Configuring the - Check Point Software Technologies, Ltd.
Contents
1. mgcp_log_per_conn boolean mgmtha_active_management_check_period number 60 mgmtha_alert_type string alert mobile_remote_access preferences owned object mobile_remote access properties neo_allow_clear_while_disconnected string client_decide false true client_decide i neo_allow_client_db_export string false false true client_decide neo_allow_client_debug_logs string dient_decide false true dient_decide neo_allow_site_creation string true false true dient_decide neo_always_connected dient_decide false true client_decide ad gt Ready 172 16 8 130 Readvrite NoM 4 The security policy is configured using the properties described in e Table 19 1 VPN Properties Table 19 2 Gateway Properties e Table 19 3 Firewall Properties e Table 19 4 General Properties 456 Advanced Configuration Table 19 1 VPN Properties Property Description Valid Values Default value in bold neo remember user passwor Remembers the user false true d password PIN password client_decide caching So long as the password is cached the user should not be prompted to enter a password when the client connects reconnects or re authenticates neo remember user passwor_ The password PIN caching 1 infinite 1 d timeout timeout in minutes since the MAX_INT 1440 user has entered their credentials An authentication attempt after this timeout expires requires2. Parameter Description jipkgname Install x pkg_name Uninstall q Quiet installation I v log_file_name Collect logs Spl it Installation To activate l E PPS Set SplitKernelInstall 0 in the product ini file Install the product except for the kernel An automatic reboot initiated by the end user will occur After the reboot the automatic kernel installation takes place A second automatic reboot will occur Debug In order to debug the MSI installation run the 1 v log file name parameter log file name and install securemote elg are used for troubleshooting Chapter 20 Packaging SecureClient 487 Configuring MSI Packaging 488 Zone Labs Endpoint Security Client When installing the SecureClient MSI package with Zone Labs integration use the following syntax msiexec i lt package name gt ZL 1 INSTALLDIR lt install dir gt qr qb qb e package_name the SecureClient msi package name e ZL 1 install with Zone Labs configuration e INSTALLDIR lt install_dir gt the folder where the package is installed e qrl qbl qb standard MSI UlLevel support used for silent installation Using this command the product ini file is automatically modified Chapter 21 Desktop Security In This Chapter The Need for Desktop Security page 490 Desktop Security Solution page 491 Desktop Security Considerations page 496 Configuring Desktop Security page 498 489 The N
3. Parameters read from command line RIM PEER_GATEWAY 1 RIM NEW STATE 2 RIM HA STATE 3 RIM FIRST TIME 4 RIM PEER ENC _NET 5 case S RIM NEW STATE in up Place your action for tunnels that came up down Place your action for tunnel that went down esac For Windows platforms the script takes the form of a batch file Chapter 8 Route Injection Mechanism 181 Custom Scripts 182 Figure 8 3 Sample customized script for Windows echo off rem This script is invoked each time a tunnel is configured with the RIM option rem and the tunnel changed state rem rem You may add your custom commands to be invoked here rem Parameters read from command line set RIM PEER_GATEWAY 1 set RIM NEW STATE set RIM HA STATI set RIM _FIRST TIME set RIM PEER ENC NET goto RIM _ RIM NEW STATE RIM_up rem Place your action for tunnels that came up goto end RIM_down rem Place your action for tunnel that went down goto end send Where RIM_PEER_GATEWAY Peer gateway RIM_NEW_STATE Change in the gateways s state i e up or down RIM_HA_STATE State of a single gateway in a cluster i e standby or active RIM_FIRST_TIME The script is executed separately for each network within the peers encryption domain Although the script might be ex
4. Chapter 23 Secure Configuration Verification 537 Configuring SCV internet options mismatch message Your Internet browser settings do not meet policy requir ments nPlease check the following settings nl In your browser go to Tools gt Internet Options gt Security n2 For each Web content zone select custom level and disable the following items DownLoad signed ActiveX Run ActiveX Controls Download Files and Java Permissions OsMonitor type plugin parameters os version mismatchmessage Please upgrade your operating system enforce screen saver minutes to activate 3 screen saver mismatchmessage Your screen saver settings do not meet policy requir ments nPlease check the following settings nl Right click on your desktop and select properties n2 Select the Screen Saver tab n3 Under Wait choose 3 minutes and check the Password Protection box send log log major os version number 9x 4 minor os version number 9x 10 0s_ version operand 9x gt service pack major version number 9x 0 service pack minor version number 9x 0 service pack version operand 9x gt major os version number nt 4 minor os version number nt 0 0s_ version operand nt service pack major version number nt 5 service pack minor version number nt 0 service pack version operand nt gt major os version number 2k 5 minor os version number 2k 0 0S version operand 2
5. Configuring SCV Time in hours for which the desktop policy remains valid After 168 hours the desktop policy is not considered valid and the user is no longer SCVed If this parameter is not specified the policy is not checked for freshness mismatchmessage Place a message here The message displayed when the user policy scv check fails dont_enforce while connecting If this parameter is present the user is considered SCVed while connecting to the gateway The user is considered SCVed only for the duration of the connect process 13 SCVGlobalParams Parameters For all boolean parameters true or false the values should not be enclosed in quotation marks enable status notifications true false If true SecureClient displays a balloon window when the Desktop is not SCVed On windows 9x and NT where balloons are not supported popups appear status notifications timeout The number of seconds the balloon window see previous parameter will be displayed disconnect_when not verified true false If true SecureClient will disconnect from the site when the Desktop is not SCVed block connections on unverified tru false If true SecureClient will drop all open connections when the Desktop is not SCVed Note This parameter if true blocks all connections to the machine not just those connections to and from the VPN site scv_ policy timeout hours The
6. iter in the iterator arg in the argument TrNotificationSetintArg This function sets the argument in the given position to int argument and overrides the current argument that exists in the given position Prototype TRAPI CPAPI TrStatus TrNotificationSetIntArg TrNotification notification int pos int val char default txt 416 Functions from Service to Client Arguments Argument IN OUT Meaning notification in the given notification pos in position of the notification val in the value of the notification default_text in notification text TrNotificationSetStrArg This function sets the argument in the given position to str argument and overrides the current argument that exists in the given position Prototype TRAPI CPAPI TrStatus TrNotificationSetStrArg TrNotification notification int pos const char val char default txt Arguments Argument IN OUT Meaning notification in the given notification pos in position of the notification val in value of the notification default_text in notification text TrNotificationSetDoubleArg This function sets the argument in the given position to double argument and overrides the current argument that exists in the given position Prototype TRAPI CPAPI TrStatus TrNotificationSetDoubleArg TrNotification notification int pos double val char default txt Chapter 18 Endpoint Connect A
7. 3 Select the Apply SCV on Simplified Mode Security Policies checkbox and click the Exceptions button The Hosts available without passing SCV verification appears 4 Click Add to set the hosts and services to be excluded from SCV verification Configuring block_scv_client_connections To block a user that becomes unverified set the attribute block _scv_client_connections to true in the in the local scv file For more information see The local scv Sets on page 534 340 Configuring SecureClient Configuring Selective Routing From SmartDashboard proceed as follows 1 In the Network Objects Tree highlight and right click the gateway to be edited 2 Select Edit The Check Point Gateway properties page appears 3 Select Topology to display the topology window Figure 16 5 Check Point Gateway Topology Window Check Point Gateway TestServer xi General Properties Topology Topology NAT Get is a Name IPAddress Network Mask __ IP Addresses behi illest E10080 192 168 4181 255 255 255 0 This Network Authentication SmartView Monitor Logs and Masters Capacity Optimization E Advanced Add Edit Remove Show VPN Domain All IP Addresses behind Gateway based on Topology information Manually defined New Show YPN Domain Set domain for Remote Access Community 4 C
8. cccccccsssccessseeeeeeeeseeeeseeeeeneees 596 The Check Point Solution for Multiple Entry Points c cccccseeceeeeeeeseeeeeaeeees 597 SecureClient Connect Profiles and MEP ccccccseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeees 597 16 Preferred Backup Gateway cccccceccseecceeceeeceeceeseceeeseeeeeeeseeeeeeeaeeseeeseeesaees 598 Visitor Mode and MEP csccht ch tuctoi Bs dc eee aa e natant ania abiete ce often as 599 Routing Return Packets erraren n te hee aS ee eth 599 Disabling MEP 22 ce2eciss ne tana sds lev tdetens aha ciueauact a a Saat ne saetdal aetees beetiadens 600 Configuring MEP acct ah in cate Soares os oe oar dade Ma Staal ansetnn treet Teeghacane nes 601 Firstto RESPON dA atirina a ae a eaaa aaa sacboteancsduthedtemtmantntanhs 601 Primary BaCkuU pi smi aiiiar reaa ade Maden een AEE E a aay 602 Load DisStribttio Mier nenen an ea ena anan ar an ae alae ee e te AN 603 Configuring Return Packets icvsicsicincevicuceeess acest val cen vil iidas ol ecetioe nib bandeebees 603 Configuring Preferred Backup Gateway ccccccccseccccsecceeseeeseeeeseeeeeeeceseeeeseeees 604 Disabling MEP siahccsweedsesstedieis tothe Soave e i Morell Masel ee E NEE NEEL ks 605 Chapter 29 Userc C and Product ini Configuration Files Introduction to Userc C and Product ini ccccccccceeccesecceceeeceeeeceeeeeeeaeeeeseeeeeas 608 The Userc C File vcscccnstec hac tethy cwesas aa aeaa dated cidatetectelagecieiaedd tan 608 The Produ
9. 3 Tap Yes to reboot Upgrade To upgrade the CAB package 1 From the File Explorer window select the cab file Chapter 19 SecureClient Mobile 439 Client Side Installation The Installation window opens Installation The previous version of Check Point Secureclient Mobile will be removed before the new one is installed Select CK to continue or Cancel to quit 2 Tap OK to install the new version Existing configuration settings are not lost during upgrade they are transferred to the new version 3 If prompted to select an installation location Select Device Installing on storage cards is not supported 4 Tap Yes to reboot Uninstall To uninstall the CAB package 1 Select Start gt Settings gt System Tab gt Remove Programs 2 Highlight Check Point SecureClient Mobile and then tap Remove MSI Package The msi file package is provided by the administrator and may be stored anywhere on the PC The installation can be automated using tools such as Microsoft SMS Server Installation To install the MSI package 1 On the Windows PC machine run the msi file provided by your administrator 440 Client Side Installation 2 Follow the instructions in the wizard to complete the installation During installation the ActiveSync service prompts users to install the software on the device Upgrade To upgrade the MSI package 1 Run the msi file provided by your administrator 2 F
10. Attributes server sslport username certificate calist reauth debug cipher proxy name proxy port proxy user proxy pass Description Specify server IP or hostname Change the HTTPS port default port is TCP 443 Specify a valid user Specify which certificate is used to authenticate Define the directory where CA s certificates are stored Enable reauthentication Valid values yes no Enable debugging snx elg log file is created Valid values yes no To activate debugging when running java create a snxrc file with the line debug yes in the home directory Force a specific encryption algorithm Valid values RC4 and 3DES Define a Proxy hostname Define a proxy port Define a proxy user Define a password for proxy authentication Note Proxy information can only be configured in the configuration file and not directly from the command line Chapter 30 SSL Network Extender 669 SSL Network Extender User Experience Removing an Imported Certificate If you imported a certificate to the browser it will remain in storage until you manually remove it It is strongly recommended that you remove the certificate from a browser that is not yours To remove the imported certificate 1 In the Internet Options window shown in the following figure access the Content tab Figure 30 22Internet Options window 2x General Security Privacy Content Connections Programs A
11. For tracking options see Tracking Options on page 188 4 If a customized script is run edit custom rim sh or bat script in the SFWDIR Scripts directory on each of the gateways Enabling the RIM_inject_peer_interfaces flag To enable the RIM inject peer interfaces flag 1 In SmartDashboard click Policy gt Global Properties 2 Go to SmartDashboard Customization gt Configure gt VPN Advanced Properties gt Tunnel Management 3 Select RIM inject peer interfaces 4 Click OK Tracking Options Several types of alerts can be configured to keep administrators up to date on the status of gateways The Tracking settings can be configured on the Route Injection Mechanism Settings page The different options are Log Popup Alert Mail Alert SNMP Trap Alert and User Defined Alert 188 Chapter 9 Wire Mode In This Chapter The Need for Wire Mode page 190 The Check Point Solution page 191 Wire Mode Scenarios page 192 Configuring Wire Mode page 197 189 The Need for Wire Mode The Need for Wire Mode 190 The overall increase in VPN usage has made the need for reliable uninterrupted connections more important than ever When a connection fails vital information can potentially be lost A new connection needs to be immediately established to resend the information By avoiding stateful inspection Wire Mode enables VPN connections to successfully failover thus improving performance and reducing do
12. S Note You must configure each gateway that will be using the SSL Network Extender 638 Configuring the SSL Network Extender 1 Select Remote Access gt SSL Network Extender The SSL Network Extender window is displayed Check Point Gateway Corporate qw Activate Support SSL Network Extender Select the server side certificate with which the gateway will authenticate from the drop down list 4 Click OK Chapter 30 SSL Network Extender 639 Configuring the SSL Network Extender Configuring the SSL Network Extender 1 Select Policy gt Global Properties gt Remote Access gt SSL Network Extender The SSL Network Extender Global Properties window is displayed 2 Select the user authentication method employed by the SSL Network Extender from the drop down list The options are e Certificate The system will authenticate the user only via a certificate Enrollment is not allowed e Certificate with enrollment The system will authenticate the user only via a certificate Enrollment is allowed If the user does not have a certificate he she can enroll using a registration key received previously from the system administrator e Legacy Default The system authenticates the user via his her Username and Password e Mixed The system attempts to authenticate the user via a certificate If the user does not have a valid certificate the system attempts to authenticate the user via his her Username and P
13. gt interface add numbered 10 0 1 22 10 0 0 3 GWc Interface vt GWc was added successfully to the system SSea Sees Verify configuration VPN shell gt show interface detailed all vt GWb Type numbered MTU 1500 inet addr 10 0 1 12 P t P 10 0 0 2 Mask 255 255 255 255 Peer GWb Peer 1D 180 180 1 1 Status attached vt GWe Type numbered MTU 1500 inet addr 10 0 1 22 P t P 10 0 0 3 Mask 255 255 255 255 Peer GWc Peer 1D 190 190 1 1 Status attached VPN shell gt quit member GWa2 ifconfig vt GWb vt GWb Link encap IPIP Tunnel HWaddr inet addr 10 0 1 12 P t P 10 0 0 2 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b member GWa2 ifconfig vt GWc vt GWc Link encap IPIP Tunnel HWaddr inet addr 10 0 1 22 P t P 10 0 0 3 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b When configuring a VTI in a clustered environment and an interface name is not specified a name is provided The default name for a VTI is vt peer gateway name For example if the peer gateway s name is Server_2 the default name of 142 Co
14. Chapter 14 Introduction to Remote Access VPN Description Introduction to VPN connections between gateways and remote users Chapter 15 Office Mode Office Mode enables a Check Point Security Gateway to assign a remote client an IP address Chapter 16 SecuRemote SecureClient SecuRemote SecureClient is a method that allows you to connect to your organization in a secure manner while at the same time protecting your machine from attacks that originate on the Internet Chapter 17 Endpoint Covers Endpoint connect client server side Connect configuration Chapter 18 Endpoint Covers the Endpoint Application Programming Connect API Interface API Chapter 19 SecureClient SecureClient Mobile is a client for mobile Mobile devices that includes a VPN and a firewall SecureClient Mobile s VPN is based on SSL HTTPS tunneling and enables handheld devices to securely access resources behind Check Point gateways Chapter 20 Packaging SecureClient Using one of the two available packaging tools enables the administrator to create pre configured SecureClient and SecuRemote packages Users can then install the package without being required to specify configuration details ensuring that users cannot inadvertently misconfigure their SecureClient and SecuRemote software Chapter 21 Desktop Security Description of how SecureClient protects remot
15. In SmartDashboard click Policy gt Global Properties gt Remote Access gt SecureClient Mobile Select an authentication scheme from the User authentication method drop down menu Configure the authentication method using the neo_user_auth_methods property described in Table 19 2 Configuring SecureClient Mobile Re authenticate Users There are two methods used to configure the re authenticate user value l In SmartDashboard click Policy gt Global Properties gt Remote Access gt SecureClient Mobile gt Advanced Enter a value in the Re authenticate user every field Configure the re authenicate user value using the neo user re auth timeout property described in Table 19 2 Configuring Encryption Methods There are two encryption methods available 3DES only Default The SecureClient Mobile client only supports 3DES 3DES or RC4 The SecureClient Mobile client supports both the RC4 and the 3DES encryption methods RC4 is a faster encryption method There are two methods to configure the encryption method l In SmartDashboard click Policy gt Global Properties gt Remote Access gt SecureClient Mobile Select an encryption method from the Supported encryption methods drop down menu To determine whether the SecureClient Mobile client supports the RC4 or the 3DES encryption method use the neo encryption methods property listed in Table 19 2 Certificates The Security Management server uses t
16. This setting is found on the Community Properties gt VPN Advanced gt VPN Routing page Primary Backup Gateways Backup gateways provide redundancy for primary gateways If the primary gateway fails connections go through the backup In Figure 12 8 the first gateway is configured as the primary and the second gateway as the backup If the primary gateway fails for whatever reason the remote VPN peer detects that the link has gone down and works through the backup gateway The backup gateway inherits the complete VPN domain of the primary Failover within an existing connection is not supported the current connection is lost When the primary gateway is restored new connections go through the primary gateway while connections that already exist will continue to work through the backup gateway Note When using the Primary Backup gateways method the encryption domains should not overlap Implicit MEP Figure 12 8 MEP configuration with Primary Gateway defined Primary Gateway Remote Peer Target Host Backup Gateway Load Distribution To prevent any one gateway from being flooded with connections the connections can be evenly shared amongst all the gateways to distribute the load When all gateways share equal priority no primary and are MEPed to the same VPN domain it is possible to enable load distribution between the gateways The gateways are probed with RDP packets as in all other MEP conf
17. TrConnNameAlreadyExisted 998 Connect function failed because a site with this name already exists TrConnAddrAlreadyExisted 997 Connect function failed because a site with this IP address already exists TrParamsFAIL 996 Function failed because a wrong parameter was passed to it TrAllocFAIL 995 Function failed because of a memory shortage TrComSendFAIL 994 Function failed to establish communication with the service TrAPIInitFAIL 993 Function failed to communicate with the service Chapter 18 Endpoint Connect API 389 Client Functions Communicating with Service 390 Function Return Code Equivalent Meaning TriICSNoCompliance 992 Function failed because the user failed the end point compliance test TrProxyAuthFailed 991 Function failed because proxy authentication failed TrProxyAuthRequired 990 Function failed because proxy authentication credentials were not presented In This Section TrAPIInit TrAPIInitDebug TrAPIDebug TrStart TrStop TrisTracActive TrConnEnum TrConnGetInfo TrConnConnect TrConnCancelConnect TrConnCreate TrConnDelete TrGetInformation TrGetConfiguration TrSetConfiguration TrAP GetVersion TrSendNotification TrRegisterErrorCallback Client Functions Communicating with Service page 391 page 391 page 391 page 392 page 392 page 392 page 392 page 393 page 394 page 395 page 395 page 395 page 396 page 396 page 397 page 397 page 398
18. User s Machine A In Figure 15 1 The remote host uses the Office mode address in the encapsulated packet and 10 0 0 1 in the encapsulating header The packet is NATed to the new source address 192 168 17 5 The gateway decapsulates the NATed IP address and decrypts the packet The source IP address is the Office Mode address The packet is forwarded to the internal server which replies correctly Chapter 15 Office Mode 303 Office Mode Solution 304 Office Mode and Static Routes in a Non flat Network A flat network is one in which all stations can reach each other without going through a bridge or a router One segment of a network is a flat network A static route is a route that is manually assigned by the system administrator to a router and needs to be manually updated to reflect changes in the network If the LAN is non flat stations reach each other via routers and bridges then the OM address of the remote client must be statically assigned to the routers so that packets on the LAN destined for the remote client are correctly routed to the gateway Assigning IP Addresses The internal IP addresses assigned by the gateway to the remote user can be allocated using one of the following methods e P Pool e DHCP Server IP Pool The System Administrator designates a range of IP addresses to be utilized for remote client machines Each client requesting to connect in Office Mode is provided with a uni
19. e Configuration is done separately in two distinct systems e All details must be agreed and coordinated between the administrators Details such as the IP address or the VPN domain topology cannot be detected automatically but have to be supplied manually by the administrator of the peer VPN gateways e The gateways are likely to be using different Certificate Authorities CAs Even if the peer VPN gateways use the Internal CA ICA it is still a different CA There are various scenarios when dealing with externally managed gateways The following description tries to address typical cases and assumes that the peers work with certificates If this is not the case refer to Configuring a VPN with External Gateways Using a Pre Shared Secret on page 85 Note Configuring a VPN using PKI and certificates is considered more secure than using pre shared secrets Although an administrator may choose which community type to use the Star Community is more natural for a VPN with externally managed gateways The Internal gateways will be defined as the central gateways while the external ones will be defined as the satellites The decision whether to mesh the central internal gateways or not depends on the requirements of the organization The diagram below shows this typical topology Note that this is the Topology from the point of view of the administrator of gateways Al and A2 The Administrator of gateways B1 and B2 may well also defi
20. page 164 page 164 page 167 page 168 163 Overview Overview A Virtual Private Network VPN provides a secure connection typically over the Internet VPNs accomplish this by creating an encrypted tunnel that provides the same security available as in a private network This allows workers who are in the field or working at home to securely connect to a remote corporate server and also allows companies to securely connect to branch offices and other companies over the Internet The VPN tunnel guarantees e authenticity by using standard authentication methods e privacy by encrypting data e integrity by using standard integrity assurance methods Types of tunnels and the number of tunnels can be managed with the following features e Permanent Tunnels This feature keeps VPN tunnels active allowing real time monitoring capabilities e VPN Tunnel Sharing This feature provides greater interoperability and scalability between gateways It also controls the number of VPN tunnels created between peer gateways The status of all VPN tunnels can be viewed in SmartView Monitor For more information on monitoring see the Monitoring Tunnels chapter in the SmartView Monitor User Guide Permanent Tunnels 164 As companies have become more dependent on VPNs for communication to other sites uninterrupted connectivity has become more crucial than ever before Therefore it is essential to make sure that the VPN tunnels are kept u
21. 1 On the User properties window Encryption tab click Edit The IKE phase 2 properties window opens On the Authentication tab select Public key 2 Define the third party Certificate Authority as an object in SmartDashboard See Enrolling with a Certificate Authority 3 Generate a certificate for your security gateway from the third party CA For more information see Enrolling with a Certificate Authority 4 Generate a certificate for the remote user from the third party CA Refer to relevant third party documentation for details Transfer the certificate to the user 5 In Global Properties Authentication window add or disable suffix matching VPN for Remote Access Configuration For users with certificates it is possible to specify that only certificates with a specified suffix in their DN are accepted This feature is enabled by default and is required only if e Users are defined in the internal database and e The user names are not the full DN All certificates DN s are checked against this suffix Note If an hierarchy of Certificate Authorities is used the chain certificate of the user must reach the same root CA that the gateway trusts Enabling Hybrid Mode and Methods of Authentication Hybrid mode allows the gateway and remote access client to use different methods of authentication To enable Hybrid Mode From Policy gt Global Properties gt Remote Access gt VPN Basic select Hybrid
22. Configuration o o amp u Interface Configuration H Interfaces ARP STransparent Mode Link Aggregation o o o u 4 On the Interface Configuration page click loopO Interface Configuration meEewon 2m Maximum number of Ylans for this system Maximum number of vlans allowed 0 1015 Q Physical Up Logical Vlan Id Active Up Type IP Address Destination Comments ethl lethlcO On C Of Fast Ethemet 172 16 8 83 172 16 8 024 eth2 eth2c0 COn Of Fast Ethemet Do eth3 eth3c0 COn COF Ethemet Doo eth4 leth4c0 On C Off Ethernet 55583 555024 loop loop0cd Loopback 127 0 0 1 a pppoed PPP over Ethemet Tunnels Tunnel O ooo 2m 154 Configuring a Loopback Interface 5 On the Physical Interface loopO page enter an IP address in the Create a new loopback interface with IP address field and the value 30 in the Reference mask length field Physical Interface loop0 e 0 Physical Status Interface Active Up Type loop0 On Loopback Logical interfaces Interface Active Logical Name IP Address Delete loop c On loop0c0 127 0 0 1 Create a new loopback interface with IP address Reference mask length 6 Click Apply The Physical Interface loopO page refreshes and displays the newly confi
23. Global Setting this attribute to true enables clients using Connect Mode to log on to a Domain Controller via SDL The user should do the following in order to logon to the Domain Controller 1 Log on to the local Windows machine 2 Connect to the organization 3 Logoff and log back on within five minutes after logoff to the protected Domain Controller using the encrypted connection Note 1 Enabling this setting will keep the client Connected to the organization for five minutes after the user logs off Windows 2 This feature was introduced before SDL in connect mode in was supported in NG FP2 HF2 In versions where SDL is supported this property is used only for domain roaming profile support sdl main timeout 60000 In connect mode this property specifies the amount of time to wait for user to successfully connect or cancel the connect dialog Global Chapter 29 Userc C and Product ini Configuration Files 619 Userc C File Parameters 620 Miscellaneous Ss Note Bold indicates the default value Global Managers or Gateway indicates the location in Userc C See Structure of Userc cC on page 608 Do not manually edit Global properties enable kill true false Specifies whether the user can Stop SecuRemote SecureClient If this option is set to false Stop VPN 1 SecuRemote or Stop VPN 1 SecureClient does not appear in the File menu or when right clicking on the system tray icon Global
24. In some instances more than one gateway is available in the center with no obvious priority between them For example as shown in Figure 12 6 more than one gateway is assigned second priority In this scenario Advanced options are used to decide which gateway is chosen First to Respond or Random Selection Choose Random selection to enable load balancing between the gateways When manually set priority list is the MEP selection mechanism R M is supported RIM can be configured with manually set priority list because the random selection mechanism available on the Advanced button is different from the random selection mechanism used for MEP For the random selection mechanism employed for MEP a different gateway is selected for each IP source destination pair For the random selection mechanism available from the Advanced button a single MEP entry point is randomly selected and then used for all connections and does not change according to source destination pair Load distribution is therefore achieved since every satellite gateway is randomly assigned a gateway as its entry point This makes it possible to enable RIM at the same time Tracking If the tracking option is enabled for MEP the following information is logged by each satellite gateway e The resolved peer gateway a gateway in the MEP e The priority of the resolved gateway primary secondary tertiary e Whether the resolved gat
25. NAT and Load Sharing Clusters In Figure 31 4 the remote client is behind a NATing device and connecting to a load sharing cluster Chapter 31 Resolving Connectivity Issues 683 Overcoming NAT Related Issues 684 Figure 31 4 NAT amp Load Sharing Clusters Internal Switch Gateway Cluster External Switch NATing Device mient p I SecureClient For the connection to survive a failover between cluster members the keep alive feature must be enabled in Global Properties gt Remote Access gt Enable Back connections from gateway to client This is also true if the NATing is performed on the gateway cluster side Overcoming Restricted Internet Access Overcoming Restricted Internet Access When a user connects to the organization from a remote location such as hotel or the offices of a customer Internet connectivity may be limited to web browsing using the standard ports designated for HTTP typically port 80 for HTTP and port 443 for HTTPS Since the remote client needs to perform an IKE negotiation on port 500 or send IPSec packets which are not the expected TCP packets IPSec is a different protocol a VPN tunnel cannot be established in the usual way This issue is resolved using Visitor Mode formally known as TCP Tunneling Visitor Mode Ss Visitor Mode tunnels a client to gateway communication through a regular TCP connection on port 443 Figure 31 5 Visitor Mode eg Using port 443
26. The Certificate Authority Properties window opens 3 Enter a Name for the CA object and in the Certificate Authority Type drop down box select the External Check Point CA Go to the External Check Point CA tab and click Get Browse to where you saved the peer CA certificate and select it VPN reads the certificate and displays its details Verify the certificate s details Display and validate the SHA 1 and MD5 fingerprints of the CA certificate 6 Click OK Trusting an OPSEC Certified CA The CA certificate has to be supplied and saved to the disk in advance Note In case of SCEP automatic enrollment you can skip this stage and fetch the CA certificate automatically after configuring the SCEP parameters The CA s Certificate must be retrieved either by downloading it using the CA options on the Servers and OSPEC Applications tab or by obtaining the CA s certificate from the peer administrator in advance Then define the CA object according to the following steps 1 Open Manage gt Servers and OPSEC Applications The Servers and OPSEC Application window opens 2 Choose New gt CA Select Trusted or Subordinate The Certificate Authority Properties window opens Configuration of PKI Operations Enter a Name for the CA object in the Certificate Authority Type drop down box select the OPSEC PKI On the OPSEC PKI tab e For automatic enrollment select automatically enroll certificate e
27. TrMsgCreate This function creates an array of parameters included in the message Prototype TRAPI CPAPI TrMsg TrMsgCreate int version char ID char def msg unsigned int arguments num Arguments Argument IN OUT Meaning version in version number of the message ID in ID of the message def msg in The message text arguments num in Number of parameters Currently these arguments should be zero or empty strings TrMsgConstruct This function creates a message without arguments Prototype TRAPI CPAPI TrMsg TrMsgConstruct int version char ID char def msg unsigned int arguments num Functions from Service to Client Arguments Argument IN OUT Meaning version in Version number of the message ID in ID of the message def msg in The message text arguments num in Number of parameters Currently these arguments should be zero or empty strings TrMsgDestroy This function destroys a given message Prototype TRAPI CPAPI void TrMsgDestroy TrMsg message Arguments Argument IN OUT Meaning message in the message to destroy TrMsgGetVersion This function gets the version of a given message Prototype TRAPI CPAPI TrStatus TrMsgGetVersion TrMsg message int version Arguments Argument IN OUT Meaning message in the message to destroy version out version number of the message Currently t
28. cccccceeeeeceeeeeeeeeeceaeeeeeeeseeeeeeesaeaeeeeeeaneeeeesaaeeees 698 The Check Point Solution for Clientless VPN ccccceceeeeeceeeeeeeeeeeeeeeeeeeesaeeeees 699 How it Work Seada aian aaa tabs ts tabodeisagicdi teuchds ieee ted addy aE A i 699 Special considerations for Clientless VPN cccccsecccceeceeeeceeseeeseeeeeeeeeesneeesnaes 702 Certificate Presented by the Gateway c cccccssccecececceeeeeaeecesueeesaeeeeaeeeeeas 702 Number of Security Servers to RUN cccccceccesececceeceeeseceeeeceeeeeeeseeeeeaneeesnes 702 Level of ENGHY DEON secsccus cb etectee tei devevandddeiesd ddensedd cotindddubs adem a a gana aket 703 GContiguring Clientless V PNiveicse etde eye ioe ced eer otal tase na Mowtloteevebenecvehes 704 Configuring the Gateway cccccsccccsseecesseccsseeceseeceueessaseesaeeseuseesegeessusenes 704 Gontiguring the Clientwesiac ack own wien el ied lh ae 707 Appendix Appendix A VPN Command Line Interface VPIN Command EAE EAE E AEA E E E ET 712 S c reClient Command Sasana a a a aae belies ioe a aN 714 Desktop Policy Comman dS seare e a a a a a ai EEE 716 18 Appendix B Appendix C Converting a Traditional Policy to a Community Based Policy Introduction to Converting to Simplified VPN Mode cccccceeecsseeeeseeeeeseeeeees 718 How Traditional VPN Mode Differs from a Simplified VPN Mode c0ccceeeee 719 How an Encrypt Rule Works in Traditional Mode cccc
29. ccccceccceeeeeesseeeseeeeeaeeeanes 92 Supporting a Wide Variety of PKI Solutions ccccceecceeeeeeseeeeeeeeeeeeeseseeeeeeeees 93 PKI and Remote Access Users cccececeeeeceeeeeeee tessa eeeeeeesaeeeseaeeeeneeeeaeeees 93 PKI Deployments and VPN cccccsecceeececececceeeeeeeseceaeeeeeeeaeeseeeseesaeeeaeeeeeeegs 93 Trusting An External CAn ei seicacc cehc ceeds sates coos sve dadeeis ettbinga elisa te leaders ietee sites 96 Enrolling a Managed Entity ccccccsecccesececeeeeeeeeeeceseeeeeeeeeeeseeeseeeesaeees 97 Validation ofa Certificate s s ei aiae enaa ae aaa aE e 98 Special Considerations fon PK heeds inne e inha paa dra aa dryadi saddens 101 Using the Internal CA vs Deploying a Third Party CA ccccccecccceeeeeeeeeeeaees 101 Distributed Key Management and Storage ccccccecccceeceeeeeeeseeeeeaeeeeeeeeeaes 101 Configuration of PK IOperations antiin aan aana ea n ienai 103 Trusting a CA Step By Step 2 aisiaaieaecaikiu n Seaciece ition tents ok aes 103 Enrolling with a Certificate AUtHOTity ccccccccccseecceeeeeeeeeeeeeeseeeesaeeeeaees 107 Certificate Revocation All CA Types cccccceccccceceessseneeeeseseeeeeeeeeeeeeaaeneees 111 Certificate Recovery and RemeWal c ccccccsecceseeceseeeececceseeeesneeeseeeesaeeeees 112 Adding Matching Criteria to the Validation ProCe ss ccccsscccseeeeeseeeeseeeeeas 113 CRE Cache Usage siinne a sn MR beaten 113 Modifying the C
30. e SecureClient users connect to gateway 1 e Gateway 1 has an encrypted domain that includes an external resource e Gateway 1 offers the SecureClient users access to external resources such as the Internet in addition to the VPN domain In the scenario depicted in Figure 16 3 an external resource is a part of the RA Encryption domain Therefore whenever the external resource is accessed by a remote host the connection to that resource will be initiated by gateway 1 The gateway also has the ability to transfer traffic from the SecureClient users to servers on the DMZ Chapter 16 SecuRemote SecureClient 331 Selective Routing 332 Providing Remote Access VPN to an External Encryption Domain Figure 16 4 Accessing External Encryption Domain Encryption Domain for RA 2 Gateway 1 Server 2 FileServer 2 relays the connection through a VPN tunnel to Gateway 2 Server 1 FileServer 1 Encryption Domain for RA e V amp Server3 FileServer 3 is opened between a SecureClient user and Gateway 1 Encryption Domain for Peer to Peer 1 A VPN tunnel In this scenario e Gateways 1 amp 2 are connected via a site to site VPN e Each gateway has its own encryption domain e Gateway 1 is used by SecureClient users In this case the encryption domain for remote users extends beyond one gateway Gateway 1 relays SecureClients encrypted traffic destined to Server 2 and FileServer 2 which
31. e Spokes Al and A2 also need to route all traffic to one another through Hub A the center of their star community e Spoke B needs to route all traffic outside of its star community through Hub B A_community is the VPN community of A plus the spokes belonging to A B community is the VPN community Hubs_community is the VPN community of Hub_A and Hub_B Configuring VPN Routing and Access Control on Security Management server A The vpn_route conf file on Security Management server 1 looks like this Table 5 2 Destination Next hop router interface Install On Spoke_B_VPN_Dom Hub_A A_Spokes Spoke_Al_VPN_Dom Hub_A Spoke_A2 Spoke_A2_VPN_Dom Hub_A Spoke _Al Spoke_B_VPN_Dom Hub_B Hub_A Spokes Al and A2 are combined into the network group object A_spokes The appropriate rule in the Security Policy Rule Base looks like this Table 5 3 Source Destination VPN Service Action Any Any A_Community Any Accept B_Community Hubs_ Community Configuring Domain Based VPN Configuring VPN Routing and Access Control on Security Management server B The vpn_route conf file on Security Management server 2 looks like this Table 5 4 Destination Next hop router interface Install On Spoke_Al_VPN_Dom Hub B Spoke B Spoke_A2_VPN_Dom Hub_B Spoke_B Spoke_Al_VPN_Dom Hub_A Hub_B Spoke_A2_VPN_Dom Hub_A Hub_B The appropriate rule in the Security Policy Rule Base looks lik
32. s configuration determines the IP lease duration When a user disconnects and reconnects to the gateway within a short period of time it is likely that the user will get the same IP address as before Using Name Resolution WINS and DNS To facilitate access of a remote user to resources on the internal network the administrator can specify WINS and DNS servers for the remote user This information is sent to the remote user during IKE config mode along with the IP address allocation information and is used by the remote user s operating system for name to IP resolution when the user is trying to access the organization s internal resources 306 Office Mode Solution Anti Spoofing With Anti Spoofing a network administrator configures which IP addresses are expected on each interface of the security gateway Anti spoofing ensures IP addresses are only received or transmitted in the context of their respective gateway interfaces Office Mode poses a problem to the anti spoofing feature since a client machine can connect and authenticate through several interfaces e g the external interface to the Internet or the wireless LAN interface thus an Office Mode IP address may be encountered on more than one interface Office Mode enhances Anti Spoofing by making sure an encountered Office Mode IP address is indeed assigned to the user authenticated on the source IP address on the IPSec encapsulating packet i e the external IP Us
33. s version intranet _ download signed activex enable The maximum permission level that IE should have for downloading signed ActiveX controls from within the local Intranet intranet_run_ activex enable The maximum permission level that IE should have for running signed ActiveX controls from within the local Intranet intranet download files enable The maximum permission level that IE should have for downloading files from within the local Intranet intranet java_permissions low The maximum security level that IE Explorer should have for running java applets from within the local Intranet low means a low security level trusted download signed activex enable The maximum permission level that IE should have for downloading signed ActiveX controls from trusted zones trusted _run_activex enable The maximum permission level that IE should have for running signed ActiveX controls from trusted zones trusted download files enable The maximum permission level that IE should have for downloading files from trusted zones trusted java permissions medium The maximum security level that IE should have for running java applets from trusted zones internet download_signed activex disable The maximum permission level that IE should have for downloading signed ActiveX controls from the Internet Internet run activex disable Chapter 23 Secure Configuration Verification 543 Configuring SCV T
34. 470 F Client Deployment Overview e Inthe conf section add the name s of the file s starting on the line immediately after startup c e Inthe SourceDisksFiles section add the name s of the file s starting on the line immediately after startup c Every file in this section ends with an equal sign and a number for example startup c 7 Add an equal sign and a number to the end of each file name that is added The number represents the folder the file is placed in and corresponds to the SourceDisksNames section numbers Save the file 8 Continue to Creating a CAB Package on page 473 Deleting a File from a CAB Package To delete a file from a CAB package l Obtain the SecureClent Mobile distribution zip file from the Check Point Download Center site or from the CD Save the distribution zip file to your local machine and extract its contents One of the files is the SecureClient Mobile Setup lt build number gt zip file Extract SecureClient Mobile Setup lt build number gt zip to a folder for example scm This creates a number of subfolders In the SCM folder open the SecureClient Mobile Setup lt build number gt inf file using a text editor In the SecureClient Mobile Setup lt build number gt inf file delete references to the file s to be deleted in the following sections e In the conf section delete the name s of the unwanted file s e Inthe SourceDisksFiles secti
35. 540 send admin sc_ver scv type plugin tparameters Configuring SCV Default_SecureClientBuildNumber 52032 Maa Default_EnforceBuildOperand MismatchMessage Pleas EnforceBuild_9X Operand gt SecureClient 9X BuildNumber 52030 EnforceBuild NT Operand SecureClient NT BuildNumber 52032 EnforceBuild_ 2K Operand gt SecureClient 2K BuildNumber 52032 EnforceBuild_ XP Operand gt SecureClient XP BuildNumber 52032 SCVPolicy BrowserMonitor HWMonitor AntiVirus onitor SCVGlobalParams enable status notifications false status_ notifications timeout 10 disconnect_ when not verified false block_ connections on_ scv policy timeout hours 24 enforce ip forwarding true not_verified_script not_verified_ script _run show false not_verified_ script run admin false not_verified_script_run always false not verified script run always false allow non scv clients false unverified false upgrade your SecureClient When using this file it is important to format Chapter 23 maintain the same indentation nesting Secure Configuration Verification 541 Configuring SCV 542 Common Attributes Typically an administrator might need to change only a few of the common parameters SCV checks contained in the SCV policy file SCV Checks 1 Anti Virus monitor
36. Advanced IKE Dos Attack Protection Settings Advanced IKE DoS attack protection can be configured on the Security Management server using the Dbedit command line or using the graphical Database Tool Configure the protection by means of the following Global Properties ike_dos_ threshold Values 0 100 Default 70 Determines the percentage of maximum concurrent ongoing negotiations above which the gateway will request DoS protection If the threshold is set to O the gateway will always request DoS protection ike_dos_puzzle_level_identified_initiator Values 0 32 Default 19 Determines the level of the puzzles sent to known peer gateways This attribute also determines the maximum puzzle level a gateway is willing to solve ike_dos_puzzle_level_unidentified_initiator Values 0 32 Default 19 Determines the level of the puzzles sent to unknown peers such as SecuRemote SecureClients and DAIP gateways This attribute also determines the maximum puzzle level that DAIP gateways and SecuRemote SecureClients are willing to solve ike_dos_max_puzzle_time_gw Values O 30000 Default 500 Determines the maximum time in milliseconds a gateway is willing to spend solving a DoS protection puzzle ike_dos_max_puzzle_time_daip Values O 30000 Default 500 Determines the maximum time in milliseconds a DAIP gateway is willing to spend solving a DoS protection puzzle ike_dos_max_puzzle_time_sr Values 0 30000 Default 5000 Deter
37. Download ing HEAS aa a a ea E iba Aman es 435 Security Management Server Support ccccesecceceeeeeaseeseeeeseeeeeaeeeeaeeeeees 436 Downloading SCM Management Patch cccccccsseeccseceeeeeceseeeeeeeseeaeeesnees 436 Management Patch Installation cccceccseecsecceeeeeeeeeseeeeeseeeaeseeeeeseeseeeseees 436 Gateway Pathirana ia aeaa Malo aae adaa a aaae AAAA eaa labial abae 437 Client Side Installation iseen a aaee ie i A adi idie i 438 Hardware and Software RequireMents ccccecccceecceseceeeeeeeaeeeeseeseeaeeeesnees 438 Check Point Certificates and Locked DeVICES ccccceeeeeeeeeeeeeeeeeaeeeeeeeeeaes 438 CAB Package aii vineden n elit soos dete e daar a diay a eciii ideas MSI RaCk ages rererere ae eiia iea Configuring SecureClient Mobile Configuring a Gateway to Support SecureClient Mobile ccccseeceeeeeeeeeee 443 Configuring the Gateway as a Member of a Remote Access Community 443 Load Sharing Cluster SUDPOMt cccccccccseeecceeeeeeeeceseeceseeeeeseeeeeeeeeeaeeesnees Authentication Sehem S ea aaa Taaa aeaa Eea beevesk eas tan ss Configuring the Authentication Method ccccccccssecccaeeeeeeeeseeeesaeeeeaeeeeens Re authenticate USES isodon sania i ei aiaia Configuring Encryption Methods cccccsccccssececeeeeceeeeeeeseeeeeceseeeesseeeeseeeeeas Certificates etan ae e e a Srccetta tn deaea te teedadu Seudahades a aaar ader ot heise Certificate Nickname seise
38. For example if you want the DLL version to be at least 54 1 0 220 the syntax should be scv_version gt 541000220 SCVMonitor does not support the begin or and the begin and syntax See also Expressions and Labels with Special Meanings 10 ScriptRun Parameters exe VerifyScript bat Runs an executable Supply the name of the executable and the full path to the executable run_as_admin no Determines whether the verification script is run with administrator privileges The default is no The only other value is yes run_timeout 10 Time in seconds to wait for the executable to finish If the executable does not finish within the set time the process is considered as a failure and the machine categorized as not verified The default value is zero which is the same as no timeout ScriptRun does not support the begin or and the begin and syntax See also Expressions and Labels with Special Meanings 11 sc_ver_scv Parameters Default SecureClientBuildNumber 52032 Build number for SecureClient This build number is checked with the specified operator only if no specific build number is to be checked for a particular platform Default _EnforceBuildOperand Operator for comparing the local scv s build number with the client build number MismatchMessage Please upgrade your SecureClient Chapter 23 Secure C
39. Gateway jertek n Security Security Gateway Gateway In a Star community only gateways defined as Satellites or spokes are allowed to communicate with a central gateway or Hub but not with each other Figure 1 2 Check Point Security Gateways in a Star community Satellite Gateway Satellite a Gateway Satellite Gateway E A As shown in Figure 1 2 it is possible to further enhance connectivity by meshing central gateways This kind of topology is suitable for deployments involving Extranets that include networks belonging to business partners 40 The Basic Check Point VPN Solution Remote Access VPN Whenever users access the organization from remote locations it is essential that the usual requirements of secure connectivity be met but also the special demands of remote clients SecuRemote SecureClient extends VPN functionality to remote users enabling users to securely communicate sensitive information to networks and servers over the VPN tunnel using both dial up including broadband connections and LAN and wireless LAN connections Users are managed either in the internal database of the Check Point Security Gateway or via an external LDAP server Figure 1 3 Remote Client to Host behind Gateway Internet Remote Client In Figure 1 3 the remote user initiates a connection to the gateway Authentication takes place during the IKE negotiation Once the user
40. Install policy k32210 SecureClient Mobile cannot be centrally managed using OS Note A separate patch is available for installation on a Provider 1 Please refer to Provider 1 SiteManager 1 436 Installing SecureClient Mobile Gateway Patch This patch is required only for R60 HFA_O2 To install the gateway patch for each gateway 1 At the command prompt type fwl HOTFIX DAL HF HAQ2 129 591129NNN_N 2 When prompted type y to continue with the installation After the installation is complete reboot the machine Chapter 19 SecureClient Mobile 437 Client Side Installation Client Side Installation There are two ways to install SecureClient Mobile e 6Self installing CAB Package This file is installed directly on the mobile device e 6Self installing MSI Package This file is installed on the user s personal computer During installation the installer extracts a CAB file package from within the MSI package and installs it on a connected mobile device using ActiveSync services Hardware and Software Requirements Operating System e Windows Mobile 2003 SE PocketPC e Windows Mobile 5 0 PocketPC Smartphone Processor e Intel ARM StrongARM XScale PXA Series Processor family e Texas Instrument OMAP Processor family Check Point Certificates and Locked Devices To install the client on a Widows Mobile device that is One Two Tier Mobile2Maket Locked you have to first install Check Point certificates into
41. Local 10 0 0 3 Remote 10 0 0 2 VTls in a Clustered Environment VTIs in a Clustered Environment When configuring numbered VTIs in a clustered environment a number of issues need to be considered e Each member must have a unique source IP address e Every interface on each member requires a unique IP address e All VTls going to the same remote peer must have the same name e Cluster IP addresses are required Chapter6 Route Based VPN 139 Configuring VTIs in a Clustered Environment Configuring VTIs in a Clustered Environment The following sample configurations use the same gateway names and IP addresses used in Figure 6 3 on page 137 140 Configuring VTIs in a Clustered Environment Table 6 1 Configuring member_GWA1 SSS sS 5 Access the VPN shell Command Line Interface member GWal vpn shell This help sa Go up one level quit Quit interface Manipulate tunnel interfaces show Show internal data tunnels Manipulate tunnel data RE Add vt GWb VPN shell gt interface add numbered 10 0 1 11 10 0 0 2 GWb nterface vt GWb was added successfully to the system SS SesS Add vt GWc VPN shell gt interface add numbered 10 0 1 21 10 0 0 3 GWc nterface vt GWc was added successfully to the system SaaS SAS Verify configuration VPN shell gt show interface detailed all vt GWb Type numbered MTU 1500 inet addr 10 0 1 11 P t P 10 0 0 2 Mask 255 255 255 255 Peer GWb Peer ID
42. New gt Address Range The Address Range Properties window opens e On the General tab enter the first IP and last IP of the address range e Click OK In the network objects tree Address Ranges branch the new address range appears 4 On the gateway object where IP pool NAT translation is performed Gateway Properties window NAT gt IP Pool NAT page select either e Allocate IP Addresses from and select the address range you created OR e Define IP Pool addresses on gateway interfaces If you choose this option you need to define the IP Pool on each required interface in the Interface Properties window IP Pool NAT tab 5 In the IP Pool NAT page select either or all e Use IP Pool NAT for VPN clients connections e Use IP Pool NAT for gateway to gateway connections e Prefer IP Pool NAT over Hide NAT 6 Click Advanced e Decide after how many minutes unused addressees are returned to the IP pool e Click OK twice 7 Edit the routing table of each internal router so that packets with an a IP address assigned from the NAT pool are routed to the appropriate gateway 250 Chapter Traditional Mode VPNs In This Chapter Introduction to Traditional Mode VPNs VPN Domains and Encryption Rules Defining VPN Properties Internally and Externally Managed Gateways Considerations for VPN Creation Configuring Traditional Mode VPNs 13 page 252 page 253 page 255 page 256 page 257 page 258 251 Introduct
43. Note Aggressive mode is provided for backwards compatibility with pre NG remote access clients Also use aggressive mode when a Check Point Security Gateway needs to negotiate with third party VPN solutions that do not support main mode When dealing with remote access IKE has additional modes 48 Hybrid mode Hybrid mode provides an alternative to IKE phase where the gateway is allowed to authenticate using certificates and the client via some other means such as SecurlD For more information on Hybrid mode see Introduction to Remote Access VPN on page 269 Office mode Office mode is an extension to the IKE protocol Office Mode is used to resolve routing issues between remote access clients and the VPN domain During the IKE negotiation a special mode called config mode is inserted between phases and Il During config mode the remote access client requests an IP address from the gateway After the gateway assigns the IP address the client creates a virtual adapter in the Operating System The virtual adapter uses the assigned IP address For further information see Office Mode on page 299 Overview Renegotiating IKE amp IPSec Lifetimes IKE phase is more processor intensive than IKE phase II since the Diffie Hellman keys have to be produced and the peers authenticated each time For this reason IKE phase is performed less frequently However the IKE SA is only valid for a certain period after which
44. On the Advanced tab select Enable Logging and click Save Logs Wait until the following message appears PN 1 SecureClient i xj Log files were collected successfully Clicking OK will open the relevant Folder Configuring SecureClient 3 Save the logs to the default location A See Type Modhed collect log 11KB Text Document 1 315KB WinZip File 813KB Winzip File 813KB WinZip File 696KB WinZip File 1 471 KB WinZip File 03 25 2004 1 31 PM 03 21 2004 11 56 AM 03 22 2004 11 27 AM 03 22 2004 11 28 AM 03 22 2004 8 01 AM 03 25 2004 1 30 PM NOTE The default location is a hidden folder in windows If you need to locate this folder then in Control panel gt Folder Options gt View select Show hidden files and folders 4 Close the location window The file has been saved automatically Including Enabling Logging in a Prepackaged Policy In the install section of the product ini file add one of the following commands to either enable or disable the Enable Logging feature in a prepackaged policy e logging bat enable e logging bat disable Configuring NAT Traversal In SmartDashboard 1 Click Manage gt Remote Access gt Connection Profiles The Connection Profiles window appears Select Connection Profile and click Edit 3 In the Advanced tab click Connectivity Enhancements Chapter 16 SecuRemote SecureClient 345 Configuring SecureClient Figure 16 6 Connection Profile Properties
45. Open server Version Nex RES 05 windows z Ge Software Blades Nework Security Blades Other r Management Blades Other Z Network Security 3 Management 0 l I Firewall Advanced Networking Anti Spam amp Email Security M IPSec VPN Tao Comprehensive and multidimensional F Policy Server aer ti o protection for organizations email T iPS onneciconial infrastructure Updates are included Acceleration amp Clustering E URL Filtering ne SecureXxL r A More f I AntiSpam I Firewall GX f a ae Email Security I Userduthority Server IT Monitoring IT UserAuthority WebAccess me if More Info gt 4 Cancel Help 3 On the Topology page create a VPN domain 358 Check Point Gateway Corporate gw General Properties SmartDefense VPN Remote Access Authentication SmartView Monitor UserAuthority Server Logs and Masters Capacity Optimization Cooperative Enforceme Advanced General Properties Topology NAT SmartDefense VPN VPN Advanced Link Selection Remote Access Authentication SmartView Monitor UserAuthority Server Logs and Masters Capacity Optimization Cooperative Enforceme Advanced Obligatory Settings xl Topology Name IP Address Network Mask Topology eth0 143 100 75 1 255 255 255 0 External eth1 172 16 2 1 255 255 255 0 This Network eth2 172 186 1 1 255 255 2
46. Password The user is challenged to enter his or her password held on the gateway e OS Password The user is challenged to enter his or her Operating System password e RADIUS The user is challenged for the correct response as defined by the RADIUS server e TACACS The user is challenged for the correct response as defined by the TACACS or TACACS server e SAA SAA is an OPSEC API extension to SecuRemote SecureClient that enables third party authentication methods such as biometrics to be used with SecuRemote SecureClient The Check Point Solution for Remote Access For additional information regarding authentication methods that are not based on certificates or pre shared secrets see The Authentication chapter in the FireWall Administration guide Advanced Features Remote Access VPN supports other advanced features such as e Resolving connectivity and routing issues See Office Mode on page 299 and Resolving Connectivity Issues on page 675 e P per user group e L2TP clients Alternatives to SecuRemote SecureClient To avoid the overhead of installing and maintaining client software Check Point also provides the SSL Network Extender a simple to implement thin client installed on the user s machine via a web browser The browser connects to an SSL enabled web server and downloads the thin client as an ActiveX component Installation is automatic Chapter 14 Introduction to Remote Acc
47. Revocation Lists CRLs from the cache vpn criview This command retrieves the Certificate Revocation List CRL from various distribution points and displays it for the user vpn debug This command instructs the VPN daemon to write debug messages to the log file SFWDIR log vpnd elg vpn drv This command installs the VPN kernel vpnk and connects it to the FireWall kernel fwk attaching the VPN driver to the FireWall driver vpn export pl2 This command exports information contained in the network objects database and writes it in the PKCS 12 format to a file with the p12 extension vpn macutil This command is related to Remote Access VPN specifically Office mode generating a MAC address per remote user This command is relevant only when allocating IP addresses via DHCP 712 Table A 1 VPN Command Line interface Command vpn mep_refresh Description This command causes all MEP tunnels to fail back to the best available gateway providing that backup stickiness has been configured vpn nssm_toplogy This command generates and uploads a topology in NSSM format to a Nokia NSSM server for use by Nokia clients vpn overlap _encdom This command displays all overlapping VPN domains Some IP addresses might belong to two or more VPN domains The command alerts for overlapping encryption domains if one or both of the following conditions exist e The same VPN domain is defined
48. SCV Checks Check Point SCV Checks A number of SCV checks are provided as part of the SecureClient installation including e SC _VER_SCV a version check that verifies that the SecureClient version is up to date according to the administrator s specification e Network Configuration Monitor verifies that e the Desktop Policy is enforced by SecureClient on all network interface cards e non IP protocols are not enabled on any interface e OS Monitor verifies the remote user s Operating System version Service Pack and Screen Saver configuration activation time password protection etc e HotFix Monitor verifies that operating system security patches are installed or not installed e Group Monitor verifies whether the user had logged on the machine and that the user is a member of certain Domain User Groups specified by the administrator The Secure Configuration Verification Solution e Process Monitor checks whether a specified process is running on the client machine e g that a file sharing application is not running or that Anti Virus software is running Process Monitor may also check whether a process is not running e user_policy_scv checks the state of the desktop policy i e whether the user is logged on to a policy server and whether the desktop policy is recent e Browser Monitor verifies the Internet Explorer version and specific IE configuration settings such as vario
49. Select this option to eliminate all popups except those in the Errors category from appearing e None Select this option to prevent all popups from appearing Show Today Item Select this option to display SecureClient Mobile in the Today Item menu Show Taskbar icon Select this option to display the SecureClient Mobile icon on the taskbar when the client is running Flash icon on encrypting Select this option to display the iin the icon on the taskbar which flashes when information is sending or receiving Flash icon on firewall packet drop Select this option to display the lock in the icon on the taskbar which flashes when packets are dropped Status Page The status page has two views basic details and more details Basic details view contains Status Displays whether the client is connected to a gateway Server ID Displays the gateway name or IP address of the current connection Firewall policy Displays whether the firewall policy is enabled or disabled More details view contains Status Displays whether the client is connected to a gateway Server ID Displays the gateway name or IP address of the current connection Office mode IP Displays the office mode IP address that was assigned by the gateway Duration Displays the duration of the current session Firewall policy Displays whether the firewall policy is enabled or disabled ActiveSync policy Displays whether the ActiveSync policy is enab
50. Table 11 3 Configuring ODL Property use on demand links Description Enables on demand links default FALSE on demand metric min Defines the minimum metric level for an on demand link A link is considered on demand only if its metric is equal or higher than the configured minimum metric on demand initial script This property contains the name of the on demand script This script is run when all not on demand routes stop responding Place the script in the SFWDIR conf directory on_demand_shutdown_script This script is run when the failed links become available Place the script in the SFWDIR conf directory The On Demand Links commands are configured by changing a property using the database tool DBedit The commands use_on demand links and on demand metric min may also be configured as follows 1 In SmartDashboard click Policy gt Global Properties gt SmartDashboard Customization gt Configure Expand the VPN Advanced Properties tree and click on the Link Selection page Click the use_on_demand_links checkbox to enable On Demand Links Set the minimum metric level for an On Demand Link next to the on_demand_metric_min command Chapter 11 Link Selection 227 Configuring Link Selection Outgoing Link Tracking 228 In SmartDashboard Configuring the Early Version Compatibility Resolving Mechanism 1 Click Policy gt Global Properties gt VPN gt E
51. The Selective Routing feature was designed to offer flexibility to define different encryption domains per VPN site to site communities and Remote Access RA Communities Remote Access VPN Dedicated Encryption Domain Figure 16 2 Accessing Encryption domain for RA Server 1 FileServer 1 Encryption g S Domain for RA f Encryption Domain for RA Server 2 FileServer 2 SecureClient Users Gateway 1 Server3 FileServer 3 Encryption Domain for Peer to Peer In this scenario e Gateways 1 amp 2 are connected via a site to site VPN e Each gateway has its own encryption domain e Gateway 1 is also used by SecuRemote SecureClient users e Using Selective Routing a Remote Access RA encryption domain is configured on gateway 1 that will grant access only to Server 1 and FileServer l 330 Selective Routing In this case the remote hosts are granted access to part of the encryption domain SecuRemote SecureClient users will only be able to access servers within the encryption domain that is permitted to them The users will be denied access to Server 2 and FileServer 2 Including External Resources in a Remote Access Encryption Domain Figure 16 3 Accessing External Resources SecureClient Users _ pted to fic is enc 4 Traffic way External Resource 24 Gateway 1 2 Gateway 1 redirects the traffic to an external resource In this scenario
52. X 509 Smartcards etc e One Time Password RSA SecurelD SoftID etc e User Password combinations and multi challenge response legacy A connectivity policy downloaded to the device enables the administrator to define the amount of user interaction required to carry out the authentication process Some of these schemes can be configured to achieve seamless authentication no user prompt for credentials A Connectivity Features e Certificates through CAPI e User Pass with credential caching As long as the password cached the user is not prompted to re enter it when the client authenticates e OTP with SoftID and credential caching The client reads the token code from the SoftID application transparently and the PIN can be cached Warning When credential caching is enabled the password PIN is stored locally on the device This poses a security threat because the password can be retrieved if the device is lost stolen or hacked Some of these schemes can be configured to provide 2 factor authentication Certificates with device login authenticate user to device login first then use CAPI installed certificates to authenticate the device to CA OTP Tokens including SoftlD SecureClient Mobile supports a secure authentication SAA OPSEC interface that allows third party extensions to the standard authentication schemes This includes 3 factor biometrics and authentication Configure this feature using the
