 122 07 500 fax: +46 8 122 07 508.


13     Technical questions

If you have any technical questions, please contact us at support@nordicedge.se 


 

Thank you for showing interest in our product!

The Nordic Edge One Time Password Server Team



  • Share/Save

AWARDS

Nordic Edge is one of Sweden’s fastest growing companies – identified as a Gazelle Company by Dagens Industri

DI Gazell Award
  • NORDIC EDGE AB
  • Augustendalstorget 9, 131 26 Nacka Strand, SWEDEN
  • +46(8) 122 07 500
  • info@nordicedge.se