53. address pool an IP address pool specified by the user group using a configuration file A DHCP server or a RADIUS server Office Mode is required for a correct configuration of SecureClient Mobile gateway Visitor Mode SSL Tunnel Visitor mode enables the tunneling of all client to gateway communication through a SSL TLS connection on port 443 Visitor mode is designed to traverse firewalls and proxy servers servers and NAT devices when the client needs to bypass the server to get out to the Internet and be able to reach the corporate gateway Visitor Mode is required for a correct configuration of SecureClient Mobile gateway Chapter 19 SecureClient Mobile 429 Security Policies and Client Decide Security Policies and Client Decide SecureClient Mobile supports several centrally managed policies that define the behavior of the client through sets of properties When the client connects to the organization s gateway to establish a VPN tunnel the policies are downloaded to the device and enforced by the client The policies that are actually enforced by the client are those downloaded from the last connected gateway and they are enforced regardless if the client is currently connected or not The administrator may wish to enforce on the clients some of the properties while others may be left for the end user to define This is enabled by the client_decide option available in most of the properties that can be applied to the client Th
54. are removed during the product uninstall Note The Check Point SSL Network Extender service is dependent on both the virtual network adapter and the DHCP client service Therefore the DHCP client service must not be disabled on the user s computer There is no need to reboot the client machine after the installation upgrade or uninstall of the product 11 When you finish working click Disconnect to terminate the session or when the window is minimized right click the icon and click Disconnect The window closes SSL Network Extender User Experience Uninstall on Disconnect If the administrator has configured Uninstall on Disconnect to ask the user whether or not to uninstall the user can configure Uninstall on Disconnect as follows To set Uninstall on Disconnect 1 Click Disconnect The Uninstall on Disconnect window is displayed as shown in the following figure Figure 30 20Uninstall on Disconnect Microsoft Internet Explorer x 2 jJ Would you also like to completely remove SSL Network Extender from this computer Cancel 2 Click Ok to Uninstall If you select Cancel in Figure 30 20 the SSL Network Extender will not be uninstalled and the following message appears Microsoft Internet Explorer x 2 j Would you like to be asked again whether to remove SSL Network Extender Cancel If you click OK the Uninstall on Disconnect window will be displayed the next time the user connects to the SSL N
55. default_text NULL 2 Authentication type TrAuthType type eTrArgTypelnt32 val an integer represents the authentication type default_text NULL 3 Number of values type eTrArgTypelnt32 val an integer represents the number of values e g 2 for username password 1 for certificate dn 3 for username pin passcode default_text NULL Value number type eTrArgTypeStr val a string representing the value e g the username value the pin code value etc default_text NULL 402 Notification Identifiers NotificationID Meaning and Format TR_NOTIFICATION_CONNECTION_ Progress of the connection operation Takes six PROGRESS arguments 1 Flow s type type eTrArgTypelnt32 val an integer indicating the flow type PRIMARY_CONN_FLOW O RECONNECT_FLOW 1 DISCONNECT_FLOW 2 DOWNLOAD_CL_SETTINGS_FLOW 3 default_text NULL 2 Step s status val an integer indicating the TrStatus of the step default_text NULL 3 Step s name type eTrArgTypeStr val a string representing the step s name default_text NULL 4 Step s reason for error type eTrArgTypeStr val a string representing the reason for the step s failure This value is only relevant when the step fails If the step s status is success this value equals to the empty string default_text NULL Chapter 18 Endpoint Connect API 403 Notification Identifiers Not
56. endpoint_vpn_ipsec_transport endpoint_vpn_keep_alive_timeout endpoint_vpn_la_preferences la_cache_external_networks la_defined_dns_suffixes la_detect_wlan_as_external la_internal_network la_prefer_dc_over_internal_network la_undefined_dns_suffixes_are_external la_wlan_networks_exceptions location_awareness_enabled endpoint_vpn_remember_user_password Ready 6 Change the value of the property to TRUE 7 Save and close 8 Install a policy Security Settings topology to identify location Last Modif Ejfirewall _properties Firewall_properties Mon 4ug 1 string client_decide false true client_decide string auto_detect auto_detect visitor_mode nat_t number 20 10 int_max E owned object endpoint_vpn_la_properties endpoint_vpn_la_properties NULL string client_decide false true client_decide container string client_decide false true client_decide reference network_object_group network group_with_ string client_decide false true client_decide string client_decide false true client_decide false ifalse true client_decide container string client_decide false true client_decide string true false true client_decide X gt 192 168 186 1 Read Write Ui Use the settings in this section to determine whether or not traffic to and from Endpoint Connect is routed through the gateway and therefore subject to content inspection e f the system
57. false If true when default_ps x x x x is set it will go to a random Policy Server in the same site found by examining topology Managers no policy true false Indicates disable policy state Global policy expire 60 Timeout of policy in minutes This property can also be controlled in SmartDashboard Managers retry frequency 30 If logged in to a Policy Server but failed to re logon after half the expiry time this parameter in seconds specifies the amount of time before retrying logon On each attempt all Policy Servers are tried Managers automaic policy update frequency 10080 Controls how frequently in seconds SecureClient should update policy files Managers suppress all balloons true false which controls all balloon messages If the flag is set to true no message balloons are displays If false all balloons are displayed Note that the balloon s messages will still appear in the tde files and will be logged in the Status Dialog s MessageViewer sdl browse cert true false When set to false the browse certificate in change authentication is disabled When set to true the browse dialog in SDL mode is restricted you can only browse files not create change or lanuch applications disconnect when in enc domain true false If the client is connected to a site and an interface appears with an IP address located within one of the gateway s VPN domains the clien
58. or through the center to other satellites to internet and other VPN targets This allows connectivity between the gateways as well as the ability to inspect all communication passing through the Hub to the Internet 122 Configuring Domain Based VPN Figure 5 2 Satellites communicating through the center General YPN Routing Center Gateways Satellite Gateways VPN Properties Tunnel Management El Advanced Settings VPN Routing MEP Multiple Entry Excluded Services Shared Secret Advanced VPN Prc Wire Mode Enable VPN routing for satellites e C To center or through the center to other satellites to intenet and other VPN targets Cancel Help 4 Create an appropriate access control rule in the Security Policy Rule Base Remember one rule must cover traffic in both directions 5 NAT the satellite gateways on the Hub if the Hub is used to route connections from Satellites to the Internet Advanced VPN Properties tab is not supported if one of the internally managed members S Note Disabling NAT in the community available in Star and Meshed communities in the is of version earlier than NG FP3 The two DAIP gateways can securely route communication through the gateway with the static IP address To configure the VPN routing option To center and to other satellites through center with SmartLSM security gateways 1 Create a network object that contains the VPN domains of all the gateways managed by Sma
59. os_ version operand nt gt Operator for checking the operating system s version on Windows NT service pack major version number nt 0 Major service pack version required for Windows NT operating systems to be verified service pack minor version number nt 0 Minor service pack version required for Windows NT operating systems to be verified service pack version operand nt gt Operator for checking the operating system s service pack on Windows NT major os version number 2k 4 Specifies the major version required for Windows 2000 operating systems to be verified minor os version number 2k 10 Chapter 23 Secure Configuration Verification 547 Configuring SCV 548 Specifies the minor version required for Windows 2000 operating systems to be verified os_ version operand 2k gt Operator for checking the operating system s version on Windows 2000 service pack major version number 2k 0 Specifies major service pack version required for Windows 2000 operating systems to be verified service pack minor version number 2k 0 Specifies minor service pack version required for Windows 2000 operating systems to be verified service pack version operand 2k gt Operator for checking the operating system s service pack on Windows 2000 major os version number xp 4 Specifies the major version required for Windows XP operating systems to be verified minor os version numb
60. page 398 Client Functions Communicating with Service TrAPIInit The first function called after loading TrAPI dll Only run once and before calling any other function If the service goes down the function needs to be initialized again Prototype TRAPI CPAPI TrStatus TrAPIInit TrAPlinitDebug This function creates logs Prototype TRAPI CPAPI TrStatus TrAPIInitDebug TrString filename int max size int max files int TopicLevel Arguments Argument IN OUT Meaning filename in The name of the log file max size in Maximum size of log in Bytes max files in Maximum number of files TopicLevel in The number of topics the logs should contain TrAPiDebug This function writes a text message to the log file Prototype TRAPI CPAPI void TrAPIDebug const char TopicNames int TopicLevel int err const char fmt Chapter 18 Endpoint Connect API 391 Client Functions Communicating with Service 392 Arguments Argument IN OUT Meaning TopicNames in the names of topics used in the logs TopicLevel in the number of topics err in Error level number for example fatal error 1 informative error message 5 fmt in The text message to be inserted in the log file TrStart Starts the service Prototype TRAPI CPAPI TrStatus TrStart TrStop Stops the service Prototype TRAPI CPAPI TrStatus TrStop TrlsTracActive Checks whether the trac servi
61. s existence is verified the gateway then authenticates the user for example by validating the user s certificate Once IKE is successfully completed a tunnel is created the remote client connects to Host 1 Chapter1 Overview 41 The Basic Check Point VPN Solution 42 Chapter IPSEC amp IKE In This Chapter Overview IKE DOS Protection Configuring Advanced IKE Properties page 44 page 54 page 59 43 Overview Overview 44 In symmetric cryptographic systems both communicating parties use the same key for encryption and decryption The material used to build these keys must be exchanged in a secure fashion Information can be securely exchanged only if the key belongs exclusively to the communicating parties The goal of the nternet Key Exchange IKE is for both sides to independently produce the same symmetrical key This key then encrypts and decrypts the regular IP packets used in the bulk transfer of data between VPN peers IKE builds the VPN tunnel by authenticating both sides and reaching an agreement on methods of encryption and integrity The outcome of an IKE negotiation is a Security Association SA This agreement upon keys and methods of encryption must also be performed securely For this reason IKE is composed of two phases The first phase lays the foundations for the second Diffie Hellman DH is that part of the IKE protocol used for exchanging the material from which the symmetrical keys are
62. service_pack_minor_version_number_2003 0 Specifies the minor service pack version required for Windows 2003 operating systems to be verified e service_pack_version_operand_2003 gt Operator for checking the operating system s service pack on Windows 2003 OsMonitor can be configured to check only the screen saver s configuration or only the operating system s version and service pack For example if none of the following parameters appear i major_os version number xp ii minor os version number xp iii os version operand xp iv service pack major version number xp v service pack minor version number xp vi service pack version operand xp then OsMonitor will not check the system s version and service pack on Windows XP platforms Chapter 23 Secure Configuration Verification 549 Configuring SCV In similar fashion if the parameter enforce screen saver minutes to activate does not appear then the screen saver s configuration is not checked OSMonitor does not support the begin or and the begin and syntax See also Expressions and Labels with Special Meanings 7 ProcessMonitor Parameters e 6ProcessName exe true A process the administrator would like to check If the value is true the process needs to be running for the machine to be verified If the value is false the process should not be running for the machine to be verified ProcessMonitor ca
63. when working with servers that do not pass the property per site This property can also be controlled in SmartDashboard Global Managers silent_update on connect true false Tries to perform an update with the gateway to which a connection is being attempted before connecting applies to Nokia clients Global update topo at start true false If the timeout expires update the topology upon start up of the SecuRemote SecureClient GUI application Global Managers Userc C File Parameters NT Domain Support Ss Note Bold indicates the default value Global Managers or Gateway indicates the location in Userc C See Structure of Userc C on page 608 Do not manually edit Global properties no clear tables true false Setting this property to true will enable the opening of new encrypted connections with the Encryption Domain after SecuRemote SecureClient has been closed by logoff or shutdown as long as encryption keys have been exchanged and are still valid This may be necessary when using a Roaming Profile with NT domains since the PC tries to save the user s profile on the Domain Controller during logoff and shutdown after SecuRemote SecureClient has been closed by Windows This feature should be used in conjunction with keep_alive see Encrypted Back Connections on page 618 to ensure that valid encryption keys exist at all times Global connect_domain logon true false
64. 10 11 12 13 14 15 Log in to the client machine with administrator permissions Run the Microsoft Management Console Click Start gt Run Type MMC and press Enter Select Console gt Add Remove Snap in In the Standalone tab click Add In the Add Standalone Snap in window select Certificates In the Certificates snap in window select Computer account In the Select Computer window select the computer whether local or not where the new certificates have been saved Click Finish to complete the process and click Close to close the Add Remove Snap in window The MMC Console window is displayed where a new certificates branch has been added to the Console root Right click on the Personal entry of the Certificates branch and select All Tasks gt Import A Certificate Import Wizard is displayed In the Certificate Import Wizard browse to the location of the certificate Enter the certificate file password In the Certificate Store window make sure that the certificate store is selected automatically based on the certificate type Select Finish to complete the Import operation Using the MMC the certificate can be seen in the certificate store for the Local Computer Chapter 22 Layer Two Tunneling Protocol L2TP Clients 513 Configuring Remote Access for Microsoft IPSec L2TP Clients 514 Placing the User Certificate in the User Certificate Store l 4 On the client machine double
65. 180 180 1 1 Status attached ka H vt GWe Type numbered MTU 1500 inet addr 10 0 1 21 P t P 10 0 0 3 Mask 255 255 255 255 Peer GWc Peer 1D 190 190 1 1 Status attached VPN shell gt quit member GWal ifconfig vt GWb vt GWb Link encap IPIP Tunnel HWaddr inet addr 10 0 1 11 P t P 10 0 0 2 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b member GWal ifconfig vt GWc vt GWc Link encap IPIP Tunnel HWaddr inet addr 10 0 1 21 P t P 10 0 0 3 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b Chapter6 Route Based VPN 141 Configuring VTIs in a Clustered Environment Table 6 2 Configuring member_GWA2 SSeS Access the VPN shell Command Line Interface member GWa2 vpn shell This help a Go up one level quit Quit interface Manipulate tunnel interfaces show Show internal data tunnels Manipulate tunnel data SSS SSS SaaS Add vt GWb VPN shell gt interface add numbered 10 0 1 12 10 0 0 2 GWb Interface vt GWb was added successfully to the system S S2eSs Add vt GWc VPN shell
66. 192 168 21 0 255 255 255 0 172 16 10 2 1 192 168 11 0 255 255 255 0 192 168 10 1 1 Chapter 8 Route Injection Mechanism 179 Automatic RIM 180 Gateway 2 Network Destination Netmask Gateway Metric 0 0 0 0 0 0 0 0 172 16 20 2 1 192 168 11 0 255 255 255 0 172 16 20 2 1 192 168 21 0 255 255 255 0 192 168 20 1 1 R1 behind gateway 1 Network Destination Netmask Gateway Metric 0 0 0 0 0 0 0 0 192 168 10 2 1 192 168 21 0 255 255 255 0 192 168 10 2 1 192 168 21 0 255 255 255 0 10 10 10 2 2 R4 behind gateway 2 Network Destination Netmask Gateway Metric 0 0 0 0 0 0 0 0 192 168 20 2 1 192 168 11 0 255 255 255 0 192 168 20 2 1 192 168 11 0 255 255 255 0 10 10 10 1 2 Custom Scripts Custom Scripts Custom scripts can be run on any gateway in the community These scripts are executed whenever a tunnel changes its state i e goes up or down Such an event for example can be the trigger that initiates a dial up connection A script template custom rim with a sh or bat extension depending on the operating system is provided in the SFWDIR Scripts directory The basic script for SecurePlatform IPSO or Linux only is shown in Figure 8 2 Figure 8 2 Sample customized script for SecurePlatform IPSO or Linux bin sh This script is invoked each time a tunnel is configured with the RIM option and the tunnel changed state You may add your custom commands to be invoked her
67. 302 Assigning IP Addresses page 304 IP Address Lease duration page 306 Using Name Resolution WINS and DNS page 306 Anti Spoofing page 307 Using Office Mode with Multiple External Interfaces page 307 Introducing Office Mode Office Mode enables a security gateway to assign a remote client an IP address The assignment takes place once the user connects and authenticates The assignment lease is renewed as long as the user is connected The address may be taken either from a general IP address pool or from an IP address pool specified per user group The address can be specified per user or via a DHCP server enabling the use of a name resolution service With DNS name resolution it is easier to access the client from within the corporate network It is possible to allow all your users to use Office Mode or to enable the feature for a specific group of users This can be used for example to allow privileged access to a certain group of users e g administrators accessing the LAN from remote stations It is also useful in early integration stages of Office Mode allowing you time to pilot this feature on a specific group of users while the rest of the users continue to work in the traditional way Office Mode is supported with the following e SecureClient e SSL Network Extender e Crypto e L2TP Chapter 15 Office Mode 301 Office Mode Solution 302 How Office Mode Works When you connect to the organization an IK
68. 5 1 Two gateways managed by different Security Management servers Security Management Server ICA Mp A e Certificate Security Gateway Security Gateway A Internet Certificate a Security Management Server ICA _ B BR In Figure 5 1 Security Management server A issues certificates for security gateway A while Security Management server B issues certificates for security gateway B Security Gateway B CA Services Over the Internet If a Check Point Security Gateway s certificate is issued by a third party CA accessible over the Internet CA operations such as registration or revocation are usually performed through HTTP forms CRLs are retrieved from an HTTP server functioning as a CRL repository Figure 5 2 depicts a CA and CRL repository accessible over the Internet Supporting a Wide Variety of PKI Solutions Figure 5 2 CA services are on the Internet Certificate Certificate Security Gateway A Security Gateway B HTTP Server PKI Service In Figure 5 3 gateways A and B receive their certificates from a PKI service provider accessible via the web Certificates issued by external CA s may be used by gateways managed by the same Security Management server to verification CA is Located on the LAN If the peer VPN gateway s certificate is issued by a third party CA on the LAN the CRL is usually retrieved from an internal LDAP server as shown in Figure 5 3 Figure 5 3 Third
69. Advanced Tab General Advanced JV Support Office Mode IV Connectivity enhancements Use NAT traversal tunneling IV Support IKE over TCP Visitor Mode Hub Mode configuration T Route all traffic through gateway 4 Select Use NAT traversal tunneling 5 Select Support IKE over TCP and or Force UDP Encapsulation 6 Click OK 346 Enable Disable Switching Modes Enable Disable Switching Modes In the userc c file set the flag enable mode switching to true Chapter 16 SecuRemote SecureClient 347 Add HTML Help to Package Add HTML Help to Package 1 Open the tgz distribution of SecuRemote SecureClient 2 Add SR_HELP TGZ to the directory in which you have opened the tgz 3 Specify sc help install bat in the install section of product ini and product ini simp 4 Re package using packaging tool See Creating a Preconfigured Package on page 483 348 Configuring Idle Detection Configuring Idle Detection Configuring the idleness_detection Property Traffic Idleness Detection is configured with the idleness detection property using DBedit Table 16 2 Property Definition Property Default Valid Values Name Value active Used to enable or disable true true false the feature timeout Defines the time in 30 any positive integer value minutes that will pass by without traffic until the VPN tunnel is considered as to have been idled out excluded Defines a list of se
70. Assigned IP Gateways cccccseccccesceeseeeeeeeeeseeeeeeeeeeseeseeneeesaeeees 72 Routing Traffic within a VPN Community ccccceeceeseeceeeeeeceeeeeseeseeaeeeseees 73 Access Control and VPN Communities 0cccccceeeeeeeeceeeeeeeeseeeeeeeseeeeeseaaees 74 Excluded SPICES eiee ia eenaa E aia oE iai aaa 75 Special Considerations for Planning a VPN Topology cccccsseecceeeceeeeeeeeseeeeeeees 76 Config ring Site to Site VPNS iasence edn adisi taa a eaaa doen a edie 77 Migrating from Traditional Mode to Simplified Mode cccccseeeeeseeeeeaeeeees 77 Configuring a Meshed Community Between Internally Managed Gateways 78 Configuring a Star VPN Community cccccceecccseccececeeeeeseeeeeeseeeeeseeeeseeeeeaes 79 Confirming a VPN Tunnel Successfully Op ns cccccccceecceeeseeseeeeseeeeeaeeeeees 80 Configuring a VPN with External Gateways Using PK cccccssecesseeeeeeeeeseeeeees 81 Configuring a VPN with External Gateways Using a Pre Shared Secret 008 85 How to Authorize Firewall Control Connections in VPN Communities 88 Why Turning off FireWall Implied Rules Blocks Control Connections 88 Allowing Firewall Control Connections Inside a VPN ccccceeeceeeeeeeeeeeesneees 89 Discovering Which Services are Used for Control Connections 0cccseeeees 89 Public Key Infrastructure Need for Integration with Different PKI SolUtions
71. Assignment Based on Source IP Address Example all module1 om_per_src_range lt 10 10 5 0 10 10 5 129 1 1 1 5 1 1 1 87 gt lt 10 10 9 0 10 10 9 255 1 1 1 88 1 1 1 95 gt all module2 om_per_src_range lt 70 70 70 4 70 70 70 90 8 8 8 6 8 8 8 86 gt In this scenario e 10 10 5 0 10 10 5 129 10 10 9 0 10 10 9 255 and 70 70 70 4 70 70 70 90 are the VPN remote clients source IP address ranges e 1 1 1 5 1 1 1 87 1 1 1 88 1 1 1 95 and 8 8 8 6 8 8 8 68 are the Office Mode IP addresses that will be assigned to the remote users whose source IP falls in the range defined on the same line e For example A user with a source IP address between 10 10 10 5 0 and 10 10 5 129 will receive an Office Mode address between 1 1 1 5 and 1 1 1 87 IP Assignment Based on Source IP Address is enabled using a flag in the FWDIR conf objects_ 5 0 C file Add the following flag om use ip per src range followed by value One of the following values should be applied to the flag e Exclusively If the remote hosts IP is not found in the source range remote user does not get an Office Mode IP address e True If the remote hosts IP is not found in the source IP range the user will get an Office Mode IP address using another method e False default The flag is not used Chapter 15 Office Mode 317 Configuring Office Mode Office Mode via ipassignment conf File It is possible to over ride the O
72. Before configuring Office Mode the assumption is that standard VPN Remote Access has already been configured For more details on how to configure VPN Remote Access see Introduction to Remote Access VPN on page 269 Before starting the Office Mode configuration you must select an internal address space designated for remote users using Office Mode This can be any IP address space as long as the addresses in this space do not conflict with addresses used within the enterprise domain It is possible to choose address spaces which are not routable on the Internet such as 10 x x x The basic configuration of Office Mode is using IP pools The configuration of Office Mode using DHCP for address allocation can be found in Office Mode DHCP Configuration on page 320 Office Mode IP Pool Configuration To deploy the basic Office Mode using IP pools 1 Create a network object to represent the IP Pool by selecting Manage gt Network Objects gt New gt Network In the Network Properties General tab set the IP pool range of addresses as follows e In Network Address specify the first address to be used e g 10 130 56 0 e In Net Mask enter the subnet mask according to the amount of addresses you wish to use entering 255 255 255 0 for example this will designate all 254 IP addresses from 10 130 56 1 till 10 130 56 254 for Office Mode addresses e Changes to the Broadcast Address section and the Network Prope
73. Both parties agree upon a password before establishing the VPN The password is exchanged out of band and reused multiple times During the authentication process both the client and gateway verify that the other party knows the agreed upon password Note Passwords configured in the pre shared secret tab are used in hybrid mode IKE and not in pre shared secret mode Pre shared secret IKE mode is used for working with 4 1 Clients Other Authentication Methods Available via Hybrid Mode Different organizations employing various means of user authentication may wish to utilize these means for remote access Hybrid mode is an IKE mode that supports an asymmetrical way of authentication to address this requirement Using Hybrid mode the user employs one of the methods listed below to authenticate to the gateway In return the gateway authenticates itself to the client using strong certificate based authentication Authentication methods which can be used in Hybrid mode are all those supported for normal user authentication in VPN namely e One Time Password The user is challenged to enter the number displayed on the Security Dynamics SecurlD card There are no scheme specific parameters for the SecurlD authentication scheme The VPN module acts as an ACE Agent 5 0 For agent configuration SoftID a software version of RSA s SecurlD and various other One Time Password cards and USB tokens are also supported e Security Gateway
74. CPVP SCM NNN or eval license SKU CPVP EVAL SCM 25 30 1 Note When a gateway is configured for both SecureClient Mobile support and for SSL Network Extender support and a matching property is configured with different settings the SSL Network Extender settings are applied e g user authentication method gateway certificate SSL encryption method etc Note In some of the following configuration points specific Security Management server database flags properties are mentioned These can be edited using the R65 SmartDashboard and or GuiDBEdit Please refer to the Advanced Configuration on page 455 for details about GuiDbEdit Configuring SecureClient Mobile Configuring a Gateway to Support SecureClient Mobile There are two ways to configure a gateway to enable SCM support 1 Using SmartDashboad R65 and above On the gateway object navigate to Remote Access gt SSL Clients check the SecureClient Mobile checkbox 2 Enabling the neo enable property on each gateway object using the GuiDBedit tool This method is available on R65 management or if the SCM management patch was installed A Go to Network Object gt network_objects B Select a gateway and search for the ss1_ne set within the VPN set If the ssl_ne properties such aS neo enable and ssl_enable are not displayed set the value of ssl_ne to ssl_network extender These properties are then displayed C Within the set change the value of neo_enab
75. Chapter 13 Traditional Mode VPNs 261 Configuring Traditional Mode VPNs 262 10 e n the Support authentication methods area select Public Key Signatures To specify that the gateway will only use certificates issued by the CA specified in step 1 click Specify and select the CA e Select IKE Phase 1 encryption and data integrity methods or accept the checked defaults Repeat step 3 to step 9 for each internally managed gateway Defining the Externally Managed Gateways 11 12 13 14 15 16 Create the externally managed gateway object e fitis a Check Point gateway in the Network Objects tree right click and select New gt Check Point gt Externally Managed Gateway e fitis not a Check Point gateway select Manage gt Network Objects gt New gt Interoperable Device For an external Check Point gateway only In the General Properties page select VPN Using the topology information supplied by the peer administrator in the Topology page manually define the IP address and network mask for every gateway interface Using the VPN Domain information supplied by the peer administrator define the VPN domain in the VPN Domain section of the Topology page Either select All IP Addresses behind gateway based on Topology information or manually define a group of machines or a network and set them as the VPN domain On the VPN page click Traditional mode configuration The Traditional mode I
76. Connection Profile Properties Connection P B General Advanced Name Connection Profile 1 Client Side Description sample Comment Color Connection Settings Connect to Gateway B Corporate gw Backup Gateway B Remote 1 gw Early versions compatibility for clients prior to NG AI R56 IV Logon to Policy Server JV Support Policy Server High Availability High Availability among all Policy Servers trying selected first C High Availability only among selected Policy Servers Policy Server s pa 3 In the Connect to Gateway and Backup Gateway fields use the drop down menu to select the gateways that will function as the primary and backup gateways for this profile 4 Click OK 604 Disabling MEP Disabling MEP Disabling MEP is configured by setting the following Dbedit command to true e desktop_disable_mep Chapter 28 Multiple Entry Point for Remote Access VPNs 605 Disabling MEP 606 Chapter Userc C and Product ini Configuration Files In This Chapter Introduction to Userc C and Product ini Userc C File Parameters Product ini Parameters 29 page 608 page 610 page 623 Introduction to Userc C and Product ini Introduction to Userc C and Product ini 608 The VPN administrator can use the Packaging Tool to produce customized SecuRemote SecureClient packages for distribution to end users The Packaging Tool changes the behavior of SecuRemote SecureCl
77. Domain does not contain all the IP addresses behind the gateway define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain e In the VPN page define the Matching Criteria specify that the peer must present a certificate signed by its own CA If feasible enforce details that appear in the certificate as well Define the Community The following details assume that a Star Community was chosen but a Meshed Community is an option as well If working with a Meshed community ignore the difference between the Central gateways and the Satellite gateways e Agree with the peer administrator about the various IKE properties and set them in the VPN Properties page and the Advanced Properties page of the community object e Define the Central gateways These will usually be the internally managed ones If there is no another Community defined for them decide whether or not to mesh the central gateways If they are already in a Community do not mesh the central gateways e Define the Satellite gateways These will usually be the external ones Chapter 4 Introduction to Site to Site VPN 83 Configuring a VPN with External Gateways Using PKI 9 Define the relevant access rules in the Security Policy Add the Community in the VPN column the services in the Service column the desired Action and the appropriate Track option 10 Install the Security Policy 84 Configuring a VPN with Exter
78. Feedback TABLE P 1 Check Point Documentation continued Title Eventia Reporter Administration Guide Description Explains how to monitor and audit traffic and generate detailed or summarized reports in the format of your choice list vertical bar pie chart etc for all events logged by Check Point Security Gateways SecureClient and IPS SecurePlatform SecurePlatform Pro Administration Guide Explains how to install and configure SecurePlatform This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing Unicast and Multicast protocols Provider 1 SiteManager 1 Administration Guide Explains the Provider 1 security management solution This guide provides details about a three tier multi policy management architecture and a host of Network Operating Center oriented features that automate time consuming repetitive tasks common in Network Operating Center environments More Information e For additional technical information about Check Point products consult Check Point s SecureKnowledge at http support checkpoint com e To view the latest version of this document in the Check Point User Center go to http support checkpoint com Feedback Check Point is engaged in a continuous effort to improve its documentation Please help us by sending your comments to cp_techpub_feedback checkpoint com Preface 29 Feedback 30 Feedback Pre
79. IP address of the DAIP gateway cannot be known in advance If using this method for a non DAIP gateway the IP address must be defined in the Topology tab Without DNS resolving a DAIP gateway can only initiate the first connection between two peers The second connection can be initiated by the peer gateway as long as the IP address of the DAIP gateway has not changed Chapter 11 Link Selection 209 Using Link Selection e Full hostname Enter the full Fully Qualified Domain Name FQDN The DNS host name that is used is gateway_name domain_name For example if the object name is john and the domain name is smith com then the FQDN will be john smith com e Gateways name and domain name Specified in global properties The gateway name is derived from the General Properties page of the gateway and the domain name is derived from the Global Properties page e Use a probing method e Using ongoing probing When a session is initiated all possible destination IP addresses continuously receive RDP packets The VPN tunnel uses the first IP to respond or to a primary IP if a primary IP is configured and active and stays with this IP until the IP stops responding The RDP probing is activated when a connection is opened and continues as a background process e Using one time probing When a session is initiated all possible destination IP addresses receive an RDP session to test the route The first IP to respond is chosen an
80. IV prefetch_crls_on_install T trust_all_capi_trusted_root_cas Details Trust CAPI root store CAs user_certs_key_size 1024 wamcertexpiry 2592000 4 Cancel Help Configuring CRL Grace Period Set the CRL Grace Period values by selecting Policy gt Global Properties gt VPN gt Advanced The Grace Period can be defined for both the periods before and after the specified CRL validity period 114 Configuring OCSP Configuring OCSP In order to use OCSP the CA object must be configured to the OCSP revocation checking method instead of CRL s Using Dbedit modify the field oscp validation to true Set to true this CA will check the validation of the certificate using OCSP This is configured on the root CA and is inherited by the subordinate CA s To configure a trusted OCSP server using Dbedit of objectc c 1 Create a new server object of the type oscp_server 2 Configure the OCSP servers URL and the certificate 3 In the CA object configure oscp_server Add a reference to the OCSP server object created and install policy Chapter 5 Public Key Infrastructure 115 Configuring OCSP 116 Site to Site VPN Chapter Domain Based VPN In This Chapter Overview VPN Routing and Access Control Configuring Domain Based VPN Configuring Domain Based VPN page 120 page 121 page 122 page 122 119 Overview Overview 120 Domain Based VPN is a method of controlling how VPN traffic is routed
81. Internet Encrypted Not encrypted Host 4 Host 5 Host 6 Vy Security Gateway After a VPN tunnel has been established Figure 4 2 packets are dealt with in the following way e A packet leaves the source host and reaches the gateway e The gateway encrypts the packet e The packet goes down the VPN tunnel to the second gateway In actual fact the packets are standard IP packets passing through the Internet However because the packets are encrypted they can be considered as passing through a private virtual tunnel e The second gateway decrypts the packet e The packet is delivered in the clear to the destination host From the hosts perspective they are connecting directly For more information regarding the IKE negotiation see IPSEC amp IKE The Check Point Solution for VPN VPN Communities Creating VPN tunnels between gateways is made easier through the configuration of VPN communities A VPN community is a collection of VPN enabled gateways capable of communicating via VPN tunnels To understand VPN Communities a number of terms need to be defined e VPN Community member Refers to the gateway that resides at one end of a VPN tunnel e VPN domain Refers to the hosts behind the gateway The VPN domain can be the whole network that lies behind the gateway or just a section of that network For example a gateway might protect the corporate LAN and the DMZ Only the corporate LAN needs t
82. Mode Defining User Authentication Methods in Hybrid Mode 1 On the User Properties window Authentication tab select an appropriate authentication scheme 2 Enter authentication credentials for the user 3 Supply the user out of band with these credentials For information regarding authentication methods for users authentication servers and enabling authentication methods on the gateway see the chapter on Authentication in the FireWall Administration Guide Chapter 14 Introduction to Remote Access VPN 289 VPN for Remote Access Configuration Configuring Authentication for NT groups and RADIUS Classes To enable this group authentication feature 1 Set the add_radius_ groups property in objects C to true 2 Define a generic profile with RADIUS as the authentication method 3 Create a rule in the Policy rule base whose source is this group of remote users that authenticate using NT Server or RADIUS Office Mode IP assignment file This method also works for Office Mode The group listed in the ipassignment conf file points to the group that authenticates using NT group authentication or RADIUS classes See Office Mode via ipassignment conf File on page 318 Using a Pre Shared Secret When using pre shared secrets the remote user and security gateway authenticate each other by verifying that the other party knows the shared secret the user s password To enable the use of pre shared sec
83. N f eho 1 Imember_GWAT membet_GWA2 170 170 1 1 L i i a etho etho 1 ra 170 170 1 2 49019049 Sscces lt WN ia GWe GWe vteluster et a 10 0 1 20 10 0 0 3 In Figure 6 3 e There is a VTI connecting Cluster GWA and GWb e There is a VTI connecting Cluster GWA and GWc e There is a VTI connecting GWb and GWc The devices in this scenario are ClusterXL e Cluster GWA e member_GWA1 e member_GWA2 VPN Modules e GWb e GWc IP Configurations e Cluster GWA e member_GWA1 e External Unique IP ethO 170 170 1 1 24 e External VIP ethO 170 170 1 10 24 e Sync Interface ethl 5 5 5 1 24 Chapter 6 Route Based VPN 137 Configuring Numbered VTIs 138 e P of VTI vt GWb Local 10 0 1 11 Remote 10 0 0 2 e VIP of VTI vt GWb 10 0 1 10 e P of VTI vt GWe Local 10 0 1 21 Remote 10 0 0 3 e VIP of VTI vt GWce 10 0 1 20 member_GWA2 e External Unique IP ethO 170 170 1 2 24 e External VIP ethO 170 170 1 10 24 e Sync Interface ethl 5 5 5 1 24 e IP of VTI vt GWb Local 10 0 1 12 Remote 10 0 0 2 e VIP of VTI vt GWb 10 0 1 10 e P of VTI vt GWe Local 10 0 1 22 Remote 10 0 0 3 e VIP of VTI vt GWc 10 0 1 20 GWb e External Unique IP ethO 180 180 1 1 24 e P of VTI vt ClusterGWa Local 10 0 0 2 Remote 10 0 1 10 e P of VTI vt GWce Local 10 0 0 2 Remote 10 0 0 3 GWc e External Unique IP ethO 190 190 1 1 24 e P of VTI vt ClusterGWa Local 10 0 0 3 Remote 10 0 1 20 e P of VTI vt GWb
84. Note Office Mode is supported only in Connect Mode Office Mode Using a RADIUS Server To configure the RADIUS server to allocate IP addresses proceed as follows In SmartDashboard l 2 3 4 5 Click Manage gt Servers and OPSEC Applications Select RADIUS server and click Edit The RADIUS Server Properties window appears Click the RADIUS Accounting tab Select Enable IP Pool Management Select the service the RADIUS server uses to communicate with remote users To configure the RADIUS server to perform authentication for remote users proceed as follows In SmartDashboard Chapter 15 Office Mode 321 Configuring Office Mode 1 Click Manage gt Network Objects 2 Select gateway and click Edit 3 In gateway properties select Remote Access gt Office Mode Figure 15 5 Office Mode Properties Window Check Point Gateway Reaote 1 g Es General Properties Office Mode Topology Do not offer Office Mode cs He Offer Office Mode to group ES L2TP vpn user New Remote Access C Allow Office Mode to all users Office Moris Office Mode Method Clientless VPN SSL Network Exter Authentication IV From ipassignment conf located in FWDIR conf always tried first SmartView Monitor UserAuthority Server Logs and Masters IV Using one of the following methods Capacity Optimization Advanced Manual using IP pool Allocate IP from network m Remote 1 dmz New Automatic us
85. PP that tests gateway availability The MEPed gateways do not have to be in the same location they can be widely spaced geographically Ss Note In a MEPed gateway environment the only remote client supported is the Check Point SecuRemote SecureClient SecureClient Connect Profiles and MEP There are three methods used to choose which gateway will be used as the entry point for any given connection First to reply In a First to Reply MEP environment SecureClient attempts to connect to the gateway configured in the profile If the configured gateway does not reply the first gateway to respond is chosen Primary Backup With this method SecureClient attempts to connect to the Primary gateway first If the Primary gateway does not reply SecureClient attempts to connect to the Backup gateway If the Backup gateway does not reply there are no further attempts to connect Random Selection In a Load Sharing MEP environment SecureClient randomly selects a gateway and assigns the gateway priority The remote peer stays with this chosen gateway for all subsequent connections to host machines within the VPN domain Load distribution takes place on the level of different clients rather than the level of endpoints in a connection In addition SecureClient ignores whatever gateway is configured as the connect to gateway in the profile Chapter 28 Multiple Entry Point for Remote Access VPNs 597 The Check Point Solutio
86. Packag inex mros aa aaa saoget Mmscas snqaten aoa eens ne 486 Add and Remove Files in Package ccccccccseccceseeeseceeeeeseeseeeeseeeeseeeeesneeees 487 Installation Command Line Options cc cccccseeccesceeceeeeeeeeeeseeeeeseeeesneeeeas 487 Split MStallatiOn Sea Ales RE a a D E a 487 DIEI DUG crite E EEE E T EE ESE A E N AES 487 Zone Labs Endpoint Security Client c cccccecceceeeceseceeeeeeeeseeeseeeesaeeeeas 488 Chapter 21 Desktop Security The Need for Desktop Security cccccceeccceeececeeeeeeeeeeseeeeeseeeeseeseeeeeeeseeeesneeees 490 Desktop Security Solutii iiba heseeti coeeuta gabe vas adeeb a otecstvel osdelalesvehue 491 Introducing Desktop Security ccceccccseecceeecceeeeeeeeeeeeeeeeeeeeeeeseeeesneeetaneeees 491 The Desktop Security PoliCyis cccccculecccadescaesietvas ees eadi aiae anank a aana 492 Policy SS CIV OR seated de adden eddad 3 Aas AE Wud dadverd fees hdd oles 494 Policy Downloadi a a Pete a e E easel ease ae ae 494 Logs and Alerts iaies ict yatearnes az E ns tighiedete aise EE wade ahs 495 Desktop Security Considerations irssi eroien a lack teu iaeedesacs toes got heaters 496 Planning the Desktop Security Policy cccccsecccceecceeeeeeseeeeeeeeeeseeeeeaeeeaees 496 Avoiding Double Authentication for Policy Server c cccccseeceeeeeeeeeeeseeeeees 497 Configuring Desktop Security cccccecccceececeeeesseeceseeeeeseeeesaeeeeaeeseeneseseneeeseeees 498 Server Side
87. Parameters Type av_type Type of Anti Virus For example Norton VirusScan OfficeScan or ZoneLabs Signature x Required Virus definition file signature The signature s format depends on the AntiVirus type For example on Norton Antivirus the signature maybe be gt 20031020 The format for Norton s AV signature is yyyymmdd For TrendMicro Officescan the signature maybe lt 650 For McAfee s VirusScan use signature gt 404291 for a signature greater than 4 0 4291 For Zone Labs use signature gt X Y Z where X Major Version Y Minor Version and Z Build Number of the dat signature file AntiVirusMonitor does not support begin_or and the begin_and syntax See Expressions and Labels with Special Meanings 2 BrowserMonitor Parameters browser major version 5 Major version number of Internet Explorer If this field does not exist in the local scv file or if this value is O the IE S version will not be checked as part of the BrowserMonitor check browser minor version 0 Internet Explorer s minor version number browser version operand gt The operator used for checking the Internet Explorer s version number Configuring SCV browser version mismatchmessage Please upgrade your Internet Browser Message to be displayed in case of a non verified configuration for the Internet Explorer
88. Party CA deployed locally CA LDAP Server y o Certificate Security Gateway LDAP Server Replica Chapter 5 Public Key Infrastructure 95 Supporting a Wide Variety of PKI Solutions 96 Trusting An External CA A trust relationship is a crucial prerequisite for establishing a VPN tunnel However a trust relationship is possible only if the CA that signs the peer s certificate is trusted Trusting a CA means obtaining and validating the CA s own certificate Once the CA s Certificate has been validated the details on the CA s certificate and its public key can be used to both obtain and validate other certificates issued by the CA The Internal CA ICA is automatically trusted by all modules managed by the Security Management server that employs it External CAs even the ICA of another Check Point Security Management server are not automatically trusted so a module must first obtain and validate an external CA s certificate The external CA must provide a way for its certificate to be imported into the Security Management server If the external CA is e The ICA of an external Security Management server see the Security Management Server Administration Guide for further information e An OPSEC Certified CA use the CA options on the Servers and OSPEC Applications tab to define the CA and obtain its certificate Subordinate Certificate Authorities A subordinate CA is a Certificate Authority ce
89. Recovery and Renewal with Internal CA Removal of a compromised or expired certificate automatically triggers creation of a new certificate with no intervention required by the administrator To manually renew a certificate use the Renew button on the VPN page of the gateway object Note A module can have only one certificate signed by a particular CA Thus when the new certificate is issued you will be asked whether to replace any existing certificate signed by the same CA Configuration of PKI Operations Adding Matching Criteria to the Validation Process While certificates of an externally managed VPN entity are not handled by the local Security Management server you can still configure a peer to present a particular certificate when creating a VPN tunnel 1 Open the VPN page of the externally managed VPN entity 2 Click Matching Criteria 3 Choose the desired characteristics of the certificate the peer is expected to present including e The CA that issued it e The exact DN of the certificate e The IP address that appears in the Subject Alternate Name extension of the certificate This IP address is compared to the IP address of the VPN peer itself as it appears to the VPN module during the IKE negotiation e The e mail address appearing in the Subject Alternate Name extension of the certificate CRL Cache Usage To cancel or modify the behavior of the CRL Cache 1 Open the Advanced Tab of the Certificate Aut
90. Related Documentation This release includes the following documentation TABLE P 1 Check Point Documentation Title Internet Security Installation and Upgrade Guide Description Contains detailed installation instructions for Check Point network security products Explains the available upgrade paths from versions R60 65 to the current version High End Installation and Upgrade Guide Contains detailed installation instructions for the Provider 1 and VSX products including hardware and software requirements and licensing requirements Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version Security Management Server Administration Guide Explains Security Management solutions This guide provides solutions for control over configuring managing and monitoring security deployments Firewall Administration Guide Describes how to control and secure network access and VoIP traffic how to use integrated web security capabilities and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol CVP applications URL Filtering UFP applications IPS Administration Guide Describes how to use IPS to protect against attacks Virtual Private Networks Administration Guide Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure
91. SecureClient SSL clients or third party IPSec clients The security gateway provides a Remote Access Service to the remote clients Remote Access Community A Remote Access Community a Check Point concept is a type of VPN community created specifically for users that usually work from remote locations outside of the corporate LAN Office Mode Office Mode is a Check Point remote access VPN solution feature It enables a security gateway to assign a remote client an IP address This IP address is used only internally for secure encapsulated communication with the home network and therefore is not visible in the public network The assignment takes place once the user connects and authenticates The assignment lease is renewed as long as the user is connected The address may be taken either from a general IP address pool or from an IP address pool specified per user group using a configuration file 630 Commonly Used Concepts Visitor Mode Visitor Mode is a Check Point remote access VPN solution feature It enables tunneling of all client to gateway communication through a regular TCP connection on port 443 Visitor mode is designed as a solution for firewalls and Proxy servers that are configured to block IPsec connectivity Endpoint Security on Demand Endpoint Security on demand ESOD may be used to scan endpoint computers for potentially harmful software before allowing them to access the internal application When end use
92. The SCV Policy can be configured to display a popup notification on non securely configured clients and or send a log to the Security Management server Making the Organizational Security Policy SCV Aware SecureClient is now able to determine whether the client is securely configured Once all the organization s clients have been configured according to the previous steps the administrator specifies the actions to be taken on the security gateway based on the client s SCV status For example the administrator can specify that non securely configured clients cannot access some or all of the resources on the corporate LAN protecting the organization from the dangers associated with the client s poor security configuration The administrator can choose whether to enforce SCV for remote clients If SCV is enforced only securely configured clients are allowed access under the rule If SCV is not enforced all clients are allowed access under the rule In simplified mode this is configured globally In traditional mode this is configured individually for each rule See Server Side Configuration on page 529 for more information When the client connects to a security gateway an IKE negotiation takes place between SecureClient and the gateway If the gateway s Security Policy requires an SCV check to be made the gateway holds the connection while it checks if the client is securely configured SCVed If the gateway already knows t
93. This prefix is optional range and net specify a range of addresses These prefixes ar required The third item is the IP address or addresses In the case of a single address it is specified in standard dotted decimal format ranges can be specified either by the first and last IP address or using a net specification In either case you need to also specify the subnet mask length 24 means 255 255 255 0 With a range this is the subnet mask With a net it is both the subnet mask and it also determines the addresses in the range The last item is the user name This can be a common name if the user authenticates with some username password method like hybrid or MD5 Challenge or a DN if the user authenticates with a certificate Office Mode Considerations Office Mode Considerations In This Section IP pool Versus DHCP page 313 Routing Table Modifications page 313 Using the Multiple External Interfaces Feature page 313 IP pool Versus DHCP The question of whether IP addresses should be assigned by the Firewall using IP pools or by a DHCP server is a network administration and financial issue Some network administrators may prefer to manage all of their dynamic IP addresses from the same location For them a central DHCP server might be preferable Moreover DHCP allows a cluster to assign all the addresses from a single pool rather than have a different pool per cluster member as you have
94. To connect to a gateway 1 On the toolbar tap Menu gt Connect gt New The Connect to a new Server window opens 2 In the Server address or name field enter the gateway information If you are using Visitor mode to connect to a port other than the default enter lt gateway information gt lt port gt 3 Tap oK The first time you connect to a server the credentials need to be verified 4 When prompted enter your credentials Note If you connected to a gateway then tap Connect on the toolbar to connect to the most recently connected gateway To connect to the most recently connected gateway 1 On the toolbar tap Connect 2 Select the server name or IP address of the gateway or tap Connect on the toolbar to connect to the most recently connected gateway Configuring Display Settings To configure display settings on the mobile device 1 Select Menu gt Options 2 Scroll down to Display Settings and configure the following e Notification Level Select from the drop down menu one of the following options e All All popups from all categories information progress warnings and errors sent by the client are allowed e Progress Warnings and Errors Select this option to eliminate Information popups from appearing Chapter 19 SecureClient Mobile 453 Client Side Configuration 454 e Warnings and Errors Select this option to allow only Warnings and Errors popups to appear e Errors only
95. UserAuthority Server T UserAuthority WebAccess More Info o Cancel Help Verify that VPN is selected Select VPN from the menu on the left Verify that the gateway participates in the remote access community If not add the gateway to the remote access community Ss Ss Ss Configuring SecureClient Mobile 5 From the Gateway Properties page in the Topology tab configure the VPN domain for SecureClient Mobile in the same way that it was configured for SecureClient Note The VPN domain can be used to configure SecureClient Mobile to work in hub mode where all traffic is directed through a central hub The Set domain for Remote Access Community button on the Topology tab can also be used to create a different encryption domain for remote access clients that connect to the gateway Configure visitor mode as described in the Resolving Connectivity Issues chapter in the VPN Guide Configuring visitor mode does not interfere with regular SecureClient user functionality but permits SecureClient users to enable visitor mode Note The SecureClient Mobile uses TCP 443 SSL to establish a secure connection with the VPN SecurePlatform and the Nokia platform and for remote administration purposes Another port may be assigned to the SecureClient Mobile however this is not recommended as most proxies do not allow ports other than 80 and 443 Instead it is recommended that you assign SecurePlatform or
96. When client is detected within the internal network terminate the vpn connection and re establish it when the client leaves Note The connection will be reestablish if the client is in always connect mode Clients are considered to be within the internal site if The client can access it s defined domain controller Client connection arrives from the following networks 7 Manage Advanced OK Cancel b Select Client connection arrives from within the following network c Click Manage and select or create a group that contains the relevant IP range d Click Advanced Chapter 17 Endpoint Connect 365 Endpoint Connect Advanced Settings The Location Awareness Fast Detection of External Locations window opens Location Awareness Fast Detection of External Locations H x Use these options to identify external sites and thereby enhance the performance of location awareness Fast Detection of external locations IV Regard wireless networks as external Except for the following network names SSIDs Wireless Network Names New Edit Delete IV Consider DNS suffixes which do not appear in the following list as external DNS Suffix New Edit Client Side Caching J Remember previously detected external networks OK Cancel Use these options to identify external networks For example create a list of wireless networks or DNS suffixes that are known to be external Or cache on the
97. a Hub connectivity with other clients is possible as well as the ability to inspect the subsequent traffic for content When using Hub mode enable Office mode If the remote client is using an IP address supplied by an ISP this address might not be fully routable When Office mode is used rules can be created that relate directly to Office mode connections Note Office mode is only supported in SecureClient not SecuRemote Allowing SecureClient to Route all Traffic Through a Gateway In Figure 24 2 the remote client needs to connect with a server behind security gateway 2 Company policy states that all connections to this server must be inspected for content For whatever reason security gateway 2cannot perform the required content inspection When all the traffic is routed through security gateway 1 connections between the remote client and the server can be inspected Figure 24 2 Monitoring traffic to a Remote Client Security Gateway 1 Security Gateway 2 pen nternet Re Remote Client 560 Check Point Solution for Greater Connectivity and Security Suppose the same remote client needs to access an HTTP server on the Internet The same company policy regarding security still applies Figure 24 3 Remote client to Internet OPSEC Certified UFP server ot Remote Client Security Gateway j Ag Internet Ba HTTP Server The remote client s traffic is directed to the security gateway where
98. aa ae A O a 23 Section 3 Remote Access VPN suis siescevaiscadevaseediatedsviah stcuawanacdeesa cede veae dina yani 25 Appendices drene estat ak weeny Mk cent aa emanate stares bones Sea tere aati A nde 27 Related DOCUMENTATION s senna aaa Sav cae can dude teavega td deeded a TiN 28 FECA BACK cos E ETE ETAS ATE A E E E sgosaiaenaeeana lei 29 Introduction to VPN Technology Chapter 1 Overview Th Connectivity Ghallenge ann aai a ara Races Ave 36 The Basic Check Point VPN Solution ccccccceeeeeeeeeeeeeeeeeaeeeeeeeeseeeeeeeeeeeeeeeeeas 37 Understanding the Terminology cccccccsccceeccecceseceeeceeceeeeeeeeseeeeeeeeeeeaeeeaeeees 38 Site to Site VPN is aise tha a an ee dant a vind avandia pa Aa ee Wied 39 VPN COMMUNES aede ee a Suostan aiaa pdea erda eri i eiai e E a 39 Remote Access VPN enrera neat htt aaa i dena a naana aie 41 Chapter 2 IPSEC amp IKE OVEWIEW inan niu meie a a a E A Male ates ee ee teal ss 44 Methods of Encryption and Integrity ccccccccccseecesseeeeeeeeeeeseeseeeeseeeesaeeees 47 Phase l modes av iee Aa ea ed eee een ev ie 48 Renegotiating IKE amp IPSec Lifetimes cccccccccccseeceseeeeeeseeeeeseseeeeeseeeesaeeees 49 Perfect Forward Secrecy lt i scctes occcaycovcttvselevariedsvialeteviotocets el onclewesteweseeateoe ses 49 IP COMPRESSION E EE EEEE A EEA 50 Subnets and Security Associations cccecccceeeceseeecaeeeeaeeceeeeeeeseeeesueeeaeeeeens 51 IKE DOS Protect lon aa
99. administrator decides to Route all traffic through gateway all outbound traffic on the client is encrypted and sent to the gateway but only traffic directed at site resources is passed through all other traffic is dropped e If this option is not selected only traffic directed at site resources is encrypted and sent to the gateway All other outbound client traffic passes in the clear Endpoint Connect Advanced Settings e For the gateway to act as a hub for content inspection of all inbound and outbound client traffic regardless of destination the administrator needs to a define a network application that includes the range 0 0 0 1 gt 255 255 255 254 If you do not open this window then default values apply Table 17 6 Default Security Settings Option Route all traffic through gateway SmartDashboard Endpoint Connect default value default value No No Configuration and Version Settings Use the settings in this section to configure how the client is upgraded The upgrade procedure remains transparent to the user and does not require administrator privileges on the endpoint or a reboot after the upgrade is complete If you do not open this window then default values apply Table 17 7 Default configuration and version settings Option SmartDashboard Endpoint Connect Client upgrade mode ask user default value default value do not upgrade 9 Save the policy Chapter 17 End
100. and Load Balancing on page 494 SecureClient will try to reconnect to the Policy Server from which it last successfully downloaded a policy If it cannot connect to that Policy Server it will try the others If SecureClient cannot download a new policy from any Policy Server it will try again after a fixed interval default is 5 minutes If SecureClient fails to download a new policy after the timeout expires it will revert to the default policy Logs and Alerts Logs and alert specified Desktop Security Policy can be viewed using the SecureClient Diagnostics In addition all alerts are saved and uploaded to the Security Management server When the client connects to a Policy Server it uploads the alerts to a spooling process which passes the alerts to the Security Management server where they can be viewed by the SmartView Tracker Chapter 21 Desktop Security 495 Desktop Security Considerations Desktop Security Considerations In This Section Planning the Desktop Security Policy page 496 Avoiding Double Authentication for Policy Server page 497 Planning the Desktop Security Policy You should carefully plan your users policy properly balancing considerations of security and convenience The policy should allow the desktop users to work as freely as possible but at the same time make it hard to attack the remote user s desktop Here are some points to consider 496 You should not explicitly allow any service to be o
101. and NY can only communicate with the central Paris gateway Since the London and New York satellite gateways cannot open a VPN link between them this is a valid configuration Authentication Between Community Members Before gateways can exchange encryption keys and build VPN tunnels they first need to authenticate to each other Gateways authenticate to each other by presenting one of two types of credentials e Certificates Each gateway presents a certificate which contains identifying information of the gateway itself and the gateway s public key both of which are signed by the trusted CA For convenience the Check Point product suite installs its own Internal CA that automatically issues certificates for all internally managed gateways requiring no configuration by the user In addition the Check Point Product Suite supports other PKI solutions For more information see Public Key Infrastructure on page 91 e Pre shared secret A pre shared is defined for a pair of gateways Each gateway proves that it knows the agreed upon pre shared secret The pre shared secret can be a mixture of letters and numbers a password of some kind Considered more secure certificates are the preferred means In addition since the Internal CA on the Security Management server automatically provides a certificate to each Check Point Security Gateway it manages it is more convenient to use this type of authentication Chapter 4 Intro
102. arg char str Arguments Argument IN OUT Meaning arg in the argument str out the value of the string TrArgGetDefText This function fills the TrArg default text and returns the status of the operation Chapter 18 Endpoint Connect API 419 Functions from Service to Client Prototype TRAPI CPAPI TrStatus TrArgGetDefText TrArg arg char def text Arguments Argument IN OUT Meaning arg in the argument def text out the default text 420 Chapter 19 SecureClient Mobile In This Chapter Overview of SecureClient Mobile page 422 Connectivity Features page 423 Topology and Split Tunneling page 428 Hub Mode VPN Routing for Remote Access page 429 Security Policies and Client Decide page 430 IP Firewall Policy page 431 Connectivity Policy page 432 General GUI Policy page 433 Client Deployment Repackaging and Upgrade page 434 Installing SecureClient Mobile page 435 Client Side Installation page 438 Configuring SecureClient Mobile page 442 Client Side Configuration page 453 Advanced Configuration page 455 Client Deployment Overview page 469 Troubleshooting page 476 421 Overview of SecureClient Mobile Overview of SecureClient Mobile SecureClient Mobile is a client for mobile devices that includes a VPN and a firewall It replaces SecureClient for PocketPCs The client works on various platforms and enables easy deployment and upgrade SecureClient Mobile s VPN is base
103. be traced at any time in the Certificates tab of the user s Properties window The status is shown in the Certificate state field If the certificate has not been generated by the user by the date specified in the Pending until field the registration key is deleted If the user is defined in LDAP then tracing is performed by the ICA management tool Automatically Renewing a Users Certificate ICA certificates for users can be automatically renewed a number of days before they expire The client initiates a certificate renewal operation with the CA before the expiration date is reached If successful the client receives an updated certificates To configure automatic certificate renewal 1 Select Policy gt Global Properties gt Remote Access gt Certificates VPN for Remote Access Configuration 2 Select Renew users internal CA certificates and specify a time period The time period is the number of days before the user s certificate is about to expire in which the client will attempt to renew the certificate Install the Security Policy Instruct the user to update the site s topology Revoking Certificates The way in which certificates are revoked depends on whether they are managed internally or externally via LDAP For internally managed Users When a user is deleted their certificate is automatically revoked Certificates can be disabled or revoked at any time If you initiated a certificate generation
104. between gateway modules and remote access clients within a community To route traffic to a host behind a gateway an encryption domain must be configured for that gateway Configuration for VPN routing is performed either directly through SmartDashboard or by editing the VPN routing configuration files on the gateways In Figure 5 1 one of the host machines behind gateway A initiates a connection with a host machine behind gateway B For either technical or policy reasons gateway A cannot establish a VPN tunnel with gateway B Using VPN Routing both gateways A and B can establish VPN tunnels with gateway C so the connection is routed through gateway C Figure 5 1 Simple VPN routing Security Gateway A Security Gateway B VPN Routing and Access Control VPN Routing and Access Control VPN routing connections are subject to the same access control rules as any other connection If VPN routing is correctly configured but a Security Policy rule exists that does not allow the connection the connection is dropped For example a gateway has a rule which forbids all FTP traffic from inside the internal network to anywhere outside When a peer gateway opens an FTP connection with this gateway the connection is dropped For VPN routing to succeed a single rule in the Security Policy Rule base must cover traffic in both directions inbound and outbound and on the central gateway To configure this rule see Configuring the Acc
105. bit on the packet is set If a packet is longer than any router s MTU the router drops the packet and sends an ICMP error message to the remote client From the largest packet not fragmented the remote client resolves an appropriate PMTU This PMTU is not conveyed directly to the OS Unknown to the operating system during the TCP three way handshake the Maximum Segment Size MSS on the SYN and SYN ACK packets are changed to reflect the PMTU This is known as Active IPSec PMTU Overcoming NAT Related Issues Figure 31 3 IPSec discover packets soe a ot ae oe Remote location s NATing device Gateway IPSec Discovery packet with DF bit set gt I ICMP eror message Passive IPSec PMTU Passive IPSec PMTU solves the problem of dynamic Internet routing Passive IPSec PTMU is a process that occurs when either side receives an ICMP error message resulting from a change in the routing path Since routes change dynamically on the Internet if a different router needs to fragment the packet that has the DF bit set the router discards the packet and generates an ICMP cannot fragment error message The error message is sent to the VPN peer that sent the packet When the peer receives this error message the peer decreases the PMTU and retransmits Note From the system administrator s perspective there is nothing to configure for PMTU the IPSec PMTU discovery mechanism both active and passive runs automatically
106. browser s settings for a certain zone For example if none of the following parameters appear 544 i restricted download signed activex Configuring SCV ii restricted run activex iii restricted download files iv restricted java permissions then BrowserMonitor will not check the restricted zones security settings In similar fashion if the parameter browser major version does not appear or is equal to zero then IE s version number is not checked BrowserMonitor does not support the begin or and the begin and syntax and does not support the admin parameters See also Expressions and Labels with Special Meanings For the script for checking Internet Explorer Service Pack see Script for Internet Explorer Service Pack on page 552 3 Groupmonitor Parameters e builtin administrator false A name of a user group The user has to belong to this group in order for the machine configuration to be verified e securely configured no active user true Specifies whether the machine s configuration may be considered verified when no user is logged on The default value is false 4 HotFixMonitor Parameters e HotFix Number true A number of a system HotFix to be checked In order for the machine to be verified the HotFix should be installed for example 823980 true verifies that Microsoft s RPC patch is installed on the operating system e HotFix Name true T
107. client side names of networks that were previously determined to be external Selecting one or more of these options enhances the performance of location awareness Interface based Location Awareness In this kind of location awareness when the firewall receives a request from the remote client the firewall uses the IP address and port number of the client together with the IP address and port of the gateway along with the protocol type to determine via the connection table on the gateway whether the interface is internal or external If the firewall is unable determine this or if the interface is listed as both internal and external the connection is encrypted To configure Interface based location awareness 1 In SmartDashboard open Global Properties gt Remote Access gt Endpoint Connect 366 Endpoint Connect Advanced Settings Global Properties x Firewall Endpoint Connect NAT Network Add Op F Authentication Authentication Settings VPN VPN 1 UTM Edge Enable password caching No iv Remote Access Cache word for fi 440 3 minutes VPN Basic 4 VPN Advance Re authenticate user every 480 minutes VPN IKE Pha VPN IPSEC P Connectivity Settings Certificates Secure Configui Connect mode Configured on endpoint client x SSL Network E i oe 7 7 SecureClient Mc Location Aware Connectivity ke O x Configure Endpoin
108. client works with a profile that enables IKE over TCP Chapter 31 Resolving Connectivity Issues 689 Configuring Remote Access Connectivity Configuring Small IKE phase II Proposals Small phase II IKE proposals always include AES 256 but not AES 128 Suppose you want to include AES 128 in the small proposals l Open the command line database editing tool DBedit There are two properties that control whether small proposals are used or not one for pre NG with Application Intelligence the other for NG with Application Intelligence e phase2_proposal determines whether an old client pre NG with Application Intelligence will try small proposals default false e phase2_proposal_size determines whether a new client for NG with Application Intelligence will try small proposals default true In Global Properties gt Remote Access page gt VPN Advanced subpage gt User Encryption Properties section select AES 128 This configures remote users to offer AES 128 as a small proposal Configuring NAT Traversal UDP Encapsulation On the gateway network object enable UDP encapsulation and decide on a port to handle UDP encapsulation 1 General Properties gt Remote Access page gt NAT Traversal section select Support NAT traversal mechanism UDP encapsulation From the Allocated port drop down box select a port VPN1_IPSec_encapsulation is the default IKE phase II proposals are offered both with
109. configuration In This Section Configuring the Gateway as a Member of the Remote Access Community page 637 Configuring the Gateway to Support the SSL Network Extender page 638 Configuring the SSL Network Extender page 640 Configuring the Gateway as a Member of the Remote Access Community 1 Fi Open SmartDashboard select the gateway object on the Network Object tab of the Objects Tree The General Properties window is displayed Verify that VPN is selected and click OK Select vPN in the objects tree on the left hand side Verify that the module participates in the Remote Access Community If not add the module to the Remote Access Community In the Topology Tab of the Gateway Properties page configure the VPN Domain for SSL Network Extender in the same way that you configure it for SecureClient Note You can use the VPN Domain to configure SSL Network Extender to work in Hub Mode All traffic is then directed through a central Hub You can also use the Set domain for Remote Access Community button on the same tab to create different encryption domain for Remote Access clients that connect to the gateway see Configuring Selective Routing on page 341 Configure Visitor Mode as described in the Resolving Connectivity Issues chapter Configuring Visitor Mode doesn t interfere with regular SecureClient users functionality It merely allows SecureClient users to enable Visitor Mode For a descriptio
110. connection continues In a MEPed configuration if a gateway fails the current connection is lost and one of the backup gateways picks up the next connection In a MEPed environment the decision which gateway to use is taken on the remote side in a cluster the decision is taken on the gateway side Overview How It Works MEP is implemented via a proprietary Probing Protocol PP that sends special UDP RDP packets to port 259 to discover whether an IP is reachable This protocol is proprietary to Check Point and does not conform to RDP as specified in RFC 908 1151 Note These UDP RDP packets are not encrypted and only test the availability of a peer The peer continuously probes or polls all MEPed gateways in order to discover which of the gateways are up and chooses a gateway according to the configured selection mechanism Since RDP packets are constantly being sent the status of all gateways is known and updated when changes occur As a result all gateways that are up are known There are two available methods to implement MEP e Explicit MEP Only Star communities with more than one central gateway can enable explicit MEP providing multiple entry points to the network behind the gateways When available Explicit MEP is the recommended method e Implicit MEP Implicit MEP is supported in all scenarios where fully or partially overlapping encryption domains exist or where Primary Backup Gateways are co
111. connection or to Accept it and send a log about the event Basic configuration verification on client s machine specifies whether SecureClient should perform SCV checks to determine whether the policy is installed on all network interfaces cards on the client s desktop and whether only TCP IP protocols are installed on these interfaces Configurations Violation Notification on client s machine specifies whether a log record should be saved on the Security Management server machine indicating that a remote user is not SCVed this is a general indication without a specification of a certain SCV check the user s desktop had failed To configure whether earlier clients prior to NG are considered SCVed go to Policy gt Global Properties and select the Remote Access gt Early Version Compatibility tab In this tab you can choose the Required policy for all desktops from the list of predefined policies Select Client is enforcing required policy if you wish that earlier clients that do not enforce the selected policy will not be considered SCVed 3 Close the Global Properties screen Chapter 23 Secure Configuration Verification 529 Configuring SCV 4 If you are using simplified mode the mode that supports VPN communities skip this step If you are using traditional mode edit your Security Policy Rule base and add SCV checks for your remote access rules Client Encrypt or Client Auth rules To enable SCV for a remote
112. conversion of an Encrypt rule is where connections that do not match the first rule are dropped by rules that appear later in the Rule Base Sometimes you can group several Drop rules generated by the conversion of several Encrypt rules into a single Drop rule Add Rules Allowing Communication Inside the VPN Domain Connections matching Encrypt rules where both endpoints are located inside the encryption domain of the same gateway are accepted in a Traditional Rule Base To achieve the same effect in the simplified rule base you must manually add rules that accept the traffic inside the encryption domains of the gateways In most cases it is not necessary to add these rules Add them if you see the SmartView Tracker log message Both endpoint are in the Encryption Domain Auth Encrypt Rules Auth Encrypt rules are not converted automatically When such rules appear in the Rule Base review the converted Rule Base and make sure that the security of these rules are maintained Appendix VPN Shell Configuring a Virtual Interface Using the VPN Shell 730 The VPN Shell used for creating Virtual VPN Tunnel Interfaces is composed of menus and commands The shell can be used interactively or as a single command line Invoking the command vpn shell without any other arguments starts the interactive shell Adding arguments after vpn shell is interpreted as a direct command and executed VPN shell starts the interactive mode
113. customized installation package neo show today item Displays the today false true client_decide item neo_show_taskbar_ item Displays the taskbar false true client_decide icon neo flash icon on enc Displays the flash false true client_decide rypting icon which monitors VPN tunnel activity traffic neo flash icon on fw Displays the flash false true client_decide packet_drop icon which monitors firewall packet dropping activity Chapter 19 SecureClient Mobile 465 Advanced Configuration 466 Configuring a Non Centrally Managed Gateway Configuring a Gateway to Support SecureClient Mobile This method must be performed on each gateway To enable support 1 From the command prompt run ckp regedit a SOFTWARE CheckPoint VPN1 neo enable 1 2 Run cpstop and cpstart to enable support To disable support 1 From the command prompt run ckp regedit d SOFTWARE CheckPoint VPN1 neo enable To configure a certificate to be used by gateway SSL only if SSL Network Extender is disabled proceed as follows 1 Add the neo gw certificate key tO SOFTWARE CheckPoint VpPN1 in the registry on each gateway To add the certificate run the following command from the command prompt ckp regedit a SOFTWARE CheckPoint VPN1 neo gw certificate cert_nickname To remove the certificate run the following command from the command prompt ckp regedit d SOFTWARE CheckPoint VP
114. customized script should be run on central or satellite gateways whenever a tunnel changes its states goes up or down For tracking options see Tracking Options on page 188 4 If a customized script is run edit custom rim sh or bat script in the SFWDIR Scripts directory on each of the gateways Configuring RIM in a Meshed Community 1 Open the Meshed Community properties gt Tunnel Management page In the Permanent Tunnels section select Set Permanent Tunnels The following Permanent Tunnel modes are then made available e On all tunnels in the community e On all tunnels of specific gateways e On specific tunnels in the community For more information on these options see Permanent Tunnels on page 170 When choosing tunnels keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent To configure permanent tunnels see Configuring Tunnel Features on page 168 2 Select Enable Route Injection Mechanism RIM Chapter 8 Route Injection Mechanism 187 Configuring RIM 3 Click Settings The Route Injection Mechanism Settings window open Community WE I Enable customer editable script execution Tracking Route injection track Log Cancel Help Decide if e RIM should run automatically on the gateways SecurePlatform IPSO or Linux only e A customized script should be run on the gateway whenever a tunnel changes its state goes up or down
115. define an Interoperable Device object from Manage gt Network Objects gt New gt Interoperable Device e If it is a Check Point gateway In the Network Objects tree right click and select New gt Check Point gt Externally Managed Gateway 3 Set the various attributes of the peer gateway In particular be sure to do the following e In the General Properties page of the gateway object select VPN for an Externally Managed Check Point gateway object only 86 Configuring a VPN with External Gateways Using a Pre Shared Secret in the Topology page define the Topology and the VPN Domain using the VPN Domain information obtained from the peer administrator If the VPN Domain does not contain all the IP addresses behind the gateway define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain 4 Define the Community The following details assume that a Star Community was chosen but a Meshed Community is an option as well If working with a Mesh community ignore the difference between the Central gateways and the Satellite gateways Z Agree with the peer administrator about the various IKE properties and set them in the VPN Properties page and the Advanced Properties page of the community object Define the Central gateways These will usually be the internally managed ones If there is no another Community defined for them decide whether or not to mesh the centra
116. e Keep installed Default Do not uninstall If the user wishes to uninstall the SSL Network Extender he she can do so manually e Ask user whether to uninstall Ask user whether or not to uninstall when the user disconnects e Force uninstall Always uninstall automatically when the user disconnects For a description of the user disconnect experience refer to Uninstall on Disconnect uninstall and will not uninstall the SSL Network Extender if a user has entered a OS Note The Uninstall on Disconnect feature will not ask the user whether or not to suspend hibernate state while he she was connected 6 You can determine whether Endpoint Security on Demand will be activated or not When ESOD is activated users attempting to connect to the SSL Network Extender will be required to successfully undergo an ESOD scan before being allowed to access the SSL Network Extender Select the desired option from the drop down list The options are e None e Endpoint Security on Demand 642 Configuring the SSL Network Extender Fetching the xml Configuration File After installing the ESOD server and configuring it you must fetch the xml config file from the ESOD server by performing the following steps 1 Open a browser on any machine 2 Browse to http lt site ip gt lt site name or virtual directory gt sre report asp and save the displayed XML file to disk using Save As 3 Copy the XML file to SFWDIR conf ext
117. e Update topology every hours The site s topology will be updated before the next key exchange if the defined period has elapsed since the last topology update The following features become available if Update topology every hours is enabled e Automatic update If enabled the site will be updated after the key exchange according to the value of Update topology every hours This will allow to avoid prompting the user to update sites e Upon VPN 1 SecuRemote SecureClient startup If enabled the user will be prompted to update the topology when the SecuRemote Client starts If the user is not connected to the network when the SecuRemote Client starts he or she can reject the prompt In this case the topology will be automatically updated after the next key exchange with the site Chapter 27 Remote Access Advanced Configuration 589 How to Work with non Check Point Firewalls How to Work with non Check Point Firewalls If a SecuRemote SecureClients is located behind a non Check Point firewall the following ports must be opened on the firewall to allow SecuRemote SecureClient traffic to pass Table 27 3 ports to open for non Check Point firewalls port explanation UDP port 500 always even if using IKE over TCP TCP port 500 only if using IKE over TCP IP protocol 50 ESP unless always using UDP encapsulation UDP port 2746 configurable only if using UDP encapsulation UDP port 259 only if
118. e area eeen das a a a a EEE EE 54 Understanding DoS Attacks molann a e e e aa ei 54 IKE DoS Attac kS ario aaen aa e aa AA Aa EE aE aE 54 Defense Against IKE DoS Attacks ccccsccceecceeeceeeeeeceeeeeeeeeeeseeeseeeneeeaeeeaes 55 SmartDashboard IKE Dos Attack Protection Settings cccccsseeeeseeeeeaeeeees 56 Advanced IKE Dos Attack Protection Settings cccccccssecccseeeeeeseeeseeesneeees 57 Configuring Advanced IKE Properti S c ccccccescccssceeceeeceeseceseeeeseeeesaeessneeeeaes 59 On the VPN Community Network Object cccccccsecccceeeeeseeeeseeeeseeeeeaeeeeaaes 59 On the Gateway Network Object ccccccseececeeeeeeeeeeeceeeeceeceueeeeeeeeeseeeseeesenees 59 Table of Contents 5 Chapter 4 Chapter 5 Introduction to Site to Site VPN The Need for Virtual Private Networks ccccccceeeeeeeeceeeeeeeaeeeeeeeseaeeeeeeseeeeeeeees 62 Confidential ity eeii meny nn en aaa hel a0 Pate nal Medals idan a one ed 62 A thenticatio Neres a ae deine te sehen bes San ana a rana a ae eaa teed 62 INTE SHITY A A E A E E es E S E E S 62 The Check Point Solution for VPN ccccccseeeeeeeceeeeeeeceeeeeeeecaeeeeseeseeeeeeeseeeeeeees 63 HOW iit Worksin aa alia a tas Tents aa a e a a levees aa e S 63 VPN COMMUNITIES aen aaa a a ea Ea 65 VPN TODOIOSIES siiente aa a a a a a a ene ales e LNN 66 Authentication Between Community Members cccceecccsseeeseeeeeeeeeeaeeeesnees 71 Dynamically
119. editor in order to add or remove flags Note Exporting startup c will also export the global property neo allow client db export with the value set to true To restrict users from exporting the client configuration edit the startup C and remove the property or set it to false Client Deployment Overview Defining the Client Installation Version The default client installation version is the client build number defined by Check Point To change the client installation version l eS ew Obtain the SecureClient Mobile distribution zip file from the Check Point Download Center site or from the CD Save the distribution zip file to your local machine and extract its contents One of the files is the SecureClient Mobile Setup lt build number gt zip file Extract SecureClient Mobile Setup lt build number gt zip to a folder for example scm This creates a number of subfolders In the SCM folder open the SecureClient Mobile Setup lt build number gt inf file using a text editor Change the following attribute to the desired build number NEO VERSION NUMBER lt build number gt Save the file Continue to Creating a CAB Package on page 473 Creating a CAB Package A CAB package is created from the application files using the Cabwiz utility Cabwiz can be downloaded and installed from the Microsoft Pocket PC 2003 SDK To create a CAB package l To obtain the Cabwiz util
120. file proceed as follows 1 Obtain the SecureClient Mobile distribution zip file from the Check Point Download Center site or from the CD 2 Save the distribution zip file to your local machine and extract its contents One of the files is the SecureClient Mobile MSI file 3 Run tools neo_msi_tool exe SecureClient_Mobile MSI SecureClient_Mobile CAB Configuring the SAA Plugin Enabling the SAA plugin enables the ability to implement additonal authentication schemes for example SoftID The plugin also allows customizing the login page To enable the SAA plugin using GuiDBedit 1 Set the property neo saa_guilibs to the SAA plugin name for example SAAPlugin dll 2 Save the change and exit GuiDBEdit 3 Install the updated policy Once the SAA plugin is enabled on the gateway the client can be configured in one of two ways 1 Manually 2 Using a predefined package Client Deployment Overview Configuring the SAA Plugin on the Client Manually On the device 1 Copy the SAA plugin into the following folder Program Files CheckPoint SecureClient Mobile 2 Connect to the gateway During the connection process the defined SAA plugin pop up appears In the event you receive the following error message Configuration Error Failed to load SAA plugin use the client login page username password to connect Once connected quit and relaunch the client again Using a Predefined Package This configuration is for s
121. firewall settings permit clear traffic to exit the device to the encryption domain This is required when the connected PC is located inside the encryption domain and the encryption of data is not necessary A message balloon appears when the client disconnects client_decide neo allow clear while _ disconnected Enables clear traffic to the encryption domain when the client is disconnected The client prevents clear traffic to the encryption domain from exiting the machine at all times except if this flag is set to true Note In an IPSEC client this functionality is achieved using the VPN chain in the firewall In SecureClient Mobile this functionality is achieved using the firewall rule setting false true client_decide 464 Table 19 4 General Properties Advanced Configuration Property Description Valid Values Default value in bold neo_run_client_on_dev Runs the client on false true client_decide ice startup device startup neo enable kill Specifies whether the false true client_decide user can stop the client If this option is set to false the quit option does not appear in the client menu neo_allow_client_debu Enables the client false true client_decide g_ logs troubleshooting window neo_allow_client_db_e Enables the client to false true client_decide xport export its local database to a clear text file is used to create a
122. for subnets and the option remains unsupported on the remote peer when host A communicates with host C a Security Association SA 1 will be negotiated between host A s subnet and host C s IP address The same SA is then used between any host on the 10 10 11 x subnet and Host C When host A communicates with host B a separate Security Association SA 2 is negotiated between host A s subnet and host B As before the same SA is then used between any host in 10 10 11 x subnet and Host B Overview Figure 2 5 SA per host 10 10 11 x o SA 2 10 10 12 10 10 10 x 10 10 13 x Paiki Gaane Remote VPN Peer In other words when Support Key exchange for subnets is not enabled on communicating gateways then a security association is negotiated between individual IP addresses in effect a unique SA per host Chapter 2 IPSEC amp IKE 53 IKE DOS Protection IKE DOS Protection 54 In This Section Understanding DoS Attacks page 54 IKE DoS Attacks page 54 Defense Against IKE DoS Attacks page 55 SmartDashboard IKE Dos Attack Protection Settings page 56 Advanced IKE Dos Attack Protection Settings page 57 Understanding DoS Attacks Denial of Service DoS attacks are intended to reduce performance block legitimate users from using a service or even bring down a service They are not direct security threats in the sense that no confidential data is exposed and no user gains unauthorized privileges However th
123. gateway is done through a network interface card proceed to step 5 5 Select Connect to connect to the organization using Office Mode The administrator can simplify configuration by configuring a profile in advance and providing it to the user Office Mode per Site In SmartDashboard 1 Click Policy gt Global Properties gt Remote Access gt VPN Advanced The VPN Advanced window is displayed Chapter 15 Office Mode 323 Configuring Office Mode Figure 15 6 VPN Advanced Window E Remote Access VPN Basic Secure Configur SSL Network E SecureClient Mc Early Versions C SmartDirectory LDA QoS SmartMap Firewall 1 Gx User uthority Management High 4 ConnectControl DSE Open Security Stateful Inspection 2 In the Office Mode section select Use first allocated Office Mode IP address for all connections to the Gateways of the site 3 Click OK 324 Chapter 16 SecuRemote SecureClient In This Chapter The Need for SecureClient page 326 The Check Point Solution page 327 SCV Granularity for VPN Communities page 328 Selective Routing page 330 Desktop Security Policy page 333 NAT Traversal Tunneling page 336 Configuring Idle Detection page 349 Configuring SecureClient page 340 325 The Need for SecureClient The Need for SecureClient 326 Anyone who wishes to send or receive e mail while at home or while over the weekend needs to do so
124. gateways are selected in SmartDashboard Chapter 6 Route Based VPN In This Chapter Overview page 130 VPN Tunnel Interface VTI page 131 Using Dynamic Routing Protocols page 135 Configuring Numbered VTIs page 136 VTIs in a Clustered Environment page 139 Configuring VTIs in a Clustered Environment page 140 Enabling Dynamic Routing Protocols on VTIs page 147 Configuring Anti Spoofing on VTIs page 151 Configuring a Loopback Interface page 153 Configuring Unnumbered VTIs page 156 Routing Multicast Packets Through VPN Tunnels page 160 129 Overview Overview 130 The use of VPN Tunnel Interfaces VTI introduces a new method of configuring VPNs called Route Based VPN This method is based on the notion that setting up a VTI between peer gateways is much like connecting them directly A VTI is an operating system level virtual interface that can be used as a gateway to the encryption domain of the peer gateway Each VTI is associated with a single tunnel to a security gateway The tunnel itself with all its properties is defined as before by a VPN Community linking the two gateways The peer gateway should also be configured with a corresponding VTI The native IP routing mechanism on each gateway can then direct traffic into the tunnel just as it would for any other type of interface All traffic destined to the encryption domain of a peer gateway will be routed through the associated VTI This infrastructure allows dynamic r
125. ia iea aa aiaa iaia daea iae iah Management of Internal CA Certificates ccccccecccceeceeeeeeeseeeeeeeeeaeeeenees Importing Certificate niite hie oc aaa fev eda aud ened oe Reheat Topology Update sine sdteccs retin aseteeiaieier ies etnias aed a a Divan dd aE Pete a SECU PONCY aiaa ini aoier a a a tonal beoatet lattes aaa Route All Traffic Hub Mode ccccecccceesessseeeeeeeeeeeeeeeeeeesaeeaeeeseeseeeeeeeeesaaaea Cli nt Sid ContiSurations 22 25 4608 e e a ea a a aa COMNECtING tO a Site EEES aoe de A AEE T E Contiguring Display Settines sinsa eoa aaraa a a a Stat s P ger inne aenda ee aea aa aaa EEEa aAa Eaa a E E Taaa Advanced Configuration ccccccccseeceseeeeeaeeeeeeeeaes Configuring a Non Centrally Managed Gateway Configuration in a Mixed SecureClient and SecureClient Mobile Environment 467 Client Deployment OVErVieW cccccceeccceeececeeeeeeeceseeeesseeceseeeeeseeeeseesesaeeeeseeees 469 Package CUSTOMIZATION eniinn hows sla derdslaudarsavcuesbecsuectees 469 Table of Contents 13 Adding a File to a CAB Package ccccceccccceecececeseeeeeeeceeeeeseeseeeesneeesaeeeeas 470 Deleting a File from a CAB Package ccccccccssccccecceeeeceseeeeeeeeeeseeeeeneeeenaes 471 Exporting the Client Configuration ccccccecccccecceseeeceeeeeseeeeseeeesaueeeeeeeeeaes 472 Defining the Client Installation Version ccccccccsscccceeceseeeeseeeesaeeeeseeeeeaes 473 Creatinga CAB Pack
126. in the SmartDirectory LDAP server is done externally and not locally Secondly on a SmartDirectory LDAP server templates can be modified and applied to users dynamically This means that user definitions are easy to change and to manage and changes are instantaneous or live Changes that are applied to a SmartDirectory LDAP template are reflected immediately for all users who are using that template NT Group RADIUS Class Authentication Feature Authentication can take place according to NT groups or RADIUS classes In this way remote access users are authenticated according to the remote access community group they belong to Q Note Only NT groups are supported not Active Directory 282 VPN for Remote Access Configuration VPN for Remote Access Configuration In This Section Establishing Remote Access VPN page 284 Defining User and Authentication Methods in LDAP page 286 Defining User Properties and Authentication Methods page 286 Initiating User Certificates in the ICA Management Tool page 286 Generating Certificates for Users in SmartDashboard page 287 Initiating Certificates for Users in SmartDashboard page 287 Configure Certificates Using Third Party PKI page 288 Enabling Hybrid Mode and Methods of Authentication page 289 Configuring Authentication for NT groups and RADIUS Classes page 290 Using a Pre Shared Secret page 290 Defining an LDAP User Group page 290 Defining a User Group page 291 Defining a VPN Commu
127. is done for inbound packets An IPsec packet enters the machine coming from gateway Y The VPN kernel intercepts the packet on the physical interface The VPN kernel identifies the originating VPN peer gateway The VPN kernel decapsulates the packet and extracts the original IP packet The VPN kernel detects that a VPN Tunnel Interface exists for the peer VPN gateway and reroutes the packet from the physical interface to the associated VPN Tunnel Interface The packet enters the IP stack through the VPN Tunnel Interface Chapter6 Route Based VPN 131 VPN Tunnel Interface VTI Figure 6 1 Routing to a Virtual Interface Security Gateway Virtual Interface Virtual interface Incoming VPN traffic Physical interface _ In Route Based VPN VTIs are created on the local gateway Each VTI is associated with a corresponding VTI on a remote peer Traffic routed from the local gateway via the VTI is transferred encrypted to the associated peer gateway Figure 6 2 Route Based VPN am NSE ainis A VTI aed 4 b GWb_ vTI member_GWA2 Clust r GWA In this scenario e There is a VTI connecting Cluster GWA and GWb e There is a VTI connecting Cluster GWA and GWc e There is a VTI connecting GWb and GWc 132 VPN Tunnel Interface VTI A virtual interface behaves like a point to point interface directly connected to the remote peer Traffic between network hosts is r
128. mapped drives remain functional even as users roam in and out of the network Note While Endpoint Connect can reside on the same host with SecureClient or Endpoint Security users should avoid connecting with the two VPN clients to the same network at the same time pabilities Resident on the users desktop or laptop Endpoint Connect provides various capabilities for connectivity security installation and administration Connectivity e Network Layer Connectivity An IPSec VPN connection to the gateway for secure encrypted communication If the network connection is lost the client seamlessly reconnects without user intervention e Intelligent Auto detect and connect Whenever the gateway or client s location changes Endpoint Connect autodetects the best method to establish a connection using either NAT T or Visitor mode intelligently auto switching between the two modes as necessary e Smart location awareness Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain Enterprise LAN and automatically connects or disconnects as required Capabilities Proxy detection Proxy servers between the client and the gateway are automatically detected authenticated to and replaced when no longer valid Transparent Network and Interface Roaming If the IP address of the client changes for example if the client is using a wireless connection then physically connects to a LAN that is not part o
129. msi 386 Chapter 18 Endpoint Connect API In This Chapter Introduction to the Client OPSEC API page 388 Function Return Codes page 389 Client Functions Communicating with Service page 390 Notification Identifiers page 399 Functions from Service to Client page 405 This section covers the OPSEC API for embedded custom client integrations The API contains functions exported by the TrAPI dll library an API infrastructure employed to transfer messages between the client and the tracsrvwrapper service The API exposes functions that form synchronic actions for example retrieving the status for a specific connection The API also contains functions that enable the client to register to receive various notifications from the service Because the notifications can arrive at any time these functions are considered asynchronic API calls to the client block the client until the function completes When the API calls any API function the API infrastructure sends the corresponding message to the service and waits for the service s response Function prototypes are defined in the TrAPITypes h header file To use the client API first download the client zip file from the Check Point Support Center The zip file contains the library file TrAPI dlIl and the header files TrAPITypes h and TrAPI h 387 Introduction to the Client OPSEC API 388 Introduction to the Client OPSEC API The client API is C based Exported functions must have a
130. must be the IP address of the gateway if referring to a specific gateway otherwise an empty string Each argument must be a string that holds the name of the attribute Prototype TRAPI CPAPI TrStatus TrSetConfiguration TrMsg pConfiguration Arguments Argument IN OUT Meaning pConfiguration in configuration to be stored TrAPIGetVersion Returns the client version Prototype TRAPI CPAPI TrStatus TrAPIGetVersion TrVersion version Chapter 18 Endpoint Connect API 397 Client Functions Communicating with Service 398 Arguments Argument IN OUT Meaning version out Returns major version minor version and build number TrSendNotification Sends a notification from the client to the service All notifications are described in TrAPIType h The client can register with the service to receive only specific notifications By default the client receives all notifications Prototype TRAPI CPAPI TrStatus TrSendNotification TrNotification pClientNotification Arguments Argument IN OUT Meaning pClientNotification in Notifications to send to the service TrRegisterErrorCallback When communication with the service is lost the client registers a callback to be called by TrAPI dll Prototype TRAPI CPAPI void TrRegisterErrorCallback ErrorCbFunctor cb void clientOpaque Notification Identifiers Arguments Argument IN OUT Meaning ErrorCbFunc
131. neo remember user password timeout neo user auth methods neo user re auth timeout and neo saa_guilibs url properties Note RSA SoftID is an authentication method that generates a unique onetime passcode every 60 seconds used for secure access over the Internet The passcode is generated using the PIN and obtained automatically SecureClient Mobile gets the passcode from SoftID by communicating directly with the SoftID application The SoftID application must be installed on the device but does not have to be running When the user has no PIN either because the tokencard is new or the administrator reset the PIN the PIN field is left blank Once logged in the user is directed to a page that requires a PIN to be created This PIN is used for subsequent logins Prior to logging in the token file containing the shared token must be imported into the SoftID application This file is required for the authentication between the Authentication server ACE Server and the SoftID application The token file is protected by the pass_phrase The pass_phrase may be obtained from the system administrator Chapter 19 SecureClient Mobile 425 Connectivity Features Support for Alternate Gateway The client supports two methods for high availability and load sharing 1 Clustering Two or more gateways are logically placed behind one IP address providing full session continuation and load balancing in case of hardware failure 2 DNS based cl
132. network 10 0 1 10 0 0 0 0 area 0 0 0 0 localhost config router ospf network 10 0 0 3 0 0 0 0 area 0 0 0 0 Redistribute kernel routes this is only here as an xample please s the dynamic routing book for more specific commands concerning redistribution of routes localhost config router ospf redistribute kernel localhost config router ospf exit localhost config exit SSSR Write configuration to disk localhost write memory IU0 999 Configuration written to etc gated ami localhost quit Chapter 6 Route Based VPN 149 Enabling Dynamic Routing Protocols on VTIs Table 6 8 Dynamic Routing on GWC 150 SSS ae Launch the Dynamic Routing Module GWc expert Enter expert password You are in expert mode now Expert GWc cligated localhost gt enable localhost configure terminal Saintes aac Enable OSPF and provide an OSPF router ID localhost config router ospf 1 localhost config router ospf router id 190 190 1 1 SeseSss2 Define interfaces IP s on which OSPF runs Use the cluster IP as defined in topology and the area ID for the interface IP localhost config router ospf network 10 0 1 20 0 0 0 0 area 0 0 0 0 localhost config router ospf network 10 0 0 2 0 0 0 0 area 0 0 0 0 Redistribute kernel routes this is only here as an xample please s the dynamic routing book for more specific commands concerning redistribution of routes localh
133. new group of machines or networks by clicking New In the VPN page Certificate List area Add a certificate issued by the ICA Still on the VPN page click Traditional mode configuration The Traditional mode IKE properties window opens e In the Support authentication methods area select Public Key Signatures To specify that the gateway will only use certificates issued by the ICA click Specify and select the ICA e Select IKE Phase 1 encryption and data integrity methods or accept the checked defaults Defining the Encrypt Rule 8 In the Security Rule Base define the Encrypt rule s 9 If you wish to change the IKE Phase 2 properties for this rule double click the Encrypt action and make the required changes Chapter 13 Traditional Mode VPNs 259 Configuring Traditional Mode VPNs 260 VPN Between Internal Gateways Using Third Party CA Certificates 1 Obtain the CA certificate and define the Certificate Authority CA object For details see Enrolling with a Certificate Authority on page 107 Defining the Gateways 2 9 Define the Check Point gateway object In the Network Objects tree right click and select New gt Check Point gt Gateway In the General Properties page select either VPN In the Communication window establish Secure Internal Communication In the Topology page define the IP address network mask and anti spoofing for every gateway interface Still on the Topology
134. of the gateway the connection is dropped For example referring to Figure B 1 and Table B 1 if Source X is in Net_C and Destination Y is in Net_D gateway 1 drops the connection This is because the Action says Encrypt but the connection cannot be encrypted because the source is not in the Encryption Domain of gateway 1 2 If the source and destination are inside the encryption Domain of the same gateway In this case the connection is accepted in the clear For example referring to Figure B 1 and Table B 1 if Source X is in Net_A and Destination Y is in Net_B the connection originates at X and reaches the gateway which forwards the response back to Y The connection is not encrypted because there is no peer gateway for Y that could decrypt the connection A SmartView Tracker log is issued Both endpoint are in the Encryption Domain AppendixB 721 Principles of the Conversion to Simplified Mode 722 The converter Wizard attempts to maintain the best possible balance between connectivity and security by using the following principles e Refuse all traffic that could have been refused in traditional Mode This may mean that some connections may be dropped that were allowed by the traditional rule base e Encrypt at least all traffic that would be encrypted in traditional policy This means that the converted policy may encrypt more connections than the original policy What this means is that not all traditional polici
135. on Office Mode addresses Chapter 19 SecureClient Mobile 447 Configuring SecureClient Mobile Authentication Schemes There are four ways to identify and authenticate a remote user 448 Certificate The system authenticates the user through a certificate Enrollment is not permitted Certificate with enrollment The system authenticates the user through a certificate Enrollment is permitted If the user does not have a certificate enrollment is permitted using a registration key provided by the system administrator Legacy The system authenticates the user through their username and password as well as other challenge response options for example SecurlID Mixed The system attempts to authenticate the user through a certificate If the user does not have a valid certificate the system attempts to authenticate the user through one of the legacy methods Note The Certificate with enrollment feature is currently not implemented by the client It will have the same effect as selecting Certificate option SecureClient supports a secure authentication SAA OPSEC interface that allows third party extensions to the standard authentication schemes For this scheme to work Legacy scheme should be selected here The neo saa _guilibs peopery should also be updated with the SAA DLL name using the GuiDBEdit tool Configuring the Authentication Method There are two methods used to configure the authentication method l
136. period in hours during which the SCV policy is considered valid since the last logon to the Policy Server When this timeout is about to expire SecureClient will attempt to logon to the Policy Server to get a new SCV policy Chapter 23 Secure Configuration Verification 555 Configuring SCV 556 Possible values are between 1 and 504 hours 21 days The default value is 168 hours one week If you set the value to O the SCV policy never expires no time out enforce ip forwarding true false If true the IP Forwarding between network interface cards on the user s desktop must be disabled for the user to be considered SCVed ip forwarding mismatchmessage Message string placed here The value is a string displayed when ip forwarding is enabled For example ip forwarding mismatchmessage Please etc This is relevant only if ip forwarding is part of the SCV checks that is if the parameter is defined as True not verified script script_name bat The name of executable that will be run when the Desktop is not SCVed The next three parameters provide more options related to the running of the executable not verified script run_show true false If true the executable s progress will be displayed in an onscreen window not_verified script run_admin true false If true the executable will run with administrator privileges not verified script run always true false
137. posed by Malware types such as Worms Trojan horses Hacker s tools Key loggers Browser plug ins Adwares Third party cookies and so forth SSL Network Extender can be configured to work in Hub Mode VPN routing for remote access clients is enabled via Hub Mode In Hub mode all traffic is directed through a central Hub Chapter 30 SSL Network Extender 635 Configuring the SSL Network Extender Configuring the SSL Network Extender The following sections describe how to configure the server Load Sharing Cluster Support customizing the Web GUI upgrading the SSL Network Extender client and Installation for Users without Administrator privileges are also discussed In This Section Configuring the Server page 636 Load Sharing Cluster Support page 646 Customizing the SSL Network Extender Portal page 647 Installation for Users without Administrator Privileges page 651 Configuring the Server Before configuring the server verify that you have a valid license for the SSL Network Extender Use cpconfig to verify that you have a valid license for the SSL Network Extender Check Point software is activated with a License Key You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack in the Check Point Support Center http support checkpoint com 636 Configuring the SSL Network Extender Server Side Configuration The SSL Network Extender requires only server side
138. protocols IKE creates the VPN tunnel and this tunnel is used to transfer IPSec encoded data Think of IKE as the process that builds a tunnel and IPSec packets as trucks that carry the encrypted data along the tunnel Figure 4 1 Simplified VPN tunnel IPSec Security Security Gateway IPSec packet Gateway j VPN tunne Sim How it Works In Figure 4 2 host 1 and host 6 need to communicate The connection passes in the clear between host 1 and the local gateway From the source and destination addresses of the packet the gateway determines that this should be an encrypted connection If this is the first time the connection is made the local gateway initiates an IKE negotiation with the peer gateway in front of host 6 During the negotiation both gateways authenticate each other and agree on encryption methods and keys After a successful IKE negotiation a VPN tunnel is created From now on every packet that passes between the gateways is encrypted according to the IPSec protocol IKE supplies authenticity gateways are sure they are communicating with each other and creates the foundation for IPSec Once the tunnel is created IPSec provides privacy through encryption and integrity via one way hash functions Chapter 4 Introduction to Site to Site VPN 63 The Check Point Solution for VPN 64 Figure 4 2 Confidentiality integrity and authentication via IPSec Security Gateway VPN Tunnel Ipsec
139. random bits H Public Key I each side produces a DH private key Public Key m S ssa PEE Each peer derives a DH public key from its private key Public keys are exchang r 7 S Public ki hanged Each side produces a shared secret from their private key and the other s public key Shared secret is the Diffie Hellman key DH Key used to exchange key material random bits and other mathematical data Agreement on methods of encryption and integrity for IKE phase II I Key Material Material Each side independently K baa 3 generates a symmetrical key based on the DH key and the key material exchanged between them Symmetrical key Symmetrical key IKE Phase lI Quick mode or IPSec Phase IKE phase II is encrypted according to the keys and methods agreed upon in IKE phase The key material exchanged during IKE phase II is used for building the IPSec keys The outcome of phase II is the IPSec Security Association The IPSec SA is an agreement on keys and methods for IPSec thus IPSec takes place according to the keys and methods agreed upon in IKE phase II Chapter 2 IPSEC amp IKE 45 Overview Figure 2 2 IKE Phase II IKE Phase II Security Gateway Security Gateway Key Material Peers exchange more key material and agree on encryption and integrity Symmetrical key Symmetrical key methods for IPSec Agreements e
140. seamless connectivity for the end user The client GUI and visual elements were designed with user friendliness and minimal interaction Session Continuation and Timeout Once authenticated the client is assigned a session id that is valid for a configurable duration During this time if the client s VPN connection is dropped due to various networking conditions the client uses its session id to seamlessly reconnect the VPN connection without disturbing the overall user experience For example this occurs if a user goes through a tunnel or enters an elevator If user moves its internet connectivity from one interface to another for instance from GPRS UMTS to WiFi SecureClient Mobile seamlessly reconnects maintaining connections that are open above the VPN tunnel The user may be prompted for authentication credentials five minutes before the session is timed out Once these credentials are accepted the time out interval is initialized If the user does not provide in time it is disconnected from the server and must reconnect and re authenticate the client manually The user can also manually end its session by disconnecting the client This feature is on by default and can be configured using the neo user re auth timeout and neo implicit disconnect timeout properties Chapter 19 SecureClient Mobile 423 Connectivity Features 424 Initiate Dialup SecureClient Mobile can be configured to initiate a dialup connection for examp
141. securely When on the road several challenges are presented by different network environments such as a hotel Internet connection or the connection from a business partner s network The Check Point Solution The Check Point Solution VPN SecuRemote SecureClient allows you to connect to your organization in a secure manner while at the same time protecting your machine from attacks that originate on the Internet You can access private files over the Internet knowing that unauthorized persons cannot view the same file or alter it With VPN SecuRemote SecureClient remote users connect to the organization using any network adapter including wireless adapters or modem dialup Once both sides are sure they are communicating with the intended party all subsequent communication is private encrypted and secure This is illustrated in Figure 16 1 Figure 16 1 SecureClient connecting to Site Site s Gateway VPN Tunnel Remote User How it Works SecuRemote SecureClient provides secure connectivity by authenticating the parties and encrypting the data that passes between them To do this VPN SecuRemote SecureClient takes advantage of standard Internet protocols for strong encryption and authentication Authentication means that both parties identify themselves correctly Encryption ensures that only the authenticated parties can read the data passed between them In addition the integrity of the data is maintained which means the
142. site s gateway The gateway contacts the ACE Server for user authentication information This means e Remote users must be defined as RSA users on the ACE Server e On the gateway SecurlD users must be placed in a group with an external user profile account that specifies SecurlD as the authentication method For remote users to successfully use RSA s softID 1 Create a remote users group on the Ace Server 2 Distribute the SDTID token file or several tokens to the remote users out of band 3 Instruct remote users on how to import the tokens Chapter 17 Endpoint Connect 375 Configuring Logging Options for Client Users 376 Configuring Logging Options for Client Users The Options window Advanced tab of the client enables users to send log using their default mail client Administrators can Define an email address for these log files by modifying the send_client_logs attribute in SFWDIR conf trac_client_1 ttm on the gateway send_ client logs gateway default email example com If an email address is not defined in trac client_1 ttm clicking Collect Logs in the Options gt Advanced window collects all the client logs into a single CAB file which the user can save and then send to the network administrator as an attachment Disabling CAPI Authentication Endpoint Connect supports user authentication through the use of PKCS 12 certificates A PKCS 12 certificate can be acces
143. step procedures for each phase Figure 14 2 displays a general workflow for establishing remote access VPN 284 VPN for Remote Access Configuration Figure 14 2 Work Flow for establishing remote access VPN Create Gateway and define Gateway Properties Define user properties in Internal database Create LDAP account unit and define user properties Managing Users Initiate user Certificate in ICA Management tool Generate Initiate user Enable Hybrid certificate in cannone for Configure mode and Certificates Authentication Seanttisetinoets SmartDashboard methods for users Enable Hybrid mode and Authentication methods for users er ere Define VPN Community and Participants Define access rules in Security Policy Rule Base Install Policy Chapter 14 Introduction to Remote Access VPN 285 VPN for Remote Access Configuration Creating the Gateway and Defining Gateway Properties 1 In SmartDashboard create the gateway network object On the General Properties page of the network object select VPN Initialize a secure communication channel between the VPN module and the Security Management server by clicking Communication 4 On the Topology page of gateway define the gateway s interfaces and the VPN domain A certificate is automatically issued by the Internal CA for the gateway Defining User and Authentication Methods in LDAP 1 Obtain and install
144. that was not completed by the user you can disable the pending certificate by clicking Disable in the Certificates tab of the User Properties window If the certificate is already active you can revoke it by clicking Revoke in the Certificates tab of the User Properties window For Users Managed in LDAP If users are managed in LDAP certificates are revoked using the ICA management tool Chapter 14 Introduction to Remote Access VPN 293 VPN for Remote Access Configuration 294 Modifying Encryption Properties for Remote Access VPN The encryption properties of the users participating in a Remote Access community are set by default If you must modify the encryption algorithm the data integrity method and or the Diffie Hellman group you can either do this globally for all users or configure the properties per user To modify the user encryption properties globally 1 Select Policy gt Global Properties gt Remote Access gt VPN IKE Phase 1 Configure the appropriate settings e Support encryption algorithms Select the encryption algorithms that will be supported with remote hosts e Use encryption algorithms Choose the encryption algorithm that will have the highest priority of the selected algorithms If given a choice of more that one encryption algorithm to use the algorithm selected in this field will be used e Support Data Integrity Select the hash algorithms that will be supported with remote hosts to e
145. the ICA Management Tool cccseceeeeeeeees 286 Generating Certificates for Users in SmartDashboard cccccceceeseeeeeaeeeeees 287 Initiating Certificates for Users in SmartDashboard ccccecccseeeeeeeeeeseeeeeas 287 Configure Certificates Using Third Party PK cc cccccssececseeceseeeeeeeeeaeeeees 288 Enabling Hybrid Mode and Methods of Authentication ccccccccseeeeeeeeees 289 Configuring Authentication for NT groups and RADIUS Classes 000006 290 Using a Pre Shared Secret cierne neea iii ea aa aE E a 290 Defining an LDAP User Group ccccccccceeeeccceseeeaeeceeeeceseeeeeseeeeeaeeesseeeesaaes 290 Defining a USer Grou D a aa a a tele aide cee e a 291 Defining a VPN Community and its Participants cccccceccsseeceseeeeeeeeeeaees 291 Defining Access Control RUI S ccccceecccsscccceeeeceeeeeeeseesueeeseeeeeaeeeesaeseeaaes 291 Installing the POlCY aeter dneni ae a aan a aaae a aa E eda E a da ENSE aaa 292 User Certificate Management ccccccseccceeeeceeeeceeeeeeeseeeeeeeeeeaeeeseeeesaeeeeas 292 Modifying Encryption Properties for Remote Access VPN sscccseeeeseeeeees 294 Working with RSA S Hard and Soft Tokens cccccceccccecceeeceeeseeeeeeeesaeeeeas 295 Chapter 15 Office Mode The Need for Remote Clients to be Part of the LAN c cccecceeceeceeeeeeeeeeeeeeenees 300 Office Mode SoN ON n yall hanacdeausedioandsdaaeibards haven bed v
146. the Remote Client ccccecceeeeeees 274 ConnmectionuMode sists sessed face a a ea araa aa TE Ea ts 275 User Protiles is aaae a a a a a a ees eee 275 Access Control for Remote Access COMMUNILY ccccccceeseeeeeeeceeaeeeeseeeeenes 276 Client Gateway Authentication SCHEMES ccccccceseeeeeseeeceeeeeeeeeeeseeeeneees 276 Advanced Features innii e a lel epi a aie aTi EE ened 279 Alternatives to SecuRemote SecureClient cccceceeeeeeeeeeeeeeeeeeaeeeeeeeaaees 279 VPN for Remote Access Considerations ccccccseeeeeeecceeeeeeeecaeeeeeeeeaeeeeeeeeaeeees 280 Policy Definition for Remote ACCESS ccccceccccececeecceeeeeeseeeeseeeesaeeeeseeeesaas 280 User Certificate Creation Methods when Using the ICA cc cecceeseeeeee scene 280 Internal User Database vs External User Database ccecceeeeeeeeeeeeeeeees 281 NT Group RADIUS Class Authentication Feature ccccccecceseeceeaeeeeeeeeeeaee 282 VPN for Remote Access Configuration ccccccseccsecceseceeeeeeeceeeeeeseeeeaeeeseeeaeenaees 283 Establishing Remote Access VPN ccccccsecccsceeeeecceeeceeeeceeeeeeeaeeeeeeeeeenaes 284 Creating the Gateway and Defining Gateway Properties cccccseceeeeeeeees 286 Defining User and Authentication Methods in LDAP ccccecceceeeeeeeeeeaees 286 Defining User Properties and Authentication Methods cccccceeeeeeeeeeeeee 286 Initiating User Certificates in
147. the SSL Network Extender will be upgraded automatically or not Select the client upgrade mode from the drop down list The options are e Do not upgrade Users of older versions will not be prompted to upgrade e Ask user Default Ask user whether or not to upgrade when the user connects e Force upgrade Every user whether users of older versions or new users will download and install the newest SSL Network Extender version Note The Force Upgrade option should only be used in cases where the system administrator is sure that all the users have administrator privileges Otherwise the user will not be able to connect to and use the SSL Network Extender For a description of the user upgrade experience refer to Downloading and Connecting the Client 4 You can determine whether the SSL Network Extender client will support the 5 RC4 encryption method as well as 3DES RC4 is a faster encryption method Select the supported encryption method from the drop down list The options are e 3DES only Default The SSL Network Extender client supports 3DES only e 3DES or RC4 The SSL Network Extender client supports the RC4 encryption method as well as 3DES You can determine whether the SSL Network Extender will be uninstalled automatically when the user disconnects Select the desired option from the drop down list The options are Chapter 30 SSL Network Extender 641 Configuring the SSL Network Extender
148. the certificate on a diskette 2 The client right clicks the certificate selects Install Certificate Alternatively 1 The client inserts the diskette containing the certificate The client opens the browser From Tools gt Internet options gt select Contents tab Click certificates Ce a aS Click Import The Certificate Import Wizard opens 6 Import the Certificate from the diskette 708 Appendix Appendix A VPN Command Line Interface In This Chapter VPN Comman ds page 712 Secure Client Comman ds page 714 Desktop Policy Commands page 716 VPN Commands The following command lines relate to VPN and are also documented in the Command Line Interface CLI Guide Table A 1 VPN Command Line interface Command Description VPN This command and subcommands are used for working with various aspects of VPN VPN commands executed on the command line generate status information regarding VPN processes or are used to stop and start specific VPN services vpn accel This command performs operations on accelerator cards encryption only cards not the full SecureXL cards and VPNx VPNx is a software module that takes advantage of multiple CPUs to accelerate VPN operations vpn compreset This command resets the compression decompression statistics to zero vpn compstat This command displays compression decompression statistics vpn crl zap This command is used to erase all Certificate
149. the client and software can be neither installed or configured on the client side is accomplished through the use of Clientless VPN Clientless VPN provides secure SSL based communication between clients and servers that support HTTPS In addition e The gateway accepts any encryption method that is proposed by the client and supported in VPN e The gateway can enforce the use of strong encryption for example 3DES e Clientless VPN supports user authentication How it Works Clientless VPN connections can be broken down into two clear phases e Establishing a Secure Channel e Communication Phase Establishing a Secure Channel A secure connection is established in the following way 1 The client s browser makes an HTTPS request to the web server 2 The request reaches the security gateway 3 The security gateway checks the Security Policy to see if the connection matches a rule for HTTPS 4 Ifa rule is matched and Clientless VPN is enabled on the gateway the gateway diverts the connection to the Clientless VPN Security Server Clientless VPN makes use of a special Security Server on the gateway The Clientless VPN Security Server is a daemon process invoked by the gateway to handle Clientless VPN connections Once invoked the Clientless VPN Security Server continues to run as a background process 5 SSL negotiation takes place between the client and the security gateway during which the gateway authenticates itself to
150. the currently logged in user belongs it must obtain this information from the Policy Server as follows after SecureClient authenticates itself to the Policy Server the Policy Server resolves the user groups to which the user belongs and sends this information to SecureClient Once SecureClient knows to which groups the user belongs it is able to enforce the rules defined for that user Rules can also be applied to radius groups on the RADIUS server Default Policy When SecureClient is started and before it connects to the Policy Server it enforces a default policy which consists of the rules defined for all users in the last policy downloaded from the Policy Server This is because at this point SecureClient does not know to which groups the user belongs The default policy is enforced until the user downloads an updated policy and the current user s groups information from a Policy server If a SecureClient loses its connection to the Policy Server it enforces the default policy until the connection is restored and a Policy is downloaded Chapter 21 Desktop Security 493 Desktop Security Solution 494 Policy Server What is a Policy Server A Policy Server is a module installed on a security gateway which serves as a repository for the Desktop Security Policy SecureClient machines download their Desktop Security Policies from the Policy Server High Availability and Load Balancing For load balancing and high av
151. the device Trusted Certificates and SCP Store This locked configuration is common especially with SmartPhone devices This allows the client installer and executables which are signed by Check Point certificates to be installed and run The Check Point certificates are packaged in a small CAB installer that needs to be installed once on the target device before any Check Point product is installed 1 The installer cpcert cab is found in the client ZIP package under the unlock_smartphone folder 2 Copy the cab file to the device while in ActiveSync Run the cab on the device using File Explorer 4 At the end of the installtion you should get a message cpcert cab was successfully installed on your device 438 Client Side Installation CAB Package The cab file is provided by the administrator and may be stored anywhere on the mobile device or an attached storage card The installation can be automated using configuration tools such as Over The Air OTA Installation To install the CAB package 1 On the mobile device in the File Explorer window navigate to the folder where the cab file was placed and select the cab file 2 If prompted to select an installation location Select Device Installing on storage cards is not supported The SecureClient Mobile Setup window opens SecureClient Mobile Setup Install is complete You must reboot for the new settings to take effect Do you want to reboot now
152. the left select the connection s destination Click OK Chapter 26 Using Directional VPN for Remote Access 577 Configuring Directional VPN with Remote Access Communities 578 Chapter 21 Remote Access Advanced Configuration In This Chapter Non Private Client IP Addresses page 580 Preventing a Client Inside the Encryption Domain from Encrypting page 581 Authentication Timeout and Password Caching page 583 SecuRemote SecureClient and Secure Domain Logon SDL page 584 Back Connections Server to Client page 588 Auto Topology Update Connect Mode only page 589 How to Work with non Check Point Firewalls page 590 Early SecuRemote SecureClients Versions page 591 Resolving Internal Names with the SecuRemote DNS Server page 592 579 Non Private Client IP Addresses Non Private Client IP Addresses Remote Access Connections Suppose a SecuRemote SecureClient user connects from behind a NAT device using a non private IP address that belongs to another organization During the life of the connection the gateway routes all traffic intended for that non private IP address to the SecuRemote SecureClient user even traffic intended for the real owner of the IP address Solving Remote Access Issues Set the vpn restrict _client_phase2_ id in the Objects 5 0 C file to the appropriate value as follows Table 27 1 vpn_restrict_client_phase2_id value om only meaning SecuRemote SecureClient behind NAT devices ca
153. the site s gateway The gateway contacts the ACE Server for user authentication information This means e The remote users must be defined as RSA users on the ACE Server e On the security gateway the SecurlD users must be placed into a group with an external user profile account that specifies SecurlD as the authentication method SecurlD Authentication Devices Several versions of SecurlD devices are available The older format is a small device that displays a numeric code called a tokencode and time bars The token code changes every sixty seconds and provides the basis for authentication To authenticate the user must add to the beginning of the tokencode a special password called a PIN number The time bar indicates how much time is left before the next tokencode is generated The remote user is requested to enter both the PIN number and tokencode into SecureClient s connection window The newer format resembles a credit card and displays the tokencode time bars and a numeric pad for typing in the PIN number These type of device mixes the tokencode with the entered PIN number to create a Passcode SecureClient requests only the passcode Chapter 14 Introduction to Remote Access VPN 295 VPN for Remote Access Configuration SoftID operates the same as the passcode device but consists only of software that sits on the desktop 80114323 Software Token File Copy View Tools Help 15 x 26424989 RSA
154. the trusted CAs themselves If the CA that issues the certificate is a subordinate CA that OS Note The list displays only those subordinate CA s that lead directly to a trusted CA and does not lead directly to a trusted CA the subordinate CA will not appear in the list Su Choose the appropriate method for Key Pair creation and storage See Distributed Key Management and Storage on page 101 for more information 7 Click Generate Chapter 5 Public Key Infrastructure 107 Configuration of PKI Operations 108 The Generate Certificate Properties window is displayed Generate Certificate Request q x Certificate Request Fill in the DN and press OK for the Certificate Request generation DN EN Londonaw O CheckPoint C UK IV Define Alternate Name Text Add Edit Remove OK Cancel 8 10 11 Enter the appropriate DN The final DN that appears in the certificate is decided by the CA administrator If a Subject Alternate Name extension is required in the certificate check the Define Alternate Name check box Adding the object IP as Alternate name extension can be configured as a default setting by selecting in Global Properties gt SmartDashboard Customization gt Configure gt Certificates and PKI properties the options add_ip_alt_name_for_opsec_certs add_ip_alt_name_for_ICA_certs The configuration in this step is also applicable for Internal CA s Click OK Th
155. the user When the user connects using SecureClient Mobile without a certificate the Enrollment window opens and the user can create a certificate by entering the registration key they received from the system administrator Wj Note The system administrator can direct the user to the URL Sr http lt IP gt registration html to receive a registration key and create a certificate even if they do not wish to use the SSL Network Extender at that time Importing a Certificate To import a certificate using SecureClient Mobile the certificate must already be on the Pocket PC and located in the My Documents directory To import a certificate 1 Select Start gt Programs gt Connection gt Certimport 450 Configuring SecureClient Mobile Click the certificate to be imported Enter the certificate password Select Import issuer to Root CA to import the certificate of the CA that was issued for the imported certificate Use this feature when user and server certificates are issued by the same CA for example a Check Point internal CA To view the additional certificate select Start gt Settings gt System gt Certificates gt Root To view the personal certificate select Start gt Settings gt System gt Certificates gt Personal Click ok A window opens indicating that the certificate was imported successfully Click OK Topology Update Topology updates are downloaded or updated to the client automatic
156. the user to re enter their credentials neo_always_ connected Always connected The client false true automatically connects to the client_decide last connected gateway When the device has a valid IP address When the device wakes up after it had low power and after a soft reset After the condition that caused the device to automatically disconnect ceases to exist Allow clear traffic during ActiveSync Disconnect when idle Chapter 19 SecureClient Mobile 457 Advanced Configuration Table 19 1 VPN Properties Property Description Valid Values Default value in bold neo_always_ connected retr The always connected retry 1 default y timeout in minutes If an MAX_INT automatic connection fails the client tries to reconnect again and again on an interval set by this value The client also tries to reconnect after the IP address of the client changes or if the user manually requests a connection neo initiate dialup This flag instructs the client to false true automatically initiate an existing dialup connection for example GPRS When the always connected flag is set to true the user requests a connection and there is no valid IP on the machine client_decide neo _disconnect_when_idl Disconnect when idle Automatically disconnects the tunnel when there is no user interaction over a defined time period A message balloon appears when the client disconnects false t
157. to the user out of band preferably via diskette In Global Properties Authentication window add or disable suffix matching For users with certificates it is possible to specify that only certificates with a specified suffix in their DN are accepted This feature is enabled by default and is required only if the user names are not the full DN All certificates DN s are checked against this suffix Initiating Certificates for Users in SmartDashboard An alternative to generating certificates for remote users is to only nitiate the certificate generation process The process is then completed by the user To initiate the certificate creation process 1 On the User properties window Encryption tab click Edit The IKE phase 2 properties window opens On the Authentication tab select Public key In the Certificates tab of the User Properties window click Initialize and select Copy to clipboard The registration key is copied to the clipboard Open a text editor for example Notepad and paste in the registration key 4 Transfer the registration key to the user out of band In Global Properties Authentication window add or disable suffix matching For users with certificates it is possible to specify that only certificates with a specified suffix in their DN are accepted This feature is enabled by default and is required only if the user names are not the full DN All certificates DN s are checked against
158. to with Firewall IP pools On the other hand purchasing a DHCP server can be viewed by some as an unnecessary financial burden in which case the IP pool option might be preferred Routing Table Modifications IP addresses assigned by Office Mode need to be routed by the internal LAN routers to the gateway or gateway cluster that assigned the address This is to make sure packets destined to remote access Office Mode users reach the gateway in order to be encapsulated and returned to the client machine This may require changes to the organization s routing tables Using the Multiple External Interfaces Feature Enabling this feature instructs Office Mode to perform routing decisions after the packets are encapsulated using IPSEC to prevent routing problems discussed in Using Office Mode with Multiple External Interfaces on page 307 This feature adds new checks and changes to the routing of packets through the gateway and has an impact on performance As a result it is recommended to use this feature only when e The gateway has multiple external interfaces and e Office Mode packets are routed to the wrong external interface Chapter 15 Office Mode 313 Configuring Office Mode Configuring Office Mode 314 In This Section Office Mode IP Pool Configuration page 314 Office Mode via ipassignment conf File page 318 Office Mode DHCP Configuration page 320 Office Mode Configuration on SecureClient page 323
159. traffic configuration default to use the settings configured in the Outgoing Route Selection section e Reply from the same interface to route traffic back to the interface and next hop that it came through Chapter 11 Link Selection 225 Configuring Link Selection Configuring Source IP Address Settings On the Link Selection page 1 Click Source IP address settings 2 Choose either e Automatic derived from the method of IP selection by remote peer default The source IP address of outgoing traffic is derived from the method selected in the IP Selection by Remote Peer section e Manual e Main IP address The source IP is derived from the General Properties page of the gateway e Selected address from topology table The chosen IP from the drop down menu becomes the source IP e IP address of chosen interface The source IP is the same IP of the interface where the traffic is being routed through When responding to an IKE session use Dbedit to configure the reply from same IP default true attribute to follow the settings in the Source IP address settings window or to respond from the same IP When set to true the same IP address will be used When set to false the IP address will be derived from the Source IP address settings window 226 Configuring Link Selection Configuring On Demand links On Demand Links can only be enabled when Route Based Probing is configured The properties to edit are
160. until it stops responding Chapter 25 Link Selection for Remote Access Clients 571 Link Selection for Remote Access Scenarios Calculate IP Based on Network Topology Since a remote access client can be in a different place each time it connects a new calculation takes place each time the client connects Figure 25 3 Accessing the internal network et s A Remote Users Remote User In Figure 25 3 all remote users access the internal network by calculating which interface to use based on its current location The remote user located outside the network will use an external interface and the remote users located within the network will use an internal interface 572 Configuring Link Selection Configuring Link Selection Link selection is configured on each gateway in the Topology gt Link Selection window The settings apply to both gateway to gateway connections and remote access client to gateway connections The Link Selection configuration for remote users can be configured separately by using the following attributes These settings will override the settings configured on the Link Selection page Using Dbedit Change the value apply resolving mechanism _to_SR to false on the gateway s object Use ip resolution mechanism to select a link selection method The valid values are e mainIpVpn e singleIpVpn e singleNATIpVPN e topologyCalc oneTimeProb e ongoingProb single VPN IP RA I
161. use _ext_auth_msg true false Specifies whether SecuRemote SecureClient will show custom messages in the authentication window upon success or failure The messages should be placed in a file named AuthMsg txt located in the SecuRemote directory typically in Program Files CheckPoint See the AuthMsg txt file in the SecuRemote package for more details Global use ext_logo bitmap true false Specifies whether SecuRemote SecureClient will show a custom bitmap in the authentication window The file should be named logo bmp and should be placed in the SecuRemote directory usually located under Program Files CheckPoint Global guilibs Used to specify SAA DLL and is documented in this context Global pwd_type now later Used internally to indicates now or later auth dialog state Do not modify Global connect mode erase pwd after update true false Erase password after a site update in Connect Mode Used with silent_update_on_connect Global disable mode transition true false Do not enable user to switch between modes via GUI or command line Global connect _api_ support true false Indicates SecuRemote SecureClient mode Set to true in order to work with the Connect API Global connect_mode Indicates SecuRemote SecureClient mode True for connect mode Global allow clear traffic while disconnected true false Topology is not loaded when disconnected ens
162. use of certificates If the user authenticates through certificates obtain the certificate from the relevant CA and supply the user with the certificate If the certificate is a certificate issued by the Internal CA refer to VPN for Remote clients on how to issue these certificates e Configuring authentication servers such as RADIUS if authentication servers are employed Refer to Authentication in the Firewall Administration Guide Creating Appropriate Rules in the Security Policy Rule Base A requirement of Clientless VPN is that for every connection the Security Server must be employed This fact influences how rules allowing Clientless VPN are created in the Security Policy Rule Base For no User Authentication If user authentication is not required a rule must be defined that implements the URI resource For example Table 32 1 Source Destination Service Action Any Web server HTTPS URI resource Accept The rules states that when any source attempts an HTTPS connection to the web server the connection is accepted A URI resource is required in order to force the Security Server to be employed on every connection as required by Clientless VPN Configuring Clientless VPN For more information on defining URI resources refer to Content Security in the Firewall Administration Guide For User Authentication In the Security Policy Rule base define a rule for either Client authentication o
163. version is lower than 5 0 an alert is sent to the Security Management server machine and a popup message is shown to the user with indication of the problem The local scv Sets The local scv policy files contains one set called SCVObject This set must always be present and contains all the subsets which deal with the SCV checks and parameters Currently SCVObject has 3 subsets 534 SCVNames This section is the main SCV policy definition section in which all of the SCV checks and actions are defined This is the definition part of the SCV policy and doesn t actually determine the SCV checks that will be performed In this section sets of tests are defined Later on the administrator will choose from these sets those he wants to run on the user s desktop SCVPolicy This section specifies the names of the SCV checks that should actually be performed on the client s machine from the SCV checks defined in SCVNames SCVGlobalParams This section contains some global SCV parameters Configuring SCV SCVNames In this section the administrator specifies the names and different checks for the SCV products Here is a general definition of an SCV check subset of SCVNames SCVCheckNamel type plugin parameters Expressionl value Expression2 value begin_admin admin send_log alert mismatchmessage Failure Message send admin The test section begins with the name of the SCV
164. wait for all the fragments reassemble and NAT them When the first fragment arrives the NAT device successfully translates the address information in the IP header and port information in the UDP header and forwards the packet When the second fragment arrives the NATing device cannot translate the port information because the second packet does not contain a UDP header the packet is dropped The IKE negotiation fails During IKE phase Ss To understand why large UDP packets arise we need to take a closer look at the first phase of IKE During IKE phase the remote access client and gateway attempt to authenticate each other One way of authenticating is through the use of certificates If the certificate or Certificate Revocation List CRL is long large UDP packets result which are then fragmented by the operating system of the remote client Note If the VPN peers authenticate each other using pre shared secrets large UDP packets are not created however certificates are more secure and thus recommended IKE Over TCP IKE over TCP solves the problem of large UDP packets created during IKE phase The IKE negotiation is performed using TCP packets TCP packets are not fragmented in the IP header of a TCP packet the DF flag do not fragment is turned on A full TCP session is opened between the peers for the IKE negotiation during phase I During IKE phase Il A remote access client does not have a policy regar
165. was sent over the VPN tunnel for a certain period of time In the event a VPN tunnel is considered to be idle the user is notified that the VPN session is about to be disconnected An administrator can manually configure services to be considered as implicit services which are not user initiated Such services will be ignored by the idle detection mechanism Chapter 16 SecuRemote SecureClient 337 Switching Modes Switching Modes The VPN 1 SecureClient product has two views compact and extended The compact view is recommended for users that do not require multiple sites and profile management The extended view offers profile management and multiple server definitions 338 HTML Based Help HTML Based Help An HTML based user manual can be packaged in a SecureClient Package The HTML help contains extensive help and graphics Chapter 16 SecuRemote SecureClient 339 Configuring SecureClient Configuring SecureClient In This Chapter Configuring SCV Granularity for VPN Communities page 340 Configuring block_scv_client_connections page 340 Configuring Selective Routing page 341 Configuring Desktop Security Policy Expiration Time page 342 Configuring NAT Traversal page 345 Configuring Idle Detection page 349 Configuring SCV Granularity for VPN Communities In SmartDashboard Click Policy gt Global Properties 2 Click next to Remote Access to expand the branch and select Secure Configuration Verification SCV
166. will be offered regardless of the value of this property Gateway e supports tcp ike use_site_default If IKE over TCP is configured on the client AND either this property is true or it s use_site_default and site_default_tcp_ike is true then IKE phase 1 will be done over TCP Gateway e supportSRIkeMM true false When the authentication method is PKI if this property is false Main mode is not supported Gateway Multiple Entry Point Ss Note Bold indicates the default value Global Managers or Gateway indicates the location in Userc C See Structure of Userc C on page 608 Do not manually edit Global properties resolver ttl 10 Specifies how many seconds SecuRemote will wait before deciding that a gateway is down Global active resolver true false Specifies whether SecuRemote should periodically check the gateway status Active gateway resolving may cause the dial up connection to try to connect to an ISP Turning this property off will avoid problems associated with this behavior Global resolver session interval 30 Specifies for how many seconds the gateway status up or down remains valid Global Managers Chapter 29 Userc C and Product ini Configuration Files 617 Userc C File Parameters 618 Encrypted Back Connections Ss Note Bold indicates the default value Global Managers or Gateway indicates the location in Userc C See Structure of Use
167. with two external interfaces both of which have public IP addresses one for the HTTP server and one for the Visitor Mode server This second routable address can be achieved in two ways e installing an additional network interface for the Visitor Mode server or e by utilizing a virtual IP on the same network interface which is blocking the port On the gateway object running the Visitor Mode server General Properties gt Remote Access page gt there is a setting for Allocated IP address All the available IP addresses can be configured to listen on port 443 for Visitor Mode connections Chapter 31 Resolving Connectivity Issues 687 Overcoming Restricted Internet Access Visitor Mode with SecurePlatform Nokia SecurePlatform running on Linux and Nokia boxes are installed with a pre configured HTTPS server the server runs on the gateway and listens on port 443 Installing an additional network interface or utilizing a virtual IP for the Visitor Mode server is not relevant since these HTTPS servers automatically bind to all available IP addresses In this case it is preferable to reserve 443 for Visitor Mode since users connecting for example from a hotel may only be allowed to connect via ports 80 and 443 These pre configured HTTPS servers need to be allocated ports that do not conflict with the Visitor Mode server Visitor Mode in a MEPed Environment Visitor Mode also works in a MEPed environment For more information s
168. you must trust the CA that signed the server certificate The system administrator can define which CAs may be trusted by the user You can view in the certificate in order to decide if you wish to proceed Note The administrator can direct the user to the URL http lt mngmt IP gt 18264 to install this CA certificate thereby establishing trust and avoiding future displays of this message 2 Click Yes If Endpoint Security on Demand is enabled the ESOD web page is displayed If this is the first time that the user is scanned with ESOD the user should install the ESOD ActiveX object If this is the first time that ESOD is used the following Server Confirmation window appears The user is asked to confirm that the listed ESOD server is identical to the organization s site for remote access Figure 30 5 Server Confirmation window Client erification x JARE TECHNOLOGIES LTD I Check Point Client Verification will now scan your computer and P 2 send the scan report to the following site 194 29 46 75 Please confirm that this site is identical to the organization s site for remote access J Save this confirmation for future use me 3 Click one of the following e f the user clicks No an error message is displayed and the user is denied access e f the user clicks Yes in Figure 30 5 the ESOD client continues the software scan Moreover if the Save this confirmation for fu
169. 0 10 255 255 255 0 192 168 30 20 2 If both routes for outgoing traffic from gateway A are available the route from 192 168 10 10 to 192 168 40 10 has the lowest metric highest priority and is therefore the preferred route Responding Traffic When responding to a remotely initiated tunnel there are two options for selecting the interface and next hop that is used these settings are relevant for IKE and RDP sessions only e Use outgoing traffic configuration Select this option to choose an interface using the same method selected in the Outgoing Route Selection section e Reply from the same interface This option will send the returning traffic through the same interface and next hop it came in Note When Route Based Probing is enabled Reply from the same interface is the selected method Source IP Address Settings The source IP address used for outgoing packets can be configured for sessions initiated by the gateway When initiating a VPN tunnel set the source IP address using one of the following e Automatic derived from the method of IP selection by remote peer The source IP address of outgoing traffic is derived from the method selected in the IP Selection by Remote Peer section If Main address or Selected address from topology table are chosen in the IP Selection by Remote Peer section then the source IP when initiating a VPN tunnel is the IP specified for that method Chapter 11 Li
170. 1 Global Properties xj 362 Firewall NAT Network Add Authentication YPN VPN 1 UTM Edge C Remote Access VPN Basic VPN Advance VPN IPSEC P Certificates Secure Configu SSL Network E SecureClient Mc Endpoint Conne Early Versions C Hot Spot Hotel SmartDirectory LDA QoS SmartMap FireWall 1 GX UserAuthority Management High ConnectControl OSE Open Securit Stateful Inspection Log and Alert Reporting Tools OPSEC SmarCenter gil E YPN IKE Phase 1 Support encryption algorithms DES 3DES AES 128 AES 256 JAES 256 7 MDS MSH 1 SHAI x Use encryption algorithm Support Data Integrity Use Data Integrity Support Diffie Hellman groups CGroup 1 768 bit CGroup 14 2048 bit MGroup 2 1024 bit gt een Eee Li Use Diffie Hellman group Group 2 1024 bit esi Cancel Help Endpoint Connect Advanced Settings Endpoint Connect Advanced Settings 1 In SmartDashboard open Global Properties gt Remote Access gt Endpoint Connect Global Properties F x Firewall Endpoint Connect NAT Network Add Authentication Authentication Settings VPN VPN 1 UTM Edge E Enable password caching No he Remote Access ar fi 440 4 minutes VPN Basic rs 5 VPN Advance Re authenticate user ever
171. 10 0 0 2 Mask 255 255 255 255 Peer GWb Peer 1D 180 180 1 1 Status attached VPN shell gt quit GWc ifconfig vt GWa vt GWa Link encap IPIP Tunnel HWaddr inet addr 10 0 0 3 P t P 10 0 1 20 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b GWc ifconfig vt GWb vt GWb Link encap IPIP Tunnel HWaddr inet addr 10 0 0 3 P t P 10 0 0 2 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b Enabling Dynamic Routing Protocols on VTIs Enabling Dynamic Routing Protocols on VTIs Using the example in Figure 6 2 on page 132 Table 6 5 through Table 6 8 illustrate how the OSPF dynamic routing protocol is enabled on VTIs both for single members and for cluster members using SecurePlatform Note that the network commands for single members and cluster members are not the same For more information on advanced routing commands and syntaxes see the Check Point Advanced Routing Suite Command Line Interface book When peering with a Cisco GRE enabled device a point to point GRE tunnel is required Use the following command to configure the tunnel inte
172. 114323 z Passphrase PEE r Password Enter NEW PIN number 4 to 8 digits m Cancel Hep The PIN must be entered Chapter 14 Introduction to Remote Access VPN 297 VPN for Remote Access Configuration If the token requires a passphrase the remote user sees this window I PN 1 SecureClient RSA Software Token Authentication es Software Token Token Serial Number 000080114326 7 prm 298 Chapter Office Mode In This Chapter The Need for Remote Clients to be Part of the LAN Office Mode Solution Office Mode Considerations Configuring Office Mode 15 page 300 page 301 page 313 page 314 299 The Need for Remote Clients to be Part of the LAN The Need for Remote Clients to be Part of the LAN 300 As remote access to internal networks of organizations becomes widespread it is essential that remote users are able to access as many of the internal resources of the organization as possible Typically when remote access is implemented the client connects using an IP address locally assigned by for example an ISP The client may even receive a non routable IP which is then hidden behind a NATing device Because of this several problems may arise e Some networking protocols or resources may require the client s IP address to be an internal one Router ACLs access lists for example might be configured to allow only specific or internal IP addres
173. 1440 Reauthenticate user every 480 minutes 480 Connectivity Settings Use the settings in this section to determine connect and disconnect options Connect mode covers whether the user should manually connect each time the user is always connected or whether the decision can be made on the client side If the decision is left to the client the user can select the Enable Always Connect option on the Settings tab of the site properties window If you do not open this window then default values apply Table 17 5 Default Connectivity values Option SmartDashboard Endpoint Connect default value default value Connect mode Client decide Yes Location Aware Connectivity Client decide Yes Disconnect when no connectivity Client decide No to network Disconnect when device is idle Client decide No Location Aware Connectivity Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain Enterprise LAN and automatically connects or disconnects as required When the client is detected within the internal network the VPN connection is terminated If the client is in Always Connect mode the VPN connection is established again when the client exits Endpoint Connect Advanced Settings Configuring Location Aware Connectivity To configure Location Aware Connectivity a Select Yes from the drop down box and click Configure The Location Awareness Settings window opens x
174. 20 ae coe g The digital signature has been validated by a trusted source More Information e f the system administrator configured the upgrade option the following Upgrade Confirmation window is displayed Figure 30 17Upgrade Confirmation window There is a newer version of SSL Network Extender available Do you wish to upgrade now Note Administrative privileges are required eee Pee If you click OK you must reauthenticate and a new SSL Network Extender version is installed 662 SSL Network Extender User Experience If you click Cancel the SSL Network Extender connects normally The Upgrade Confirmation window will not be displayed again for a week The SSL Network Extender window appears A Click here to upgrade link is displayed in this window enabling the user to upgrade even at this point If you click on the Click here to upgrade link you must reauthenticate before the upgrade can proceed 8 At first connection the user is notified that the client will be associated with a specific gateway Click Yes Figure 30 18Client associated with specific gateway xi Check Point SOFTWARE TECHNOLOGIES LTD You have reached SSL Network Extender gateway Gateway Identification motif VPN Certificate Root CA MUCK AN SCAN ROSA NEAL TOLL FUN Fingerprint DATA TRY ART BILL TERM Please press Yes to continue or No to cancel the action No The server certificate of the ga
175. 30 SSL Network Extender 659 SSL Network Extender User Experience Figure 30 11Password window Certificate Import wizard O S o xi Password To maintain security the private key was protected with a password Type the password for the private key Password peer ooo I Enable strong private key protection You will be prompted every time the private key is used by an application if you enable this option I Mark the private key as exportable lt Back Cancel It is strongly recommended that the user enable Strong Private Key Protection The user will then be prompted for consent credentials as configured each time authentication is required Otherwise authentication will be fully transparent for the user d Enter your password click Next twice If the user enabled Strong Private Key Protection the following Importing a New Private Exchange Key window appears Figure 30 12Importing a New Private Exchange Key window x An application is creating a Protected item Crypto Pl Private Key Security level set to Medium Set Security Level E Cancel Details e f you click OK the Security Level is assigned the default value Medium and the user will be asked to consent each time the certificate is required for authentication e f you click Set Security Level the following Set Security Level window appears Select either High or Medium and click Next 660 SSL Network Extender User
176. 314 Configuring IP Assignment Based on Source IP Address cccccceeeeeeeeeeeeee 317 Office Mode via ipassignment conf File ccccccccsscceeeseeeeeeeaeeeeseeeeeaeeeeaes 318 Subnet masks and Office Mode Addresses cccccsseeeeeeeeeeeeeeeeeeeeeeeeeeaees 318 Checking the Syntaxssccsstacniacire a Inet iahen AKE IEE 319 Office Mode DHCP Configuration cccccsecccceccceecceeeceseeeeeaeeeesaeeeeaas 320 Office Mode Using a RADIUS Server ccccccccceccceesceeeeeceeeeeeeseeeesneesseeeeees 321 Office Mode Configuration on S CUreCli Nt ccccsecccseeceseeceseeeeeseeeeeaeeeeaes 323 Office Mode per Site seii piip fe nie en ee eee Rea 323 Chapter 16 SecuRemote SecureClient THE NeedFor Sec ureC lent a rannan a a aa r a 326 The Check Point Solution sestiscccctucetdbvenlecsnsvccscceaasduichiafudscdi pai diea diaa riean 327 HOW It WORKS fide enean aa e a A aa dest a adaa e 327 SCV Granularity for VPN Communities ccccccceccceeeeeseeeeeeeeeseeeeeeeeeeeeeeeseeees 328 Blocking Unverified SCV Connections ccccceccesecceeeeeceeeceseeeeeeeeesseeeeseeeesaaes 329 Selective ROUTINE heehee aa aa a a ea d aeaa nanat 330 Desktop Security POLICY en a ee a a a aaa aaa aioe th 333 When is a Policy Downloaded poni eeir a a aaia aana 333 Policy Expiration and Renewal ccccccccseccceeeccceeeceseeceseecesaeeesseeeesaeeeesaees 333 Prepackaged Poli cysic at32t este a a a a aa tote bes dots patt
177. 4 Configuring VPN Routing for Remote Access VPN Configuration of Client to Client Routing by Including the Office Mode Range of Addresses in the VPN Domain of the Gateway To configure VPN routing for remote access clients via the VPN domain add the Office mode range of addresses to the VPN domain of the gateway 1 In SmartDashboard create an address range object for the Office Mode addresses Create a group that contains both the VPN domain and Office mode range 3 On the General properties window of the gateway object gt Topology page gt VPN domain section select Manually defined 4 Select the group that contains both the VPN domain of the gateway and the Office mode addresses The remote clients must connect to the site and perform a site update before they can communicate with each other Client to Client via Multiple Hubs Using Hub Mode Figure 24 6 shows two remote clients each configured to work in Hub mode with a different gateway Figure 24 6 Remote clients with different Hubs Remote Client 2 Remote Gient 1 Remote Client 1 works in Hub mode with Hub 1 Remote Client 2 works in Hub mode with the Hub 2 In order for VPN routing to be performed correctly e Remote clients must be working in Office mode Chapter 24 VPN Routing Remote Access 565 Configuring VPN Routing for Remote Access VPN e Office mode address range of each gateway must be included in the vpn_route conf file installed on the other
178. 40 480 default neo_saa_guilibs The DLL name or full path that is loaded for authentication with the server neo saa url The absolute URL for SAA authentication Chapter 19 SecureClient Mobile 461 Advanced Configuration Table 19 3 Firewall Properties Property neo enable firewall p olicy Description Enables the firewall policy Valid Values Default value in bold false true client_ decide neo firewall policy The supported firewall policies Allow all Outgoing only Outgoing and encrypted Encrypted only Block all never disabled allow_all outgoing_only outgoing _and_encrypte d encrypted_only block_all neo enable activesync Enables ActiveSync to PC disabled if firewall is not installed false true client_ decide neo enable ip forward ing Enables IP forwarding when firewall is enabled false true client_ decide neo enable automatic_ Automatically update the false true client_ policy update policy when it expires decide neo policy expire The policy expiration 1 infinite timeout in minutes 10 MAX_INT 525600 neo automatic policy frequency with which the 5 MAX_INT 120 update frequency client updates policy files in minutes neo request policy up If set to true the client false true date prompts the user to update the policy upon policy expiration automatic policy upda
179. 55 0 Undefined eth3 10 1 0 1 255 255 255 0 This Network eth4 10 2 0 1 255 255 255 0 This Network ethS 10 3 0 1 255 255 255 0 This Network Note IPv6 address configuration is available in each interface s edit dialog box Add Edit Remove Show YPN Domain All IP Addresses behind Gateway based on Topology information Manually defined z Hew Show VPN Domain Set domain for Remote Access Community cow _ te 4 On the VPN gt VPN Advanced page enable NAT Traversal Check Point Gateway Corporate aw VPN Advanced YPN Tunnel Sharing Control the number of VPN tunnels opened between peer Gateways Use the community settings Custom settings Gne VPN tunnel per each pair of hosts One Pe per subnet pair Gre VPN tunnel per Gateway pair Restart Options IV Perform an organized shutdown of tunnels upon gateway restart NAT traversal Industry standard IV Support NAT traversal applies to Remote Access and Site to Site connections Cancel Help Chapter 17 Endpoint Connect 359 Obligatory Settings See NAT Traversal on page 378 for additional information 5 On the Remote Access Page enable Visitor Mode Check Point Gateway cpmodule General Properties Authentication Logs and Masters Capacity Optimization Cooperative Enforceme Advanced 6 On the Remote Access gt Office Mode page enable Office Mode and configure the appropriat
180. 7 Remote Access Advanced Configuration 587 Back Connections Server to Client Back Connections Server to Client 588 Back connections connections from the server to the client are required by certain applications such as Xterm These connections do not have to be explicitly defined in the Rule Base To achieve this when a user logs on to a site the username and IP address are stored in an authentication database for 15 minutes this time frame is configurable During this time all back connections from server to client are allowed After this time back connections are sent in clear Sending Keep Alive Packets to the Server To enable the 15 minute interval configure back connections so that Keep Alive transmissions are sent by the client to the server This is especially necessary when a NAT device is used By sending Keep Alive packets the IP Address maintained in the authentication database is constantly renewed In the Remote Access page of the Global Properties window check Enable back connections from gateway to client and specify a value for Send Keep Alive packet to the Gateway Auto Topology Update Connect Mode only Auto Topology Update Connect Mode only You can configure SecuRemote Clients to automatically update a site s topology either when starting SecuRemote or just before the IKE key exchange in the Remote Access page of the Global Properties window In this window the system administrator can
181. A B C and D there will be six secrets A B A C A D B C B D and C D e On A define the secrets for B C and D e On B define the secrets for C and D e On C define the secret for D The following procedure applies to both internal and external security gateways When working with externally managed gateways the administrator of the peer external gateways must configure his or her gateways appropriately Obtain Information from the Peer Administrator If working with externally managed gateways obtain from the peer administrator the external gateway topology and VPN Domain information You must also agree on the pre shared secrets and on authentication encryption and data integrity methods for the VPN Chapter 13 Traditional Mode VPNs 263 Configuring Traditional Mode VPNs 264 Defining the Gateways Define the gateway object e f the gateway is an internal gateway define a Check Point gateway object In the Network Objects tree right click and select New gt Check Point gt Gateway e f the gateway is externally managed e fitis a Check Point gateway In the Network Objects tree right click and select New gt Check Point gt Externally Managed Gateway e If it is not a Check Point gateway select Manage gt Network Objects gt New gt Interoperable Device For an internally managed gateway or for a Check Point externally managed gateway in the General Properties page of the gateway ob
182. AST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b GWb ifconfig vt GWc vt GWc Link encap IPIP Tunnel HWaddr inet addr 10 0 0 2 P t P 10 0 0 3 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 1 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 36 36 0 b Chapter6 Route Based VPN 145 Configuring VTIs in a Clustered Environment Table 6 4 Configuring GWc 146 Sse Access the VPN shell Command Line Interface GWc vpn shell This help a Go up one level quit Quit interface Manipulate tunnel interfaces show Show internal data tunnels Manipulate tunnel data E i Add vt GWa VPN shell gt interface add numbered 10 0 0 3 10 0 1 20 GWa Interface vt GWa was added successfully to the system a Add vt GWb VPN shell gt interface add numbered 10 0 0 3 10 0 0 2 GWb Interface vt GWb was added successfully to the system SSS SS Se Verify configuration VPN shell gt show interface detailed all vt GWa Type numbered MTU 1500 inet addr 10 0 0 3 P t P 10 0 1 20 Mask 255 255 255 255 Peer GWa Peer 1D 170 170 1 10 Status attached vt GWb Type numbered MTU 1500 inet addr 10 0 0 3 P t P
183. Argument IN OUT Meaning message in the message pos in the position of the message val in the value of the message default_text in the message text TrNotificationConstruct This function creates a new TrNotification and return NULL upon error Prototype TRAPI CPAPI TrNotification TrNotificationConstruct TrNotificationID ID unsigned int arguments num Arguments Argument IN OUT Meaning ID in ID of the notification arguments num in number of arguments TrNotificationGetID This function fills the notification ID and return the status of the operation Prototype TRAPI CPAPI TrStatus TrNotificationGetID TrNotification notification TrNotificationID ID Chapter 18 Endpoint Connect API 413 Functions from Service to Client 414 Arguments Argument IN OUT Meaning notification in the given notification ID out the ID of the notification TrNotificationClone This function clones a given TrNotification Prototype TRAPI CPAPI TrNotification TrNotificationClone TrNotification notification Arguments Argument IN OUT Meaning notification in the notification to be cloned TrNotificationDestroy This function destroys a given TrNotification Prototype TRAPI CPAPI void TrNotificationDestroy TrNotification notification Arguments Argument IN OUT Meaning notification in the notification to be destroyed TrNotificationAr
184. C style declaration To access these API functions from C use the extern C declaration The API supports Two General Functions for Error Tracing e TrlnitNewExceptionFilter e TrCloseExceptionFilter Use these functions to print the stack when a process terminates unexpectedly Functions to transfer messages to the service e TrAPIInit e 6TrAPIInitDebug e TrAP IDebug e TrStart e TrStop e TrisTracActive e TrConnEnum e TrConnGetinfo e TrConnConnect e TrConnCancelConnect e TrConnCreate e TrConnDelete e TrGetInformation e TrGetConfiguration e 6TrSetConfiguration e TrSendLogs e TrGetStatus e TrAPIGetVersion e TrSendNotification e 6TrRegisterErrorCallback Function Return Codes Functions to Receive Notifications from the Service Use the following functions to receive notifications from the trac service All notifications are described in TrAPIType h The client can register with the service to receive only specific notifications By default the client receives all notifications e 6TrRegisterNotificationCallback e TrUnregisterNotificationCallback Function Return Codes The return codes and numerical equivalents for API Functions are as follows Function Return Code Equivalent Meaning TrOK O Function executed without error TrFAIL 1000 Function failed TrConnAlreadyConnected 999 Connect function failed because the client is already connected
185. CA owned by the company itself If the administrator decides to use a certificate from the internal CA known and trusted the CA certificate must be supplied to the client and the client configured to trust it If the administrator decides to work with an external Certificate Authority the administrator must 1 Obtain the CA certificate 2 Configure the Security Management server to trust this CA 3 Obtain and configure a certificate for the gateway 4 Supply the CA certificate to the client The administrator must now instruct the user to configure the client to trust this CA Number of Security Servers to Run In order to balance the load when there are many Clientless VPN connections the administrator will have to decide how many Security Servers to run Up to ten Security Servers can be run on the same gateway Check Point recommends running one VPN Security Server per 150 active users Be careful not to confuse active users with all registered users For example if you have 700 registered Clientless VPN users in the database yet only an average of 70 users make Clientless VPN connections concurrently run only one Security Server Special considerations for Clientless VPN Level of Encryption While the gateway can be configured to enforce the use of strong encryption such as 3DES the use of 3DES can affect performance of the gateway machine The client browser must also support 3DES Chapter 32 Clientless VPN 703 Conf
186. Check Point Solution for Remote Access page 271 VPN for Remote Access Considerations page 280 VPN for Remote Access Configuration page 283 269 Need for Remote Access VPN Need for Remote Access VPN 270 Whenever users access the organization from remote locations it is essential that the usual requirements of secure connectivity be met but also the special demands of remote clients for example e The IP of a remote access client might be unknown e The remote access client might be connected to a corporate LAN during the working day and connected to a hotel LAN during the evening perhaps hidden behind some kind of NATing device e The remote client might need to connect to the corporate LAN via a wireless access point e Typically when a remote client user is out of the office they are not protected by the current security policy the remote access client is both exposed to Internet threats and can provide a way into the corporate network if an attack goes through the client To resolve these issues a security framework is needed that ensures remote access to the network is properly secured The Check Point Solution for Remote Access The Check Point Solution for Remote Access In This Section Establishing a Connection Between a Remote User and a Gateway page 273 Remote Access Community page 274 Access Control for Remote Access Community page 276 Identifying Elements of the Network to the Remote Client page 274 Clien
187. Check Point VPN Solution The Basic Check Point VPN Solution In This Section Understanding the Terminology page 38 Site to Site VPN page 39 VPN Communities page 39 Remote Access VPN page 41 Virtual Private Networking technology leverages existing infrastructure the Internet as a way of building and enhancing existing connectivity in a secure manner Based on standard Internet secure protocols VPN implementation enables secure links between special types of network nodes Check Point Security Gateways Site to Site VPN ensures secure links between gateways Remote Access VPN ensures secure links between gateways and remote access clients Check Point s Security gateway is an integrated software solution that provides connectivity to corporate networks remote and mobile users branch offices and business partners on a wide range of open platforms and security appliances shows Check Point Security Gateways integrate access control authentication and encryption to guarantee the security of network connections over the public Internet A typical deployment places a Check Point Security Gateway connecting the corporate network from the Internet and remote access software on the laptops of mobile users Other remote sites are guarded by additional Check Point Security Gateways and communication between all components regulated by a strict security policy VPN Components VPN is composed of e VPN endpoints such as gateways c
188. Command Line Interface and OPSec API for configuration and monitoring as well as the ability to be installed and run as a service Administration e Unified Central Management e Advanced User Management e Unified updates e Regulatory Compliance with Advanced Monitoring Logging and Reporting DLL version numbers collected in a special file for troubleshooting purposes Chapter 17 Endpoint Connect 355 Enabling Endpoint Connectivity Enabling Endpoint Connectivity To enable Endpoint Connect connectivity with the gateway 1 Open GuiDBedit and connect to Security Management server as shown in Figure 17 7 Figure 17 7 GuiDBedit 192 168 186 128 Check Point Database Tool File View Objects Fields Search Queries Help a ie Object Name Last Modify Time gateway _ckp Sun Aug 17 12 29 47 2008 SA host_plain Sun Aug 17 10 12 32 2008 Administrators CPDShield dynamic_object Sun Aug 17 09 28 27 2008 Desktop AuxiliaryNet dynamic_object Sun Aug 17 09 28 27 2008 Global Properties DMZNet dynamic_object Sun Aug 17 09 28 27 2008 Large Scale Manager Pfinternalvet dynamic_object Sun Aug 17 09 28 27 2008 J Managed Objects LocalMachine_All_Interfaces dynamic_object Sun Aug 17 09 28 27 2008 Network Objects LocalMachine dynamic_object Sun Aug 17 09 28 27 2008 m network_objects IE CP_default_Office_Mode_addresses_ network Sun Aug 17 09 28 27 2008 m sofaware_gw_types OPSEC Other Policies Provide
189. Configuration ase1 ecesc even sdieven ddvcirstied ichsaadiavacadeasshedecs sacdasane fats 498 Client Side Configuration sss resi koerte Vocab tele ined stadel di a palaa eaS 499 Chapter 22 Layer Two Tunneling Protocol L2TP Clients 14 The Need for Supporting L2TP Clients cccccccccseccccseceeseeceeeeeceseeeeseeeeesneeees 502 Solution Working with L2TP Clients Introduction to7 E27 P Centser aaraa a aE eG i Eai Aih Establishing a VPN between a Microsoft IPSec L2TP Client and a Check Point GaleWAY Peres ievectn sav oles dav dtarteatiesssatensaietentts EAT 504 Behavior of an L2TP Connection itom aaa eE aE 505 security Gateway Requirements for IPSeC L2TP c cccccceececeeeeeeeseeeeeeeeaees 505 Authentication of Users and Client Machines ccccsseeeeceeeeeeeeeeeaeeeeeeeeaees 506 User Certificate PurpoSeS riesenia ate edie ewes vc vin stew a ee voces 509 Considerations for Choosing Microsoft IPSec L2TP Clients cccccseeceeeeeeeeeeees 510 Configuring Remote Access for Microsoft IPSec L2TP Clients cccceeceeeeeeees 511 General Configuration Procedure cccccccccsecceaecceceeceeeeeceseeceeueeeeseeeesaeeeeaes 511 Configuring a Remote Access EnvirOnMent ccccceccccsscceseeeeeueeeeseeeeeaeeeeaes 512 Defining the Client Machines and their Certificates ccccccccceeeceeeeeeeaeees 512 Configuring Office Mode and L2TP Support ccccccccseeceseeeeseeeeeaeeeeeeeeeeaes 512 Prepari
190. Configuring RIM 186 In This Section Configuring RIM in a Star Community page 186 Configuring RIM in a Meshed Community page 187 Enabling the RIM_inject_peer_interfaces flag page 188 Tracking Options page 188 Configuring RIM in a Star Community 1 Open the Star Community properties gt Tunnel Management page In the Permanent Tunnels section select Set Permanent Tunnels The following Permanent Tunnel modes are then made available e On all tunnels in the community e On all tunnels of specific gateways e On specific tunnels in the community For more information on these options see Permanent Tunnels on page 170 When choosing tunnels keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent On all tunnels in the community must be selected if MEP is enabled on the community To configure permanent tunnels see Configuring Tunnel Features on page 168 2 Select Enable Route Injection Mechanism RIM 3 Click Settings Configuring RIM The Route Injection Mechanism Settings window opens Route Injection Mechanisa Settings xi Center Gateways IV Enable automatic RIM J Enable customer editable script execution Satellite Gateways J Enable customer editable script execution Tracking Route injection track SNMP Trap Alert Ne Decide if e RIM should run automatically on the central or satellite gateways SecurePlatform IPSO or Linux only e A
191. Configuring Tunnel Idleness on the Server 1 Connect to the Security Management server using GuiDBedit 2 Open the Global Properties gt properties gt firewall_properties object Tunnel Idleness Last Modify Time Eifirewall _properties firewall_properties Mon Aug 18 15 49 55 2008 Administrators Desktop properties Large Scale Manager Managed Objects Network Objects OPSEC Other Policies Provider 1 QOS Read Only Configuration a ea Reporting re A Services desktop_to_expire_passwords boolean desktop_topology_over_IKE boolean true true desktop_update_at_start boolean false desktop update frequen numbe Q int_min int_max disconnect_on_idle owned object disconnect_on_idle disconnect_on_idle do_not_check_idleness_on_icmp_packets boolean False do_not_check_idleness_on_these_services container tcp_service udp_service enable_disconnect_on_idle boolean false idle_timeout_in_minutes number 30 2 1440 disconnect_on_token_removal boolean false disconnect_when_in_enc_ boolean display_rule_tooltip boolean true display_rulename_column boolean true true dns_resolving_domain_name string domain_tcp boolean false domain_tcp_p string first first last before last First domain_tcp_router boolean true true domain_tcp_router_p string First first last before last First domain_udp boolean false domain_udp_p string first first last
192. Considerations for Choosing Microsoft IPSec L2TP Clients 510 SecureClient is much more than a personal firewall It is a complete desktop security solution that allows the administrator to define a full desktop security policy for the client IPSec clients are more basic remote clients and for some organizations may provide an adequate set of capabilities When using an IPSec L2TP client it is not possible to connect to organization and to the outside world at the same time For some organizations this may be an appropriate connection policy as it effectively dedicates the machine to being connected to the organization SecuRemote SecureClient on the other hand makes it possible to be connected to the organization and to the Internet at the same time Configuring Remote Access for Microsoft IPSec L2TP Clients Configuring Remote Access for Microsoft IPSec L2TP Clients In This Section General Configuration Procedure page 511 Configuring a Remote Access Environment page 512 Defining the Client Machines and their Certificates page 512 Configuring Office Mode and L2TP Support page 512 Preparing the Client Machines page 512 Placing the Client Certificate in the Machine Certificate Store page 513 Placing the User Certificate in the User Certificate Store page 514 Setting up the Microsoft PSec L2TP Client Connection Profile page 514 Configuring User Certificate Purposes page 515 Making the L2TP Connection page 516 For More Information
193. Contents Summary of Contents This guide describes the VPN components of a Check Point Security Gateway It contains the following sections and chapters Section 1 Introduction to VPN Technology This section describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure Chapter Chapter 1 Overview Description Provides an overview of Check Point s solution for VPN Chapter 2 IPSEC amp IKE Description of encryption modes used to transport packets securely using VPN tunnels Chapter 5 Public Key Infrastructure Public Key Infrastructure is a system of certificate authorities that verify and authenticate the validity of each party exchanging information Section 2 Site to Site VPN This section explains how to ensure secure communication between gateway modules Chapter Chapter 4 Introduction to Site to Site VPN Description An introduction to the basics of VPN s between gateways and VPN communities Chapter 5 Domain Based VPN Domain Based VPN is a method of controlling how VPN traffic is routed between gateway modules and remote access clients within a community Chapter 6 Route Based VPN Route Based VPN is a method of controlling how VPN traffic is routed between gateways using VPN Tunnel Interfaces Chapter 7 Tunnel Management Tunnel Managemen
194. DAIP gateways and 3rd party DAIP gateways using the Matching Criteria configuration DAIP gateways may initiate a VPN tunnel with non DAIP gateways However since a DAIP gateway s external IP address is always changing peer gateways cannot know in advance which IP address to use to connect to the DAIP gateway As a result a peer gateway cannot initiate a VPN tunnel with a DAIP gateway unless DNS Resolving is configured on the DAIP gateway For more information see Link Selection on page 207 If the IP on the DAIP gateway changes during a session it will renegotiate IKE using the newly assigned IP address In a star community when VPN routing is configured DAIP gateways cannot initiate connections from their external IP through the center gateway s to other DAIP gateways or through the center to the Internet In this configuration connections from the encryption domain of the DAIP are supported The Check Point Solution for VPN Routing Traffic within a VPN Community Ss VPN routing provides a way of controlling how VPN traffic is directed There are two methods for VPN routing e Domain Based VPN e Route Based VPN Domain Based VPN This method routes VPN traffic based on the encryption domain behind each gateway in the community In a star community this allows satellite gateways to communicate with each other through center gateways Configuration for Domain Based VPN is performed directly through SmartDashboard For
195. E negotiation is initiated automatically to the security gateway When using Office Mode a special IKE mode called config mode is inserted between phase 1 and phase 2 of IKE During config mode the client requests an IP from the gateway Several other parameters are also configurable this way such as a DNS server IP address and a WINS server IP address After the gateway allocates the IP address the client assigns the IP to a Virtual Adapter on the Operating system The routing of packets to the corporate LAN is modified to go through this adapter Packets routed in this way bear the IP address assigned by the gateway as their source IP address Before exiting through the real adapter the packets will be IPSec encapsulated using the external IP address assigned to the real adapter as the source address In this way non routable IP addresses can be used with Office Mode the Office Mode non routable address is concealed within the IPSec packet For Office Mode to work the IP address assigned by the security gateway needs to be routable to that gateway from within the corporate LAN This will allow packets on the LAN being sent to the client to be routed back through the gateway See also Office Mode and Static Routes in a Non flat Network on page 304 Note A remote user with SecuRemote only is not supported in Office Mode A Closer Look The following steps illustrate the process taking place when a remote user connected throu
196. ESOD server or the ESOD configuration tool Customers can download the ESOD server from http www checkpoint com products clientless index html along with its documentation Features The SSL Network Extender features are listed below Easy installation and deployment Intuitive and easy interface for configuration and use The SSL Network Extender mechanism is based on Visitor Mode and Office Mode Automatic proxy detection is implemented Small size client Download size of SSL Network Extender package lt 400K after installation size of SSL Network Extender on disk is approximately 650K All security gateway authentication schemes are supported Authentication can be performed using a certificate Check Point password or external user databases such as SecurlD LDAP RADIUS and so forth At the end of the session no information about the user or gateway remains on the client machine Extensive logging capability on the gateway identical to that in VPN 1 SecuRemote SecureClient High Availability Clusters and Failover are supported Special Considerations for the SSL Network Extender SSL Network Extender Upgrade is supported The SSL Network Extender supports the RC4 encryption method Users can authenticate using certificates issued by any trusted CA that is defined as such by the system administrator in SmartDashboard SSL Network Extender is now supported on IPSO Endpoint Security on Demand prevents threats
197. Experience Figure 30 13Set Security Level window Importing a new private exchange key Choose a security level appropriate for this item High Request my permission with a password when this item is to be used C eda Request my permission when this item is to be used lt Back Cancel e Click Finish The following Import Successful window appears Figure 30 14 mport Successful window x Gi The import was successful f Click OK g Close and reopen your browser You can now use the certificate that has now been imported for logging in 7 If you are connecting to the SSL gateway for the first time a VeriSign certificate message appears requesting the user s consent to continue installation Chapter 30 SSL Network Extender 661 SSL Network Extender User Experience Figure 30 15VeriSign Certificate Message F Check Point SSL Network Extender Microsoft Internet Explorer Check Point SOFTWARE TECHNOLOGIES LTO We Secure the Internet TSN and dented parami Check Pont SL Natok Nian santali y Vein h Ml oe Ocn e If you connect using Java Applet the following Java security message will appear Click Yes Figure 30 16Java Security Message Warning Security x The application s digital signature has been verified lt Do you want to run the application javer Name Extender Publisher Check Point Software Technologies Ltd From https 192 168 0
198. Expressions and meanings for the vpn shell as shown in Table C 1 e The basic format of the command is path path path arguments for example interface add takes you directly to the menu for adding numbered interfaces e Within the vpn shell command line completion is available for example i a n is completed to interface add numbered and executed provided there are not two commands starting with the same letter e Use Control D to exit the vpn shell end of line when including vpn shell commands in a script Table C 1 vpn shell commands arguments Expression Meaning Shows available commands Returns to the top of the main menu two dots Moves up one menu level quit Exists the VPN shell show interface summary Shows summary of all interfaces or of a specific interface show interface detailed Shows summary of all interfaces or of a specific interface with greater detail interface add numbered Adds a numbered interface Local IP remote IP peer name and interface name required interface add unnumbered Adds an unnumbered interface Peer name and interface name required interface modify peer mtu Modify the MTU of an interface by peer name Table C 1 vpn shell commands arguments Expression interface modify peer netmask Meaning Modify the netmask of an interface by peer name interface modify ifname mtu Modify the MTU of an interface by given interface name interf
199. From the Connect to CA with protocol select the protocol used to connect with the certificate authority either SCEP CPMV1 or CPMV2 Note For entrust 5 0 and later use CPMV1 5 Click Properties e If you chose SCEP as the protocol in the Properties for SCEP protocol window enter the CA identifier such as example com and the Certification Authority Registration Authority URL e If you chose cmpV1 as the protocol in the Properties for CMP protocol V1 window enter the appropriate IP address and port number The default port is 829 e f you chose cmpV2 as the protocol in the Properties for CMP protocol V2 window decide whether to use direct TCP or HTTP as the transport layer Note If Automatic enrollment is not selected then enrollment will have to be performed manually 6 Choose a method for retrieving CRLs from this CA If the CA publishes CRLs on HTTP server choose HTTP Server s Certificates issued by the CA must contain the CRL location in an URL in the CRL Distribution Point extension If the CA publishes CRL on LDAP server choose LDAP Server s In this case you must define an LDAP Account Unit as well See the Security Management Server Adminstration guide for more details about defining an LDAP object Make sure that CRL retrieval is checked in the General tab of the LDAP Account Unit Properties window Certificates issued by the CA must contain the LDAP DN on which the CRL resides in the CRL distr
200. GX Gateway Ongoing Probing Statically NATed IP Ongoing Probing Use DNS resolving Ongoing Probing Calculate IP based on network topology Main IP Main IP Main IP Ongoing Probing Ongoing Probing One Time Probing One Time Probing Note If the manual IP address list for probing is configured Pre NGX R60 remote access clients will probe all of the IP addresses and not just those listed in the IP address list If Primary Address is configured Pre NGX R60 remote access clients will treat all IP addresses with the same priority and will ignore the Primary Address Chapter 26 Using Directional VPN for Remote Access Enhancements to Remote Access Communities Remote Access communities now support e Directional VPN e User groups in the destination column of a rule Directional VPN in RA Communities With Directional VPN configured for Remote Access communities the option exists to reject connections to or from a particular network object Consider the rules in Figure 26 1 Figure 26 1 Directional VPN in Remote Access Communities SOURCE DESTINATION SERVICE ACTION Any Any KY Remote_Access_Community iqgapey Mylntranet Any drop Any Any Wo Remote_Access_Community qgayp Any Traffic Any accept Connections are not allowed between remote users and hosts within the Mylntranet VPN community Every other connection originating in the Remote Acces
201. Gateway B does not know how to negotiate with A because it does not yet have the Policy Therefore Policy installation on gateway B fails The solution for this is to make sure that control connections do not have to pass through a VPN tunnel Allowing Firewall Control Connections Inside a VPN If you turn off implied rules you must make sure that control connections are not changed by the security gateways To do this add the services that are used for control connections to the Excluded Services page of the Community object Ss Note Even though control connections between the Security Management server and the gateway are not encrypted by the community they are nevertheless encrypted and authenticated using Secure Internal Communication SIC Discovering Which Services are Used for Control Connections 1 In the main menu select View gt Implied Rules 2 In the Global Properties FireWall page very that control connections are accepted 3 Examine the Security Rule Base to see what Implied Rules are visible Note the services used in the Implied Rules Chapter 4 Introduction to Site to Site VPN 89 How to Authorize Firewall Control Connections in VPN Communities 90 Chapter 9 Public Key Infrastructure In This Chapter Need for Integration with Different PKI Solutions page 92 Supporting a Wide Variety of PKI Solutions page 93 Special Considerations for PKI page 101 Configuration of PKI Operations pag
202. Help The client timeout is read from the Endpoint Connect Settings in Global Properties gt Remote Access Working with RSA Hard and Soft Tokens Global Properties E i x Endpoint Connect Firewall NAT Network Add Authentication Authentication Settings VPN H VPN 1 UTM Edge E Enable password caching No E Remote Access Cache password fo 1440 a ear VPN anc aie VPN IKE Pha VPN IPSEC P Connectivity Settings Certificates Secure Configui Connect mode Configured on endpoint client x SSL Network E R ee re ee z SecureClient Mc Location Aware Connectivity Configured on endpoint client 7 Configure Disconnect when connectivity to network is lost Configured on endpoint client 7 Early Versions C Hot Spot Hotel Disconnect when device is idle Configured on endpoint client x Svaaaad LDA Security Settings SmartMap Route all traffic through gateway No iw FireWall 1 GX UserAuthority Configuration and Version Settings Management High ConnectControl Client upgrade mode Ask user x OSE Open Securit Stateful Inspection Log and Alert Reporting Tools OPSEC SmarCenter ar gt i Cancel Help Working with RSA Hard and Soft Tokens If SecurlD is used for authentication you must manage the users on RSA s ACE management server ACE manages the database of RSA users and their assigned hard or soft tokens The client contacts the
203. IM injects into the local routing tables of both gateways the encryption domain of the peer gateway However when RIM enabled gateways communicate with a gateway that has Hide NAT enabled the peer s interfaces need to be injected as well Figure 8 4 Gateway with Hide NAT Security Gateway B Router 3 Router 2 Security Gateway A Router 1 Internet Security Gateway C Router 4 In this scenario e Secuirity gateways A and B are both RIM enabled and gateway C has Hide NAT enabled on the external interface hiding all the IP addresses behind it e Host 1 behind gateway C initiates a VPN tunnel with Host 2 through gateway A In Figure 8 4 Router 3 contains the routes to all the hosts behind gateway C Router 3 however does not have the Hide NAT IP address of gateway C and as a result cannot properly route packets back to host 1 This solution for routing the packets back properly is twofold 1 Select the flag RIM inject peer interfaces in the Global Properties page This flag will inject router 3 with all of the IP addresses of gateway C including the Hide NAT address Injecting Peer Gateway Interfaces 2 Configure the router not to propagate the information injected to other gateways If the router is not configured properly using the example in Figure 8 4 could result in gateway B routing traffic to gateway C through gateway A Chapter 8 Route Injection Mechanism 185 Configuring RIM
204. IP address Chapter6 Route Based VPN 143 Configuring VTIs in a Clustered Environment 3 Interface name 5 Configure the VTI VIP in the Topology tab 6 Click OK and install policy The sample configurations in Table 6 3 and Table 6 4 use the same gateway names and IP addresses used in Figure 6 3 on page 137 144 Configuring VTIs in a Clustered Environment Table 6 3 Configuring GWb Raia Access the VPN shell Command Line Interface GWb vpn shell This help sa Go up one level quit Quit interface Manipulate tunnel interfaces show Show internal data tunnels Manipulate tunnel data SSeS Add vt GWa VPN shell gt interface add numbered 10 0 0 2 10 0 1 10 GWa nterface vt GWa was added successfully to the system SS SesS Add vt GWc VPN shell gt interface add numbered 10 0 0 2 10 0 0 3 GWe nterface vt GWc was added successfully to the system RESTS SSS Verify configuration VPN shell gt show interface detailed all vt GWa Type numbered MTU 1500 inet addr 10 0 0 2 P t P 10 0 1 10 Mask 255 255 255 255 Peer GWa Peer ID 170 170 1 10 Status attached ka H vt GWe Type numbered MTU 1500 inet addr 10 0 0 2 P t P 10 0 0 3 Mask 255 255 255 255 Peer GWc Peer 1D 190 190 1 1 Status attached VPN shell gt quit GWb ifconfig vt GWa vt GWa Link encap IPIP Tunnel HWaddr inet addr 10 0 0 2 P t P 10 0 1 10 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTIC
205. If true the executable will run every time the Desktop is not SCVed If false it will run once per SecureClient session allow non_scv_clients true false If true the client will send a verified state to the enforcing gateway even if the OS does not support SCV Chapter 24 VPN Routing Remote Access In This Chapter The Need for VPN Routing page 558 Check Point Solution for Greater Connectivity and Security page 559 Configuring VPN Routing for Remote Access VPN page 564 557 The Need for VPN Routing The Need for VPN Routing 558 There are a number of scenarios in which a gateway or remote access clients cannot connect directly to another gateway or clients Sometimes a given gateway or client is incapable of supplying the required level of security For example e Two gateways with dynamically assigned IP addresses DAIP gateways Hosts behind either gateway need to communicate however the changing nature of the IP addresses means the two DAIP gateways cannot open VPN tunnels At the moment of tunnel creation the exact IP address of the other is unknown e SecuRemote SecureClient users wish to have a private conversation using Voice over IP VoIP software or utilize other client to client communication software such as Microsoft NetMeeting Remote access clients cannot open connections directly with each other only with configured gateways In all cases a method is needed to enhance connectivit
206. Issues During IPSec NAT Traversal UDP Encapsulation for Firewalls and Proxies Having successfully negotiated IKE phases and II we move into the IPSec stage Data payloads encrypted with for example 3DES and hashed for integrity with MD5 are placed within an IPSec packet However this IPSec packet no longer contains a TCP or UDP header A hide NAT device needs to translate the port information inside the header The TCP UDP header has been encrypted along with the data payload and can no longer be read by the NATing device A port number needs to be added UDP Encapsulation is a process that adds a special UDP header that contains readable port information to the IPSec packet Figure 31 2 UDP Encapsulation IP TCP Port No Daa aa S IP packet Com IP IPSec Data baus packet Ceme 1p ke UDP amp 0 IPSec Data header UDP encapsulated packet uss IPSec packet encrypts the port information contained in the TCP header of a regular IP packet UDP encapsulation adds a UDP header containing another port number The new port information is not the same as the original The port number 2746 is included in both the source and destination ports The NAT device uses the source port for the hide operation but the destination address and port number remains the same When the peer gateway sees 2746 as the port number in the destination address the gateway calls a routine to decapsulate the p
207. Issues The Need for Connectivity Resolution Features cccccccccessseeeaeeceeeeseeeeeeaeeees 676 Check Point Solution for Connectivity ISSUGS ccccceeccceeeeeeeeeeseeeeeeeseseaeeeaeeees 677 Other Connectivity ISSUES anri fess a reed oe dee sacs a oa a reeset 677 Overcoming NAT Related ISSUCS cccccceccccseeceeeeceseeeeseeeeseeceseeseeeeeeeseeeesneeees 678 During IKE phase l ic ieee pxer elders ade Pen ere et ie nds pee eeu ee teed 679 D ring KE phase lis seein covtussebetehecstsadevivsiedineds distuvadde sg deetiat Mac Sow endah 679 During IPSEC ncia aa fades Sree a a a e aa aae aidata 681 NAT and Load Sharing Clusters cccccceccccsececeseceseeeeceeeeeeeeeeseeeeesneeesaeeeas 683 Overcoming Restricted Internet ACCESS ccscccescceeeceeceeecaeeeeueeeeeseeeseeeneeeaeeraes 685 VISITOR MO ieran i ai e a iT iad aaan d Ea ae aaia Venida aeiia ae 685 Configuring Remote Access Connectivity cccccccccseeeeceeeeeeeeceeeeeeeeeeeeseeeeseeees 689 Configuring IKE Over TO Rik a a a edt een i EA ites nas gaa 689 Configuring Small IKE phase I Proposals cccccsecceseeceeeseeseeeeeseeeeeaeeeees 690 Configuring NAT Traversal UDP Encapsulation c ccccceeceseeeeeeeeeeeaeeeees 690 Configuring Visitor Mod s einan ea ees toca aad Seto aeea 691 Configuring Remote Clients to Work with Proxy Servers cccccssceesseeeeaeeeeees 693 Chapter 32 Clientless VPN The Need for Clientless VPN
208. Issues page 677 Overcoming NAT Related Issues page 678 Overcoming Restricted Internet Access page 685 Configuring Remote Access Connectivity page 689 675 The Need for Connectivity Resolution Features The Need for Connectivity Resolution Features 676 While there are a few connectivity issues regarding VPN between gateways remote access clients present a special challenge Remote clients are by their nature mobile During the morning they may be located within the network of a partner company the following evening connected to a hotel LAN or behind some type of enforcement or NATing device Under these conditions a number of connectivity issues can arise e Issues involving NAT devices that do not support fragmentation e Issues involving service port filtering on the enforcement device Check Point Solution for Connectivity Issues Check Point Solution for Connectivity Issues Check Point resolves NAT related connectivity issues with a number of features IKE over TCP Small IKE phase II proposals UDP encapsulation IPSec Path Maximum Transmission Unit IPSec PMTU Check Point resolves port filtering issues with Visitor Mode formally TCP Tunneling Other Connectivity Issues Other connectivity issues can arise for example when a remote client receives an IP address that matches an IP on the internal network Routing issues of this sort are resolved using Office mode For more information see Office Mode
209. KE properties window opens e Select IKE Phase 1 encryption and integrity methods in coordination with the peer gateway s administrator or accept the defaults e In the Support authentication methods area select Public Key signatures On the VPN page click Matching Criteria The Certificate Matching Criteria window opens The configurations settings in this window force the externally managed gateway to present a certificate from a defined CA and require that the details on the certificate match those specified here This is enforced by the internally managed gateways during IKE negotiation Configuring Traditional Mode VPNs Defining the Encrypt Rule 17 In the Security Rule Base define the Encrypt rule s 18 If you wish to change the IKE Phase 2 properties for this rule double click the Encrypt action and make the required changes Configuring a VPN using a Pre Shared Secret Ss When using a pre shared secret to authenticate gateways you need to enable each gateway in the VPN for pre shared secrets Then on each gateway define a pre shared secret for each of the other gateways However for each pair of gateways you only need to define the pre shared secrets for the pair on one of the gateways Note A pre shared secret defined for externally managed VPN modules in the community is not supported if one of the internally managed members is of version earlier than NG FP3 For example in a VPN with four gateways
210. LMHOSTS all platforms or WINS all platforms except Win 9x For Win NT and Win 2000 configure the SDL timeout Define the site where the domain controller resides and download update the topology If the client is not already a domain member configure the machine as a domain member For Win NT and 2000 e Enable Auto Local Logon optional e Enable Secure Domain Logon Reboot the computer and logon Using Secure Domain Logon After you have rebooted the computer 1 When the Windows NT Logon window is displayed enter the operating system credentials Click OK The SecuRemote Logon window is displayed Enter the SecuRemote credentials in the defined time see Configuring SDL Timeout on page 586 If you fail to logon and no cached information is used wait one minute and try again If SDL is already configured on the client the administrator can customize SecuRemote SecureClient installation packages with SDL enabled by default thereby relieving the user of the need to configure SDL manually This can be done in two ways Create a self extracting client package using the SecureClient Packaging Tool see Packaging SecureClient and select Enable Secure Domain Logon SDL in the Operating System Logon window or Edit the product ini file in the SecuRemote installation package by setting the value of EnableSDL to 1 See Userc C and Product ini Configuration Files for more information Chapter 2
211. Link Selection 217 On Demand Links ODL On Demand Links ODL Ss 218 Route based probing enables use of an On Demand Link which is triggered upon failure of all primary links When a failure is detected a custom script is used to activate the ODL and change the appropriate routing information The ODL s metric must be set to be larger than a configured minimum in order for it to be considered an ODL Figure 11 5 On Demand Links Security Gateway Sp Internet In Figure 11 5 the gateway has two external links one to an ISP the other an ISDN dialup both of which provide connectivity to the Internet On the gateway shown in Figure 11 5 the Route Based Probing mechanism probes all the non On Demand Links and selects the active link with the lowest metric A script is run to activate an On Demand Link when all other links with higher priorities become unavailable When the link becomes available again a shut down script is run and the connection continues through the link with the ISP See Configuring On Demand links on page 227 Note On Demand Links are probed only once using a single RDP session For this reason fail over between On Demand Links is not supported Link Selection and ISP Redundancy Link Selection and ISP Redundancy ISP Redundancy enables reliable Internet connectivity by allowing a single or clustered security gateway s to connect to the Internet via redundant ISP con
212. Meaning connHandle in the handle of the site to be deleted TrGetinformation This function returns a list of all Domain Names The service obtains the list of DNs from certificates in the certificate store Prototype TRAPI CPAPI TrStatus TrGetInformation TrParam paramType TrMsg pParamValue Arguments Argument IN OUT Meaning paramType in Two types are available e TR_USE_DN_LIST Returns list of DNs e TR_ICS REPORT_FILENAME Returns location of the compliance check report pParamValue out the returned message TrGetConfiguration Retrieves information related to site variables The function expects an argument list The first argument must be the IP address of the gateway if referring to a specific gateway otherwise an empty string Each argument must be a string that holds the name of the requested configuration variable Prototype TRAPI CPAPI TrStatus TrGetConfiguration TrMsg pParams TrMsg pConfiguration Client Functions Communicating with Service Arguments Argument IN OUT Meaning pParams in Message that contains attributes to retrieve such as default time out pConfiguration out Returns requested attribute TrSetConfiguration This function saves the user s configuration as an attribute value pair for example Attribute Value IP Address 192 168 x x Authentication scheme The function expects an argument list The first argument
213. Mode e f port 443 is the assigned port for TCPT server do not change the tcp https default in the Allocated Port section e If a customized port other than the default port is agreed upon from the drop down menu select the service that corresponds to this port If the chosen port is not represented by a pre defined service in SmartDashboard create this service e In Allocated IP Address the default is All IPs To avoid port conflicts select the appropriate routable valid IP for the Visitor Mode server If the server has Dynamic Interface Resolving Configuration enabled on the VPN Advanced page it is recommended to allocate a specific address for visitor mode instead of All IPs Note When Visitor Mode is activated on the gateway the RDP interface discovery mechanism does not work A Visitor Mode handshake is used instead These settings configure a Visitor Mode server to run on the gateway Visitor Mode and Gateway Clusters Cluster support is limited The high availability and Load Sharing solutions must provide stickiness That is the visitor mode connection must always go through the same cluster member Chapter 31 Resolving Connectivity Issues 691 Configuring Remote Access Connectivity Failover from cluster member to cluster member in a High Availability scenario is not supported 692 Configuring Remote Access Connectivity Enabling Visitor Mode Using a Connection Profile Create a customized conne
214. N Communitie S cccccceeeeeeeeeeeeeeeeeeeeeeeeeaes 194 Special Considerations for Wire Mode ccccsecceseecceeecceaeeceseeeeseeeeeaeeeesaeeeaaes 196 Configuring Wire Mode mirre i i elke noes create dete behateanadcetnleeideged eter gate 197 Enabling Wire Mode on a VPN Community ccccecccceeececeececueceeseseeeaeeeanes 197 Enabling Wire Mode on a Specific Gateway cccccceeceseeeeeseeeeeeeceeeeeeeaes 197 Chapter 10 Directional VPN Enforcement The Need for Directional VPN c ccecceceeceeeeeeeeeeeeeeeeesueeeeeeeaaeeeeeesaeeeeeeeesaeeees 200 The Check Point SOlUtION wii e cect aieciescckanedcaensebeseedacevackscsthcidecstoudecssasseesvnedecaves 201 Directional Enforcement within a Community ccccecceseeeceeeeeeeeeeeeaeeeeanes 201 Directional Enforcement between Communities ccccceeeeeeeeeeeeeeeeeeeeeees 202 Configuring Directional VPN scic ds cessacaei eens wxaceeenasiegaiesdavsaaa fad guaeZebaeg adeasdtaneneoacs 204 Configuring Directional VPN Within a Community ccccecceseeeeeeeeeeeeeeees 204 Configuring Directional VPN Between Communiti s cccccceecceeeeeeeeeeeeas 205 Chapter 11 Link Selection OVEINIGW ita e teers aaae a a anes onsots a a aai a Mader a aae 208 Using Link SeleGtion sic sched acts abe a N a a be Se at 209 IP Selection by Remote Peers sco sgaiest ouch ancdeaoetoensa etnaeei ees ies det dln 209 Outgoing Route Selection ice cescei sescoseetee
215. N domain Hub C is the name of the security gateway enabled for VPN routing Spoke_A_VPN_Dom is the name of the network object that represents Spoke A s encryption domain See Figure 5 4 for an example of how the file appears Configuring Domain Based VPN Figure 5 4 vpn_route conf Spoke_B_VPN_DOM Hub _C Spoke_A Spoke_A_VPN_DOM Hub_C Spoke_B Configuring the Accept VPN Traffic Rule In SmartDashboard 1 Double click on a Star or Meshed community On the General properties page select the Accept all encrypted traffic checkbox 3 In a Star community click Advanced to choose between accepting encrypted traffic on Both center and satellite Gateways or Satellite Gateways only 4 Click OK A rule will appear in the Rule Base that will accept VPN traffic between the selected gateways Configuring Multiple Hubs Figure 5 5 shows two Hubs A and B Hub A has two spokes spoke_Al and spoke_A2 Hub B has a single spoke spoke_B In addition Hub A is managed from Security Management server A while Hub B is managed via Security Management server B Figure 5 5 Configuring multiple vpn_route conf files Security Management server A y Spoke A2 Spoke A1 Security Management server B For the two VPN star communities based around Hubs A and B Chapter 5 Domain Based VPN 125 Configuring Domain Based VPN 126 e Spokes Al and A2 need to route all traffic going outside of the VPN community through Hub A
216. N1 neo gw certificate If SSL Network Extender is disabled and no certificate for SecureClient Mobile clients is defined a certificate issued by the internal CA is used Transform Template Files TTM The security policy is defined on each gateway individually using the TTM files when the management patch is not installed on the Security Management server TTM files are found on each gateway in the sFpIR con folder There are three types of TTM files e vpn_client_1 ttm Refer to Table 19 1 for details e fw client 1 ttm Refer to Table 19 3 for details e neo client 1 ttm Refer to Table 19 4 for details To configure the security policy using TTM files Advanced Configuration 1 Open a TTM file using any text editor 2 Set the default value for the property you are changing for example neo_ request policy update gateway default true or neo request policy update gateway map false false strue true client decide client decide default true 3 Change the default setting true to create a new default setting for the security policy 4 Save the file and select install policy The following property is used to set the policy expiration timeout for all policies except the firewall policy expiry gateway default 100 The following property is used to set the firewall policy expiration timeout expiry gateway neo policy expire default 100 Configuratio
217. Other issues such as Domain Name Resolution involving DNS servers found on an internal network protected by a gateway are resolved with Split DNS For more information on Split DNS see Remote Access Advanced Configuration Chapter 31 Resolving Connectivity Issues 677 Overcoming NAT Related Issues Overcoming NAT Related Issues NAT related issues arise with hide NAT devices that do not support packet fragmentation When a remote access client attempts to create a VPN tunnel with its peer gateway the IKE or IPSec packets may be larger than the Maximum Transmission Unit MTU value If the resulting packets are greater than the MTU the packets are fragmented at the Data Link layer of the Operating System s TCP IP stack Problems arise when the remote access client is behind a hide NAT device that does not support this kind of packet fragmentation Figure 31 1 UDP Fragmentation VPN Site Nating in Device Fragmentation Fragment 1 gt H Fragment 2 S HAPO Hide NAT not only changes the IP header but also the port information contained in the UDP header In Figure 31 1 the UDP packet is too long so the remote client fragments the packet The first fragment consists of the IP header plus the UDP 678 Overcoming NAT Related Issues header and some portion of the data The second fragment consists of only the IP header and the second data fragment The NATing device does not know how to
218. P is used by the remote host e Under Multiple Interfaces specify whether you want routing to be done after the encapsulation of Office Mode packets allowing traffic to be routed correctly when your gateway has multiple external interfaces e Select Anti Spoofing if you wish the firewall to check that Office Mode packets are not spoofed Chapter 15 Office Mode 315 Configuring Office Mode 316 It is possible to specify which WINS and DNS servers Office Mode users should use To specify WINS and or DNS servers continue to step 3 Otherwise skip to step 6 Note WINS and DNS servers should be set on the Security Management server machine only when IP pool is the selected method 3 Create a DNS server object by selecting Manage gt Network Objects gt New gt Node gt Host and specify the DNS machine s name IP address and subnet mask Repeat this step if you have additional DNS servers 4 Create a WINS server object by selecting Manage gt Network objects gt New gt Node gt Host and specify the WINS machine s name IP address and subnet mask Repeat this step if you have additional WINS servers 5 In the Check Point Gateway Remote Access gt Office Mode page in the IP Pool section click the optional parameters button e In the IP Pool Optional Parameters window select the appropriate objects for the primary and backup DNS and WINS servers e n the Domain name field specify the suffix of
219. PI 417 Functions from Service to Client 418 Arguments Argument IN OUT Meaning notification in the given notification pos in position of the notification val in value of the notification default_text in notification text TrArgGetType This functions fills the TrArg type and returns the status of the operation Prototype TRAPI CPAPI TrStatus TrArgGetType TrArg arg TrArgType type Arguments Argument IN OUT Meaning arg in the argument type out the argument type string int double etc TrArgGetintVal This functions fills the int value and returns the status of the operation If TrArg is not an int an error is returned Prototype TRAPI CPAPI TrStatus TrArgGetIntVal TrArg arg int val Functions from Service to Client Arguments Argument IN OUT Meaning arg in the argument val out value of the argument TrArgGetDoubleVal This function fills the double value and return the status of the operation If TrArg is not double an error is returned Prototype TRAPI CPAPI TrStatus TrArgGetDoubleVal TrArg arg double val Arguments Argument IN OUT Meaning arg in the argument val out value of the argument TrArgGetStrVal This function fills the string value and returns the status of the operation If TrArg is not a string an error is returned Prototype TRAPI CPAPI TrStatus TrArgGetStrVal TrArg
220. RL Pre Fetch Cache cccccccccssccceeeccceceeseecesueeeeaeeeseeeeeans 114 Configuring CRL Grace Period cccecccceeccceeeceseeeeeeeeeeaeeeeeeeeeeeeeeesneeesaeeeeas 114 CONTISUTING 7 OCS Pieni nita sctshtinvahon eae ieee Hele eh Sede hee eae oh de 115 Site to Site VPN Chapter 5 Domain Based VPN OVET EW ects aoa a aaa a ladcortlabientiagias thats Hacdes tanhees eaaa 120 VPN Routing and Access Control ccccccccceeeceeeeceseeceeeeeeeeeeseeeeeeseeeeesneeeesneeees 121 Configuring Domain Based VPN sccccseecccseeeeceeeeeeeeeeseeceseeeeeseeeeeeseseeeesaeees 122 Configuring VPN Routing for Gateways via SmartDashboard cccceeceeeee 122 Configuration via Editing the VPN Configuration File ccc cecceseeeeeeeeeeees 124 Configuring the Accept VPN Traffic Rule ccccccecccceeeceseecesaeceeaeeeeeaeeeaes 125 Configuring Multiple HUDS ccccccccccseececeeeeeeeeeeseeeeseeseeeeeeeseeeesaeeeesneeeegs 125 Configuring SmartLSM Security Gateways cccccceecccecceseeeeseeeeeaeeeeeeeeaees 128 Chapter 6 Route Based VPN OVEIWICW E EEE E E T E E A oniwaddes ieenleatds da tueveds oavenesen dee 130 VPN Tunnel Interface VTI n n ea a a aa aoia 131 NUMBER VT haired annae ae Re pe ata ea e e nA DiE enha 133 Unnumbered Vil teirinn Horie einai ea N aa e aR aE 134 Using Dynamic Routing Protocols ccccccsecccseeceseeeecaeeceeeeceeeeesseeeeseeeeeaeeeeens 135 Configuring Numbered WEIS c
221. SL Network Extender e If the configured authentication scheme is Certificate without Enrollment and the user already has a certificate If the user does not already have a certificate access is denied e If the configured authentication scheme is Certificate with Enrollment and the user does not already have a certificate the Enrollment window is displayed see Figure 30 8 Enter the Registration Key and select PKCS 12 Password Click Ok The PKCS 12 file is downloaded Chapter 30 SSL Network Extender 657 SSL Network Extender User Experience Figure 30 8 Enrollment window E SSL Network Extender Registration Page Microsoft Internet Ea 215 x SSL Network Extender Enter a registration key and choose a pas word ED e Yese yR 2004 Check Point Software Technologies Ltd At this point the user should open the file and utilize the Microsoft Certificate Import wizard as follows Note It is strongly recommended that the user set the property Do not save encrypted pages to disk on the Advanced tab of the Internet Properties of Internet Explorer This will prevent the certificate from being cached on disk Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet Explorer Importing a client certificate to Internet Explorer is acceptable for allowing access to either a home PC with broadband access or a corporate laptop with a dial up connection The client certificate will be au
222. SecurlD HHRAOEOEROAD Enter The Advanced view displays the tokencode and passcode with COPY buttons allowing the user to cut and paste between softID and SecureClient 80114323 Software Token E Ee x File Copy View Tools Help PIN f Clear PIN Current PASSCODE 93274516 Copy for normal authentication Current Tokencode 93274515 Copy for new PIN mode Next PASSCODE 98611745 Copy for new PIN mode Next Tokencode 98611744 Copy for next Tokencode mode SoftiID and SecureClient For remote users to successfully use RSA s softlD 1 The administrator creates the remote users on the Ace Server 2 Out of band the administrator distributes the SDTID token file or several tokens to the remote users The remote user imports the tokens 4 The following userc c property on SecureClient must be set in the OPTIONS section support_rsa_soft_tokens true 296 VPN for Remote Access Configuration The remote user sees three windows PN 1 SecureClient RSA Software Token Authentication r Software Token Token Serial Number 000080114326 7 Passphrase r Password Enter PIN In this window the remote user needs to enter the Token Serial Number and PIN If the remote user does not enter a PIN number the following window appears PN 1 SecureClient RSA Software Token Authentication E r Software Token Token Serial Number 000080
223. The next time that the user connects to the SSL Network Extender portal this skin will not be available to him her Example cd SFWDIR conf extender skin custom mkdir skinl touch disable Install Policy Creating a Skin 1 Enter the custom subdirectory 2 Create a folder with the desired skin name will override the existing skin definition as long as the new skin definition exists Once you QE Note Verify that this name is not already used in chkp If it is the new skin definition have deleted the new skin definition the chkp skin definition will once again be used Each skin folder must contain the following five style sheets e help data css The main OLH page uses this style sheet e help css The inner frame on the OLH page uses this style sheet e index css The ESOD pages and the main SSL Network Extender portal page use this style sheet e style css All login pages use this style sheet e style main css The main SSL Network Extender Connection page Proxy Authentication page and Certificate Registration page use this style sheet Note It is recommended that you copy the aforementioned files from another chkp skin and then modify them as desired 3 Install Policy after creating the new skin 648 Configuring the SSL Network Extender Example Add your company logo to the main SSL Network Extender portal page cd SFWDIR conf extender skin custom mkdir lt skin_ name gt cd lt skin_name gt co
224. VPN domain the LAN behind the gateway are encrypted inside this VPN tunnel using the IPSec standard Except for when the user is asked to authenticate in some manner the VPN establishment process is transparent Figure 14 1 Remote to Gateway VPN site 1 VPN site 2 Gateway 1 Internet Remote ient In Figure 14 1 the remote user initiates a connection to gateway 1 User management is not performed via the VPN database but an LDAP server belonging to VPN Site 2 Authentication takes place during the IKE negotiation Gateway 1 verifies that the user exists by querying the LDAP server behind gateway 2 Once the user s existence is verified the gateway then authenticates the user for example by validating the user s certificate Once IKE is successfully completed a tunnel is created the remote client connects to Host 1 Chapter 14 Introduction to Remote Access VPN 273 The Check Point Solution for Remote Access 274 If the client is behind the gateway for example if the user is accessing the corporate LAN from a company office connections from the client to destinations that are also behind the LAN gateway are not encrypted Remote Access Community A Check Point Remote Access community enables you to quickly configure a VPN between a group of remote users and one or more security gateways A Remote Access community is a virtual entity that defines secure communications between security gateways and remote
225. Virtual Private Networks Administration Guide Version R70 Check Point 703333 April 23 2009 sii SED SOFTWARE TECHNOLOGIES LTD 2003 2009 Check Point Software Technologies Ltd All rights reserved This product and related documentation are protected by copyright and distributed under licensing restricting their use copying distribution and decompilation No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point While every precaution has been taken in the preparation of this book Check Point assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 and FAR 52 227 19 TRADEMARKS Please refer to http www checkpoint com copyright html for a list of our trademarks For third party notices see http www checkpoint com 3rd_party_copyright html Contents Preface Who Should US THis GUJE aininn aaien a aaa eel vacwuah bhaveuh rbaa ASTET 22 Summary OF CONTENTS an iaa aaan anean eiia eaaa ie eaa ae aaa e Seaan 23 Section 1 Introduction to VPN Technology cccccsececcescceeeseeseeeesueeeseeeeees 23 Section 2 Site to Site VPN
226. a _HFA appended to the file name Such configuration files should manually be renamed after copying any relevant configuration data into them There are 3 configuration files that are part of the SCM support and should be renamed FWDIR conf HFA ttm gt SFWDIR conf ttm Downloading HFAs If you do not have an HFA installed download the latest HFA for your gateway version from http www checkpoint com downloads latest hfa htm Chapter 19 SecureClient Mobile 435 Installing SecureClient Mobile Security Management Server Support To centrally manage SCM supporting gateways you need the following Security Management server versions e R65 or later e R62 with the SCM management patch e R61 with the SCM management patch e R60 with the SCM management patch Downloading SCM Management Patch The the relevant patch version from http www checkpoint com downloads Product SecureClient Mobile Version R60 R61 R62 OS Windows Mobile Choose the relevant add on Add on for NNNN Based Security Management server where NNNN is your Security Management server OS version Management Patch Installation To install the management patch 1 At the command prompt on the Security Management server type fwl HOTFIX AAA HF HANN NNN NN 2 When prompted type y to continue with the installation 3 At the command prompt on the Security Management server run the following commands cpstop cpdb scheme_adjust cpstart 4
227. a aien Mle Seedy 424 Always Connected arii eo aaa a a hia E A E A TAE 424 Authentication Schemes ardana aa o a aa a a 424 Support for Alternate Gateway cccceccseccseccasecseeceeeeeeeeeeeeeeeeeeeaeeeeeeeeeeeeees 426 12 Gateway HIStONy E AAE S ashen GAS oadece Had Meek eed eae an 426 Allow Clear Traffic During ActiveSync and When Disconnected ccs0006 426 Secure Configuration Verification SCV Traversal 0 ccceeeeeeeeeeeeeeeeeeaaeeeeeees 427 Topology and Split TUNNGIING cccccceccccsecccceceeeeeeeeeeeeseeeesaeeseeeeeeeseeeeseeeeeas 428 Hub Mode VPN Routing for Remote ACCESS ccccceeeeeeeecaeeeeeeeeeeeeeeeeeeeeseeeas 429 Office Modene aa eaa a E Ea lS laaits E a vis leds wethess ae aneh 429 Visitor M de SSL T nel meninei n a e a a EN A iS eE 429 Security Policies and Client Decide cccccceccccsecceeeeeseeeecaeeeeeeeeeeeeeesseeeeaneeees 430 IP Firewall Policy ee a a a a A E ie edn ee 431 Connectivity POlCy mitsen ee paadi aai a A tat aE iya EN eE EnEn eaaa sedis 432 General GUI Polly tccaccie cossisccesncabesnceldvanecdeccneslbvidcebbevetsrla vec a hned aa bei deraa i 433 Client Deployment Repackaging and Upgrade cccccccccccsseeecaeeeeeeeceseeeeeseees 434 Installifig SecureClient MObi lees saoieetsaticeberstanadde a a Ea 435 SecureClient Mobile Gateway Side Installation c cccccseeccseeeeseeeeeeeeeeaes 435 Modul SUPPO E a a a e ae a a aena aE awa acta ES 435
228. a connection with host 1 The connection can be directed through either M1 or M2 However host 1 is within M2 s original VPN domain For this reason M2 is considered the gateway closest to the destination IP Address M2 is therefore considered the primary gateway and M1 the backup gateway for Host 1 If there were additional gateways in the center these gateways would also be considered as backup gateways for M2 If the VPN domains have fully or partially overlapping encryption domains then more than one gateway will be chosen as the closest entry point to the network As a result more than one gateway will be considered as primary When there are more than one primary or backup gateways available the gateway is selected using an additional selection mechanism This advanced selection mechanism can be either See Advanced Settings on page 239 e First to Respond e Random Selection for load distribution Chapter 12 Multiple Entry Point VPNs 235 Explicit MEP 236 For return packets you can use RIM on the center gateways If RIM is also enabled set a metric with a lower priority value for the leased line than the VPN tunnel The satellite S1 might simultaneously have more than one VPN tunnel open with the MEPed gateways for example M2 as the chosen entry point for host 1 and M1 as the chosen entry point for host 3 While both M1 and M2 will publish routes to host 1 and host 3 the lower priority metric will e
229. a license that enables the VPN module to retrieve information from an LDAP server Create an LDAP account unit Define users as LDAP users A new network object for LDAP users is created on the Users tree The LDAP users also appear in the objects list window to the right For more information see LDAP and User Management in the Security Management Server Administration Guide Defining User Properties and Authentication Methods Refer to Overview section in the Security Management Server Administration Guide Initiating User Certificates in the ICA Management Tool 1 Double click a user to open that user s property window On the Encryption tab click Edit The IKE phase 2 properties window opens On the Authentication tab of this window select Public Key 2 Initiate the user certificate in the ICA management tool For more information see the Security Management Server Administration Guide 286 VPN for Remote Access Configuration Generating Certificates for Users in SmartDashboard 1 On the User properties window Encryption tab click Edit The IKE phase 2 properties window opens On the Authentication tab select Public key In the Certificates tab of the User Properties window click Generate and Save Enter and confirm a PKCS 12 password PKCS 12 is a portable format for storing or transporting a user s private keys certificates etc The PKCS 12 file and the password should be securely transferred
230. able in the Security Policy Rule Base is Encrypt When encrypt is selected all traffic between the gateways is encrypted Check Point Security gateways are more easily configured through the use of VPN communities otherwise known as working in Simplified Mode For more information regarding traditional mode see Traditional Mode VPNs on page 251 Migrating from Traditional Mode to Simplified Mode To switch from Traditional mode to Simplified mode For more information see Converting a Traditional Policy to a Community Based Policy on page 717 1 On the Global Properties gt VPN page select either Simplified mode to all new Security Policies or Traditional or Simplified per new Security Policy File gt Save If you do not save you are prompted to do so File gt New The New Policy Package window opens 3 Create a name for the new security policy package and select Security and Address Translation 4 For the VPN configuration method select Simplified mode if you selected Traditional or Simplified per new Security policy in Global Properties Click OK In the Security Policy Rule base a new column marked VPN appears and the Encrypt option is no longer available in the Action column You are now working in Simplified Mode Chapter 4 Introduction to Site to Site VPN 77 Configuring Site to Site VPNs Configuring a Meshed Community Between Internally Managed Gateways Internally managed VPN communities ha
231. abled true false Set to true to enable a user to perform Hotspot registration log true false Set to true to send logs with the list of IP addresses and ports accessed during registration connect timeout 600 Maximum number of seconds to complete registration max ip count 5 Maximum number of IP addresses allowed during registration block hotspot_after connect true false If set to true upon successful connect the recorded ports and addresses will not remain open max trials 0 This value represents the maximum number of unsuccessful hotspot registration attempts that an end user may perform Once this limit is reached the user will not be allowed to attempt registration again The counter Userc C File Parameters is reset upon reboot or upon a successful VPN connect In addition if you modify the max trials value the modification will take affect only upon successful connect or reboot If the max trials value is set to O an unlimited number of trials is allowed e local subnets true false Restrict access to local subnets only e ports 80 443 8080 Restrict access to specific ports Encryption in Userc C See Structure of Userc C on page 608 Do not manually edit Global aS Note Bold indicates the default value Global Managers or Gateway indicates the location properties e use cert true false Specifies whether Use Certificate will be checked in the IKE Authentication wi
232. ac wisyncustaiuaandiuteeeeieben ances 583 The SOLUTION sh vcctesehgdtetiteden A aaa a e e a e a Raven TA a aE 583 SecuRemote SecureClient and Secure Domain Logon SDL cccccceeeeeeeeeeeeees 584 The ProDle Mins ceeweside ne ioced a e a a Baten civouseciesier A et Melanie 584 THE SOLUCIO Misin rie apean e ade saddae aad cd ena aain p saa a Ee a nana ea Dae 584 Configuring SDE Timed t dsn eect tie ani a i a a aa a ea adati 586 Cached Informatio a a e sate a a a a tna i 586 Configuring Secure Domain LOGOM s ea a a reaa anaia aie ea otat 587 Using Sectire Domain LOg N ecrire arar ai eitri ia aeaii 587 Back Connections Server to CliQnt cccccccccsssssssseseseeeeeeeeeeesseeeeeseeeeeeeeeeeeneaaes 588 Sending Keep Alive Packets to the Server c ccccececceseseeeeeeeeeeeeseeeeaneees 588 Auto Topology Update Connect Mode onlly eccccccseeeeeeeeeeeeeeeeeeaeeeeeeeeaeeeees 589 How to Work with non Check Point Firewalls cccccceccceseeceseeeseeeeeeeeeesaeeeaes 590 Early SecuRemote SecureClients Versions ccccceececsscceeeeseeseeceseeeeseeeeseneeeees 591 Resolving Internal Names with the SecuRemote DNS Server ccccseeeeseeeeeees 592 TAG PROD IGM anne vested adetas ee de aa eaa iE nln dave Nada EA Peart frees whiteness 592 The Solution h cseate tid aa aa a oie Woche Da e aa aTa a aaa be 592 Chapter 28 Multiple Entry Point for Remote Access VPNs The Need for Multiple Entry Point Gateways
233. access rule right click on the action tab of the rule and choose Edit properties gt Apply rule Only if Desktop Configuration is Verified Close the properties screen by pressing OK 5 Edit the local scv file in the SFWDIR conf directory and configure the SCV policy For more information see SCV Policy Syntax on page 530 and The local scv Sets on page 534 6 Install the policy in the policy install dialog box select the Advanced Security policy for the gateways and the Desktop Security policy for the Policy Servers Client Side Configuration 1 If you intend to use an OPSEC SCV application install the application on the client and enable the application s integration with SCV see the application s documentation for information on how to do this 2 Start SecureClient and connect to the gateway to receive the SCV Policy See Desktop Security for more information SCV Policy Syntax The SCV Policy is configured by the administrator in the text file SFWDIR conf local scv This file can be edited either manually by the administrator using a text editor or using a tool called SCVEditor available at http www opsec com The local scv file is a policy file containing sets subsets and expressions Note In general you can use the pre defined checks in the SCVNames section of the local scv file as templates and list the modified checks in the SCVPolicy section without writing new SCV subsets Sets and S
234. ace modify ifname netmask Modify the netmask of an interface by given interface name interface delete peer Delete interface by given peer name interface delete ifname Delete interface by given interface name interface show summary Shows summary of all interfaces or of a specific interface interface show detailed Shows summary of all interfaces or of a specific interface with greater detail tunnels show IKE all Displays all valid SA s tunnels show IKE peer Displays valid SA for a specific peer gateway IP address required tunnels show IPSec all Displays all IPSec tunnels tunnels show IPSec peer Displays IPSec tunnels for a specific peer tunnels delete IKE peer Deletes valid SA s for a specific peer gateway IP address required tunnels delete IKE user Deletes valid SA s for a specific user internal IP address and user name required tunnels delete IKE all Deletes all valid SA s tunnels delete IPSec peer Deletes IPSec tunnels for a specific peer gateway IP address required tunnels delete IPSec user Deletes IPSec tunnels for a specific user internal IP address and user name required tunnels delete IPSec all Deletes all IPSec tunnels tunnels delete all Deletes all SA s and IPSec tunnels AppendixC 731 732
235. acket IPSec Path Maximum Transmission Units IPSec Path MTU is a way of dealing with IPSec packet fragmentation The Data Link layer imposes an upper limit on the size of the packets that can be sent across the physical network the Maximum Transmission Unit or MTU Before sending a Chapter 31 Resolving Connectivity Issues 681 Overcoming NAT Related Issues 682 packet the TCP IP stack of the operating system queries the local interface to obtain its MTU The IP layer of the TCP IP stack compares the MTU of the local interface with the size of the packet and fragments the packet if necessary When a remote client is communicating across multiple routers with a gateway it is the smallest MTU of all the routers that is important this is the path MTU PMTU and for remote access clients there is a special PSec PMTU discovery mechanism to prevent the OS of the client from fragmenting the IPSec packet if the IPSec packet is too large However the PMTU between the remote client and the gateway will not remain constant since routing across the Internet is dynamic The route from gateway to client may not be the same in both directions hence each direction may have its own PMTU VPN handles this in two ways e Active IPSec PMTU e Passive IPSec PMTU Active IPSec PMTU After IKE phase II but before the IPSec stage the remote access client sends special discovery IPSec packets of various sizes to the gateway The DF do not fragment
236. affic can be inspected for malicious content before being passed to the client Visitor Mode When the client needs to connect through a gateway that limits connections to port 80 or 443 encrypted IPSec traffic between the client and the gateway is tunneled inside a regular TCP connection 64 bit Support The Endpoint Connect Installation package determines whether the underlying operating system is 32 or 64 bit and installs the appropriate drivers Installation and Use Small footprint Offline and Web deployment Endpoint Connect is easily distributed through the Connectra portal Automatic upgrades Endpoint Connect upgrades are automatic transparent to the user and do not require administrator privileges or a client reboot Site and Create New Site connection wizards For quickly configuring connections to corporate resources CLI Scripting For automation and internal testing and use as an embedded headless client OPSEC API Available for embedded applications Endpoint Connect is also designed to be part of specialized customer integrations and deployments for example organizations that build their own corporate presence applications that require VPN components The client s intelligent auto detect and disconnect features make it ideal for remote unmanned devices that need multiple High Availability Administration options such as embedded Windows ATMs For such scenarios Endpoint Connect offers a native
237. affic may also need to be sent unencrypted in the clear when the mobile device is located in a private network inside the encryption domain For example when a Wi Fi base station is located inside the corporate network 426 Connectivity Features Configuring the client not to allow clear traffic in ActiveSync effectively makes the client auto disconnect if it is placed in cradle And would also prevent the user from manually connecting as long as the device is cradled Configure this feature using the neo clear in activesync neo allow clear while disconnected and neo disconnect when in enc domain properties Secure Configuration Verification SCV Traversal SecureClient Mobile users can connect to a gateway that requires SCV validation In cases where a gateway is configured to only allow access to clients that have passed the SCV checks an exception can be made not to apply the SCV check to SSL clients This includes SecureClient Mobile and SSL Network Extender SNX To enable this feature navigate to Global Properties gt Remote Access gt Secure Configuration Verification SCV gt Exceptions Select the Do not apply Secure Configuration Verification on SSL clients connections checkbox Chapter 19 SecureClient Mobile 427 Topology and Split Tunneling Topology and Split Tunneling 428 A topology is the collection of enabled VPN links in a system of gateways their VPN domains hosts located behind each gateway and t
238. age arana tes aoa a lotic edhe eda ws eA terete 473 Creating ari MSI Packages reiii eas eaaa iactles seotde a a 474 Gontiguring the SAA PIUSIN i nae a a araa a a ee ia a piae ea bs 474 Troubleshooting e ae cals e a a a Golde ashlee seed a a Aa del 476 Enabling Log FileSe reeni iii nea ense a aaia e aa aaia ta aiani 476 Routing TAD Gs wccancdenwain ereda eia ee a de ada aa aaa aaia G eaat 476 IP COnTISU NATION see eaa da a chads Shed aa oa aaa aaa 476 Error Messages a a edit soles aAa EAN a eraai ges 476 ACditiGnal RESOUICES anino tanar a a E E aE E 478 Chapter 20 Packaging SecureClient Introduction The Need to Simplify Remote Client Installations ccccceeeee 480 The Check Point Solution SecureClient Packaging Tool cccccceseeceseeeeeeeeees 481 OVEIVIOW E E E E EE E verdes saneeies Debden so akeaa tata deeeutddaeWarele alee 481 How Does Packaging Tool Work cccccccsecccscecceeeeeeeceeeeceseeeeeseeeeeaeeeeanes 482 The MSI Packaging Solution cccccceeccseceeeeeeeeeeceeeeeeeeeeeeseeesaeeeeaneeeanes 482 Creating a Preconfisur d Package 2 6 22 cect cccdvdheacds deadies ide dads Mader sactenyeadtevetaatess 483 Creating a New Package Profile ccccccsccccseeceseceeeeeeeaeseeeaeeeeseeesneeesaeeeas 483 G nerating a Package tirare tiiat e Mahan eran ele ek a mea E aE ye 484 Adding Scripts to a Package o c2 0csessee see sins savceesisieeas seeded cass tadenasfeuscdeveriees 485 Configuring MSI
239. ailability you can configure multiple Policy Servers Load balancing can be especially important at times of high load for example when a large number of users log in at the beginning of the work day Connect Mode e High Availability between all Policy Servers trying selected first SecureClient will always try the specified Policy Server first If this server is unavailable the SecureClient will randomly choose a different server from among the remaining servers e High Availability only among selected Policy Servers SecureClient will randomly choose a Policy Server from the specified group This option provides Load Balancing as well since the load will be more equally distributed among the Policy Servers Policy Download When is a Policy Downloaded When a user creates a site in SecureClient a list of Policy Servers is downloaded to the client s machine If the user is using Connect mode the default mode a policy will be automatically downloaded from a Policy Server when the SecureClient machine connects to the site The automatic policy download can also be disabled this configuration is controlled in the user s profile Desktop Security Solution Policy Renewal If a time out is defined for a policy default is 60 minutes SecureClient will reconnect to the Policy Server to download a new policy when half specified time period has elapsed If more than one Policy Server is defined see High Availability
240. alable and resilient but also provides e Confidentiality e Integrity e Authentication Confidentiality Only the communicating parties must be able to read the private information exchanged between them Authentication The communicating parties must be sure they are connecting with the intended party Integrity The sensitive data passed between the communicating parties is unchanged and this can be proved with an integrity check 62 The Check Point Solution for VPN The Check Point Solution for VPN A Virtual Private Network VPN is a secure connectivity platform that both connects networks and protects the data passing between them For example an organization may have geographically spaced networks connected via the Internet the company has connectivity but no privacy Check Point Security Gateways provide privacy by encrypting those connections that need to be secure Another company may connect all parts of its geographically spaced network through the use of dedicated leased lines this company has achieved connectivity and privacy but at great expense The Check Point Product Suite offers a cheaper connectivity solution by connecting the different parts of the network via the public Internet A Virtual Private Network is a network that employs encrypted tunnels to exchange securely protected data Check Point Security gateways create encrypted tunnels by using the Internet Key Exchange IKE and P Security IPSec
241. ally each time that a user connects to a gateway and when a user reconnects after an authentication timeout occurs It is also updated on a regular basis as defined by the administrator To define the frequency with which updated site details are downloaded to the client l 2 In SmartDashboard select Policy gt Global Properties gt Remote Access In Topology Update select Update topology every hours 3 Enter the frequency in hours with which the policy should be updated Security Policy A security policy is created by the system administrator in order to regulate incoming and outgoing traffic If a client connects and SecureClient Mobile support is not enabled a default policy is enforced as defined in the client package Use one of the following methods listed in order of priority to configure a security policy l Using SmartDashboad click Policy gt Global properties gt Remote Access gt SecureClient Mobile and select Yes in the Enable firewall policy drop down menu Set the Firewall policy and Enable Microsoft ActiveSync policy to the required values Chapter 19 SecureClient Mobile 451 Configuring SecureClient Mobile 2 Using the GUIDBEdit tool on the Security Management server For additional information refer to Advanced Configuration on page 455 3 Modifying the TTM files on each gateway For additional information refer to Transform Template Files TTM on page 466 4 Modifying
242. an error stating that the converter cannot translate such rules automatically In this case it is important to review the translated rule base before installing it in order to avoid security breaches It may be necessary to add rules to make sure that all the traffic that was previously dropped by the original Rule Base is dropped in the translated Rule Base How the Converter Handles Disabled Rules If a rule in the Traditional VPN Rule Base was disabled the translated rule in the simplified Rule Base will also be disabled After Running the Wizard After running the Wizard examine the Rule Base to see that it has retained the desired functionality and if necessary optimize the Rule Base and make other changes as follows These points have been covered in the earlier discussion but are summarized here for convenience Take out Unneeded Drop Rules In some cases you can delete the second Drop rule generated by the conversion of an Encrypt rule because it will never match any connection and the first rule is sufficient This is the case for rules where the following are true e The source and destination are located in the encryption domain of gateways appearing in the Installed on column of the rule e A Community links all gateways protecting addresses in the Source and also links gateways protecting addresses in the Destination AppendixB 727 728 Another case where you can delete the second Drop rule generated by the
243. and without UDP encapsulation when dealing with remote access There is no UDP encapsulation between gateways There is no need to enable UDP on the client unless you want to shorten the existing small IKE phase II proposals Enable UDP encapsulation in a connection profile the remote user works in connect mode to automatically receive the profile To configure a From the file menu Manage gt Remote Access gt Connection profiles the Connection Profiles window opens Click New b Connection Profile Properties window opens On the Advanced tab select Force UDP Encapsulation If the user is not working in connect mode the user has to manually enable UDP Encapsulation on the client On the client s file menu Tools gt Advanced IKE Settings select Force UDP Encapsulation 690 Configuring Remote Access Connectivity Selecting UDP encapsulation on the gateway means that the gateway supports both encapsulated VPN traffic and traffic that is not encapsulated Note Microsoft L2TP IPSec clients cannot work with Check Point gateways when UDP encapsulation is required Configuring Visitor Mode Visitor Mode requires the configuration of both the Server and the Client See also Visitor Mode and MEP on page 599 Server Configuration To enable the TCP tunnelling feature on the security gateway On the gateway object running the Visitor Mode Server Remote Access page gt Visitor Mode section select Support Visitor
244. aneously IKE negotiations handled exceeds the accespted threshold it concludes that it is either under load or experiencing a Denial of Service attack In such a case the gateway can filter out peers that are the probable source of a potential Denial of Service attack There are two kinds of protection Stateless Protection Against IKE DoS Attacks A security gateway prevents IKE DoS Attacks by delaying allocation of gateway resources until the peer proves itself to be legitimate The following process is called stateless protection 1 If the gateway concludes that it is either under load or experiencing a Denial of Service attack and it receives an IKE request it replies to the alleged source with a packet that contains a number that only the gateway can generate The gateway then forgets about the IKE request In other words it does not need to store the IKE request in its memory which is why the protection is called Stateless 2 The machine that receives the packet is required to reinitiate the IKE request by sending an IKE request that includes this number 3 If the gateway receives an IKE request that contains this number the gateway will recognize the number as being one that only it can generate and will only then continue with the IKE negotiation despite being under load If the Check Point Security Gateway receives IKE requests from many IP addresses each address is sent a different unique number and each add
245. aps both machines are the same in terms of strength of performance but one has a cheaper or faster connection to the Internet In this case the machine with the better Internet connection should be configured as the primary See Primary Backup Gateways on page 242 Load Distribution in which the remote VPN peer randomly selects a gateway with which to open a connection For each IP source destination address pair a new gateway is randomly selected An organization might have a number of machines with equal performance abilities In this case it makes sense to enable load distribution The machines are used in a random and equal way See Random Selection on page 236 Implicit MEP is supported if the gateways with overlapping encryption domains are in the same community If they are located in different communities only one of the gateways will be used for this encryption domain Note When upgrading from a version prior to NGX R60 where Implicit MEP was already configured the settings previously configured will remain Implicit MEP First to Respond When there is no primary gateway all gateways share equal priority When all gateway s share equal priority e Remote VPN peers send RDP packets to all the gateways in the MEP configuration e The first gateway to respond to the probing RDP packets gets chosen as the entry point to network The idea behind first to respond is proximity The gateway wh
246. are located behind gateway 2 As a result SecureClient users do not need to re authenticate when accessing the resources behind gateway 2 This also allows for logging all the SecureClient activity to other resources behind other gateways Note For remote hosts to successfully access resources behind gateway 1 either all Office Mode IP s must be part of gateway 2 s encryption domain or Hide NAT must be enabled on gateway 1 Desktop Security Policy Desktop Security Policy When is a Policy Downloaded When a user creates a site in SecureClient a list of Policy Servers is downloaded to the client s machine A policy will be automatically downloaded from a Policy Server when the SecureClient machine connects to the site The automatic policy download can also be disabled this configuration is controlled in the user s profile Policy Expiration and Renewal The Desktop security policy is only valid for a certain period of time After half of the period set has elapsed the remote client queries the Policy Server for a renewal update The client tries to renew the current policy even if the previous renewal failed If the renewal process continually fails then the current Desktop Security Policy expires the remote client remains with the previous policy During the Security Policy update the mobile users log files are being uploaded to the Policy Server Prepackaged Policy SecureClient can be pre packaged to include a d
247. arly Versions Compatibility 2 Select Static calculation based on network topology if pre NGX gateways should use topology calculation to resolve IP addresses 3 Select Dynamic interface resolving mechanism to convert to one of the methods in Table 11 4 The R70 gateway will convert the method used by the Pre NGX gateway as follows Table 11 4 Backward Compatibility R70 Gateway Method Selected address from topology table Method used by Pre NGX Gateway Ongoing Probing Statically NATed IP Ongoing Probing Use DNS resolving Ongoing Probing Calculate IP based on network topology Main IP Main IP Main IP Ongoing Probing Ongoing Probing One Time Probing One Time Probing Note If the manual IP address list for probing is configured Pre NGX R60 gateways will probe all of the IP addresses and not just those listed in the IP address list When link tracking is activated on the local gateway the gateway sends a log for every new resolving decision performed to one of its remote VPN peers VPN tunnels When dynamic ongoing resolving is configured on the remote peer or when Route Based Probing is activated on the local gateway log entries are issued for all resolving changes Chapter 12 Multiple Entry Point VPNs In This Chapter Overview page 230 Explicit MEP page 232 Implicit MEP page 240 Routing Return Packets page 244 Configuring MEP page 247 229 Overvi
248. assword Management of Internal CA Certificates If the administrator has configured Certificate with Enrollment as the user authentication scheme the user can create a certificate for his her use by using a registration key provided by the system administrator To create a user certificate for enrollment 1 Follow the procedure described in The Internal Certificate Authority ICA and the ICA Management Tool in the Security Management Server Administration Guide Q Note In this version enrollment to an External CA is not supported 640 2 Browse to the ICA Management Tool site https lt mngmt IP gt 18265 and select Create Certificates Configuring the SSL Network Extender 3 Enter the user s name and click Initiate to receive a Registration Key and send it to the user When the user attempts to connect to the SSL Network Extender without having a certificate the Enrollment window is displayed and he she can create a certificate for his her use by entering the Registration Key received from the system administrator For a description of the user login experience refer to Downloading and Connecting the Client Note The system administrator can direct the user to the URL http lt IP gt registration html to allow the user to receive a Registration Key and create a certificate even if they do not wish to use the SSL Network Extender at this time 3 You can determine whether
249. at are not configured for VPN For example an employee might unexpectedly need to log into the company mail server from an Internet cafe The employee cannot install software on the browser or even configure it yet the connection to the company mail server must still be secure and the employee must have some means of authentication Consider a software company wishing to provide its beta sites with access to bug tracking software via a web server The beta peers do not employ VPN technology The connection must be secure and the beta users must be authenticated Another scenario an e commerce company is suffering attacks over the Internet The company needs to be able to monitor incoming packets for harmful content yet packets in a standard SSL based connection passing directly between client and server are encrypted The administrator must both secure this connection and make the packets available for monitoring The common factor in these scenarios is that a secure connection must be established in a situation where VPN technology is not available on the client side A solution is required that e Supports secure connections e Does not involve installation or configuration of software on the client side e Allows users to be authenticated e Allows packets to be inspected by the gateway The Check Point Solution for Clientless VPN The Check Point Solution for Clientless VPN Securing connections when VPN technology is not available to
250. at this label exists is to allow nested ANDed sections inside ORed sections For example if an Configuring SCV administrator considers old browsers as secure since they do not have a lot of potentially unsafe components and new browsers as secure since they contain all the latest security patches he can define the following SCV rules begin_or orl begin_and and1 browser major version 5 browser minor version 0 browser version operand gt send and1 begin_and and2 browser major version 3 browser minor version 0 browser version operand lt send and2 end orl In the example above the first AND section checks whether the version of IE gt 5 0 the second AND section checks whether the version of IE is lt 3 0 and the are ORed The entire example is evaluated as true only if the version of IE is larger than or equal to 5 0 OR lower than or equal to 3 0 Expressions and Labels with Special Meanings There are several expressions and labels which have special meaning e begin_admin admin this label starts a section defining several actions which are performed only if the client is considered as non SCVed by previous expressions in the subset i e if previous expressions in the subset have returned a value of false The end of this section is marked by the end admin label e send_log type This expression is used as part of the begin_admin admin end admin sec
251. ate the line disconnect_on_ smartcard removal STRING false GW_USER 0 c Replace false with true d Save and close the file Chapter 17 Endpoint Connect 379 Tunnel Idleness 380 Tunnel Idleness A number of organizations may have specific security requirements such that an open VPN tunnel should be transporting work related traffic to the site at all times An idle or inactive tunnel should be shut down Stay alive packets or noise such as NetBios Broadcasts to port 83 or DNS broadcasts to port 137 are not considered work related A mail program such as OUTLOOK performing a send receive operation every five minutes would be considered work related and the tunnel kept open For this reason a tunnel idleness interval can be configured in accordance with the company s security policy Tunnel idleness can be set either in the gateway policy or on the client Configuring Tunnel Idleness on the Client 1 Open for editing sprogramfiles checkpoint endpoint connect trac defaults 2 Locate the line tunnel idleness timeoutINT 0 GW_USER 0 3 Replace INT O with a value For example INT 20 will shut down an inactive VPN tunnel after twenty minutes INT 0 means no tunnel idleness The feature is switched off This setting is only enforced if no policy regarding tunnel idleness is set on the gateway Otherwise the gateway policy set by Security Management server is enforced
252. ateway e All the gateways in the MEP 1 Must support visitor mode 2 The user must be working with a Visitor Mode enabled profile Routing Return Packets To make sure return packets are routed correctly the MEPed gateway makes use of IP pool NAT IP Pool NAT IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped to an IP address drawing from a pool of registered IP addresses In order to maintain symmetric sessions using MEPed gateways the MEPed gateway performs NAT using a range of IP addresses dedicated to that specific gateway and should be routed within the internal network to the originating gateway When the returning packets reach the gateway the gateway restores the original source IP address and forwards the packets to the source Note When Office Mode is enabled there is no need to configure IP Pool NAT since Office Mode dynamically assigns IP s to remote hosts Chapter 28 Multiple Entry Point for Remote Access VPNs 599 Disabling MEP Disabling MEP When MEP is disabled MEP RDP probing and fail over will not be performed As a result remote hosts will connect to the gateway defined without considering the MEP configuration 600 Configuring MEP Configuring MEP In This Section First to Respond page 601 Primary Backup page 602 Load Distribution page 603 Configuring Return Packets page 603 Configuring Preferred Backup Gateway page 604 Disabling MEP pag
253. ating systems are not Configuring SCV Some other minor changes from the described syntax appear in the local scv policy file You can review the changes in the default local scv policy file In general you can use the pre defined checks in the SCVNames section as templates and list the modified checks in the SCVPolicy section without writing new SCV subsets Note To enforce a specific SCV check set the parameters of the check in the SCVNames section and include the name of the check in SCVPolicy Sample SCVObject SCVNames user policy scv type plugin parameters BrowserMonitor type plugin parameters browser major version 5 browser minor version 0 browser_ version operand gt browser version mismatchmassage Please upgrade your Internet browser 7 intranet_ download signed activex disable sintranet run activex disable intranet download files disable intranet_java permissions disable trusted download signed activex disable trusted run activex disable trusted download files disable trusted java permissions disable internet download signed activex disable internet run activex disable internet_download files disable internet_java permissions disable restricted download signed activex disable restricted run activex disable restricted download files disable restricted java permissions disable send log alert Ghee et
254. ay M2 and the connection would be dropped because packets that come into a gateway whose session was initiated through a different gateway are considered out of state packets Since gateway M2 s internal interface is trusted and wire mode in enabled on the community no stateful inspection is performed and gateway M2 will successfully continue the connection without losing any information Wire Mode with Route Based VPN Figure 9 2 Wire Mode in a Satellite community t Satellite Gateway A Satellite Gateway B Chapter 9 Wire Mode 193 Wire Mode Scenarios In the scenario depicted in Figure 9 2 e Wire mode is enabled on Center gateway C without an internal trusted interface specified e The community is wire mode enabled e Host 1 residing behind Satellite gateway A wishes to open a connection through a VPN tunnel with Host 2 behind Satellite gateway B In a satellite community Center gateways are used to route traffic between Satellite gateways within the community In this case traffic from the Satellite gateways is only rerouted by gateway C and cannot pass through gateway C s firewall Therefore stateful inspection does not need to take place at gateway C Since wire mode is enabled on the community and on gateway C making them trusted stateful inspection is bypassed Stateful inspection however does take place on gateways A and B Wire Mode Between Two VPN Communities Figure 9 3 Wire Mo
255. before last first domain_udp_router boolean true true domain_udp_router_p string first first last before last First dqnt_nnnuin hidden foiders messane honlean true oe Ready 192 168 186 1 Read Write Ui 3 Configure the following parameters e disconnect_on idle e do not check idleness on_icmp packets e do not check idleness on these services By listing services you effectively include the associated port numbers For example if NetBios is entered as the service then port 83 is not monitored for tunnel idleness e enable disconnect _on idle e idle timeout_in minutes Chapter 17 Endpoint Connect 381 Cooperative Enforcement Ss Set a value such as 30 for thirty minutes Note If you enter a value for idle timeout_in minutes then enable disconnect_on_idle must also be set to TRUE 4 Save and install a policy Cooperative Enforcement Endpoint Connect works with Cooperative Enforcement technology Cooperative enforcement relies on the Endpoint Security server compliance feature which defines whether a remote client is secure and blocks connections that do not meet predefined requisites Using this feature each firewall module queries an Endpoint Security server to determine the policy compliance of any client that attempts to open a connection through it By enabling cooperative enforcement an administrator can allow traffic only from clients that comply with the firewall module s software configuratio
256. board use with or without the user s consent Some keystroke loggers transmit the recorded information to third parties Adware Programs that display advertisements or records information about Web use habits and store it or forward it to marketers or advertisers without the user s authorization or knowledge Browser plug ins Programs that change settings in the user s browser or adds functionality to the browser Some browser plug ins change the default search page to a pay per search site change the user s home page or transmit the browser history to a third party Dialers Programs that change the user s dialup connection settings so that instead of connecting to a local Internet Service Provider the user connects to a different network usually a toll number or international phone number 3rd party cookies Cookies that are used to deliver information about the user s Internet activity to marketers Other undesirable software Any unsolicited software that secretly performs undesirable actions on a user s computer and does not fit any of the above descriptions 632 Special Considerations for the SSL Network Extender Special Considerations for the SSL Network Extender This section lists SSL Network Extender special considerations i e pre requisites features and limitations In This Section Pre Requisites page 633 Features page 634 Pre Requisites The SSL Networ
257. boot the SecuRemote SecureClient machine Configuring SDL Timeout Because SDL depends on the synchronization of concurrent processes flexibility in defining timeouts is important The SDL Timeout feature of Secure Domain Logon allows you to define the period during which a user must enter his or her domain controller credentials When the allocated time expires and no cached information is used if applicable the logon fails The timeout is controlled by the sdl_netlogon_ timeout lt value in seconds gt parameter in the file Objects 5 0 C Note This feature is not applicable if the Auto Local Logon option is enabled Connect Mode Only Cached Information When the SecuRemote SecureClient machine successfully logs on to a domain controller the user s profile is saved in cache This cached information will be used if subsequent logons to the domain controller fail for whatever reason To configure this option in the client registry proceed as follows 1 Go to HKLM Software Microsoft Windows NT Current Version Winlogon 2 Create a new key CachedLogonCount with the valid range of values from O to 50 The value of the key is the number of previous logon attempts that a server will cache A value of O disables logon caching and any value above 50 will only cache 50 logon attempts 586 SecuRemote SecureClient and Secure Domain Logon SDL Configuring Secure Domain Logon l Configure the SecuRemote Client to use
258. built The Diffie Hellman algorithm builds an encryption key known as a Shared secret from the private key of one party and the public key of the other Since the IPSec symmetrical keys are derived from this DH key shared between the peers at no point are symmetric keys actually exchanged IKE Phase I During IKE Phase e The peers authenticate either by certificates or via a pre shared secret More authentication methods are available when one of the peers is a remote access client e A Diffie Hellman key is created The nature of the Diffie Hellman protocol means that both sides can independently create the shared secret a key which is known only to the peers e Key material random bits and other mathematical data as well as an agreement on methods for IKE phase Il are exchanged between the peers In terms of performance the generation of the Diffie Hellman Key is slow and heavy The outcome of this phase is the IKE SA an agreement on keys and methods for IKE phase Il Figure 2 1 illustrates the process that takes place during IKE phase but does not necessarily reflect the actual order of events Overview Figure 2 1 IKE phase IKE Phase I for Security Gateways mn sees ee ee ves ess se gt Peers authenticate using certificates or a pre shared gt secret Certificate virawaanensiiee bee ued Sewee eesteeebineeeseeee i ccawes Cdn COD DORIC ECS Eon S eN 6 d ccieaicie cles 655055 0 44 1 Froma pool of
259. ccsetoseeiei eet ein A a aaa 136 Enabling Route Based VPN cccccccseecceeeecceeeeeeeeeceseeeeseeeeeaeeeeeaeeeeaeeeanees 136 Numbered Vils rannta nea e a sauces ae E A seus lavas TE aes 136 VTIs in a Clustered Environment ccccccceeceeecceeeeeeeeeeeeeeeesaeeeeeesaueeeeeeaaeeeeeees 139 Configuring VTIs in a Clustered Environment cccccceecceseceeeeeeeeeeeseseeeeeaeeees 140 Enabling Dynamic Routing Protocols on VTIS cccccceecceeseeeseeeeeeeeeeeeeceeaeeeeanes 147 Configuring Anti Spoofing on VTIS ccccccccceeccceeceeeeeeeeeeeeeseeeesaeeeeseecesaeeesneees 151 Configuring a Loopback Interface c ccecccccecccceceeeeeeceeeeeeseeceeseeeeseeeeaeeeesneees 153 Configuring Unnumbered VTIS ccccccccesccceececeeeeeeeeeseeeeeeeeeeeeeeeeeeeseeeeaneeees 156 Routing Multicast Packets Through VPN TUNnnelS cc cecceseeceeeeeeeeeeeeaeeeaees 160 Chapter 7 Tunnel Management OVEINVIOW a aro aoai aeara eaa a thedtevseaitevasaddes ideals 164 Permanent TUNNEIS sioen hansa a enii neiaie ea e E Eee 164 VEN Tunnel Sharing oiden ae a edee ea E a E e n eRe ts 167 Config ring Tunnel Feat reSeci esi elie a a ea dune deh a daaa dahani biaa 168 Permanent TUNNELS sienn ni euis anera iape eea o daa aea rA ea Ea 170 Advanced Permanent Tunnel Configuration ccccccecceceececeeeeeeeeeeeeeesaeees 173 Tracking Optlons ngere en an bien e an ae aa e a a a ea T eaea sabe 174 Terminating Permanent Tunnels gatzen aaa e
260. ce If a NAT device is detected between the peers communication between them switches to UDP port 4500 NAT T is not supported using Aggressive Mode UDP port 4500 must be enabled which will be used for the entire VPN session NAT T is supported for Edge devices L2TP clients and 3rd party gateways IKE over TCP IKE over TCP solves the problem of large UDP packets created during IKE phase The IKE negotiation is performed using TCP packets TCP packets are not fragmented in the IP header of a TCP packet the DF flag do not fragment is turned on A full TCP session is opened between the remote host and the gateway for the IKE negotiation during phase UDP Encapsulation This method adds a special UDP header that contains readable port information to the IPSec packet The new port information is not the same as the original The port number 2746 is included in both the source and destination ports The NAT device uses the source port for the hide operation but the destination address and port number remains the same When the peer gateway sees 2746 as the port number in the destination address the gateway calls a routine to decapsulate the packet Idleness Detection idleness Detection SecureClient has the ability to determine VPN traffic idleness while a user is connected using SecureClient to a Check Point gateway A VPN tunnel is considered to be idle when no network traffic which originated by an explicit action of a user
261. ce is active Prototype TRAPI CPAPI bool TriIsTracActive TrConnEnum Ennumerates all configured sites Returns a connection handle according to the given index starting from zero When there are no more sites in the list a NULL value is returned Prototype TRAPI_CPAPI TrConn TrConnEnum int connIndex Client Functions Communicating with Service Arguments Argument IN OUT Meaning connIndex in the connection handle representing the connection for the site TrConnGetInfo According to a given connection handle this function retrieves information from the connection STRUCT Prototype TRAPI CPAPI TrStatus TrConnGetInfo TrConn connHandle TrConnStruct connStruct Chapter 18 Endpoint Connect API 393 Client Functions Communicating with Service Arguments Argument IN OUT Meaning connHandle in The handle for the connection TrConnStruct out The connection information as contained in the STRUCT e char mDisplayName PARAM MAX LEN the same of the site as given by the user e char mGwIP PARAM MAX LEN the IP address of the site s gateway e char mGwHostname PARAM MAX LEN the FQDN of the site nt mConnStatus the status of the connection connecting connected reconnecting or terminated when the service is down Idle O e ji e bool mIsActiveSite TRUE if this connection is the active site meaning the last site to which the user successfully c
262. ceptions The Secure Configuration Verfication Exceptions Screen appears Secure Configuration Verification Exceptions The following hosts can be accessed using the selected services even if the client is not verified D Select Do not apply Secure Configuration Verification on SSL Clients Connections Click OK 468 Client Deployment Overview Client Deployment Overview SecureClient Mobile is packaged as a self installing CAB cabinet or MSI Microsoft Installer file package Users can install either package without specifying configuration details This ensures the proper configuration of SecureClient Mobile software A CAB file package contains compressed files which are mainly used to distribute software The CAB file package is installed directly on the mobile device and has a cab file extension The MSI package is installed on the user s personal computer and has a msi file extension It is used for a silent unattended installation During installation the CAB file package is extracted from the MSI package and installed on a connected mobile device using ActiveSync services Package Customization The administrator obtains the SecureClient Mobile distribution package from the Check Point Download Center The distribution package is located in a zip file which contains the folders file listed in Table 19 5 Table 19 5 Folder File Explanation client_api SecureClient Mobile API plus sample code cl
263. certificate _ nal SSL Clients Authentication Hub Mode configuration SmartView Monitor i F UserAuthority Server IV Allow SecureClient to route traffic through this gateway Logs and Masters Capacity Optimization Cooperative Enforceme NAT traversal Check Point proprietary Advanced IV Support NAT traversal mechanism UDP encapsulation Allocated port je YPN1_IPSEC_encapsulation Visitor Mode configuration I Support Visitor Mode ENVICe je https Le Machine s Interface al Interfaces z Cancel Help wo 372 Secure Configuration Verification Select Allow SecureClient to route traffic through the gateway The setting applies equally to Endpoint Connect Secure Configuration Verification While SecureClient uses the SCV settings configured in Global Properties no SCV enforcement occurs for Endpoint Connect Endpoint Connect takes advantage of Cooperative enforcement to guarantee a secure configuration This means that for Endpoint Connect 1 Bypass SVC for none SecureClient traffic by creating an exception a b Open Global Properties gt Remote Access gt Secure Configuration Verification Select Apply Secure Configuration Verification on Simplified mode Security Policies Click Exceptions In the Secure Configuration Verification Exceptions window select Do not apply Secure Configuration Verification on SSL client connections Global Properti
264. certificate is used to authenticate the peer Every deployment of Check Point Security Management server includes an Internal Certificate Authority ICA that issues VPN certificates for the VPN modules it manages These VPN certificates simplify the definition of VPNs between these modules For more information about the ICA see the Security Management server Administration Guide Situations can arise when integration with other PKI solutions is required for example e AVPN must be established with a security gateway managed by an external Security Management server For example the peer gateway belongs to another organization which utilizes Check Point products and its certificate is signed by its own Security Management server s ICA e AVPN must be established with a non Check Point VPN entity In this case the peer s certificate is signed by a third party CA e An organization may decide for whatever reason to use a third party CA to generate certificates for its gateways Supporting a Wide Variety of PKI Solutions Supporting a Wide Variety of PKI Solutions Check Point Security Gateways support many different scenarios for integrating PKI in VPN environments Multiple CA Support for Single VPN Tunnel Two gateways present a certificate signed by different ICAs Support for non ICA CAs In addition to ICA security gateways support the following Certificate Authorities e External ICA The ICA of another Secu
265. check SCVCheckName1 SCVCheckNamel defines the name of the set of tests It is defined in the SCV application and should be provided by the SCV manufacturer The type plugin expression specifies that the test is performed by an SCV DLL plugin The parameters subset is where the SCV rules and actions are defined The type plugin expression and the parameters subset should always be specified when defining a subset of SCV checks such as SCVCheckNamel1 SCVPolicy This section defines the names of the SCV checks that should be enforced the names are part of the SCV check names specified in SCVNames This section s general structure is SCVPolicy SCVCheckNamel1 SCVCheckName2 Note there is a space between the colon and the opening brace The Difference between SCVNames and SCVPolicy e The SCVNames section defines the different parameters for the checks e The SCVPolicy section states which checks are enforced To enforce a specific SCV check e Set the check s parameters in SCVNames e Include the name of the check in SCVPolicy Chapter 23 Secure Configuration Verification 535 Configuring SCV 536 SC VGlobalParams This section includes global parameters for SCV SCVGlobalParams enable status notifications true status notifications timeout 10 disconnect when not verified false block_ connections on_unverified false scv_policy timeout_hours 24 enforce ip forward
266. click on the user s certificate icon the p12 file in the location where it is saved A Certificate Import Wizard is displayed Enter the password In the Certificate Store window make sure that the certificate store is selected automatically based on the certificate type Select Finish to complete the Import operation Using the MMC the certificate can be seen in the certificate store for the current user Setting up the Microsoft IPSec L2TP Client Connection Profile Once the Client machine s certificate and the user s certificate have been properly distributed set up the L2TP connection profile 1 7 In the client machine right click on the My Network Places icon on the desktop and select Properties In the Network and Dial up Connections window select Make New Connection The Network Connection Wizard is displayed In the Network Connection Type window On Windows 2000 machines select Connect to a private network through the Internet On Windows XP machines select VPN or dial up and in the next window select VPN In the Destination Address window enter the IP address or the resolvable host name of the gateway In the Connection Availability window make the new connection available For all users or Only for myself In the closing window provide a name for the new connection for example L2TP_connection The Connect window for the new connection type is displayed To complete the L2TP connecti
267. clients For an explanation of the file s syntax see the comments the lines beginning with the character in the sample file below aS Note This file must be manually added to all the modules Chapter 15 Office Mode 311 Enabling IP Address per User 312 Sample ipassignment conf File This file is used to implement the IP per user feature It allows the administrator to assign specific addresses to specific users or specific ranges to specific groups when they connect using Office Mode or L2TP The format of this file is simple Each line specifies the target gateway the IP address or addresses we wish to assign and the user or group name as in the following examples Gateway Type IP Address User Name Paris GW TOL 5 58 Jean Brasilia addr 10 6 5 8 Joao comments are allowed iami addr 10 7 5 8 CN John OU users O cpmgmt acme com gibeuu iami range 100 107 105 110 100 107 105 119 24 Finance iami net 10 7 5 32 28 Accounting Note that real records do not begin with a pound sign and the commas are optional Invalid lines are treated as comments Also the user name may be followed by a pound sign and a comment The first item is the gateway name This could be a name an IP address or an asterisk to signify all gateways A gateway will only honor lines that refer to it The second item is a descriptor It can be addr range or net addr specifies one IP for one user
268. community Properties window a new rule is added to the Security Policy Rule Base This rule is neither a regular rule or an implied rule but an automatic community rule and can be distinguished by its beige colored background Excluded Services In the VPN Communities Properties window Excluded Services page you can select services that are not to be encrypted for example Firewall control connections Services in the clear means do not make a VPN tunnel for this connection For further information regarding control connections see How to Authorize Firewall Control Connections in VPN Communities on page 88 Note that Excluded Services is not supported when using Route Based VPN Chapter 4 Introduction to Site to Site VPN 75 Special Considerations for Planning a VPN Topology Special Considerations for Planning a VPN Topology When planning a VPN topology it is important to ask a number of questions 76 Li 2 3 Who needs secure private access From a VPN point of view what will be the structure of the organization Internally managed gateways authenticate each other using certificates but how will externally managed gateways authenticate e Do these externally managed gateways support PKI e Which CA should be trusted Configuring Site to Site VPNs Configuring Site to Site VPNs VPN communities can be configured in either traditional or simplified mode In Traditional mode one of the actions avail
269. conditions is not true the rule is not matched If all conditions of the rule are met the rule is matched and the connection allowed It is also possible for a rule in the Security Policy Rule Base to be relevant for both VPN communities and host machines not in the community For example Figure 4 10 Access control in VPN communities Internal Web D a x Security Internet S teway 2 Security Gateway 1 The Check Point Solution for VPN The rule in the Security Policy Rule base allows an HTTP connection between any internal IP with any IP Table 4 2 Source Destination VP Service Action N Any_internal_machine Any Any HTTP Accept In Figure 4 10 an HTTP connection between host 1 and the Internal web server behind gateway 2 matches this rule A connection between the host 1 and the web server on the Internet also matches this rule however the connection between host l and the internal web server is a connection between members of a VPN community and passes encrypted the connection between host 1 and the Internet web server passes in the clear In both cases the connection is simply matched to the Security Policy Rule whether or not the connection is encrypted is dealt with on the VPN level VPN is another level of security separate from the access contro level Accepting all Encrypted Traffic If you select Accept all encrypted traffic on the General page of the VPN
270. cryption makes TCP IP packets appear mixed up This kind of data cannot be compressed and bandwidth is lost as a result If IP compression is enabled packets are compressed before encryption This has the effect of recovering the lost bandwidth Overview Subnets and Security Associations By default a VPN tunnel is never created just for the hosts machines involved in the communication but for the complete subnets the hosts reside on Figure 2 3 VPN per subnet e a P ef 10 10 12 10 10 13 10 10 10 x Security Gateway Remote VPN Peer In Figure 2 3 a gateway protects a network consisting of two subnets 10 10 10 x and 10 10 11 x with netmask 255 255 255 0 for both A second gateway the remote peer protects subnets 10 10 12 x and 10 10 13 x with netmask 255 255 255 0 Because a VPN tunnel is created by default for complete subnets four SA s exist between the gateway and the peer gateway When Host A communicates with Host B an SA is created between Host A s subnet and Host B s subnet Chapter 2 IPSEC amp IKE 51 Overview 52 Unique SA Per Pair of Peers By disabling the Support Key exchange for subnets option on each gateway it is possible to create a unique Security Association per pair of peers Figure 2 4 SA per IP address a et 10 10 12 x 10 10 10 x 10 10 13 x Security Gateway Internet In Figure 2 4 if the gateway is configured to Support key exchange
271. ct the CA that issues the certificate the trusted CAs themselves If the CA that issues the certificate is a subordinate CA that CS Note The list displays only those subordinate CA s that lead directly to a trusted CA and does not lead directly to a trusted CA the subordinate CA will not appear in the list 5 Select a method for key pair generation and storage 6 Click Generate and select Automatic enrollment The Generate Keys and Get Automatic Enrollment Certificate window opens x Certificate Authority Setup Information Key Identifier Authorization code Request Certificate For DN Add Edit Remove Enrollment Properties emp 2 protocol transport http URL http www checkpoint com Cancel Help e Supply the Key Identifier and your secret authorization code e Click OK 110 rE 10 11 Configuration of PKI Operations When the certificate appears in the Certificates List on the network objects VPN page click View and either Copy to Clipboard or Save to File the text in the Certificate Request View window Send the request to CA administrator Different Certificate Authorities provide different means for doing this for example an advanced enrollment form on their website The issued certificate can be delivered in various ways such as email Once you have received the certificate save it to disk On the VPN tab of the network object select the appropriate certifica
272. ction profile for Visitor Mode users This profile enables the Visitor Mode feature on the Client side To create the profile 1 In SmartDashboard Manage gt Remote Access gt Connection profiles the Connection Profiles window opens 2 Click New to create a new connection profile or Edit to alter an existing profile The Connection Profile Properties window opens 3 On the Advanced tab select Visitor Mode On the remote client configure the user to work in connect mode Configuring Remote Clients to Work with Proxy Servers 1 In SecureClient select Detect Proxy from Internet Explorer Settings xi Proxy definiti Manually define proxy Address Port C No proxy transparent proxy Proxy authentication User name Password Confirm Password Cancel Help In previous versions the proxy had to be manually defined 2 Provide a username and password for proxy authentication This information is latter transferred with the connect command to the proxy server Chapter 31 Resolving Connectivity Issues 693 Configuring Remote Access Connectivity 694 Figure 31 7 Proxy settings in Internet Explorer Automatic configuration Automatic configuration may override manual settings To ensure the use of manual settings disable automatic configuration J Automatically detect settings I Use automatic configuration script Address Proxy server v Use a proxy se
273. ction window Resolving Addresses via Main and Single IPs If remote VPN peers should connect to the main IP address of the gateway or a single IP address reserved for VPN traffic then on the VPN gt Link Selection page of the gateway object select one of the following e Main address of the gateway e Selected address from topology table select an IP address from the drop down menu e Statically NATed IP enter the required IP address Chapter 11 Link Selection 223 Configuring Link Selection Resolving Addresses using DNS lookup If remote VPN peers should resolve the local gateway s IP address through DNS lookup then 1 On the VPN gt Link Selection page of the gateway object select Use DNS resolving The fully qualified domain name FQDN queried can be set on this page or derived from the Global Properties e Full hostname Enter the FQDN of the gateway e g www checkpoint com not which DNS server should be queried www is the host checkpoint is the second level domain and com is the top level domain e Derived from global properties By selecting this method the host name is derived from the General Properties page in the gateway and the domain name is derived from the Global Properties gt VPN page Resolving Addresses via Probing If remote peers should resolve the local gateway s IP address via RDP probing then 1 On the VPN gt Link Selection page of the gateway object select Use a probi
274. ctuniPilera cate avessecheePiend teh chcdeotec ah a a Nii eaaa 609 Userc File Parameters uic cerei seeder esucties aa aaiae ianea deka aiae tiaa 610 SECUPEC II SME 2 eee re ei nera n a R e T here Ad oad iedee laadida 610 E AAI O EEEN EAEE Maco beta AE E AE 613 MultiplesEntry Point E E A A ET 617 Encrypted Back Connections omreisende aaae 618 TO POlOGY NERAN E EEE TE A E AE T Renate nia athav au at beodeess 618 NE Doma SUP POMts ae sere 2atenshtaeiceees esr a a r ei DERE Ea 619 MS A EE o E EEE A EAEE 620 Prod ct Ini Parameters nesre a a aaa a r eaga arbi 623 Chapter 30 SSL Network Extender Introduction to the SSL Network Extender cccccccceeeeceeeeeeeeeeeeeeeeeeeesseeeeeeees 628 How the SSL Network Extender Works ceceeceeeeeeeeeeeeeeeeeeeeeaaeeesaeeeeaeeeeaaes 629 Commonly Used Concepts merens rni a a a i aiaa 630 Remote Access VPN anase i a aaant ea aaa edie he ed kote Lectern ie 630 Remote Access COMMUNILY ccccceccceecceeceeceeeceeeeceeeeeueceeeseeeneeeeeeseeeseeenaees 630 OMICS Mode eode eda pona e sadedies bende s Ea gan Pee Sue tas aaa aE ae apa ERE EE 630 Visitor M dem esinta iaie a aei e ea E a E E e i 631 Endpoint Security on Demand cccceecccesecceeeceeaeeceseeceseeeeeaeeeesueeeeaeeesnees 631 Special Considerations for the SSL Network Extender ccccccceseseeseeceseeeeanees 633 PresReGQuiSIteS iis cece stewcesaaue detect aad aas e atiae aded oad AKda wads ht SRA woke 633 Featur
275. cure connectivity be met but also the special demands of remote clients These requirements include e Connectivity The remote client must be able to access the organization from various locations even if behind a NATing device Proxy or Firewall The range of applications available must include web applications mail file shares and other more specialized applications required to meet corporate needs e Secure connectivity Guaranteed by the combination of authentication confidentiality and data integrity for every connection e Usability Installation must be easy No configuration should be required as a result of network modification The given solution should be seamless for the connecting user To resolve these issues a secure connectivity framework is needed to ensure that remote access to the corporate network is securely enabled The SSL Secure Socket Layer Network Extender is a simple to implement remote access solution A thin client is installed on the user s machine The SSL Network Extender client has a much smaller size than other clients It is connected to an SSL enabled web server that is part of the Enforcement Module By default the SSL enabled web server is disabled It is activated by using the SmartDashboard thus enabling full secure IP connectivity over SSL The SSL Network Extender requires a server side configuration only unlike other remote access clients Once the end user has connected to a server the
276. curity gateway a VPN tunnel is established between the Microsoft IPSec L2TP client and the gateway as shown in Figure 22 1 Figure 22 1 IPSec Client to Check Point Gateway Connection Internal et hosts g Security Gateway Remote IPsec Client The process of the VPN establishment is transparent to the user and works as follows 1 A user at an Microsoft IPSec L2TP client initiates a connection to a security gateway 2 The Microsoft IPSec L2TP client starts an IKE Internet Key Exchange negotiation with the peer gateway in order to initiate construction of an encrypted tunnel 3 During IKE negotiation the identities of the remote client machine and the security gateway are authenticated This authentication is performed by means of certificates Both sides send their certificates to each other as means of proving their identity This ensures that a connection can be made only from the authenticated machine Both peers exchange encryption keys and the IKE negotiation ends Encryption is now established between the client and the gateway All connections between the client and the gateway are encrypted inside this VPN tunnel using the IPSec standard Solution Working with L2TP Clients 6 The Client starts a short L2TP negotiation at the end of which the client can pass to the gateway L2TP frames that are IPSec encrypted and encapsulated 7 The security gateway now authenticates the user at the Micros
277. d Using the ICA generate a certificate and transfer it to the user out of band Alternatively initiate the certificate generation process on Security Management server The process is completed independently by the user The administrator can also initiate a certificate generation on the ICA management tool the only option available if users are defined on an LDAP server It is also possible to use third party Certificate Authorities to create certificates for authentication between security gateways and remote users The supported certificate formats are PKCS 12 CAPI and Entrust Users can also be provided with a hardware token for storing certificates This option offers the advantage of higher level of security since the private key resides only on the hardware token As part of the certificate validation process during the IKE negotiation both the client and the gateway check the peer s certificate against the Certificate Revocation List CRL published by the CA which issued the certificate If the client is unable to retrieve a CRL the gateway retrieves the CRL on the client s behalf and transfers the CRL to the client during the IKE negotiation the CRL is digitally signed by the CA for security Chapter 14 Introduction to Remote Access VPN 277 The Check Point Solution for Remote Access 278 Pre Shared Secret This authentication method has the advantage of simplicity but it is less secure than certificates
278. d IKE Properties Configuring Advanced IKE Properties IKE is configured in two places e On the VPN community network object for IKE properties e On the gateway network object for subnet key exchange On the VPN Community Network Object 1 VPN Properties page select e Encryption methods for IKE phase and II e Integrity methods for IKE phase and Il 2 On the Advanced Settings gt Advanced VPN Properties page select e Which Diffie Hellman group to use e When to renegotiate the IKE Security Associations e Whether to use aggressive mode Main mode is the default e Whether to use Perfect Forward Secrecy and with which Diffie Hellman group e When to renegotiate the IPSec security associations e Whether to use Support IP compression On the Gateway Network Object On the VPN Advanced page dese ect Support Key exchange for subnets if you want the SA to be calculated per host The default is to support key exchange for subnets Chapter 2 IPSEC amp IKE 59 Configuring Advanced IKE Properties 60 Chapter Introduction to Site to Site VPN In This Chapter The Need for Virtual Private Networks The Check Point Solution for VPN Special Considerations for Planning a VPN Topology Configuring Site to Site VPNs page 62 page 63 page 76 page 77 61 The Need for Virtual Private Networks The Need for Virtual Private Networks Communicating parties need a connectivity platform that is not only fast sc
279. d keys will be checked For the machine to be verified the key should not exist allow_no_user default true This parameter is valid only when a user is logged in to the machine Since SC services and SCV checks run also when no user is logged on a decision should be taken if the check passed or failed If no user is logged on to the machine and a running RegMonitor check is configured to monitor HKEY_CURRENT_USER the behavior is according to the flag allow no user If allow_no_user is true the check will PASS If allow_no_user is false the check will FAIL This attribute is not by default included in the local scv file If the attribute does not exist in the file then the default setting used is also true Configuring this attribute is done via local scv For example RegMonitor type plugin parameters keyexist HKEY CURRENT USER Software CheckPoint allow_no_user true begin_admin admin send_log alert mismatchmessage mismatch message send admin Chapter 23 Secure Configuration Verification 551 Configuring SCV 552 Not all the mentioned fields for RegMonitor need to appear in the local scv file Some of them may not appear at all or may appear more than once These fields may also be ORed and ANDed In this way multiple registry entries can be checked and the results ORed or ANDed for extra flexibility Script for Internet Explorer Service Pack RegMonit
280. d on SSL HTTPS tunneling and enables handheld devices to securely access resources behind Check Point gateways The client can be triggered controlled by 3rd party applications by exporting a programmable and extensible interface SecureClient Mobile has the following two modes of operation e Centrally Managed Mode The client connects to a gateway module configured for SecureClient Mobile and downloads a set of policies that were sent to the gateway from the Security Management server The client then enforces these policies For this mode to work a security gateway and the Security Management server must be configured to support the client This mode is supported on the following gateway versions R65 R62 R61_HFA1 and above R60_HFA4 and above A patch to the Security Management server P1 is also needed on versions earlier than R65 The patch extends the schema database with relevant additions Connectra gateway R62 and above supports this mode too e SSL Network Extender Mode The client connects to a gateway configured only for SSL Network Extender In this mode the client does not download policies but enforces a set of policies predefined upon client installation The client works with any gateway configured for SSL Network Extender Network mode available on Check Point VPN 1 Pro R55 HF10 versions and above and on Connectra 2 0 versions and above This is a backward compatibility mode that enables the running of a subset of
281. d selecting Profile gt Generate You will be asked to enter a package source and destination folders Under Package source folder select the directory in which the original SecureClient installation you prepared in step 2 is located Make sure you select the directory in which the SecureClient setup files actually exist and not a higher level directory Under Package destination folder and file name select an empty directory to which the new package will be copied and enter a name for the file being generated Press Next to continue to the next window If the package details can not be extracted from the package you will be prompted to enter the package details operating system type SecureClient version and service pack If the package details conflict with another package Creating a Preconfigured Package for example you ve updated the Windows 98 SecureClient package from FP3 to NG with Application Intelligence you will be prompted to approve the replacement of the older package with the newer one The Packaging Tool will perform the actions you requested Adding Scripts to a Package To specify that a script should be run after the user installs or uninstalls SecureClient proceed as follows 1 Edit the product ini file 2 To specify a post installation script add the file s name to the install section 3 To specify a post uninstallation script add the file s name to the uninstall section The script
282. d stays chosen until the next time a policy is installed RDP Probing When more than one IP address is available on a gateway for VPN Link Selection may employ a probing method to determine which link is to be used The probing methods of choosing a destination IP are implemented using a proprietary protocol that uses UDP port 259 This protocol e ls proprietary to Check Point e Does not comply with RDP as specified in RFC 908 1151 e Works only between Check Point entities IP addresses you do not wish to be probed i e internal IP addresses may be removed from the list of IP s to be probed see Resolving Addresses via Probing on page 224 For both the probing options one time and on going a Primary Address can be assigned aS vi Note UDP RDP packets are not encrypted The RDP mechanism tests connectivity only 210 Using Link Selection Primary Address When implementing one of the probing methods on a gateway that has a number of IP addresses for VPN one of the IP addresses can be designated as a Primary Address As a result peers assign the primary address IP a higher priority even if other interfaces have a lower metric Enabling a primary address has no influence on the IP selected for outgoing VPN traffic If the remote gateway connects to a peer gateway that has a primary address defined then the remote gateway will connect to the primary address if active regardless of network speed latency o
283. d supply it to the peer administrator Define the Network Object s of the gateway s that are internally managed In particular be sure to do the following e In the General Properties page of the gateway object select VPN 5 Configuring a VPN with External Gateways Using PKI e Inthe Topology page define the Topology and the VPN Domain If the VPN Domain does not contain all the IP addresses behind the gateway define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain If the ICA certificate is not appropriate for this VPN tunnel then in the VPN page generate a certificate from the relevant CA see Enrolling with a Certificate Authority on page 107 Define the Network Object s of the externally managed gateway s e If it is not a Check Point gateway define an Interoperable Device object from Manage gt Network Objects gt New gt Interoperable Device e If it is a Check Point gateway In the Network Objects tree right click and select New gt Check Point gt Externally Managed Gateway Set the various attributes of the peer gateway In particular be sure to do the following e In the General Properties page of the gateway object select VPN for an Externally Managed Check Point gateway object only e in the Topology page define the Topology and the VPN Domain using the VPN Domain information obtained from the peer administrator If the VPN
284. d them when connections inside the encryption domain are matched by the Encrypt rule An indication of this is the appearance of the log in SmartView Tracker Both endpoint are in the Encryption Domain AppendixB 725 726 Conversion of Client Encrypt Rules Each Client Encrypt rule translates to a single rule that preserves the behavior of the client Encrypt rule For example the Traditional Mode rule in Table B 4 allows Remote Access users to access Net_D Table B 4 Remote Access Rule in Traditional Mode Source Destination Service Action Track All_Users alaska Net_D My_Services Client Encrypt Log The translated rule is shown in Table B 5 The Remote Access community is put in the VPN field and the Action of the rule is Accept Table B 5 Translated Remote Access Rule in Simplified Mode Source Dest VPN Service Action Track All_Users alaska Net_D Remote Access My_Services Accept Log Community Conversion of Auth Encrypt Rules In a Traditional Mode policy Auth Encrypt Rules are rules with User Client or Session Authentication together with Add Encryption selected in the Action of the Rule For Auth Encrypt rules as shown in Table B 6 with Client Authentication the Source specifies both a restriction on the source location and also the authorized users Any connection matching the rule must be authenticated and encrypted If encryption is not possible the connection is dro
285. data cannot be altered during transit Chapter 16 SecuRemote SecureClient 327 SCV Granularity for VPN Communities SCV Granularity for VPN Communities Access can be granted to specific hosts without being verified in order to allow the remote host to become fully compliant with the networks Security Policy For example if the Anti Virus software is not up to date on a remote host the gateway would normally block the connection entirely However access can be granted to the antivirus server in order to get the appropriate updates After the updates are retrieved and installed on the remote host it will pass the SCV check and get full access SCV granularity is supported for Simplified Mode configuration only 328 Blocking Unverified SCV Connections Blocking Unverified SCV Connections When a client becomes unverified there is an option in the local scv file to block connections that require verification block scv_client_connections When this feature is active and the client enters an unverified state all SCV connections are blocked even those which were opened during the time the client was verified However only SCV connections are blocked that is only those connections that require the client to be in a verified state Other connections are not blocked Chapter 16 SecuRemote SecureClient 329 Selective Routing Selective Routing A VPN tunnel setup requires a configuration of a VPN domain for each participant gateway
286. dd to selection Selected Tunnel Properties OK Cancel Help A 2 Click in the cell that intersects the gateways where a permanent tunnel is required 3 Click Selected Tunnel Properties and the Tunnel Properties window is displayed Figure 7 5 Tunnel Properties window Tunnel Properties Tunnel endpoints B Remote 3 gw to B Renote 1 gw V Set these tunrels to be permanent tunnels Use Comnunity Track Options Set specific track options for these tunnels Tunnel down track Popup Alert Tunnel up track Log Cancel Help 4 Select Set these tunnels to be permanent tunnels Configuring Tunnel Features To terminate the Permanent Tunnel between these two gateways deselect Set these tunnels to be permanent tunnels 5 Click OK Advanced Permanent Tunnel Configuration In SmartDashboard l Click Policy gt Global Properties The Global Properties window is displayed Select SmartDashboard Customization from the properties list In the Advanced Configuration section click Configure The Advanced configuration window is displayed Click VPN Advanced Properties gt Tunnel Management to view the five attributes that may be configured to customize the amount of tunnel tests sent and the intervals in which they are sent life_sign_timeout Designate the amount of time the tunnel test runs without a response before the peer host is declared down life_sign_trans
287. de Between Two VPN Communities In the scenario portrayed in Figure 9 3 e Gateway A belongs to Community 1 e Gateway B belongs to Community 2 e Gateway C belongs to Communities 1 and 2 194 Wire Mode Scenarios e Wire mode is enabled on Center gateway C without an internal trusted interface specified e Wire mode is enabled on both communities e Host 1 residing behind Satellite gateway A wishes to open a connection through a VPN tunnel with Host 2 behind Satellite gateway B Wire mode can also be enabled for routing VPN traffic between two gateways which are not members of the same community Gateway C is a member of both communities and therefore recognizes both communities as trusted When host 1 behind gateway A initiates a connection to host 2 behind gateway B gateway C is used to route traffic between the two communities Since the traffic is not actually entering gateway C there is no need for stateful inspection to take place at that gateway Stateful inspection however does take place on gateways A and B Chapter9 Wire Mode 195 Special Considerations for Wire Mode Special Considerations for Wire Mode Currently wire mode is only supported on SecurePlatform and Nokia IPSO platforms 196 Configuring Wire Mode Configuring Wire Mode Wire mode is configured in two places 1 Community Properties meshed or star 2 Gateway Properties Enabling Wire Mode on a VPN Community 1 In SmartDashboard c
288. deed sees acens tas ca geids Sadend dads Beater 211 Using Route Based Probing iveene annee aa iea a Na a aE 212 Responding trahie a earra en aa a a EE aTa 213 Source IP Address Settings insnet areenaa ep aira iaaiiai 213 Link Selection Scenarios siii ae e aeie E E a eaa 215 Gateway with a Single External Interface cccccceccccecceseeeeseeeeeaeeeeeeeeeeas 215 Gateway with a Dynamic IP Address DAIP 0 ccceceeeeeeeeeeeeeeeeeeeeeeeeeeaes 216 Gateway with Several IP Addresses Used by Different Parties ccccccee 216 Gateway With One External Interface and Interface Behind a Static NAT Device 217 On Demand Links ODL cccccccccecccceccssueceseeceeeeeeeeueseseeeseueeseeuaeeeeeeseveseuenees 218 Link Selection and ISP Redundancy serei ana a ee e 219 Early Versions Compatibility Resolving MeChaniSm cccccseeeeeseeeseeeeeaeeeeeees 222 Configuring Mink SeleCtiOnizte zsek6osiitt oar cide e a beh aE a a TE Ri 223 Resolving Addresses via Main and Single IPS ccccccccccsecccceeeeeseeeeeeeesaeees 223 Resolving Addresses using DNS lOOKUD cccccccceecceeseceseeceseeeeeaeeeesneeeeaees 224 Resolving Addresses via ProbDing cccccssccccnecceaeeceseeceseeeeseeeesenseeaeeesnees 224 Configuring Outgoing Route Selection ccccccecccceecceceeceseeeeeeeeeeaeeeesaeeeeaes 225 Configuring For Responding Tratfic cccccccccssecceeeecesseceseeeeeseeeeseeeeeaeeeeanes 225 Configurin
289. ding methods of encryption and integrity Remote access clients negotiate methods for encryption and integrity via a series of proposals and need to negotiate a possible combinations with the gateway This can lead to large UDP packets which are once again fragmented by the remote client s OS before sending The NAT device in front of the remote client drops the packet that has no UDP header containing port information Again the IKE negotiation fails Why not use IKE over TCP again as in phase 1 Chapter 31 Resolving Connectivity Issues 679 Overcoming NAT Related Issues 680 IKE over TCP solves the fragmentation problem of long packets but in phase Il there are times when the gateway needs to initiate the connection to the remote client Only the remote client initiates phase I but either side can identify the need for a phase renewal of keys if the gateway identifies the need the gateway initiates the connection If the gateway initiates the connection the gateway knows the IP address of the NATing device but cannot supply a port number that translates to the remote client behind the NATing device The port number used during previous connections is only temporary and can quickly change The NATing device cannot forward the connection correctly for the remote client the connection initiated by the gateway fails It is possible to use IKE over TCP but this demands a TCP connection to be always open the open sessio
290. down Permanent Tunnels are shut down by deselecting the configuration options to make them active and re installing the policy VPN Tunnel Sharing For a VPN community the configuration is set on the Tunnel Management page of the Community Properties window For a specific gateway the configuration is set on the VPN Advanced page of the gateway s properties window VPN Tunnel Sharing provides greater interoperability and scalability by controlling the number of VPN tunnels created between peer gateways Configuration of VPN Tunnel Sharing can be set on both the VPN community and gateway object e One VPN Tunnel per each pair of hosts A VPN tunnel is created for every session initiated between every pair of hosts e One VPN Tunnel per subnet pair Once a VPN tunnel has been opened between two subnets subsequent sessions between the same subnets will share the same VPN tunnel This is the default setting and is compliant with the IPSec industry standard e One VPN Tunnel per Gateway pair One VPN tunnel is created between peer gateways and shared by all hosts behind each peer gateway In case of a conflict between the tunnel properties of a VPN community and a gateway object that is a member of that same community the stricter setting is followed For example a gateway that was set to One VPN Tunnel per each pair of hosts and a community that was set to One VPN Tunnel per subnet pair would follow One VPN Tunnel per each pai
291. duction to Site to Site VPN 71 The Check Point Solution for VPN 72 However if a VPN tunnel needs to be created with an externally managed gateway a gateway managed by a different Security Management server the externally managed gateway e Might support certificates but certificates issued by an external CA in which case both gateways need to trust the other s CA For more information see Configuring a VPN with External Gateways Using PKI on page 81 e May not support certificates in which case VPN supports the use of a pre shared secret For more information see Configuring a VPN with External Gateways Using a Pre Shared Secret on page 85 A secret is defined per external gateway If there are five internal gateways and two externally managed gateways then there are two pre shared secrets The two pre shared secrets are used by the five internally managed gateways In other words all the internally managed gateways use the same pre shared secret when communicating with a particular externally managed gateway Dynamically Assigned IP Gateways A Dynamically Assigned IP DAIP gateway is a gateway where the external interface s IP address is assigned dynamically by the ISP Creating VPN tunnels with DAIP gateways are only supported by using certificate authentication Peer gateways identify internally managed DAIP gateways using the DN of the certificate Peer gateways identify externally managed
292. dvanced M Content Advisor RRR Ratings help you control the Internet content that can be viewed on this computer i Setting m Certificates Use certificates to positively identify yourself certification authorities and publishers Clear SSL State Certificates Publishers f Personal information AutoComplete stores previous entries AutoComplete ed and suggests matches for you Microsoft Profile Assistant stores your My Profile personal information 2 Click Certificates The Certificates window is displayed 670 SSL Network Extender User Experience Figure 30 23Certificates window Intended purpose lt All gt z Personal other People Intermediate Certification Authorities Trusted Root Certificatior 4 gt Issued To a y ISSUE By Expiratio _ Friendly Name 2 venus zzbkgt 06 14 2006 CN a OU users Import Export Remove Advanced Certificate intended purposes lt All gt 3 Select the certificate to be removed and click Remove Chapter 30 SSL Network Extender 671 Troubleshooting Troubleshooting Tips on how to resolve issues that you may encounter SSL Network Extender Issues Ss 672 All user s packets destined directly to the external SSL Network Extender gateway will not be encrypted by the SSL Network Extender If there is a need to explicitly connect to the gateway through the SSL t
293. dvanced custom settings and click Settings In the Advanced Security Settings window under Logon security select Use Extensible Authentication Protocol EAP and click Properties 6 In the Smart Card or other Certificate Properties window uncheck Validate server certificate and click OK Note The client validates all aspects of the gateway certificate during IKE authentication other than the Server Authentication purpose Making the L2TP Connection 7 Click on Connect to make the L2TP connection 8 To view the IP address assigned to the connection either view the Details tab in the connection Status window or use the ipconfig all command 516 Configuring Remote Access for Microsoft IPSec L2TP Clients For More Information For more information about how to configure advanced capabilities for Microsoft IPSec L2TP clients see e Non Private Client IP Addresses on page 580 e Enabling IP Address per User on page 310 e Back Connections Server to Client on page 588 The L2TP protocol is defined in RFC 2661 Encryption of L2TP using IPSec is described in RFC 3193 For information about the L2TP protocol and the Microsoft IPSec L2TP client see the Network and Dial Up Connections Help in Windows 2000 and XP Chapter 22 Layer Two Tunneling Protocol L2TP Clients 517 Configuring Remote Access for Microsoft I PSec L2TP Clients 518 Chapter 23 Secure Configuration Verification I
294. e Rule Base may be required Note The terms VPN Domain and Encryption Domain mean the same thing Usually VPN Domain is used in the context of Simplified policies and Encryption Domain for Traditional policies AppendixB 719 How an Encrypt Rule Works in Traditional Mode When a Traditional policy is converted to a Simplified policy an Encrypt rule is converted to rules that use communities In order to understand the conversion it is important to understand how an Encrypt rule works Figure B 1 will be used to understand the conversion and the limitations of the conversion process It shows a VPN between gateways and the Encryption Domain of each gateway Net_A and Net_B are the encryption Domain of gateway 1 and Net_D is the encryption Domain of gateway 2 Figure B 1 A VPN between Gateways and the Encryption VPN Domain of each Gateway Encryption Domain of VPN Tunnel S Internet A IT VPN Tunnel Table B 1 shows how the VPN is implemented in an Encrypt rule Table B 1 Sample Encrypt rule in a Traditional Rule Base Source Destination Service Action Track Install On X Y My_Services Encrypt Log Policy Targets 720 A connection that matches an Encrypt rule is encrypted or decrypted and forwarded by the gateways enforcing the policy There are two exceptions 1 If the source or the destination are behind the security gateway but are not in the VPN Domain
295. e clients by enforcing a Desktop Security Policy on the remote client Preface 25 Section 3 Remote Access VPN Chapter Chapter 22 Layer Two Tunneling Protocol L2TP Clients Description Check Point Security Gateways can create VPNs with a number of third party IPSec clients This chapter focuses on the Microsoft IPSec L2TP client Chapter 23 Secure Configuration Verification Secure Configuration Verification SCV enables the administrator to monitor the configuration of remote computers to confirm that the configuration complies with the organization s Security Policy and to block connectivity for machines that do not comply Chapter 24 VPN Routing Remote Access Understanding how VPN Routing provides a way of controlling how VPN traffic is directed between gateway modules and remote access clients Chapter 25 Link Selection for Remote Access Clients Explanation of how the Link Selection feature is used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path between gateway modules and remote access clients Chapter 26 Using Directional VPN for Remote Access Explains how to control the direction of VPN traffic between gateways and remote access clients Chapter 27 Remote Access Advanced Configuration Understanding more complex remote access scenarios Chapter 28 Multipl
296. e 103 91 Need for Integration with Different PKI Solutions Need for Integration with Different PKI Solutions 92 X 509 based PKI solutions provide the infrastructure that enables entities to establish trust relationships between each other based on their mutual trust of the Certificate Authority CA The trusted CA issues a certificate for an entity which includes the entity s public key Peer entities that trust the CA can trust the certificate because they can verify the CA s signature and rely on the information in the certificate the most important of which is the association of the entity with the public key IKE standards recommend the use of PKI in VPN environments where strong authentication is required A security gateway taking part in VPN tunnel establishment must have an RSA key pair and a certificate issued by a trusted CA The certificate contains details about the module s identity its public key CRL retrieval details and is signed by the CA When two entities try to establish a VPN tunnel each side supplies its peer with random information signed by its private key and with the certificate that contains the public key The certificate enables the establishment of a trust relationship between the gateways each gateway uses the peer gateway s public key to verify the source of the signed information and the CA s public key to validate the certificate s authenticity In other words the validated
297. e 129 Wire Mode is supported for NGX R60 gateways and forward Chapter9 Wire Mode 191 Wire Mode Scenarios Wire Mode Scenarios In This Section Wire Mode in a MEP Configuration page 192 Wire Mode with Route Based VPN page 193 Wire Mode Between Two VPN Communities page 194 Wire mode may be used to improve connectivity and performance in different infrastructures This section describes scenarios that benefit from the implementation of wire mode Wire Mode in a MEP Configuration Figure 9 1 Wire Mode in MEP scenario Original VPN domain of M2 a AA AA Original VPN domain of M1 P S1 VPN domain 192 Wire Mode Scenarios In this scenario e Gateway M1 and gateway M2 are both wire mode enabled and have trusted internal interfaces e The community where gateway M1 and gateway M2 reside is wire mode enabled e Host 1 residing behind gateway S1 is communicating through a VPN tunnel with Host 2 residing behind gateway M1 e MEP is configured for gateway M1 and gateway M2 with gateway M1 being the primary gateway and gateway M2 as the backup For more information on MEP see Multiple Entry Point VPNs on page 229 In this case if gateway M1 goes down the connection fails over to gateway M2 A packet leaving Host 2 will be redirected by the router behind gateway M1 to gateway M2 since gateway M2 is designated as the backup gateway Without wire mode stateful inspection would be enforced at gatew
298. e 236 Manually set priority list gateway priorities can be set manually for the entire community or for individual satellite gateways See Manually Set Priority List on page 237 Chapter 12 Multiple Entry Point VPNs 233 Explicit MEP 234 First to Respond When there is no primary gateway all gateways share equal priority When all gateway s share equal priority as in Figure 12 2 e Remote peers send RDP packets to all the gateways in the MEP configuration e The first gateway to respond to the probing RDP packets gets chosen as the entry point to network The idea behind first to respond is proximity The gateway which is closer to the remote peer responds first e A VPN tunnel is opened with the first to respond All subsequent connections pass through the chosen gateway e f the gateway ceases to respond a new gateway is chosen Figure 12 2 No primary equal priority MEP multiple Sein TN entry point Gateway R Domain Remote Peer Internet Explicit MEP By VPN Domain Prior to enabling MEP each IP address belonged to a specific VPN domain Using By VPN Domain the gateway of that domain becomes the chosen entry point In Figure 12 3 the VPN Star community has two central MEPed gateways M1 and M2 each of which have their own VPN domains and remote satellite S1 Figure 12 3 By VPN domain Original VPN domain of M1 Host 2 in the VPN domain of satellite S1 initiates
299. e 605 To configure MEP decide on the MEP selection method e First to Respond e Primary Backup e Load Distribution First to Respond When more than one gateway leads to the same overlapping VPN domain they are considered MEPed by the remote peer and the first gateway to respond to the probing protocol is chosen To configure first to respond define that part of the network that is shared by all the gateways into a single group and assign that group as the VPN domain On the Properties window of each gateway network object Topology page gt VPN Domain section select Manually defined and define the same VPN domain for all gateways Chapter 28 Multiple Entry Point for Remote Access VPNs 601 Configuring MEP Primary Backup 1 In the Global Properties window VPN gt Advanced page select Enable Backup Gateway 2 In the network objects tree Groups section create a group consisting of the gateways that act as backup gateways 3 On the VPN page of the network object selected as the Primary gateway select Use Backup Gateways and select the group of backup gateways from the drop down box This gateway now functions as the primary gateway for a specific VPN domain 4 Define the VPN for the backup gateway s Backup gateways do not always have 602 5 a VPN domain of their own They simply back up the primary If the backup gateway does not have a VPN domain of its own the VPN domain should include only the backup
300. e Authentication SAA plug in For additional information refer to Adding a File to a CAB Package on page 470 Deleting a file from the CAB package for example the Cert_import utility may not be needed for some configurations For additional information refer to Deleting a File from a CAB Package on page 471 Preconfiguring the client database parameters For additional information refer to Exporting the Client Configuration on page 472 Defining the client installation version For additional information refer to Defining the Client Installation Version on page 473 Adding a File to a CAB Package To add a file to a CAB package 1 Obtain the SecureClient Mobile distribution zip file from the Check Point Download Center site or from the CD Save the distribution zip file to your local machine and extract its contents One of the files is the SecureClient Mobile lt build number gt zip file Extract SecureClient Mobile lt build number gt zip to a folder for example scm This creates a number of subfolders Copy and paste the file s to be included in the package to the cong folder one of the extracted subfolders created in step 3 In the scm folder open the SecureClient Mobile Setup lt build number gt inf file using a text editor In the SecureClient Mobile Setup lt build number gt inf file add the name s of the file s to be included in the package to the following sections
301. e Entry Point for Remote Access VPNs Description of how the Multiple Entry Point MEP feature provides a high availability and load sharing solution for VPN connections between peer gateways and remote access clients Chapter 29 Userc C and Product ini Configuration Files How to edit the Userc c and Product ini files to customize SecuRemote SecureClient Appendices Ap Chapter Chapter 30 SSL Network Extender Description Contains an introduction of the SSL Network Extender and the advantages it has for remote access clients Chapter 31 Resolving Connectivity Issues Provides information of some of the challenges remote access clients face when connecting and various Check Point solutions Chapter 32 Clientless VPN Explanation of how Clientless VPN provides secure SSL based communication between clients when VPN technology is not available pendices This guide contains the following appendices Appendix Chapter A VPN Command Line Interface Description A list of CLI command lines related to VPN Chapter B Converting a Traditional Policy to a Community Based Policy Backround to both traditoinal and simplified modes as well as instructions for converting policies Chapter C VPN Shell Provides all the commands and arguments used for VTI s using the VPN Shell Preface 2 7 Related Documentation
302. e for the default gateway s MAC address see mac_xlate Global sda_implicit true false The working mode of the Software Distribution Agent SDA True implicit false explicit Global Managers sda_imlicit frequency The frequency in minutes with which the Software Distribution Agent SDA connects to ASD server to check for updates Global Managers sr build number sr_sw_url path sr_sw_url path 9x sr build number 9x sr sw url path nt sr build number nt sr sw url path w2k sr build number w2k On the Security Management server machine the names are desktop_sw_version desktop_build_number etc These attributes help SecureClient decide if it needs to upgrade itself Managers install id nt install_id_9x install_id_w2k Installation IDs Managers Product ini Parameters Product ini Parameters Table 29 1 Parameters for Product ini Parameter bold indicates the default OverwriteConfiguration 0 1 Meaning Sets the value for Update or Overwrite choice during upgrade The default value 0 means Update is chosen ShowUpdateOverwrite 0 1 Show the Update or Overwrite window to the user during installation If the window is not shown to the user the value placed in OverwriteConfiguration will be used PathAskUser 0 1 Show the Choose Installation Destination window to the user during installation If the window is not shown to the user the default value chos
303. e mode IP address The user attempting to connect is not configured to have an office mode IP address and therefore the connection failed Ensure that the user is configured to receive an office mode IP address The certificate provided is invalid Please provide the username and password Invalid certificate provided Either install a new user certificate or connect with a username and password Connection to the server server name was lost There is no connection to the server and the client disconnected Try to reconnect Security warning Server fingerprint has changed during connection Contact your administrator Server validation failed and therefore the connection failed Contact your administrator Chapter 19 SecureClient Mobile 477 Troubleshooting Additional Resources 478 For additional resources on setting up SecureClient Mobile refer to How to add your own root certificate via CAB file How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone Windows Mobile 5 0 Security Model FAQ ActiveSync 4 x Troubleshooting Guide Chapter 20 Packaging SecureClient In This Chapter Introduction The Need to Simplify Remote Client Installations page 480 The Check Point Solution SecureClient Packaging Tool page 481 Creating a Preconfigured Package page 483 Configuring MSI Packaging page 486 479 Introduct
304. e public key and the DN are then used to DER encode a PKCS 10 Certificate Request Once the Certificate Request is ready click View The Certificate Request View window appears with the encoding Copy the whole text in the window and deliver it to the CA Configuration of PKI Operations The CA administrator must now complete the task of issuing the certificate Different CAs provide different ways of doing this such as an advanced enrollment form as opposed to the regular form for users The issued certificate may be delivered in various ways for example email Once the certificate has arrived it needs to be stored A Go to the Severs and OPSEC Applications tab of the network object select the appropriate CA object B On the OPEC PKI tab click Get and browse to the location in which the certificate was saved Select the appropriate file and verify the certificate details D Close object and save Chapter 5 Public Key Infrastructure 109 Configuration of PKI Operations Automatic Enrollment with the Certificate Authority On the OPSEC PKI tab of the CA object make sure Automatically enroll certificate is selected and SCEP or CMP are chosen as the connecting protocol Then 1 On the relevant network object open the VPN tab 2 In the Certificates List section click Add The Certificate Properties window opens Enter a Certificate Nickname any string used as an identifier From the drop down list box sele
305. e settings 360 Obligatory Settings Check Point Gateway cpmodule General Properties i Topology NAT SmartDefense SSL Clients Authentication Logs and Masters Capacity Optimization Cooperative Enforceme E Advanced Additional IP Addi Anti Spoofing E Enable Office Mode when the remote client may be working with an IP address that clashes with an IP address on the network behind the gateway When working with Office Mode Endpoint Connect takes an Office IP address from the same reserved pool of IP addresses as SecureClient Mobile or SSL Network Extender 7 On the Remote Access gt SSL Clients page enable SSL clients Chapter 17 Endpoint Connect 361 Obligatory Settings Check Point Gateway cpmodule x General Properties Topology NAT SmartDefense YPN E Remote Access Office Mode Clientless VPN SSL Clients Authentication Logs and Masters Capacity Optimization Cooperative Enforceme Advanced gt F SSL Clients SSL clients allowed to connect to this gateway V SSL Network Extender M SecureClient Mobile The gateway authenticates with this certificate defautCert x Cancel Help 8 Endpoint Connect does not support the DES encryption algorithm If you have a gateway configured to support only the DES encryption algorithm then reconfigure the settings in Global Properties gt Remote Access VPN IKE phase
306. e this Table 5 5 Source Destination VPN Service Action Any Any B_Community Any Accept A_Community Hubs_Community For both vpn_route conf files e A Community is a star VPN community comprised of Hub_A Spoke_Al and Spoke_A2 e B Community is a star VPN community comprised of Hub_B and Spoke_B e Hubs Community is a meshed VPN community comprised of Hub_A and Hub_B it could also be a star community with the central gateways meshed Chapter 5 Domain Based VPN 127 Configuring Domain Based VPN 128 Configuring SmartLSM Security Gateways If branch office gateways are managed by SmartProvisioning as SmartLSM security gateways enable VPN routing for a hub and spoke configuration by editing the vpn_route conf file on the Security Management server In SmartDashboard 1 Generate a group that contains the encryption domains of all the satellite SmartLSM security gateways and call it Robo_domain 2 Generate a group that contains all the central gateways and call it Center_gws 3 In vpn_route conf add the rule Destination Router Install on Rob_domain Center_gws Robo_profile If access to the SmartLSM security gateway through the VPN tunnel is required the gateway s external IP address should be included in the ROBO_domain Multiple router gateways are now supported on condition that e the gateways are listed under install on in vpn_route conf or e the satellites
307. e users The RADIUS protocol uses UDP for communications with the gateway RADIUS Servers and RADIUS Server Group objects are defined in SmartDashboard SecurlD Token Management ACE Server Developed by RSA Security SecurlD requires users to both possess a token authenticator and to supply a PIN or password Token authenticators generate one time passwords that are synchronized to an RSA ACE Server and may come in the form of hardware or software Hardware tokens are key ring or credit card sized devices while software tokens reside on the PC or device from which the user wants to authenticate All tokens generate a random one time use access code that changes every minute or so When a user attempts to authenticate to a protected resource that one time use code must be validated by the ACE Server When employing SecurlD as an authentication scheme the security gateway forwards authentication requests by remote users to the ACE Server ACE manages the database of RSA users and their assigned hard or soft tokens The Chapter 14 Introduction to Remote Access VPN 281 VPN for Remote Access Considerations VPN module acts as an ACE Agent 5 0 which means that it directs all access requests to the RSA ACE Server for authentication For agent configuration see ACE Server documentation There are two main difference between user management on the internal database and user management on a SmartDirectory LDAP server Firstly user management
308. e_on_install host_certs_key_size 1024 prefetch_crls_duration 7200 Details CALs will be prefetched regularly according to this duration in seconds gt Cancel Help When a new policy is installed the cache is flushed and a new CRL will be retrieved on demand CRL Grace Period Temporary loss of connection with the CRL repository or slight differences between clocks on the different machines may cause valid of CRLs to be considered invalid and thus the certificates to be invalid as well VPN overcomes this problem by supplying a CRL Grace Period During this period a CRL is considered valid even if it is not valid according to the CLR validity time Special Considerations for PKI Special Considerations for PKI In This Section Using the Internal CA vs Deploying a Third Party CA page 101 Distributed Key Management and Storage page 101 Using the Internal CA vs Deploying a Third Party CA The Internal CA makes it easy to use PKI for Check Point applications such as site to site and remote access VPNs However an administrator may prefer to continue using a CA that is already functioning within the organization for example a CA used to provide secure email and disk encryption Distributed Key Management and Storage Distributed Key Management DKM provides an additional layer of security during the key generation phase Instead of the Security Management server generating both public and private keys and dow
309. ecccseeeeeeeeeeeeeeeeaeeeeaees 720 Principles of the Conversion to Simplified Mode c ccccecccseseeeaeeeaeeeeeaeeeeanes 722 Placing the Gateways into the COMMUNITIES ccccceecceeeeceeeeeeeeeeeeseeeeeaeeeeees 723 Conversion of Encrypt Rules tensed ce skate ane Magra e ee ieii tienda os 724 When the Converted Rule Base is too ReStriCtive 0ccceccceeeeeeeeeeeeeeeeeeaees 725 Conversion of Client Encrypt Rules cccccccccceececeeeeeeeeeseeeeeeeeesaeeeesaeeeaes 726 Conversion of AUTH ENCrypt RUICS cccceeceecceeeceeeceeeeeceeeceeeeseueeeeeeeeeaeeeaes 726 How the Converter Handles Disabled Rules 0 ccceeeeeeeeneeeeeeeeeeaeeeeaeees 727 After Running the Wizard icscots es minre dinie rita EEE SEEE ENA EA 727 VPN Shell Configuring a Virtual Interface Using the VPN Shell ccccccseeceseeeeeeeeeeeeeeees 730 Table of Contents 19 20 Preface In This Chapter Who Should Use This Guide Summary of Contents Related Documentation More Information Feedback page 22 page 23 page 28 page 29 page 29 21 Who Should Use This Guide Who Should Use This Guide 22 This guide is intended for administrators responsible for maintaining network security within an enterprise including policy management and user support This guide assumes a basic understanding of e System administration e The underlying operating system e Internet protocols IP TCP UDP etc Summary of
310. eceeeceeceeeeneeeeeeeeeseeeseeeaeeeaees 568 Link Selection for Remote Access SCENALIOS ccceecceseeeeceeeeaeeseseeeeeaeeeesneeees 570 Gateway with a Single External IP Address cccccecccceeeceeeeceeeeeeeaeeeeseeeeeas 570 Gateway with Multiple External IP AdCreSS S cccccccceeceeseeeeeeeeeeeeeesaeeeas 571 Calculate IP Based on Network Topology cccscccsecceecceeceecceseeeeeeeeseeeseeeaes 572 Configuring Link Selection iienaa ea Bowers e aE a aa andes ese 573 Configuring the Early Version Compatibility Resolving Mechanism 5 574 Chapter 26 Using Directional VPN for Remote Access Enhancements to Remote Access Communities cccccceeceseeeeeseeeeeeeeeeaes 575 Configuring Directional VPN with Remote Access Communities c s0ccceseeees 577 Chapter 27 Remote Access Advanced Configuration Non Private Client IP Addresses ccccccecccceecceeeeceseeeeseeeesaceeeeeceseeeesseeesaneeeees 580 Remote Access Connections izeni a a a a a e aa 580 Solving Remote Access ISSUCS ccccceececeeceeeeceeeeeeceaeeceseeeeseeeesaeeeeseeeesneees 580 Preventing a Client Inside the Encryption Domain from Encrypting 00 581 PGR TOD GM ramana acters ata ar a ac iaic cate aE pease ac oad 581 The Solution sisiane a e te Jet as E AE ieee E E uate 581 Authentication Timeout and Password Caching cccccsecccsseeeeseeeeeeeceseeeeaeeees 583 TE Proble M anneal oe da seh adds vaad sub stu uit v
311. ecking the Syntax The syntax of the ipassignment file can be checked using the command ipafile check From a shell prompt use issue vpn ipafile check ipassignment conf The two parameters are e warn Display errors e detail Show all details For example user Checkpoint conf vpn ipafile_check ipassignment conf warn Readingfilerecords Invalid IP address specification in line 0057 Invalid IP address specification in line 0059 Invalid subnet in line 0060 user Checkpoint conf vpn ipafile_check ipassignment conf detail Reading file records Line 0051 is a comment starts with Line 0052 is a comment starts with Line 0053 is a comment starts with Line 0054 is a comment starts with Line 0055 is a comment starts with Line 0056 ignored because it is empty Invalid IP address specification in line 0057 Invalid IP address specification in line 0058 line 0059 is OK User paul Invalid subnet in line 0060 line 0061 is OK Group dns 1 1 1 1 Line 0062 ignored because it is empty Line 0063 ignored because it is empty Could not read line 64 in conf file maybe EOF user Checkpoint conf Chapter 15 Office Mode 319 Configuring Office Mode 320 Office Mode DHCP Configuration I When DHCP is the selected mode DNS and WINS parameters are downloaded from the DHCP server If using Office Mode in DHCP mode and you wish to supply the user with DNS and or WINS information make sure that t
312. ect mode During connect mode the remote user deliberately initiates a VPN link to a specific gateway Subsequent connections to any host behind other gateways will transparently initiate additional VPN links as required Connect mode offers e Office mode to resolve routing issues between the client and the gateway See Office Mode on page 299 e Visitor mode for when the client needs to tunnel all client to gateway traffic through a regular TCP connection on port 443 e Routing all traffic through Gateway Hub mode to achieve higher levels of security and connectivity e Auto connect when an application tries to open a connection to a host behind a gateway the user is prompted to initiate a VPN link to that gateway For example when the e mail client tries to access the IMAP server behind gateway X SecureClient prompts the user to initiate a tunnel to that gateway e User profiles Location Profiles See User Profiles on page 275 User Profiles Mobile users are faced with a variety of connectivity issues During the morning they find themselves connected to the LAN of a partner company during the evening behind some kind of NATing device employed by the hotel where they are staying Different user profiles are used to overcome changing connectivity conditions Users create their own profiles or the network administrator creates a number of profiles for them If the administrator creates a profile the pro
313. ected on the Central Gateways page of the Star Community Properties window Chapter 4 Introduction to Site to Site VPN 67 The Check Point Solution for VPN 68 Choosing a Topology Which topology to choose for a VPN community depends on the overall policy of the the organization For example a meshed community is usually appropriate for an Intranet in which only gateways which are part of the internally managed network are allowed to participate gateways belonging to company partners are not A Star VPN community is usually appropriate when an organization needs to exchange information with networks belonging to external partners These partners need to communicate with the organization but not with each other The organization s gateway is defined as a central gateway the partner gateways are defined as satellites For more complex scenarios consider a company with headquarters in two countries London and New York Each headquarters has a number of branch offices The branch offices only need to communicate with the HQ in their country not with each other only the HQ s in New York and London need to communicate directly To comply with this policy define two star communities London and New York Configure the London and New York gateways as central gateways Configure the gateways of New York and London branch offices as satellites This allows the branch offices to communicate with the HQ in their countr
314. ecurity gateway to include the encryption domain of the VPN peer When a tunnel to a MEPed gateway goes down the gateway removes the appropriate return route from its own local routing table This change is then distributed backwards to the routers behind the gateway RIM is based both on the ability of the gateway to update its local routing table and the presence of the a dynamic routing protocol to distribute the change to the network behind the gateway There is little sense in enabling RIM on the gateway if a dynamic routing protocol is not available to distribute changes Routing Return Packets When MEP is enabled RIM can be enabled only if permanent tunnels are enabled for the whole community In a MEP configuration RIM is available when using the First to Respond Manual set priority list and VPN Domain mechanisms In the first two options satellite gateways see the center gateways as unified as if one tunnel is connecting them As a result only the chosen MEP gateway will inject the routes In VPN Domain MEP it could be that all MEP gateways will inject the routes which requires configuring the routers behind the MEP gateways to return packets to the correct gateway RIM is not available when Random Selection is the selected entry point mechanism For more information on RIM see Route Injection Mechanism on page 177 Chapter 12 Multiple Entry Point VPNs 245 Special Considerations Special Consideratio
315. ecute permissions are available on the file Use the command chmod x snx_install sh to add execution permissions Download the SSL Network Extender manual installation The following links will appear e Download MSI installation package for Windows SSL Network Extender User Experience e Download command line SSL Network Extender for Linux e Download command line SSL Network Extender for Macintosh 3 Select the appropriate operating system The Shell archive package is downloaded to the user s home directory 4 To execute the installation script run snx_install sh If the user does not have root permissions the user is prompted to enter a root password in order to install the package Enter the password and press Enter 5 To connect after installation perform the following Se Connect using the SNX command Server 1 snx s lt server name gt u lt user name gt Check Point s Linux SNX build 5416000xXxX HSs5arss5c gt Enter Password Please enter your password SNX authentication Please confirm the connection to gateway lt server name gt Root CA fingerprint MOOD TREK ALP EEL FILM MESH RUBY BELA MACE TEND DRY PUT lan rita Accept Fingerprint if it is valid Do you accept yles N o y SNX connected Session parameters Office Mode IP 9 1 3 9 DNS Server 19 18 17 16 DNS Suffix domain com Timeout 10 minutes 6 To connect after installation perform the following Chapter 30 SSL Network Exte
316. ecuted multiple times on a peer this parameter will only be transferred to the script with the value of l the first time the script runs on the peer The value 1 indicates that this is the first time this script is being executed The next time the script is executed it is transferred with the value of O and the parameter is disregarded For example you may send an email alert to the system administrator the moment a tunnel goes down RIM_PEER_ENC_NET VPN domain of the VPN peer tnimon conf File tnimon conf File In R54 and R55 RIM was configured using the tnlmon conf file If your RIM settings are already configured using the tnlmon conf file there is no need to reconfigure RIM using SmartDashboard RIM is supported in a mixed community where there are gateways configured using the GUI and other gateways using the tnlmon conf file RIM is not supported when communicating with 3rd party gateways However if RIM is configured in the tnlmon conf file these settings will take precedence over any RIM settings in the GUI To configure RIM using the tnlmon conf file refer to the R54 and R55 User Guides Chapter 8 Route Injection Mechanism 183 Injecting Peer Gateway Interfaces Injecting Peer Gateway Interfaces 184 The RIM inject peer interfaces flag is used to inject into the routing tables the peer gateway s IP addresses in addition to the networks behind the gateway For example after a VPN tunnel is created R
317. ed Gateways window Select Gateways Select gateways to set permanent tunnels with their peer gateways Community Members Selected Gateways N Remote 3 qw Remote 1 qvwy N Remote 4 qw N Remote 2 qw N Remote 5 qw Add gt ae S lt Remove Gateway Tunnels Properties Note in case of a conflict between tunnel properties of two gateways the default tunnel properties which are defined on the community will be used Cancel Help 2 To configure the Tracking options for a specific gateway highlight a gateway and click on Gateway Tunnels Properties To configure On specific tunnels in the community 1 Select On specific tunnels in the community and click the Select Permanent Tunnels button The Select Permanent Tunnels window is displayed In the example given in Figure 7 4 a permanent tunnel was configured between Remote 1 gw and Remote 3 gw and another permanent tunnel was configured between Remote 2 gw and Remote 5 gw Chapter 7 Tunnel Management 171 Configuring Tunnel Features 172 Figure 7 4 Select Permanent Tunnels window Show all member gateways Show only specific gateways Set Shown Gateways Select All Tunnels remote 1 gw Remote 2 gw Remote 3 gw Remote tow Remote 5 ow gw N Select tunnel between row Remote 3 All Member Gatewa v Remote 4 gw Remote 5 gw C reni All Member Gatewa A
318. ed in Connect Mode and Office Mode SecuRemote SecureClient automatically resolves the NT domain name using dynamic WINS Otherwise SecuRemote SecureClient resolves the NT domain name using either LMHOSTS or WINS LMHOSTS The LMHOSTS name resolution service can be used in both LAN and dial up configurations as follows Enter the relevant information see Figure 27 1 the SFWDIR conf dnsinfo C file on the security gateway and install the policy Figure 27 1 Syntax LMdata ipaddr lt IP address gt sname lt host name gt domain lt domain name gt ipaddr lt IP address gt name lt host name gt domain lt domain name gt When SecuRemote SecureClient updates the topology the name resolution data will be automatically transferred to the dnsinfo entry of the SecuRemote SecureClient userc C file and then to its LMHOSTS file WINS Connect Mode Only The WINS name resolution service can be used in dial up configurations only It is not supported on Win 9x platforms Chapter 27 Remote Access Advanced Configuration 585 SecuRemote SecureClient and Secure Domain Logon SDL To use the WINS proceed as follows on the SecuRemote SecureClient virtual adapter AN Warning You must do this before enabling SDL see Enabling and Disabling Secure Domain Logon on page 584 1 Specify the primary and optionally the secondary WINS servers protected by the security gateway 2 Re
319. ed in chkp If it is the new language definition will override the existing language definition as long as the new language definition exists Once you have deleted the new language definition the chkp language definition will once again be used 3 Copy the messages js file of an existing chkp language to this folder 4 Edit the messages js file and translate the text bracketed by quotation marks 5 Save 6 Install Policy after adding the new language Example cd SFWDIR conf extender language mkdir custom cd custom mkdir lt language_name gt cd lt language_name gt copy chkp english messages js Edit the messages js file and translate the text bracketed by quotation marks Save In custom english messages js add a line as follows lt language_name gt translation of language_name Configuring the SSL Network Extender Install Policy OS Note No spaces are allowed in the lt language_name gt Modifying a Language 1 Enter the custom subdirectory 2 Create a folder with a language name that matches the chkp language folder to be modified 3 Create an empty messages js file and insert only those messages that you want to modify in the following format lt variable name gt lt desired text gt aS Note For reference refer to the messages js file located in chkp lt language gt Installation for Users without Administrator Privileges The SSL Network Extender usually require
320. ee Visitor Mode and MEP on page 599 Interface Resolution For interface resolution in a Visitor Mode environment it is recommended to use static IP resolution or dedicate a single interface for Visitor Mode Sq Note Visitor mode is only supported for Internet Explorer 4 0 and up 688 Configuring Remote Access Connectivity Configuring Remote Access Connectivity In this Section Configuring IKE Over TCP page 689 Configuring Small IKE phase II Proposals page 690 Configuring NAT Traversal UDP Encapsulation page 690 Configuring Visitor Mode page 691 Configuring Remote Clients to Work with Proxy Servers page 693 Configuring IKE Over TCP 1 For the gateway open Global Properties gt Remote Access page gt VPN Basic sub page gt IKE over TCP section Select Gateways support IKE over TCP 2 Enable IKE over TCP in a connection profile the remote user works in connect mode to automatically receive the profile To configure a From the file menu Manage gt Remote Access gt Connection profiles the Connection Profiles window opens Click New b Connection Profile Properties window opens On the Advanced tab select Support IKE over TCP If the user is not working in connect mode the user has to manually enable IKE over TCP on the client When IKE over TCP is enabled on the gateway the gateway continues to support IKE over UDP as well For remote clients IKE over TCP is supported only for as long as the
321. ee v x gt i s s s s j k y s s y k F 5 i 7 7 gt A i Key Material Key Material DH key is combined with the _ key material to produce the symmetrical IPSec key Symmetrical IPSec keys used _ in bulk data transfer IPSec SA Once the IPSec keys are created bulk data transfer takes place IPSec Security Gateway IPSec packet Security Gateway VPN tunne Sim CENORYP TON IKE negotiation builds the TENORYP TION tunnel IPSec keys used to create encrypted IP packets for transporting data DECRYPTION Data payload encrypted DES DECRYPTION AES or other Data integrity ensured with one way hash functions MDS or SHA1 Fast bulk data transfer 46 Overview Methods of Encryption and Integrity Two parameters are decided during the negotiation e Encryption algorithm e Hash algorithm Table 2 1 displays the number of methods for encryption and integrity supported by security gateways Table 2 1 Methods of Encryption integrity for IKE Parameter IKE Phase IKE IKE Phase II IPSec SA SA Encryption AES 256 default 3DEA 3DES AES 128 default DES AES 256 CAST DES CAST DES 40CP CAST 40 NULL Integrity MD5 MD5 default SHA1 default SHA1 NULL means perform an integrity check only packets are not encrypted Diffie Hellman Groups The Diffie Hellman key computat
322. eed for Desktop Security The Need for Desktop Security 490 A security gateway protects a network by enforcing a Security Policy on the traffic to and from that network that passes through the security gateway A remote client located outside the protected network is vulnerable to attack because traffic to the remote client does not pass through the security gateway no Security Policy is enforced on this traffic There is a further danger an attacker might gain access to a protected network by compromising a remote client which may in turn compromise the protected network for example by relaying a virus through the VPN tunnel Even if the security gateway enforces a very restrictive Security Policy the LAN remains vulnerable to attacks routed through unprotected remote clients Desktop Security Solution Desktop Security Solution In This Section Introducing Desktop Security page 491 The Desktop Security Policy page 492 Policy Server page 494 Policy Download page 494 Introducing Desktop Security Check Point VPN SecureClient protects remote clients by enforcing a Desktop Security Policy on the remote client The administrator defines the Desktop Security Policy in the form of a Rule Base Rules can be assigned either to specific user groups or to all users enabling the definition of flexible policies The Desktop Security Policy is downloaded by the Security Management server to a Policy Server a module installed on a
323. eeeeeseeeesneeees 376 Disabling CAPI Authentication ccccccccceeccesesecceeeeeeeeeseeceseeeeseeeesaeeeeaes 376 Disabling DNS based Geo Cluster Name Resolution ccccceeceeeeeeeeaeeeeaees 377 Configuring Endpoint Compliance Checks cccccseccccaeeeeeeeeeeeseeeeeeeesaeeeas 378 NAP Traversal cetera tiated earan ar ceeded ene BA na teeta 378 Smart Card Removal Detection 0 cccccceceseeeeneeeeaeeeeeaeeeseaeeeaaaeeeueeesaeeeees 379 TUN Mel VASMOSS vem fee aean ae a aeta eai EE Aee deve AET a Vaada ak 380 Cooperative Enforcement arrneo taiii aiaia ri ap dati 382 Using the Packaging Tool ssie iiaeia ane ia a a ae e a a a adaa a edanan 385 Chapter 18 Endpoint Connect API Introduction to the Client OPSEC API cccccccceccceeeceeeeeeeeeeeaceeeeeeeeeaeenaees 388 FUNCHON Ret rn CodeS n circa ae waned oa cee gata dec elds E date manerets 389 Client Functions Communicating with Service cccccsececeseceeeeeeeseeeesaeeeeas 390 NOtifiC ation Identifiers ainmeannan ei aina a d da paai 399 Functions from Service to Clienti a aa a a a a 405 Chapter 19 SecureClient Mobile Overview of SecureClient Mobile cccccececcececececeeeeeeeaeeeeeeeeeeeeeeaeeeaeeeeeetars 422 Connectivity Features ani suid veloc Dice a aa a Pea evita ees ees te Add 423 Session Continuation and TiM Out ccccccccecccecceeeeeeeeeeeeeeeeeeeeseeseeeneeeneees 423 Initiate DialUp arean ne thi diet the denM ea e a a a Gace Ea
324. een them If you choose to use this feature you must select one of the following e High Availability among all servers trying selected first Select the primary Policy Server e High Availability only among selected servers Select the servers to which you wish to connect As an administrator you can eliminate the user s need to configure these steps by creating a custom profile for them Chapter 21 Desktop Security 499 Configuring Desktop Security 500 Chapter 22 Layer Two Tunneling Protocol L2TP Clients In This Chapter The Need for Supporting L2TP Clients page 502 Solution Working with L2TP Clients page 503 Considerations for Choosing Microsoft IPSec L2TP Clients page 510 Configuring Remote Access for Microsoft IPSec L2TP Clients page 511 501 The Need for Supporting L2TP Clients The Need for Supporting L2TP Clients 502 For some organizations there are clear benefits to be gained by using the Microsoft IPSec client for remote access to internal network rather than the more feature rich and secure Check Point SecuRemote SecureClient Reasons for using the Microsoft L2TP IPSec client include the fact that is an inherent part of the Windows 2000 and Windows XP operating systems does not require an additional client to be installed and is free Solution Working with L2TP Clients Solution Working with L2TP Clients In This Section Introduction to L2TP Clients page 503 Establishing a VPN b
325. efault policy by 1 Open SC tar gz Placing the policy files in the tar gz directory local scv local dt local lp etc In the install section of product ini specifying initialpolicy bat Re packaging the client using packing tool or running setup from the tar gz Ol eR zi Installing SC from the generated package tar gz directory The policy becomes active when the client is started for the first time Policy Server High Availability When connecting to a gateway you automatically logon to the Policy Server residing behind that gateway If an alternative policy server was defined in the connection profile you may logon to a Policy Server residing on another gateway by activating the Policy Server High Availability functionality by setting the use profile ps_ configuration option as true in the userc c file Chapter 16 SecuRemote SecureClient 333 Desktop Security Policy 334 Wireless Hot Spot Hotel Registration Wireless Hotspot is a wireless broadband Internet access service available at public locations such as airport lounges coffee shops and hotels When using Hotspot application a user launches a web browser and attempts to connect to the Internet When this occurs the browser is automatically redirected by the Hotspot server to the Hotspot Welcome page for registration during the registration process the user fills in the required information Once the registration is complete the user may continue surfing the Inter
326. egin_ admin admin send log alert mismatchmessage Pleas send admin AntiVirusMonitor type plugin sparameters type Norton Signature gt 20020819 begin admin admin send log alert install security patch Q147222 Chapter 23 Secure Configuration Verification 539 Configuring SCV mismatchmessage Pleas option update your AntiVirus use the LiveUpdat send admin HWMonitor type plugin parameters cputype GenuinelIntel cpumodel 9 cpufamily 6 begin_ admin admin send log alert mismatchmessage Your machine must have an nIntel R Centrino TM processor installed end admin ScriptRun type plugin parameters sexe VerifyScript bat begin_ admin admin send log alert mismatchmessage Verification script has determined that your configuration does not meet policy requirements send admin RegMonitor type plugin parameters value Software TrendMicro PC cillinNTCorp CurrentVersion Misc PatternVer gt 414 begin_ admin admin send log alert mismatchmessage Pleas option send admin update your AntiVirus use the LiveUpdat SCVMonitor type plugin parameters scv_version 54014 begin admin admin send log alert __ imismatchmessage Pleas Verification products package upgrade your Secure Configuration
327. eighboring encryption domains as well The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway Since the remote hosts connections are dependant on the Office Mode IP address it received should the gateway that issued the IP become unavailable all the connections to the site will terminate In order for all gateways on the site to recognize the remote users Office Mode IP addresses the Office Mode IP range must be known by all of the gateways and the IP ranges must be routable in all the networks However when the Office Mode per Site feature is in use the P per user feature cannot be implemented aS Note When Office Mode per Site is activated Office Mode Anti Spoofing is not enforced 308 Office Mode Solution Figure 15 2 Office Mode per Site x VPN Domain A gt gt Gateway 2 Gateway 1 Remote Host In this scenario e The remote user makes a connection to gateway 1 e Gateway 1 assigns an Office Mode IP address to the remote user e While still connected to gateway 1 the remote user can make a connection to hosts behind gateway 2 using the Office Mode IP address issued by gateway 1 Chapter 15 Office Mode 309 Enabling IP Address per User Enabling IP Address per User The Problem In some configurations a router or other device restricts access to portions of the network to specified IP addresses A remote user connecting in Of
328. election for Load distribution Manually set priority list MEP rules If either By VPN domain or Manually set priority list is selected then Advanced options provide additional granularity MEP Selection Methods First to Respond in which the first gateway to reply to the peer gateway is chosen An organization would choose this option if for example the organization has two gateways in a MEPed configuration one in London the other in New York It makes sense for peers located in England to try the London gateway first and the NY gateway second Being geographically closer to the peers in England the London gateway will be the first to respond and becomes the entry point to the internal network See First to Respond on page 234 VPN Domain is when the destination IP belongs to a particular VPN domain the gateway of that domain becomes the chosen entry point This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways See By VPN Domain on page 235 Random Selection in which the remote peer randomly selects a gateway with which to open a VPN connection For each IP source destination address pair a new gateway is randomly selected An organization might have a number of machines with equal performance abilities In this case it makes sense to enable load distribution The machines are used in a random and equal way See Random Selection on pag
329. emote SecureClient tgz format installation package Perform the required manual editing of products ini 3 Recreate the tgz file This is the SecuRemote SecureClient package for end users Chapter 29 Userc C and Product ini Configuration Files 609 Userc C File Parameters Userc C File Parameters Ss 610 In This Section SecureClient page 610 Encryption page 613 Multiple Entry Point page 617 Encrypted Back Connections page 618 Topology page 618 NT Domain Support page 619 Miscellaneous page 620 SecureClient Note Bold indicates the default value Global Managers or Gateway indicates the location in Userc C See Structure of Userc C on page 608 Do not manually edit Global properties default_ps n n n n Specifies the IP address of the default Policy Server If this property exists SecureClient will automatically log on to the Policy Server with IP n n n n when it is launched relieving the user of the need to manually log on to the Policy Server Global manual slan control true false Disabling this property will remove the Disable Policy menu items from the Policy menu Global allow clear in enc domain true false If enabled unencrypted connections will be accepted by SecureClient NG over Encrypt desktop rules and by SecureClient 4 1 running Encrypted Only or Outgoing and Encrypted policy as long as both the source and the destination IP addresses are in the encryption domain of a s
330. en by InstallShield will be used usually this will be C Program Files CheckPoint SecuRemote DesktopSecurityAskUser 0 1 Show the Desktop Security window to the user during installation If the window is not shown to the user the value placed in DesktopSecurityDefault will be used DesktopSecurityDefault 0 1 Sets the value for Desktop Security installation A value of 1 means that SecureClient will be installed while a value of O means that SecuRemote will be installed InstallDialupOnly 0 1 Sets the value for binding to All Adapters or to Dialup Adapters only A value of O means that the installation will bind to All Adapters ShowNetworkBindings 0 1 Show the Adapter Bindings window to the user during installation If the window is not shown to the user the value placed in InstallDialupOnly will be used ShowReadmeFile 0 1 Show the Readme window to the user this window asks the user whether he she would like to view the readme file before finishing the installation A value of O means that the window will not be shown to the user and the readme file will not be read during installation ShowBackgroundImage 0 1 Determine whether the background image will be displayed during installation ShowSetupInfoDialogs 0 1 Determine whether informative InstallShield dialogs which require no user interaction will be displayed DisableCancelInstall 0 1 An option to disable the Cancel opera
331. en device is idle Configured on endpoint client x SmartDirectory LDA s A QoS Security Settings SmartMap Route all traffic through gateway No FireWall 1 Gx No UserAuthority Configuration and Version Settings Yes ee Management High Configured on endpoint client ConnectControl Client upgrade mode OSE Open Securit Stateful Inspection Log and Alert Reporting Tools OPSEC SmarCenter ail gt Cancel Help The options are Chapter 17 Endpoint Connect 371 Hub Mode e Not to route all the traffic through the gateway e To route all traffic through the gateway e Route according to the Endpoint client configuration If the client configuration is the determining factor see the client s Settings tab for a particular site A Properties of 192 168 1 1 ie Details Settings Authentication scheme Certificate P12 z Always Connect Enable Always Connect to allow the client to connect automatically to your active site when possible IV Enable Always Connect PN tunneling When connected all outbound traffic is encrypted and sent to the gateway but only traffic directed at site resources is passed 2 On the Gateway gt Remote Access page Ce i x General Properties Remote Access Topology NAT L2TP Support efense Support L2TP relevant only when Office Mode is active Remote Access Authentication Metho MD5 Challenge BG Office Mode Clientless VPN Use this
332. ender request xml on the gateway Upgrading ESOD Note At present the Dynamic ESOD Update feature is not supported You can manually upgrade ESOD as follows 1 Replace the ICSScanner cab file under SFWDIR conf extender with the new package 2 Edit the file ics html under FWDIR conf extender as follows i Search for Version and replace the current value with the new version ii Save 7 Click Advanced The SSL Network Extender Advanced Settings window is displayed Figure 30 1 SSL Network Extender Advanced Settings window SSL Network Extender Advanced Settings Re authenticate user every minutes Client sends keep alive packets every Fe seconds OK Cancel Chapter 30 SSL Network Extender 643 Configuring the SSL Network Extender 8 Configure the Session Timeout period Once authenticated remote users are assigned an SSL Network Extender session The session provides the context in which the SSL Network Extender processes all subsequent requests until the user logs out or the session ends due to a time out aS Note The default value is 8 hours The minimum is 10 minutes and the maximum is 24 hours Five minutes before the specified session time timeout has elapsed the user may be prompted for his her credentials depending upon authentication settings and once the credentials are accepted the timeout interval is initialized If the user has not provided credentials before the tim
333. ent Tunnel is configured between gateways in a MEPed environment where RIM is enabled the satellite gateways see the center gateways as unified As a result the connection will not fail but will fail over to another center gateway on a newly created permanent tunnel For more information on MEP see Multiple Entry Point VPNs on page 229 Figure 7 1 Permanent Tunnel in MEP environment M2 VPN domain Backup Security Gateway M2 Host SS SA SS L gt Primary Security Gateway In this scenario e Host 1 residing behind gateway S1 is communicating through a Permanent Tunnel with Host 2 residing behind gateway M1 Chapter 7 Tunnel Management 165 Overview 166 e M1 and M2 are in a MEPed environment e M1 and M2 are in a MEPed environment with Route Injection Mechanism RIM enabled e M1 is the Primary gateway and M2 is the Backup gateway In this case should gateway M1 become unavailable the connection would continue though a newly created permanent tunnel between S1 and M2 Tunnel Testing for Permanent Tunnels Tunnel test is a proprietary Check Point protocol that is used to test if VPN tunnels are active A packet has an arbitrary length with only the first byte containing meaningful data this is the type field The type field can take any of the following values 1 Test 2 Reply 3 Connect 4 Connected Tunnel testing requires two gateways one configured as a p
334. ents are configured for Hub mode with different gateways the routing takes place in three stages each remote client to its designated gateway then between the gateways Figure 24 5 Remote clients to different hubs Remote Client 1 Remote Gient 2 Check Point Solution for Greater Connectivity and Security In Figure 24 5 remote client 1 is configured for Hub mode with gateway A Remote client 2 is configured for Hub mode with gateway B For the connection to be routed correctly e Office mode must be enabled e VPN configuration files on both gateways must include the Office Mode address range used by the other In Figure 24 5 the VPN configuration file on gateway A directs all traffic aimed at an Office Mode IP address of gateway B towards gateway B A connection leaves Remote Client1 and is sent to gateway A From gateway A the connection is redirected to gateway B Gateway B once more redirects the traffic towards Remote Client2 The reply from Remote Client2 follows the same path but in reverse e Office mode addresses used by both gateways must be non overlapping Including the Office Mode Range of Addresses in the VPN Domain of the Gateway Another way to achieve client to client communication is by defining an Office Mode range of addresses for remote clients and including this range of addresses in the VPN domain of the gateway that acts as the Hub Each remote client directs communication to the remote peer via the gatewa
335. eout has elapsed the user is disconnected from the server and will need to reconnect the client manually 9 Configure the keep alive packets transmission frequency The keep alive packets inform NAT devices or HTTP proxies via which the user is connected that the user connection is still active 10 Click OK The SSL Network Extender Global Properties window is displayed 11 Click OK Configuring ESOD Policies On the Security Management server Note Make sure that Endpoint Security on Demand is enabled in the Global Properties gt Remote Access gt SSL Network Extender page 1 Navigate to the SFWDIR 1lib directory Backup the vpn _table def file Change the file name vpn_table HFA def to vpn_table def On the security gateway 1 Using the ESOD server or ESOD configuration Tool which can be downloaded from the Check Point download center create xml policy files for each group and place them in SFWDIR conf extender 2 You can create a default policy file named request xml This is only optional and will be used when no group is given 644 3 4 Configuring the SSL Network Extender In the SFWDIR conf folder create a file called ics group This should be a text file in which each row lists a group name and its policy xml file Example of ics group file Groupl groupl xml Group2 group2 xml Group3 defGroup xml Group4 defGroup xml Important notes about the ics group file e The group name must be the
336. ept VPN Traffic Rule on page 125 Chapter 5 Domain Based VPN 121 Configuring Domain Based VPN Configuring Domain Based VPN In This Section Configuring VPN Routing for Gateways via SmartDashboard page 122 Configuration via Editing the VPN Configuration File page 124 Configuring Multiple Hubs page 125 Configuring SmartLSM Security Gateways page 128 Common VPN routing scenarios can be configured through a VPN star community but not all VPN routing configuration is handled through SmartDashboard VPN routing between gateways star or mesh can be also be configured by editing the configuration file FWDIR conf vpn_route conf VPN routing cannot be configured between gateways that do not belong to a VPN community Configuring VPN Routing for Gateways via SmartDashboard For simple hubs and spokes or situations in which there is only one Hub the easiest way is to configure a VPN star community in SmartDashboard 1 On the Star Community properties window Central Gateways page select the gateway that functions as the Hub 2 On the Satellite Gateways page select gateways as the spokes or satellites On the VPN Routing page Enable VPN routing for satellites section select one of these options e To center and to other Satellites through center This allows connectivity between the gateways for example if the spoke gateways are DAIP gateways and the Hub is a gateway with a static IP address e To center
337. er the traffic between them passed through a NAT device For a number of reasons NAT is incompatible with IPSec e PSec assures the authenticity of the sender and the integrity of the data by checking to see that the data payload has not been changed in transit A NAT device alters the IP address of the remote client The Internet Key Exchange IKE protocol used by IPSec embeds the client s IP address in its payload and this embedded address when it reaches the gateway will fail to match the source address of the packet which is now that of the NAT device When addresses don t match the gateway drops the packet e TCP and UDP checksums in the TCP header are sometimes used to verify the packet s integrity The checksum contains the IP addresses of the remote client and gateway and the port numbers used for the communication IPSec encrypts the headers with the Encapsulating Security Payload ESP protocol Since the header is encrypted the NAT device cannot alter it This results in an invalid checksum The Connectra gateway again rejects the packet The Endpoint Connect Client resolves these and other NAT related issues by using NAT Traversal NAT T as a way of passing IPSec packets through the NAT device On the Connectra gateway default ports are e Internet Key Exchange IKE User Datagram Protocol UDP on port 500 Note only IKEv1 is supported e Psec NAT T UDP on port 4500 e Encapsulating Security Payload ESP I
338. er xp 10 Specifies the minor version required for Windows XP operating systems to be verified os_ version operand xp gt Operator for checking the operating system s service pack on Windows XP service pack major version number xp 0 Specifies the major service pack version required for Windows XP operating systems to be verified service pack minor version number xp 0 Specifies the minor service pack version required for Windows XP operating systems to be verified service pack version operand xp gt Operator for checking the operating system s service pack on Windows XP os version mismatches Please upgrade your operating system Configuring SCV Message to be displayed in case of a non verified configuration for the operating system s version service pack The operating system s version and service pack will not be checked if none of the parameters appear in the scv file e major_os_version_number_2003 5 Specifies the major version required for Windows 2003 operating systems to be verified e minor_os_version_number_2003 2 Specifies the minor version required for Windows 2003 operating systems to be verified e 0S_version_operand_2003 Operator for checking the operating system s service pack on Windows 2003 e service_pack_major_version_number_2003 0 Specifies the major service pack version required for Windows 2003 operating systems to be verified e
339. ere are two possible methods to configure RIM e Automatic RIM RIM automatically injects the route to the encryption domain of the peer gateways e Custom Script Specify tasks for RIM to perform according to specific needs Route injection can be integrated with MEP functionality which route return packets back through the same MEP gateway For more information on MEP see Multiple Entry Point VPNs on page 229 Automatic RIM Automatic RIM Automatic RIM can be enabled using the GUI when the operating system on the gateway is SecurePlatform IPSO or Linux Although a custom script can be used on these systems no custom written scripts are required Figure 8 1 Automatic RIM 10 10 10 0 Leased Line e amp 172 16 20 0 24 192 168 21 0 24 172 16 10 0 24 192 168 10 0 24 192 168 20 0 24 192 168 10 0 24 In this scenario e Gateways 1 and 2 are both RIM and have a dynamic routing protocol enabled e RI and R4 are enabled routers e When a VPN tunnel is created RIM updates the local routing tables of gateway l and gateway 2 to include the encryption domain of the other gateway e Should the VPN tunnel become unavailable traffic is redirected to the leased line The routing tables for the gateways and routers read as follows Entries in bold represent routes injected into the gateways local routing tables by RIM Gateway 1 Network Destination Netmask Gateway Metric 0 0 0 0 0 0 0 0 172 16 10 2 1
340. ere were no drop rule in the Simplified policy the connection may be matched to and allowed by a rule further down in the Rule Base When the Converted Rule Base is too Restrictive This translation of Encrypt rules into two Simplified Mode rule is at least as restrictive as the original rule However in the converted Rule Base shown in Table B 2 some connections that were matched to and allowed by the original rule Table B 1 may be dropped This may happen with connections between two hosts in the encryption domain of the same gateway For example referring to Figure B 1 connections from a node in Net_A to a Node in Net_B will be dropped by the converted Rule Base This is because community rules define traffic between VPN Domains and do not relate to traffic within a VPN Domain To allow these connections in the converted rule base you must explicitly allow them To do this add one rule between the first rule and the second rule for each policy target appearing in the install on field For example the two Rules in Table B 2 become three rules as in Table B 3 Table B 3 Manually Added Rule in the converted Encrypt Rule Base Src Dest VPN Service Action Track Install On X Y All_GW_to_GW My_Services Accept Log Policy Targets Net_A Net_B Any My_Services Accept Log Gateway 1 X Y Any My_Services Drop Log Policy Targets In most cases it is not necessary to add these rules Only ad
341. es and ports accessed during registration connect_timeout 600 Maximum number of seconds to complete registration max_ip_count 5 Maximum number of IP addresses allowed during registration block_hotspot_after_connect false If set to true upon successful connect the recorded ports and addresses will not remain open Chapter 16 SecuRemote SecureClient 343 Configuring SecureClient Table 16 1 Hotspot Parameters Parameter Default Description max_trials 0 This value represents the maximum number of unsuccessful hotspot registration attempts that an end user may perform Once this limit is reached the user will not be allowed to attempt registration again The counter is reset upon reboot or upon a successful VPN connect In addition if you modify the max trials value the modification will take affect only upon successful connect or reboot If the max trials value is set to O an unlimited number of trials is allowed local_subnets false Restrict access to local subnets only ports 80 Restrict access to specific ports 443 8080 344 Configuring Enable Logging Enable Logging is configured in SmartDashboard and SecuRemote SecureClient In SmartDashboard 1 Go to Global Properties gt Remote Access gt VPN Advanced 2 Select Allow users to save troubleshooting logs 3 Click OK In the system tray of the desktop 1 Right click the SecureClient icon From the popup menu select Settings 2
342. es can be converted in a way that exactly preserves the policy that is specified in the Security Rule Base The converted rule s in the Simplified VPN can under certain circumstances behave somewhat differently than the encryption rule for Traditional VPNs described in How an Encrypt Rule Works in Traditional Mode on page 720 Running the converter is a simple two or three step process After running the wizard you should review the Security Rule Base to make sure that it has maintained its required functionality and optimize it if needed Placing the Gateways into the Communities The first step in converting a traditional VPN to a simplified VPN is to create VPN communities that describe the topology of the organization The conversion wizard requires the administrator to place gateways into communities It cannot do this automatically because it is very difficult to deduce from the traditional policy what communities should be defined between gateways The wizard allows you define communities and to drag and drop gateways into the communities Referring to Figure B 1 the administrator must make gateway 1 and gateway 2 members of the same community by dragging both the gateway objects into the same site to site community object You may prefer to create several communities with different encryption properties to reflect the way that the traditional VPN policy works If no communities have been previously defined there are by defa
343. es i Firewall NAT Network Add Authentication E VPN VPN 1 UTM Edge C E Remote Access VPN Basic VPN Advance VPN IKE Pha VPN IPSEC P Certificates Secure Configu SSL Network E SecureClient Mc Endpoint Conne Early Versions C Hot Spot Hotel SmartDirectory LDA QoS SmartMap Firewall 1 GX UserAuthority Management High ConnectControl OSE Open Securit Stateful Inspection E Log and Alert Reporting Tools OPSEC SmarCenter gail gt Secure Configuration Verification SC Apply Secure Configuration Verification IV Apply Secure Configuration Verification on Simplified mode Security Policies Upon verification failure Block client s connectior m gt Secure Configuration erification Exceptions C Accept and log client s c The following hosts can be accessed using the selected services even if the client is not verified ae Basic configuration verification c IV Policy is installed on all i IV Only TCP IP protocols lt 1 Configuration Violation Notificati IV Generate log IV Notify the user Add Remove IV Do not apply Secure Configuration Verification on SSL clients connections cme te x x Endpoint Connect 373 Authentication Time out 374 2 On the gateway object turn on Cooperative Enforcement See Cooperative Enforcement on page 382 Authentication Time out These s
344. es maa neta asa ate teed v litem e hetaaay Meet ag ee eet 634 Configuring the SSL Network Extender cccccceccccseceseseeeeecceeeeeeseeeeseeeeeaeeeees 636 CONTSUFING the SEVE oes Seatac SheccR ade cededca ea o e naaa aaa 636 Configuring ESOD Pole AS saw i re a a A E e A EA AEA 644 Load Sharing Cluster SUpport anirai a EAE aa eee 646 Customizing the SSL Network Extender Portal cccccecccseeceeseeeeseeeeeaeeeeaes 647 Installation for Users without Administrator Privileges ccccccccseeeeeeeeeeaes 651 SSL Network Extender User Experience cccccceccccseececeeeceeceeaeeeseneseseeeeeaeeees 652 Configuring Microsoft Internet Explorer cccccccceseecceeeceseeeeeueeeeaneeeeaeeeeaes 652 About ActiveX ControlScan iee a deavacdcaradeesveheev deca i a e ia 653 Downloading and Connecting the Client cccccceccceecceseeeeeeeeeeaeeeeeneeeeaees 653 Table of Contents 17 Uninstallon DISCONN CCl sates siete ssc inves a a a ea dew sacaoar ence 665 Using SSL Network Extender on Linux Mac Operating Systems 006 665 Removing an Imported Certificate cccccccccceeccceecceeeeceeeeeeseeeeseeeeeaeeeaees 670 MFOUDIESNOOTING x cctatc a ceseiees ands a Gunner a ean hatin E ea occas 672 SSL Network Extender ISSUCS cececeeeeceeeeeeeeeeaeeeeeeeeeeaeeeseaeeeeaeeeeaaees 672 ESOD ISSUES hren anena ea ota a ar a eaat iaat ances aaaea eget eai 673 Chapter 31 Resolving Connectivity
345. ess Clients on page 567 Using Link Selection Using Link Selection In This Section IP Selection by Remote Peer page 209 Outgoing Route Selection page 211 Link Selection employs two mechanisms e IP Selection by Remote Peer for incoming traffic e Outgoing Route Selection for outbound traffic IP Selection by Remote Peer There are several methods that can determine how remote peers resolve the IP address of the local gateway Remote peers can connect to the local gateway using e Always use this IP address e Main address The VPN tunnel is created with the gateway main IP specified in the IP Address field on the General Properties page of the gateway e Selected address from topology table The VPN tunnel is created with the gateway using a selected IP address chosen from the drop down menu that lists the IP addresses configured in the Topology page of the gateway e Statically NATed IP The VPN tunnel is created using a NATed IP address This address is not required to be listed in the topology tab e Calculate IP based on network topology This method calculates the IP address used for the VPN tunnel by network topology based on the location of the remote peer For more information see Link Selection for Remote Access Scenarios on page 570 e DNS Resolving This method is required for Dynamically Assigned IP DAIP gateways A VPN tunnel to a DAIP gateway can only be initiated using DNS resolving since the
346. ess VPN 2 Select a Certificate for gateway authentication 3 Select an option for Client authentication e Select Require the client to present a certificate if user authentication is required and that authentication is performed through the use of certificates e Select Ask the client to present a certificate if user authentication is required but you know that not all of the Clientless VPN users have certificates and that some are authenticating in other ways e Select Do not ask the client to present a certificate if user authentication through certificates is not required or performed through other means 4 Number of concurrent servers processes refers to the number of VPN Security Servers to run Depending on the load the administrator can run more than one Security Server See the section on Number of Security Servers to Run on page 702 5 Accept 3DES for Clientless VPN connections when strong encryption must be enforced Chapter 32 Clientless VPN 705 Configuring Clientless VPN 706 Defining Users If user authentication is required 1 Define users either in the internal database or external LDAP server For more information refer to the Security Management server Administration Guide 2 Enable authentication methods by e Configuring the gateway to support the required authentication methods e Configuring the appropriate authentication methods for users for example user name password or through the
347. ess VPN 279 VPN for Remote Access Considerations VPN for Remote Access Considerations In This Section Policy Definition for Remote Access page 280 User Certificate Creation Methods when Using the ICA page 280 Internal User Database vs External User Database page 281 NT Group RADIUS Class Authentication Feature page 282 When designing Remote Access VPN consider the following issues Policy Definition for Remote Access There must be a rule in the Security Policy Rule Base that grants remote users access to the LAN Consider which services are allowed Restrict those services that need to be restricted with an explicit rule in the Security Policy Rule Base User Certificate Creation Methods when Using the ICA Check Point s Internal Certificate Authority ICA offers two ways to create and transfer certificates to remote users 1 The administrator generates a certificate in Security Management server for the remote user saves it to removable media and transfers it to the client out of band 2 The administrator initiates the certificate process on the Security Management server or ICA management tool and is given a registration key The administrator transfers the registration key to the user out of band The client establishes an SSL connection to the ICA using the CMC protocol and completes the certificate generation process using the registraion key In this way e Private keys are generated on the client e T
348. ess control to the user s machine but rather takes advantage of the vulnerable configuration of applications on the client The Secure Configuration Verification Solution The Secure Configuration Verification Solution In This Section Introducing Secure Configuration Verification page 521 How does SCV work page 522 SCV Checks page 524 SCV Policy Syntax page 530 The local scv Sets page 534 A Complete Example of a local scv File page 536 Introducing Secure Configuration Verification Secure Configuration Verification SCV enables the administrator to monitor the configuration of remote computers to confirm that the configuration complies with the organization s Security Policy and to block connectivity for machines that do not comply SCV does not replace the Desktop Security Policy but complements it SCV strengthens enterprise security by ensuring SecureClient machines are configured in accordance with the enterprise Security Policy SCV is a platform for creating and using SCV checks SCV checks include sets of conditions that define a securely configured client system such as the user s browser configuration the current version of the Anti Virus software installed on the desktop computer the proper operation of the personal firewall policy etc These security checks are performed at pre defined intervals by SecureClient Depending on the results of the SCV checks the security gateway decides whether to allow or block con
349. ettings for the gateway determine how long the remote client s password remains valid which is equal to the frequency of IKE phase 1 By default IKE authentication is valid for one day If you do not want to accept the IKE default set a different value here in Global Properties gt Remote Access gt Authentication Timeout Global Properties 3 x Remote Access YPN 1 SecuRemote SecureClient Firewall NAT Network Address Topology Update Authentication f YPN Tl Update topology every 4 Hours VPN 1 UTM Edge Gate Automatic update Remot ess SmartDirectory LDAP QoS Authentication Timeout SmartMap Firewall GX Use default value 1 day UserAuthority Validation timeout every 120 Minutes Management High Ava ConnectControl P Allow caching of static passwords on client OSE Open Security E Stateful Inspection Additional Properties Log sa Alert Tl Enable Back Connections from gateway to client Reporting Tools OPSEC Send keep alive packet to the Gateway fea Seconds SmartCenter Access Non Unique IP Address E SmartD ashboard Custo IV Encrypt DNS traffic VPN 1 SecureClient Logon High Availability IV Use backup Policy Servers on Logon failure Transparent Mode only Choose next Policy Server Choose Policy Server randomly VPN 1 SecureClient Desktop Security Policy expiration time Revert to default policy after feo a Minutes Cancel
350. etween a Microsoft IPSec L2TP Client and a Check Point Gateway page 504 Behavior of an L2TP Connection page 505 security Gateway Requirements for I PSec L2TP page 505 Authentication of Users and Client Machines page 506 User Certificate Purposes page 509 Introduction to L2TP Clients Check Point Security Gateways can create VPNs with a number of third party IPSec clients This explanation focuses on the Microsoft IPSec L2TP client You can access a private network through the Internet by using a virtual private network VPN connection with the Layer Two Tunneling Protocol L2TP L2TP is an industry standard Internet tunneling protocol Check Point supports the Microsoft IPSec L2TP client on Windows 2000 and Windows XP machines The client is an integral part of the Windows operating system Creating a Remote Access environment for users with Microsoft IPSec L2TP clients is based on the same principles as those used for setting up Remote Access for SecuRemote SecureClients It is highly recommended to read and understand Chapter 14 Introduction to Remote Access VPN before attempting to configure Remote Access for Microsoft PSec L2TP clients Chapter 22 Layer Two Tunneling Protocol L2TP Clients 503 Solution Working with L2TP Clients 504 Establishing a VPN between a Microsoft IPSec L2TP Client and a Check Point Gateway To allow the user at the Microsoft IPSec L2TP client to access a network resource protected by a se
351. etwork Extender Using SSL Network Extender on Linux Mac Operating Systems There are two methods to access Network Applications using Linux e Java e Command Line Java 1 When connecting for the first time the SSL Network Extender installation archive package is downloaded This process is similar to the Windows Java installation Chapter 30 SSL Network Extender 665 SSL Network Extender User Experience 666 2 If the user does not have root permissions the user is prompted to enter a root password in order to install the package Enter the password and press Enter After the installation is finished the applet will try to connect If it is the first time the following window is displayed Figure 30 21Fingerprint Verification r 3 SSL Network Extender example ODD HICK LORE BIRD FIB END SLAM BHOY NOB LEO RUSS LIT If the system Administrator has sent the user a fingerprint it is strongly recommended that the user verify that the server certificate fingerprint is identical to the Root CA Fingerprint seen in the window Click Yes to confirm Command Line To download the SSL Network Extender installation archive package 1 In the Network Applications Settings window click on click here in the sentence For Linux command line SSL Network Extender installation click here The Shell archive package is downloaded to the users home directory Before running the installation script make sure ex
352. ew Overview Multiple Entry Point MEP is a feature that provides a high availability and load sharing solution for VPN connections A gateway on which the VPN module is installed provides a single point of entry to the internal network It is the gateway that makes the internal network available to remote machines If a gateway should become unavailable the internal network too is no longer available A MEPed environment has two or more security gateways both protecting and enabling access to the same VPN domain providing peer gateways with uninterrupted access VPN High Availability Using MEP or Clustering Both MEP and Clustering are ways of achieving High Availability and load sharing However 230 Unlike the members of a ClusterXL gateway Cluster there is no physical restriction on the location of MEPed gateways MEPed gateways can be geographically separated machines In a cluster the clustered gateways need to be in the same location directly connected via a sync interface MEPed gateways can be managed by different Security Management servers cluster members must be managed by the same Security Management server In a MEP configuration there is no state synchronization between the MEPed gateways In a cluster all of the gateways hold the state of all the connections to the internal network If one of the gateways fails the connection passes seamlessly over performs failover to another gateway and the
353. eway is responding For example in the scenario shown in Figure 12 4 satellite S1 opens a connection to the VPN domain that includes gateways M1 M2 and M3 M1 is the resolved peer If tracking is enabled the log reads Resolved peer for tunnel from S1 to the MEP that contains M1 M2 and M3 is M1 Primary gateway responding Chapter 12 Multiple Entry Point VPNs 239 Implicit MEP Implicit MEP There are three methods to implement implicit MEP 240 First to Respond in which the first gateway to reply to the peer gateway is chosen An organization would choose this option if for example the organization has two gateways in a MEPed configuration one in London the other in New York It makes sense for VPN 1 peers located in England to try the London gateway first and the NY gateway second Being geographically closer to VPN peers in England the London gateway is the first to respond and becomes the entry point to the internal network See First to Respond on page 234 Primary Backup in which one or multiple backup gateways provide high availability for a primary gateway The remote peer is configured to work with the primary gateway but switches to the backup gateway if the primary goes down An organization might decide to use this configuration if it has two machines in a MEP environment one of which is stronger than the other It makes sense to configure the stronger machine as the primary Or perh
354. ey consume computer resources such as memory or CPU Generally there are two kinds of DoS attack One kind consists of sending malformed garbage packets in the hope of exploiting a bug and crashing the service In the other kind of DoS attack an attacker attempts to exploit a vulnerability of the service or protocol by sending well formed packets IKE DoS attack protection deals with the second kind of attack IKE DoS Attacks The IKE protocol requires that the receiving gateway allocates memory for the first IKE Phase 1 request packet that it receives The gateway replies and receives another packet which it then processes using the information gathered from the first packet An attacker can send many IKE first packets while forging a different source IP address for each The receiving gateway is obliged to reply to each and assign memory for each This can consume all CPU resources thereby preventing connections from legitimate users The attacker sending IKE packets can pretend to be a machine that is allowed to initiate IKE negotiations such as a Check Point Security Gateway This is known as an identified source The attacker can also pretend to have an IP address that the IKE DOS Protection receiving gateway does not know about such as a SecuRemote SecureClient or a Check Point Security Gateway with a dynamic IP address This is known as an unidentified source Defense Against IKE DoS Attacks When the number of simult
355. f a specific IP address from the gateway s topology or statically NATed IP was configured the IP address should be set in this attribute interface resolving ha primary if The primary IP address used for one time ongoing probing use interface IP Used only for one time ongoing probing Set to true if all IP addresses defined in topology tab should be probed Set to false if the manual list of IP addresses should be probed available VPN IP list Used only for one time ongoing probing List of IP addresses that should be probed This list is used only if the value of use interface IP Is false Chapter 25 Link Selection for Remote Access Clients 573 Configuring Link Selection Configuring the Early Version Compatibility Resolving Mechanism 574 In SmartDashboard 1 Click Policy gt Global Properties gt Remote Access gt Early Versions Compatibility 2 Select Static calculation based on network topology if remote access clients downloading topology from pre NGX gateways should use topology calculation to resolve IP addresses 3 Select Dynamic interface resolving mechanism to convert to one of the methods in Table 25 1 The method downloaded in topology to remote access clients by Pre NGX gateways will be converted as follows Table 25 1 Backward Compatibility Gateway Method Selected address from topology table Method used by Remote Access Client downloading topology from a Pre N
356. f the VPN domain interface roaming maintains the logical connection Multiple Sites Endpoint Connect connects to any one of a number of user defined gateways Dead Gateway Detection If the client fails to receive an encrypted packet within a specified time interval it sends a special tunnel test packet to the gateway If the tunnel test packet is acknowledged then the gateway is active If number of tunnel test packets remain unacknowledged the gateway is considered inactive or dead Hotspot Detection and Exclusion Dialup Support Cooperative Enforcement Security Endpoint Security on Demand Provides a full effective end point compliance check for required software updates Anti Virus signatures presence of malware when connecting and repeat scans at specified time intervals Clients that fail the initial scan when connecting gain access to remediation sources Full IPSec VPN Internet Key Change version 1 support for secure authentication Support for strong authentication schemes such as a Username and passwords including cached passwords b SecurlD c Challenge Response d CAPI software and hardware tokens Certificate enrollment renewal and auto Renewal Chapter 17 Endpoint Connect 353 Installation and Use 354 Tunnel idleness Detection Smartcard Removal Detection Hub Mode Increases security by routing all traffic such as traffic to and from the Internet through the gateway where the tr
357. face 31 Feedback 32 Introduction to VPN Technology Chapter Overview In This Chapter The Connectivity Challenge The Basic Check Point VPN Solution page 36 page 37 35 The Connectivity Challenge The Connectivity Challenge With the explosive growth in computer networks and network users IT managers are faced with the task of consolidating existing networks remote sites and remote users into a single secure structure Branch offices require connectivity with other branch offices as well as the central organization Remote users require enhanced connectivity features to cope with today s changing networking environments New partnership deals mean business to business connections with external networks Typically consolidation needs to take place using existing infrastructure For many this means connectivity established via the Internet as opposed to dedicated leased lines Remote sites and users must be unified while at the same time maintaining high levels of security Once connectivity has been established the connections must remain secure offer high levels of privacy authentication and integrity while keeping costs low In addition only legitimate traffic must be allowed to enter the internal network Possibly harmful traffic must be inspected for content Within the internal network different levels of access must also exist so that sensitive data is only available to the right people 36 The Basic
358. faces Error Messages Table 19 6 provides a list of error messages their possible cause and a solution Table 19 6 Error Messages Troubleshooting Error Message Cannot find the server server name Please check the server name and try again Possible Cause There is an error resolving the server name Solution Check the server name and verify that the IP address is valid Error while negotiating with the server server name Please try again Error in client server negotiation Try to connect again You are not permitted to access the server The user is not authorized Check that the user certificate is installed and is valid Table 19 6 Error Messages Troubleshooting Troubleshooting Error Message Your device is not connected to any network Possible Cause The network is not available for connection Solution Connect the device to a network Your device is not connected to any network Dialup connection is not available The network is not available for connection and dialup cannot be initiated The settings may not be configured properly Check that your dialup settings are configured properly Access denied Wrong username or password Wrong credentials supplied Ensure that the credentials are current and retry If the credentials are cached use the clear passwords button User is not permitted to have an offic
359. ffice Mode settings created on Security Management server by editing a plain text file called ipassignment conf in the FWDIR conf directory of the VPN module The module uses these Office Mode settings and not those defined for the object in Security Management server Ipassignment conf can specify e An IP per user group so that a particular user or user group always receives the same Office Mode address This allows the administrator to assign specific addresses to users or particular IP ranges networks to groups when they connect using Office Mode e A different WINS server for a particular user or group e A different DNS server e Different DNS domain suffixes for each entry in the file WINS Specific IP Gateway Type IP Address per eet User Name f ee 4 te 4k H Paris GW 10 5 5 8 f N Jem Brazil addr 10 6 5 8 wins 192 168 3 2 192 168 3 3 Joao Miami addr 10 7 5 8 dns 192 168 3 fe DNS CN John OU users O cpmgint acme com gibeuu Miami range 100 107 105 110 100 107 105 119 24 Finance Miami net 10 7 5 32 28 suffix acct acme com Accounting comments are allowed D Domain Suffix Specific IP per group Subnet masks and Office Mode Addresses You cannot use the ipassignment conf file to assign a subnet mask to a single user If using IP pools the mask is taken from the network object or defaults to 255 255 255 0 if using DHCP 318 Configuring Office Mode Ch
360. fice Mode must be able to ensure that he or she is allocated an IP address which will allow the connection to pass through the router SJ Note If this feature is implemented it is imperative to enable anti spoofing for Office Mode See Anti Spoofing on page 307 for more information The Solution There are two ways to implement this feature depending on whether IP addresses are allocated by a DHCP server or IP Pool DHCP Server If Office Mode addresses are allocated by a DHCP server proceed as follows 1 Open the Check Point object from the Objects Tree 2 In the Object Properties gt Remote Access gt Office Mode page e Enable Office Mode either for all users or for the relevant group e Select a DHCP server and under MAC address for DHCP allocation select calculated per user name Install the Policy on the Module On the Module run the following command to obtain the MAC address assigned to the user vpn macutil lt username gt 5 On the DHCP Server make a new reservation specifying the IP address and MAC address assigning the IP address for the exclusive use of the given user 310 Enabling IP Address per User Ipassignment conf File The SFWDIR conf ipassignment conf file on the Module is used to implement the P per user feature It allows the administrator to assign specific addresses to specific users or specific ranges to specific groups when they connect using Office Mode or L2TP
361. figure the security gateway to supply addresses to the clients by means of the Office Mode feature Chapter 22 Layer Two Tunneling Protocol L2TP Clients 505 Solution Working with L2TP Clients 506 Authentication of Users and Client Machines There are two methods used to authenticate an L2TP connection e Using Legacy Authentication e Using certificates Authentication Methods L2TP clients can use any of the following Authentication schemes to establish a connection e Check Point password e OS password e RADIUS e LDAP e TACACS Using a username and password verifies that a user is who they claim to be All users must be part of the Remote Access community and be configured for Office Mode Certificates During the process of establishing the L2TP connection two sets of authentication are performed First the client machine and the security gateway authenticate each other s identity using certificates Then the user at the client machine and the security gateway authenticate each other using either certificates or a pre shared secret The Microsoft IPSec L2TP client keeps separate certificates for IKE authentication of the client machine and for user authentication On the security gateway if certificates are used for user authentication then the security gateway can use either the same certificate or different certificates for user authentication and for the IKE authentication Certificates for both clie
362. file is downloaded to the client when the user updates the site topology The user selects which profile to work with from a list For example a profile that enables UDP encapsulation in order to cope with some NATing device or a profile that enables Visitor mode when the remote client must tunnel the VPN connection over port 443 The policy server used to download the Desktop Security Policy is also contained in the profile Chapter 14 Introduction to Remote Access VPN 275 The Check Point Solution for Remote Access 276 Access Control for Remote Access Community Typically the administrator needs to define a set of rules that determines access control to and from the network This is also true for remote access clients belonging to a remote access community Policy rules must be created in order to control the way remote clients access the internal network via the gateway Membership of a community does not give automatic access to the network The gateway s Security Policy Rule Base defines access control in other words whether a connection is allowed Whether a connection is encrypted is determined by the community If both the source and the destination belong to the community the connection is encrypted otherwise it is not encrypted For example consider a rule that allows FTP connections If a connection matching the rule is between community members the connection is encrypted If the connection is not between community membe
363. firm that the serial number of the validated certificate is not included among the revoked certificates In addition VPN verifies the validity of the certificate s use in the given situation confirming that e The certificate is authorized to perform the required action For example if the private key is needed to sign data e g for authentication the KeyUsage extension on the certificate if present is checked to see if this action is permitted e The peer used the correct certificate in the negotiation When creating a VPN tunnel with an externally managed module the administrator may decide that only a certificate signed by a specific CA from among the trusted CAs can be accepted Acceptance of certificates with specific details such as a Distinguished Name is possible as well Revocation Checking There are two available methods useful in determining the status of a certificate 1 CRL 2 Online Certificate Status Protocol OCSP CRL VPN can retrieve the CRL from either an HTTP server or an LDAP server If the CRL repository is an HTTP server the module uses the URL published in the CRL Distribution Point extension on the certificate and opens an HTTP connection to the CRL repository to retrieve the CRL If the CRL repository is an LDAP server VPN attempts to locate the CRL in one of the defined LDAP account units In this scenario an LDAP account unit must be defined If the CRL Distribution Point extension exi
364. for both gateways e 6 f the gateway has multiple interfaces and one or more of the interfaces has the same IP address and netmask vpn sw_topology This command downloads the topology for a SofaWare gateway vpn ver This command displays the VPN major version number and build number vpn tu This command launches the TunnelUtil tool which is used to control VPN tunnels AppendixA 713 SecureClient Commands The following commands relate to SecureClient 714 Table A 2 SecureClient command line interface Command Explanation SCC VPN commands executed on SecureClient are used to generate status information stop and start services or connect to defines sites using specific user profiles scc connect This command connects to the site using the specified profile and waits for the connection to be established In other words the OS does not put this command into the background and executes the next command in the queue scc connectnowait This command connects asynchronously to the site using the specified profile This means the OS moves onto the next command in the queue and this command is run in the background scc disconnect This command disconnects from the site using a specific profile scc erasecreds This command unsets authorization credentials scc listprofiles This command lists all profiles scc numprofiles This command displays the number of prof
365. g Source IP Address Settings cccccccccsscccsseceeeeeeseeeesneeeeaeeeeaes 226 Configuring On Demand links 2200 ieccect sennosdvetebeeds Gevesdeiaceedeyedeve vecdd vevenesaness 227 Configuring the Early Version Compatibility Resolving Mechanism 5 228 Outgoing Bink Tracking ms aiani Mot teiasarors Mhabetss ca aea et aaa hess 228 Chapter 12 Multiple Entry Point VPNs OVE EW aia ea aea akc tele pana aa ene canned E E eee tee eee aude eS 230 VPN High Availability Using MEP or Clustering cccccccccceecceeseeeaeeeeeees 230 HOW S TE WOKS a n anida e uade ne thes ee ae Aa adele cde oc ae aba ats a Eai 231 EXPliGiti ME P vere ives E E AA oraenat vende awadev sanesnten auctesh ented ES 232 MEP Selection Methods scene veleiandictiehe casas dian uate thier ee araea iie css 233 MPIC ME Pee eaa aaa aaa eaaa ea eaaa Lacttentaumdeaawetibncates senate eeustentan ete 240 Routing SIDADI s2101 E SEEE TA A A E 244 Sp cial Considerations sianoz r a A a E aE aA 246 oae R E EAN E AAE AET S A 247 Contie rninge EXPIICIE MEP zaina agea a A ana 247 Config ring Implicit MEP niesienie en hee har a aaa a a eat 248 Configuring IP Pool NA Toy nienn ne eieae aaa Sa ae ae aaie en saaa 250 Chapter 13 Traditional Mode VPNs Introduction to Traditional Mode VPNS ccccccseeeeeeeceeeeeeeeeaeeeeeeessaeeeeseeaeneeeees 252 VPN Domains and Encryption Rules ccccccceccceeceeeeeeeeceeeeeeeeeeeeeseeeeseeeeeas 253 Defining VPN P
366. g a Package page 484 Adding Scripts to a Package page 485 The Packaging Tool wizard guides an administrator through the process of creating a preconfigured SecureClient installation package Each package can contain a different combination of a SecureClient version and a pre configured profile You create a package in two essential stages I Configuring and saving a package profile The profile contains all the settings to be installed by the package by default 2 Applying the profile to an exisitng installation package thus creating a properly preconfigured package Creating a New Package Profile 1 To create a new profile Select Profile gt New Enter the profile details and press Next The Packaging Tool wizard will guide you through the next several windows in which you should configure different parameters regarding the user s profile such as policy encryption topology including Partial Topology information certificates client installation and logon parameters SDL Gina DLLs For information about these features see the relevant chapters in the documentation After pre configuring all of the client s settings you will be presented with the Finish screen In this screen you can decide if Packaging Tool should continue to create a new package containing the changes as they appear in the profile or finish the process of profile generation without creating a new package The options in this screen are e N
367. gateway Table 24 1 Destination Next hop router interface Install On Hub1_OfficeMode_range Hubl Hub2 Hub2_OfficeMode_range Hub2 Hubl When Remote Client 1 communicates with Remote Client 2 e The traffic first goes to the Hub 1 since Remote Client 1 is working in Hub mode with Hub 1 e Hub 1 identifies Remote Client 2 s IP address as belonging to the Office mode range of Hub 2 e The vpn_route conf file on Hub 1 identifies the next hop for this traffic as Hub 2 e The traffic reaches the Hub 2 Hub 2 redirects the communication to Remote Client 2 566 Chapter 29 Link Selection for Remote Access Clients In This Chapter Overview page 568 Link Selection for Remote Access Scenarios page 570 Configuring Link Selection page 573 Overview Overview Link Selection is a method used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path Using the Link Selection mechanisms the administrator can focus individually on which IP addresses are used for VPN traffic from remote access clients on each gateway 568 For more information on Link Selection see Link Selection on page 207 Selection by Remote Peer There are several method that can determine how remote access clients resolve the IP address of the local gateway Remote peers can connect to the local gateway using e Always use this IP address Main address The VPN tunnel is created w
368. gateway itself a On the Properties window of the backup network object Topology page gt VPN Domain section select Manually defined b Select a group or network that contains only the backup gateway If the backup does have a VPN domain a Verify that the IP address of the backup gateway is not included in the VPN domain of the primary b For each backup gateway define a VPN domain that does not overlap with the VPN domain of any other backup gateway Note There must be no overlap between the VPN domain of the primary gateway and the VPN domain of the backup gateway s that is no IP address can belong to both Configure IP pool NAT to handle return packets See Configuring Return Packets on page 603 Configuring MEP Load Distribution ds 2 In the Global Properties window Remote Access gt VPN Basic page Load distribution section select Enable load distribution for Multiple Entry Point configurations Remote Access connections Define the same VPN domain for all gateways Checking this option also means that load distribution is dynamic that is the remote client randomly selects a gateway Configuring Return Packets Return packets are handled with IP pool NAT addresses belonging to the gateway Configuring IP pool NAT In Global Properties gt NAT page select Enable IP Pool NAT for SecuRemote SecureClient and gateway to gateway connections Then 1 For each gateway create a network
369. gh Office Mode wishes to exchange some information with resources inside the organization e The user is trying to connect to some resource on the LAN thus a packet destined for the internal network is to be sent This packet is routed through the virtual interface that Office Mode had set up and bears the source IP address allocated for the remote user e The packet is encrypted and builds a new encapsulating IP header for it The source IP of the encapsulating packet is the remote client s original IP address and its destination is the IP address of the security gateway The encapsulated packet is then sent to the organization through the Internet Office Mode Solution The security gateway of the organization receives the packet decapsulates and decrypts it revealing the original packet which bears the source IP allocated for the remote user The gateway then forwards the decapsulated packet to its destination The internal resource gets a packet seemingly coming from an internal address It processes the packet and sends response packets back to the remote user These packets are routed back to the internal IP address assigned to the remote user The gateway gets the packet encrypts and encapsulates it with the remote users original routable IP address and returns the packet back to the remote user Figure 15 1 Packets routed correctly to the remote client amp SS Host IP Address 10 0 01 Internet
370. glterCreate This function creates a TrNotificationArglter for a given notification and returns NULL on failure Functions from Service to Client Prototype TRAPI CPAPI TrNotificationArgIter TrNotificationArgIterCreate TrNotification notification Arguments Argument IN OUT Meaning notification in the given notification TrNotificationArg lterDestroy This function destroys a given TrNotificationArglter Prototype TRAPI CPAPI void TrNotificationArgIterDestroy TrNotificationArgIter iter Arguments Argument IN OUT Meaning iter in the iterator TrNotificationArglterGetArgNum This function fills the argument number and returns the status of the operation Prototype TRAPI CPAPI TrStatus TrNotificationArgIterGetArgNum TrNotificationArgIter iter int arg num Chapter 18 Endpoint Connect API 415 Functions from Service to Client Arguments Argument IN OUT Meaning iter in the iterator arg_num in the number of arguments TrNotificationArgiterGetNextArg This function fills the next TrArg in the TrNotification When there are no more TrArgs arg is filled with NULL and the return code is TrOK When failure occurs the function returns the appropriate TrStatus error code and arg is NULL Prototype TRAPI CPAPI TrStatus TrNotificationArgIterGetNextArg TrNotificationArgIter iter TrArg karg Arguments Argument IN OUT Meaning
371. gt Topology gt ISP Redundancy window configure the appropriate settings When SP Redundancy is configured the default setting in the Link Selection page is Use ongoing probing However Link Selection will only probe the ISP s configured in the SP Redundancy window This enables connection failover of the VPN tunnel if connectivity to one of the gateway interfaces fails There are instances when having a different configuration for Link Selection is required Figure 11 7 Two Gateways with two ISP s Security Gateway A ISP 1 ISP 2 Internet Security Gateway C In this scenario e Security gateways A B and C have two ISP s e SP Redundancy is configured on security gateway A e Gateway A should use ISP 1 in order to connect to gateway B and ISP 2 in order to connect to gateway C If one of the ISPs becomes unavailable the other ISP should be used In Figure 11 7 the administrator of gateway A needs to do three things e Uncheck the Apply settings to VPN traffic box in the SP Redundancy window e Reconfigure the Outgoing Route Selection to Route Based Probing in the Link Selection window e Configure the routing table so that ISP 1 is the highest priority for peer gateway B and ISP 2 has the highest priority for peer gateway C Link Selection and ISP Redundancy In this scenario load distribution is achieved since different ISPs are used for different remote peer gateways When a large number of remote
372. gured loopback interface 7 Click Save Chapter6 Route Based VPN 155 Configuring Unnumbered VTIs Configuring Unnumbered VTIs 156 The Nokia IPSO platform supports unnumbered VTIs in a VRRP HA configuration active passive mode only If the VPN Tunnel Interface is unnumbered local and remote IP addresses are not configured This interface is associated with a proxy interface from which the virtual interface inherits an IP address Traffic initiated by the gateway and routed through the virtual interface will have the physical interfaces s IP Address as the source IP Working with unnumbered interfaces eliminates the need to assign two IP addresses per interface the local IP and the remote IP Address and the need to synchronize this information among the peers Unnumbered interfaces are only supported on the Nokia IPSO 3 9 platform In Nokia Network Voyager 1 Login and the following window appears Model P1260 Software Release 3 9 DEV0164A Software Version releng 1515 02 08 2005 030000 Serial Number 7H111111150 Current Time Thu Feb 10 18 16 53 2005 GMT Uptime 1 day 1 hour 42 minutes Physical Memory 512 MB Interface Configuration System Utilization Routing Configuration Network Reports Traffic Management Configuration System Health Router Services Configuration System Logs System Configuration Routing Protocols Security and Access Configuration Hardwa
373. h 174 VEN Tunnel Sharing ee ele ena eae ieee AAR eA 174 Monitoring TUNNEISSA inada a a r Wein e a E aa Ea 175 Table of Contents 7 Chapter 8 Route Injection Mechanism OVEIVIOW E coves doce enuda Seua EE E dua dell aveds Mest nl osietaveedddes 178 A tomatic RIM euina ae e Mane a e Ae A eect ian ain 179 CUSTOMS CrP Kai arda a a aa a a a e a sie ies 181 THIMONICONME IG aane a r e e a a a a a a Ea 183 Injecting Peer Gateway Interfaces ccccccsecceceecceeeeeseeeeeeeeeeseesesaeeeeseeeesaeees 184 Conhsuring RiMiie seer a vate let regia ate hae ohne inten stuns agar acdsee es 186 Configuring RIM in a Star Community ccccceececseeeeceeeeeeeeeeaeeeeseeeesaeeeas 186 Configuring RIM in a Meshed ComMunity ccccccceeceesececceeceeeeeeeeeeesneeees 187 Enabling the RIM_inject_peer_interfaces flag ccccccecccseeceeeeeeeseeeeeaeeeeaees 188 Tracking OPHOMNSS i ocet a test a a a cust ence sive la AA a abd ee 188 Chapter 9 Wire Mode The Need for Wire MOde cccecccceeeeeceeeeeeeeeeeeaeeeeeeeeueeeeeeeaeaeeeessaaeeeeesaeeees 190 The Check Point Solution amena canswest stewed aiahsdiowenets aA AATRE i 191 Wire Mode SCenanOsis can viesncevsss apude eda eaae aa EEEE Lan in EEU duces ctlevuaweddons 192 Wire Mode in a MEP Configuration cccccccccseceeseceeeeeeeeseeceseeeesaeeeesneeees 192 Wire Mode with Route Based VPN cccceeeeeeeeeeeeeeeecaeeeeeeeeeeeeeeseeeeeessaes 193 Wire Mode Between Two VP
374. hase2_proposal_size Managers phase2_ proposal size large small Determines the size of the proposal sent by NG FP3 or higher clients in Quick Mode packet 1 If the value is missing the value of phase2_proposal is taken instead NG FP3 clients will try a large proposal after a small proposal attempt fails Managers vpn_peer ls true false In a MEP fully overlapping encryption domain configuration if this property is TRUE a gateway will be chosen randomly between the MEP gateways and will be given priority Managers ike support_dos protection true false Determines whether the client is willing to respond to a DoS protection request by restarting Main Mode using a stateless protection Equivalent to the SmartDashboard Global Property Support IKE DoS Protection from unidentified Source Managers sr_don t_ check crl true false Do not check the CRL of the certificate Managers crl start_grace 610200 SecuRemote SecureClient may accept CRLs that are not yet valid Managers crl_end_grace 1209600 SecuRemote SecureClient may accept CRLs that have recently expired Managers site default_tcp_ike true false Determines the site default for attempting IKE over TCP Each gateway has a property supports_tcp_ike true false or use_site_default If the value is set to use_site_default then the management property site_default_tcp_ike is used by the client to determine
375. hat this is the Topology from the point of view of the administrator of gateways Al and A2 The administrator of gateways B1 and B2 may well also define a Star Topology but with B1 and B2 as his central gateways and Al and A2 as satellites Chapter 4 Introduction to Site to Site VPN 85 Configuring a VPN with External Gateways Using a Pre Shared Secret Figure 4 13 External Gateways as Satellites in a Star VPN Community Security Gateway B1 Extemal Satellite Security Gateway A2 Internal Central Security Gateway A1 Internal Central Security Gateway B2 External Satellite The configuration instructions require an understanding of how to build a VPN The details can be found in Introduction to Site to Site VPN on page 61 To configure a VPN using pre shared secrets with the external gateways as satellites in a star VPN Community proceed as follows 1 Define the Network Object s of the gateway s that are internally managed In particular be sure to do the following e n the General Properties page of the gateway object select VPN e n the Topology page define the Topology and the VPN Domain If the VPN Domain does not contain all the IP addresses behind the gateway define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain 2 Define the Network Object s of the externally managed gateway s e If it is not a Check Point gateway
376. he DNS and or WINS information on your DHCP server is set to the correct IP addresses On your DHCP server s configuration make sure that you have designated an IP address space for Office Mode users e g 10 130 56 0 Create a new node object by selecting Manage gt Network objects gt New gt Node gt Host representing the DHCP server and specify the machine s name IP address and subnet mask Open the gateway object through which the remote users will connect to the internal network and select the Remote Access gt Office Mode page Enable Office Mode to either all users or to a certain group e Check the Automatic use DHCP option e Select the DHCP object you have previously created e In the Virtual IP address for DHCP server replies specify an IP address from the sub network of the IP addresses which are designated for Office Mode usage e g 10 130 56 254 Since Office Mode supports DHCP Relay method for IP assignment you can direct the DHCP server as to where to send its replies The routing on the DHCP server and that of internal routers must be adjusted so that packets from the DHCP server to this address are routed through the gateway If you wish to use the Anti Spoofing feature continue to step 5 otherwise skip to step 7 Create a network object to represent the address space you ve allocated for Office Mode on your DHCP server by selecting Manage gt Network Objects gt New gt Network In the Ne
377. he Log View in the SecureClient Diagnostics application En ableDiagnosticsView 0 1 Enable the Diagnostics View in the SecureClient Diagnostics application Sh owKernelInstallation 0 1 Determines whether or not the driver installation dialog is displayed 624 Product ini Parameters Table 29 1 Parameters for Product ini Parameter bold indicates the Meaning default OverwriteEntINI 0 1 Determines whether existing entrust ini files will be overwritten by the entrust ini files in the installation A value of 1 indicates that the existing entrust ini file will be overwritten DefaultPath Full path Default C Program Files CheckPoint SecuRemote ConnectMode 0 1 Set default client mode O transparent 1 connect mode Chapter 29 Userc C and Product ini Configuration Files 625 Product ini Parameters 626 Chapter 30 SSL Network Extender In This Document Introduction to the SSL Network Extender page 628 How the SSL Network Extender Works page 629 Commonly Used Concepts page 630 Special Considerations for the SSL Network Extender page 633 Configuring the SSL Network Extender page 636 SSL Network Extender User Experience page 652 Troubleshooting page 672 627 Introduction to the SSL Network Extender Introduction to the SSL Network Extender 628 Whenever users access the organization from remote locations it is essential that not only the usual requirements of se
378. he VTI may be configured in two ways e Numbered e Unnumbered Numbered VTI If the VPN Tunnel Interface is numbered the interface is assigned a local IP Address and a remote IP Address The local IP Address will be the source IP for the connections originating from the gateway and going through the VTI VTIs may share an IP Address but cannot use an already existing physical interface IP address Numbered interfaces are only supported using the SecurePlatform Operating System Chapter6 Route Based VPN 133 VPN Tunnel Interface VTI Unnumbered VTI 134 If the VTI is unnumbered local and remote IP addresses are not configured Unnumbered VTIs must be assigned a proxy interface The proxy interface is used as the source IP for outbound traffic Unnumbered interfaces eliminate the need to allocate and manage an IP address per interface Unnumbered interfaces are only supported on the Nokia IPSO 3 9 platform Nokia IPSO interfaces may be physical or loopback Using Dynamic Routing Protocols Using Dynamic Routing Protocols VTlIs allow the ability to use Dynamic Routing Protocols to exchange routing information between gateways The Dynamic Routing Protocols supported are BGP4 1 2 OSPF 3 4 RIPv1 SecurePlatform Pro only RIPv2 SecurePlatform Pro only Chapter6 Route Based VPN 135 Configuring Numbered VTIs Configuring Numbered VTIs 136 Route Based VPN is supported using SecurePlatform and Nokia IPSO 3 9 p
379. he client s SCV status i e the SCV status was checked in the last 5 minutes then e lf the client is securely configured the gateway allows the connection Chapter 23 Secure Configuration Verification 523 The Secure Configuration Verification Solution 524 e fthe client is not securely configured the gateway either drops the connection or accepts and logs it this behavior is configurable If the gateway does not know the client s SCV status it initiates an SCV check by sending an ICMP unreachable error message containing an SCV query to the client When a client gets this SCV query it tries to determine its SCV status In Connect mode the client also connects to a Policy Server to download an updated SCV Policy In parallel when the client gets the SCV query it starts sending SCV status replies to the gateway via UDP port 18233 every 20 seconds for 5 minutes These replies are used as a keep alive mechanism in order to keep the user s connection alive in the gateway s state tables while the client is trying to determine its SCV status The keep alive packets also allow the user to open subsequent connections in the 5 minute period in which they are sent without a need for further SCV queries When the client determines its SCV status it sends an SCV reply containing the status back to the gateway via UDP port 18233 When the gateway receives the SCV status of the user it decides how to handle the user s connection
380. he created certificate can be stored as a file on the machines hard drive on a CAPI storage device or on a hardware token This method is especially suitable for geographically spaced remote users 280 VPN for Remote Access Considerations Internal User Database vs External User Database Remote Access functionality includes a flexible user management scheme Users are managed in a number of ways INTERNAL a security gateway can store a static password in its local user database for each user configured in Security Management server No additional software is needed LDAP LDAP is an open industry standard that is used by multiple vendors Check Point products are compliant with LDAP technology This compliancy enables e Users to be managed externally by an LDP server e The Enforcement modules to retrieve CRLs e User information from other applications gathered in the LDAP users database to be shared by many different applications The security gateway consults the user information for authentication purposes RADIUS Remote Authentication Dial In User Service RADIUS is an external authentication scheme that provides security and scalability by separating the authentication function from the access server When employing RADIUS as an authentication scheme the security gateway forwards authentication requests by remote users to the RADIUS server The RADIUS server which stores user account information authenticates th
381. he full name of a system HotFix to be checked In order for the machine to be verified the HotFix should be installed for example KB823980 true verifies that Microsoft s RPC patch is installed on the operating system Not all the mentioned fields for HotFixMonitor need to appear in the local scv file Some of them may not appear at all or may appear more than once These fields may also be ORed and ANDed In this way multiple HotFixes can be checked and the results ORed or ANDed for extra flexibility Chapter 23 Secure Configuration Verification 545 Configuring SCV 546 5 HWMonitor Parameters cputype GenuinelIntel The CPU type as described in the vendor ID string The string has to be exactly 12 characters long For example GenuineIntel or AuthenticAMD or aaa bbb ccc where spaces count as a character cpufamily 6 The CPU family cpumodel 9 The CPU model HWMonitor does not support the begin or and the begin and syntax See also Expressions and Labels with Special Meanings OsMonitor 6 Parameters nforce screen saver minutes to activate 3 Time in minutes for the screen saver to activate If the screen saver does not activate within this time period then the client is not considered verified In addition the screen saver must be password protected screen saver mismatchmessage Your screen saver settings do not meet policy require
382. he gateways in the community In other words the traffic is bidirectional any of the gateways can be the source of a connection any of the gateways can be the destination endpoint But what if the administrator in line with the companies security policy wished to enforce traffic in one direction only Or to allow encrypted traffic to or from gateways not included in the VPN community To enable enforcement within VPN communities VPN implements Directional VPN The Check Point Solution The Check Point Solution In This Section Directional Enforcement within a Community page 201 Directional Enforcement between Communities page 202 Directional VPN specifies where the source address must be and where the destination address must be In this way enforcement can take place e Within a single VPN community e Between VPN communities Directional Enforcement within a Community Figure 10 1 shows a simple meshed VPN community called My ntranet VPN traffic within the Mylntranet Mesh is bidirectional that is either of the gateways or the hosts behind the gateways in the VPN domains can be the source or destination address for a connection Figure 10 1 Directional Enforcement within a Community Mylntranet Mesh Chapter 10 Directional VPN Enforcement 201 The Check Point Solution The match conditions are represented by a series of compound objects The match conditions enforce traffic in the following directio
383. he maximum permission level that IE should have for running signed ActiveX controls from the Internet internet download files disable The maximum permission level that IE should have for downloading files from the Internet internet_java_permissions disable The maximum security level that IE should have for running java applets from the Internet restricted download signed activex disable The maximum permission level that IE should have for downloading signed ActiveX controls from restricted zones restricted run activex disable The maximum permission level that IE should have for running signed ActiveX controls from restricted zones restricted download files disable The maximum permission level that IE should have for downloading files from restricted zones restricted java_permissions disable The maximum security level that IE should have for running java applets from restricted zones send log type Determines whether to send a log to Security Management server for specifying that the client is not SCVed This SCV check does not support the begin admin end admin parameter section The type section should be replaced by log or alert internet options mismach message Your Internet browser settings do not meet policy requirements Mismatch message for the Internet Explorer settings BrowserMonitor can be configured to check only Internet Explorer s version or only the
384. he remote clients external to each gateway The administrator defines the list of networks and hosts accessible for the client once connected to the gateway This list the encryption domain or VPN domain is downloaded to the client after the initial connection and is used by the client to define what network traffic should be tunneled encrypted to the gateway and what traffic should not Hub Mode VPN Routing for Remote Access Hub Mode VPN Routing for Remote Access VPN routing for remote access clients can be enabled through Hub Mode In this mode all traffic from the device is directed through the connected gateway The gateway acts as a router for the remote client When traffic from remote access clients is routed through the gateway subsequent traffic can be filtered inspected and kept in compliance Office Mode This mode enables connections from within the corporate network to the remote access device and client to client connectivity for example P2P and VoIP protocols back connections and push technologies In Office mode the connected gateway assigns an IP address to a remote client This IP address is only used internally for secure encapsulated communication with the home network and is not visible in the public network The IP address assignment takes place once the user connects and authenticates The assignment lease is renewed so long as the user is connected The address may be selected either from a general IP
385. he same certificate for both SSL Network Extender and SecureClient Mobile clients when SSL Network Extender is enabled 1 In SmartDashboard open the gateway object and navigate to Remote Access gt SSL Clients Select the appropriate certificate from the The gateway authenticates with this certificate drop down menu This feature is configured using the the registry See Configuring a Non Centrally Managed Gateway on page 466 for more information Chapter 19 SecureClient Mobile 449 Configuring SecureClient Mobile Certificate Nickname To view the certificate nickname 1 On SmartDashboard open the vpn tab of the relevant network object 2 In the Certificates List section the nickname is listed next teach certificate Management of Internal CA Certificates If the administrator has configured Certificate with Enrollment as the user authentication scheme the user can create a certificate by using a registration key provided by the system administrator To create a user certificate for enrollment 1 Follow the procedure described in The Internal Certificate Authority ICA and the ICA Management Tool in the Security Management Server Administration Guide SS aS Note In this version enrollment to an External CA is not supported 2 Browse to the ICA Management Tool site https lt mngmt IP gt 18265 and select Create Certificates 3 Enter the username and click Initiate to send a registration keyto
386. he username and password are passed on to the RADIUS server which checks that the information is correct and authenticates the user The RADIUS server can also be configured to allocate IP addresses aS Note Authentication and IP assignment must be performed by the same RADIUS server Chapter 15 Office Mode 305 Office Mode Solution IP Address Lease duration When a remote user s machine is assigned an IP address that machine can use it for a certain amount of time This time period is referred to as the IP address lease duration The remote client automatically asks for a lease renewal after half of the IP lease duration period has elapsed Hence if the IP lease duration time is set to 60 minutes a renewal request will be sent after 30 minutes If a renewal is granted the client will request a renewal again after 30 minutes and so on If the renewal fails the client attempts again after half of the remaining time e g 15 minutes then 7 5 minutes etc If no renewal is granted and the 60 minutes of the lease duration times out the tunnel link terminates To renew the connection the remote user must reconnect to the gateway Upon reconnection an IKE renegotiation is initiated and a new tunnel created When the IP address is allocated from a predefined IP pool on the gateway the gateway determines the IP lease duration period default being 15 minutes When using a DHCP server to assign IP addresses to users the DHCP server
387. hese arguments should be zero or empty strings Chapter 18 Endpoint Connect API 409 Functions from Service to Client 410 TrMsgGet ID This function gets the ID of the message Prototype TRAPI CPAPI TrStatus TrMsgGetID TrMsg message char ID Arguments Argument IN OUT Meaning message in the message ID out ID of the message Currently these arguments should be empty strings TrMsgGetDefaultMsg This function fills the given message and returns the status of the operation Prototype TRAPI CPAPI TrStatus TrMsgGetDefaultMsg TrMsg message char def msg Arguments Argument IN OUT Meaning message in Given message def_msg out Return message Currently these arguments should be empty strings TrMsgArgiterCreate This function creates an iterator for a given message returns NULL for failure Prototype TRAPI CPAPI TrMsgArgIter TrMsgArgIterCreate TrMsg message Functions from Service to Client Arguments Argument IN OUT Meaning i Given message message In TrMsgArglterDestroy This function destroys an iterator Prototype TRAPI CPAPI void TrMsgArgiterDestroy TrMsgArgIter iter Arguments Argument IN OUT Meaning in the iterator iter TrMsgArgiterGetArgNum This function fills the argument number and returns the status of the operation Prototype TRAPI CPAPI TrStatus TrMsgArgIterGetArgNu
388. hich forwards the response back to Y The connection is not encrypted because there is no peer gateway for Y that could decrypt the connection A SmartView Tracker log is issued Both endpoints are in the Encryption Domain Defining VPN Properties Defining VPN Properties It is possible to use different encryption methods between the same gateways Different connections between two gateways can be encrypted using different methods This is because different IKE phase 2 properties can be defined per Encrypt rule IKE Phase 1 properties are defined per gateway Chapter 13 Traditional Mode VPNs 255 Internally and Externally Managed Gateways Internally and Externally Managed Gateways 256 The gateways at each end of a VPN tunnel can be managed by the same Security Management server or by different Security Management servers A security gateway that is managed by the Security Management server is called an internal gateway If it is managed by a different Security Management server it is called an external gateway If the peer security gateway is external you must obtain certain details about that gateway from the peer administrator and configure them in SmartDashboard Considerations for VPN Creation Considerations for VPN Creation There are many ways of setting up a VPN Before starting a number of issues need to be considered such as Choosing the Authentication Method Before security gateways can create a VPN
389. hority object 2 To enable the CRL cache check Cache CRL on the module The cache should not be disabled for the ICA In general it is recommended that the cache be enabled for all CA types The cache should be disabled for non ICAs only if stringent security requirements mandate continual retrieval of the CRL aS Note The ICA requires the use of a CRL cache and should never be disabled 3 If CRL Cache is enabled choose whether a CRL is deleted from the cache when it expires or after a fixed period of time unless it expires first The second option encourages retrieval of a CRL more often as CRLs may be issued more frequently then the expiry time By default a CRL is deleted from the cache after 24 hours See CRL Prefetch Cache on page 99 for information about CRL caching Chapter 5 Public Key Infrastructure 113 Configuration of PKI Operations Modifying the CRL Pre Fetch Cache The behavior of the Pre fetch catch can be altered via the Global properties 1 Global Properties gt SmartDashboard Customization gt Configure button The Advanced Configuration window opens 2 Select Check Point CA Properties SecuRemote SecureClient Certificates and PKI properties VPN Advanced Properties al A Certificates and PKI properties Firewall prefetch_crls_duration 7200 SmartCenter Details CRLs will be prefetched regularly according to this duration in seconds User Defined 5 a x
390. ia aaia 348 Configuring Idle Detection cccccececseeeececeeeeeeeeecaeeeeeeseaeeeeesseeeeeesaaeeeeesseaes 349 Configuring the idleness_detection Property sssssissessrrerssrrrrrerrrrrerrrere 349 Chapter 17 Endpoint Connect rod UO OT gz itennestesiie exe bcs codicil Saas ath a Feat latte E tees 351 Why Endpoint Connect 22 cs2 csaseers AA ee eee Eai 351 Capabilities sachet cele Sav ttako ama G otal siete dccet ld tay Malia fences chee ten AA 352 Installationvand USC is na a e e i a A AARE NAS 354 Administration aea e a ccs hac a a a a a a 355 Enabling Endpoint Connectivity ccc cess eea ia i i ieia 356 Configuring the Gateway Using SmartDashboard ccccccsecceeeeeeeeeeeeseeeeeaeeees 358 Obligatory Settings aeni Hed e aaa a des wned Mey lade es aleve ckd eves 358 Endpoint Connect Advanced SettingS cccccccccccsssccesecceeeeeeseeeeseeeesaeeeeanes 363 Configuring Optional Endpoint Connect Settings cccccsseccesseeeeeeeeeseeeeeeeeees 370 Link Selection and MEP oieee nran nge aeia aa an sass aara ea do adde cea rae 370 H b Mode roten n e ae r a enton nae o aa e e a Sema ee 371 Secure Configuration Verification ccccccccccseccecesceceececeeeeeseeeeeseeesneeesaeeeees 373 AUthentication TimeOut acc era hedertes a e a a aa 374 Working with RSA Hard and Soft Tokens ccccccseccesseceeeeeeeeeceeeeeeeeaeeeanes 375 Configuring Logging Options for Client USCIS ccccccccsececeeeees
391. ible that users will connect to the organization through one gateway and to a Policy Server which is installed on a different module In this case they will be prompted twice for authentication once for the gateway module and the other for the Policy Server If a user usually connects to the organization through a specific gateway and this gateway has a Policy Server module installed on it this double authentication can be avoided by configuring the user s profile to use the High Availability among all Policy Servers trying selected first option and selecting the primary Policy Server as that one the gateway through which the user usually connects to the organization This way after the user authenticates to the gateway he will automatically be authorized to download the security policy from the Policy Server installed on that gateway Chapter 21 Desktop Security 497 Configuring Desktop Security Configuring Desktop Security 498 In This Section Server Side Configuration page 498 Client Side Configuration page 499 Server Side Configuration 1 Install the Policy Server add on module from the Check Point installation CD The Policy Server add on should be installed only on machines that have security gateway modules installed on them Open the gateway object on which you have installed a Policy Server and select the General Properties tab In the Check Point Products section select SecureClient Policy Server Go to the A
392. ibution point extension 7 Click Get Chapter 5 Public Key Infrastructure 105 Configuration of PKI Operations 8 If SCEP is configured it will try to connect to the CA and retrieve the certificate If not browse to where you saved the peer CA certificate and select it VPN reads the certificate and displays its details Verify the certificate s details Display and validate the SHA 1 and MD5 fingerprints of the CA certificate 9 Click OK 106 Configuration of PKI Operations Enrolling with a Certificate Authority A certificate is automatically issued by the ICA for all internally managed entities that are VPN capable That is after the administrator has checked the VPN option in the Check Point Products area of a network objects General Properties tab The process for obtaining a certificate from a OPSEC PKI or External Check Point CA is identical Manual Enrollment with OPSEC Certified PKI To create a PKCS 10 Certificate Request 1 Create the CA object as described in Trusting an OPSEC Certified CA on page 104 Open the VPN tab of the relevant Network Object 3 In the Certificate List field click Add The Certificate Properties window is displayed 4 Enter the Certificate Nickname The nickname is only an identifier and has no bearing on the content of the certificate 5 From the CA to enroll from drop down box select the direct OPSEC CA External CheckPoint CA that will issue the certificate
393. ich is closer to the remote VPN peer responds first e A VPN tunnel is opened with the first to respond All subsequent connections pass through the chosen gateway e f the gateway ceases to respond a new gateway is chosen In a star community RDP packets are sent to the gateways and the first to respond is used for routing only when 1 There is more than one center gateway and 2 One of the following VPN routing options was selected e To center and to other satellites through center e To center or through the center to other satellites to internet and other VPN targets This setting is found on the Community Properties gt VPN Advanced gt VPN Routing page Figure 12 7 Implicit MEP VPN Domain B VPN Domain A Gateway A Gateway X In this scenario e MEP is not enabled on the community Chapter 12 Multiple Entry Point VPNs 241 Implicit MEP Ss 242 e First to respond method is used e Gateway X accesses VPN domain A through gateway A e Gateway X accesses VPN domain B through gateway B e Gateway X accesses VPN domain C through gateway A or B In a star community RDP packets are sent to the gateways and the first to respond is used for routing when 1 There is more than one center gateway and 2 One of the following VPN routing options was selected e To center and to other satellites through center e To center or through the center to other satellites to internet and other VPN targets
394. ient by changing the values of the properties in the Userc C and Product ini files contained in the package However not all of the properties in these files can be changed using the Packaging Tool It is possible to changes the behavior of SecuRemote SecureClient by manually editing the Userc C and Product ini files in the SecuRemote SecureClient package before distributing the package to end users The Userc C File Structure of Userc C The Userc C configuration text file contains has three sections Global Managers and Gateways e Global Properties that are not specific to the site managed by a single Security Management server or to the peer gateway It does not change on the client machine To change the Global Properties section of the objects database do not make any manual changes to the Global section of userc C Either edit the SmartDashboard Global Properties or use the DBedit command line or the graphical Database Tool on the Security Management server e Managers Properties that apply per Security Management server Updated whenever the end user performs a Site Update e Gateway Properties that are specific to a particular gateway Updated whenever the end user performs a Site Update The section of the file where each parameter resides is indicated in the Userc C file parameter tables below in the column labelled Location in Userc c How Userc C Is Automatically Updated When the Security Policy is insta
395. ient_pkg SecureClient Mobile components for package customization tools SecureClient Mobile tools for instance MSI package and MSI packaging tool unlock_smartphone This folder contains the Check Point certificate Installing cpcert cab enables the device to trust Check Point software and successfully deploy SecureClient Mobile on locked Windows Mobile devices readme txt Readme file The unpacked client files are the same as those in the CAB package The administrator can customize and package these files into a new CAB or MSI file package before distributing it to users The customized package can include predefined topology and credentials a default firewall policy and other settings Chapter 19 SecureClient Mobile 469 Client Deployment Overview During version upgrades the installer retains the existing client policies and credentials that were not predefined in the upgrade package The administrator can client upgrade using the neo upgrade mode neo upgrade version and neo upgrade url flags When the client is installed on the mobile device another applet called Certificate Import Wizard is also installed This applet enables you to import PKCS 12 certificates to the device The CAB and MSI packages can be edited by the administrator to customize the settings for SecureClient Mobile The administrator can edit the package Adding a file to the CAB package for example a user certificate file or a Secur
396. ificates since internally managed gateways automatically receive a certificate from the internal CA 2 On the Network objects tree select the VPN Communities tab A a Right click Site to Site b From the short cut menu select New Site To Site gt Meshed The Meshed Communities Properties window opens 78 Configuring Site to Site VPNs c On the General page select Accept all encrypted traffic if you need all traffic between the gateways to be encrypted If not then create appropriate rules in the Security Policy Rule Base that allows encrypted traffic between community members d On the Participating Gateways page add the gateways created in step 1 A VPN tunnel is now configured For more information on other options such as VPN Properties Advanced Properties and Shared Secret see IPSEC amp IKE on page 43 3 If you did not select Accept all encrypted traffic in the community build an access control policy for example Table 4 3 Source Destination VPN Service Action Any Any Meshed Any Accept community Where Meshed community is the VPN community you have just defined Configuring a Star VPN Community A star VPN community is configured in much the same way as a meshed community the difference being the options presented on the Star Community Properties window e On the General page Enable VPN routing for satellites section select To center only e On the Cent
397. ificationID Meaning and Format 5 Total progress type eTrArgTypelnt32 val an integer indicating the connect progress in percentages default_text NUL 6 Next step s name type eTrArgTypeStr val a string representing the next step s name empty string if this is the last step default_text NULL 404 Functions from Service to Client Functions from Service to Client In This Section TrRegisterNotificationCallback page 406 TrUnregisterNotificationCallback page 408 TrMsgCreate page 408 TrMsgConstruct page 408 TrMsgDestroy page 409 TrMsgGetVersion page 409 TrMsgGetID page 410 TrMsgGetDefaultMsg page 410 TrMsgArglterCreate page 410 TrMsgArgiterDestroy page 411 TrNotificationArglterGetArgNum page 415 TrMsgArgiterGetNextArg page 411 TrMsgSetIntArg page 412 TrMsgSetStrArg page 412 TrNotificationConstruct page 413 TrNotificationGetID page 413 TrNotificationClone page 414 TrNotificationDestroy page 414 TrNotificationArglterCreate page 414 TrNotificationArglterGetArgNum page 415 TrNotificationArglterGetNextArg page 416 TrNotificationSetIntArg page 416 TrNotificationSetStrArg page 417 TrNotificationSetDoubleArg page 417 TrArgGetType page 418 TrArgGetIntVal page 418 TrArgGetDoubleVal page 419 TrArgGetStrVal page 419 TrArgGetDefText page 419 Chapter 18 Endpoint Connect API 405 Functions from Service to Client 406 The various types of notifications are described in TrAPITypes h TrRegisterNotifica
398. igurations to create a list of responding gateways A gateway is randomly chosen from the list of responding gateways If a gateways stops responding a new gateway is randomly chosen A new gateway is randomly selected for every source destination IP pair While the source and destination IP s remain the same the connection continues through the chosen gateway Chapter 12 Multiple Entry Point VPNs 243 Routing Return Packets Routing Return Packets 244 To make sure return packets are routed correctly the MEPed gateway can make use of either e IP pool NAT which means static NAT or e Route Injection Mechanism IP Pool Network Address Translation NAT IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped to an IP address drawing from a pool of registered IP addresses In order to maintain symmetric sessions using MEPed gateways the MEPed gateway performs NAT using a range of IP addresses dedicated to that specific gateway and should be routed within the internal network to the originating gateway When the returning packets reach the gateway the gateway restores the original source IP address and forwards the packets to the source RIM Route Injection Mechanism RIM enables a security gateway to use a dynamic routing protocol to propagate the encryption domain of a VPN peer gateway to the internal network When a VPN tunnel is created RIM updates the local routing table of the s
399. iguring Clientless VPN Configuring Clientless VPN For the most part Clientless VPN is configured on the gateway Exceptions occur when e The gateway authenticates itself to the client using a certificate which is not one of the client s default certificates e User authentication is required and that authentication is done through the use of certificates In both cases the relevant certificates must be supplied to the client out of band and the client configured to work with them Configuring the Gateway General Overview To configure the gateway for Clientless VPN e Obtain a certificate for the gateway this is the certificate the gateway uses to authenticate itself to the client during the initial connection e Configure the gateway for Clientless VPN on the Clientless VPN page of the gateway object e Define users and user authentication schemes e Create appropriate rules in the Security Policy Rule Base 704 Configuring Clientless VPN Implementation Obtaining a Certificate for the Gateway If you decide to use a certificate issued by an external Certificate Authority instead of the certificate issued by the internal CA e Configure VPN Pro to trust this CA e Obtain and configure a certificate for the gateway For more information refer to Third Party PKI Configuring Clientless VPN on the Gateway Object On the Clientless VPN page of the gateway object s property window 1 Select Support Clientl
400. ijacked for example if the user steps away from the client for a period of time The problem is finding the correct balance between convenience and security The Solution Multiple authentication can be reduced by two means e Increasing the authentication timeout interval e Caching the user s password Authentication Timeout Interval To specify the length of time between re authentications select Policy gt Global Properties Remote Access and in the Authentication Timeout section enter a value in Validation timeout Alternatively check Use default value For Connect Mode the countdown to the timeout begins from the time that the Client is connected Password Caching When the timeout expires the user will be asked to authenticate again If password caching is enabled SecuRemote SecureClient will supply the cached password automatically and the authentication will take place transparently to the user In other words the user will not be aware that re authentication has taken place Password caching is possible only for multiple use passwords If the user s authentication scheme implement one time passwords for example SecurlD then passwords cannot be cached and the user will be asked to re authenticate when the authentication time out expires For these schemes this feature should not be implemented Password caching is specified in the SecureClient s Authentication window Chapter 27 Remote Access Advanced C
401. iles scc restartsc This command restarts SecureClient services scc passcert This command sets the user s authentication credentials when authentication is performed using certificates scc setmode lt mode gt This command switches the SecuRemote SecureClient mode Command Description scc setpolicy This command enables or disables the current default security policy scc sp This command displays the current default security policy scc startsc This command starts SecureClient services scc status This is command displays the connection status Table A 2 SecureClient command line interface scc stopsc This command stops SecureClient services scc suppressdialogs This command enables or suppresses dialog popups By default suppressdialogs is off scc userpass This commands sets the user s authentication credentials username and password scc ver This command displays the current SecureClient version scc icacertenroll This command enrolls a certificate with the internal CA and currently receives 4 parameters site registration key filename and password Currently the command only supports the creation of p12 files scc sethotspotreg This command line interface now includes HotSpot Hotel registration support AppendixA 715 Desktop Policy Commands The following command lines relate to the Desktop Policy Table A 3 Desk
402. important because that is the basis for rule matches and logs This may use either MD5 challenge passwords or certificates If you choose MD5 challenge the certificate selection in the remote access tab is irrelevant As for the user definition it makes no difference how if at all the authentication tab is defined The password is always the shared secret defined in the encryption tab Note that this behaviour differs from that of Secure Client where passwords in the authentication tab override shared secrets from the encryption tab The client machine administrator must install the certificate in the machine certificate store Chapter 22 Layer Two Tunneling Protocol L2TP Clients 507 Solution Working with L2TP Clients 508 Authenticating the User Connecting with Microsoft PSec L2TP clients requires that every user be authenticated Users can be authenticated with e certificates or e using an MD5 challenge whereby the user is asked to enter a username and a password pre shared secret The user must be informed of the password out of band The user certificate can be easily added to the user certificate store If the user certificate is on a Smart Card plugging it into the client machine will automatically place the certificate into the certificate store Solution Working with L2TP Clients User Certificate Purposes It is possible to make sure that PKI certificates are used only for a defined purpose A ce
403. in the Security Policy Rule Base blocking or allowing specific services 1 Create a rule in the Security Policy Rule Base that deals with remote access connections 2 Double click the entry in the VPN column The VPN Match Conditions window opens YPN Match Conditions es Match conditions x Any connections whether Clear or Encrypted i Only connections encrypted in any Site to Site VPN Community Add Remove For a typical example of usage of the YPN column please see Help Cancel Help 3 Select Only connections encrypted in specific VPN Communities Chapter 14 Introduction to Remote Access VPN 291 VPN for Remote Access Configuration 292 Click Add to include a specific community in this Security Policy Rule 5 Define services and actions For example to allow remote access users to access the organization s SMTP server called SMTP_SRYV create the following rule Table 14 1 Source Destination VPN Service Action Track Any SMTP_SRV_ Remote_Access_Community SMTP Accept Log Installing the Policy Install the policy and instruct the users to create or update the site topology User Certificate Management Managing user certificates involves e Tracing the status of the user s certificate e Automatically renewing a certificate e Revoking certificates Tracing the Status of User s Certificate The status of a user s certificate can
404. ing true not verified script myscript bat not_verified_script_run_show true not_verified_ script _run_admin false not_verified_script_run_always false allow_non_scv_clients false block_scv_client_ connections false A Complete Example of a local scv File Following is a complete example of a local scv file Note that in the following example the internal syntax of some of the SCV subsets differs from the syntax described earlier SCV policy syntax has evolved in recent versions while these SCV checks were written using the old syntax For example in the sc_ver_scv subset the begin_admin admin end admin section does not exist In addition the mismatchmessage expression which was in this section is replaced with MismatchMessage using capital letters expression The syntax and operation of MismatchMessage is similar to the one specified for mismatchmessage although it does not appear in a begin_admin admin end admin section Another difference in the sc_ver_scv subset compared to the syntax explained above concerns the EnforceBuild XX Operand and SecureClient_XX BuildNumber expressions These expressions are not ANDed but rather evaluated automatically in accordance with the operating system the user has For example if the user has a Windows 2000 system only the EnforceBuild_ 2K Operand and SecureClient_2K BuildNumber expressions are evaluated and the expressions relating to different oper
405. ing DHCP Use specific DHCP server Allocate IP address by sequentially trying the checked methods until success New Virtual IP address for DHCP server replies MAC address for DHCP allocation Unique per machine F Optional Parameters Multiple Interfaces J7 Support connectivity enhancement for gateways with multiple extemal interfaces Anti Spoofing J Perform Anti Spoofing on Office Mode addresses Additional IP Addresses for Anti Spooting None z Cancel Help 4 In the Office Mode Method section select From the RADIUS server used to authenticate the user 5 Click OK 322 Configuring Office Mode Office Mode Configuration on SecureClient On the client s machine the following steps should be performed in order to connect to the gateway in Office mode 1 Right click the SecureClient icon in the system tray From the pop up menu select Configure 2 Select Tools gt Configure Connection Profile gt Advanced and select Support Office Mode Click OK Save and Close and then select Exit from your File menu Double click your SecureClient icon on the bottom right side of your screen If you re using a dial up connection to connect to the gateway select Use Dial up and choose the name of your dial up connection profile from the drop down menu it is assumed that such a profile already exists If dial up is not used i e connection to the
406. ing Office Mode with Multiple External Interfaces Typically routing is performed before encryption in VPN In some complex scenarios of Office Mode where the gateway may have several external interfaces this might cause a problem In these scenarios packets destined at a remote user s virtual IP address will be marked as packets that are supposed to be routed through one external interface of the gateway Only after the initial routing decision is made do the packets undergo IPSEC encapsulation After the encapsulation the destination IP address of these packets is changed to the original IP address of the client The routing path that should have been selected for the encapsulated packet might be through a different external interface than that of the original packet since the destination IP address changed in which case a routing error occurs Office Mode has the ability to make sure that all Office Mode packets undergo routing after they are encapsulated Chapter 15 Office Mode 307 Office Mode Solution Office Mode Per Site After a remote user connects and receives an Office Mode IP address from a gateway every connection to that gateways encryption domain will go out with the Office Mode IP as the internal source IP The Office Mode IP is what hosts in the encryption domain will recognize as the remote user s IP address The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in n
407. inger and one as a responder A pinger gateway uses the VPN daemon to send encrypted tunnel testing packets to gateways configured to listen for them A responder gateway is configured to listen on port 18234 for the special tunnel testing packets The pinger sends type 1 or 3 The responder sends a packet of identical length with type 2 or 4 respectively During the connect phase tunnel test is used in two ways 1 A connect message is sent to the gateway Receipt of a connected message is the indication that the connection succeeded The connect messages are retransmitted for up to 10 seconds after the IKE negotiation is over if no response is received 2 A series of test messages with various lengths is sent so as to discover the PMTU Path Maximum Transmission Unit of the connection This may also take up to 10 seconds This test is executed to ensure that TCP packets that are too large are not sent TCP packets that are too large will be fragmented and slow down performance Gateways with version R54 and forward can be either a pinger or responder In a MEP environment center gateways can only be responders Overview Gateways with Embedded NG 5 0 and forward can be pingers or responders Older versions of this software can only be responders 3rd party gateways cannot be a pinger or responder VPN Tunnel Sharing Since various vendors implement IPSec tunnels using a number of different methods adminis
408. ingle security gateway Global disable stateful dhcp true false As long as this attribute is false DHCP packets will be allowed by SecureClient regardless of the enforced Desktop Security policy If you set this attribute to true DHCP will be allowed only if the Desktop Security policy allows it explicitly This requires SecureClient version 4 1 to run a policy of Allow All and SecureClient NG to have DHCP enabled through specific rules Global Userc C File Parameters block conns on erase passwords true false If true the Close VPN option will replace Erase Password in the SecureClient s Passwords menu and the button E will appear in the toolbar Selecting Close VPN or clicking the above button result in blocking all encrypted connections Managers enable automatic policy update true false Specifies whether Automatic Policy Update is enabled or not Managers silent policy update true false If true the client will not prompt the user to update the policy upon client startup even if the time specified in automaic_policy_update_frequency has passed The client will still attempt to update the policy after successful key exchange Managers PS_HA true false Use backup Policy Servers on logon failure Managers PS_LB true false If true will randomize policy server list so not all clients will try to connect to the same policy server Managers LB default PS true
409. ings and cause SCV tests to fail A desktop which fails an SCV check is a potential security threat to the organization For example as an administrator you may want to configure the user s browser not to allow him to download Java applets from websites A normal user will not be able to download these applets but a user with administrative privileges can override the browser s configuration A properly defined SCV policy can indicate that the browser s configuration had changed and trigger a proper action on the gateway side However if the user is allowed by the gateway to pass to the LAN either by a wrong configuration of the SCV policy or lack of enforcement of the user s SCV status on the gateway side then the user s desktop will become a potential security risk to the LAN The SCV policy itself is protected Users can not change the SCV policy definition files they receive even if they have administrative rights The SCV policy files supplied to the client are signed before arriving to the client and checked against their signature by SecureClient If the signatures do not match the SCV check fails Chapter 23 Secure Configuration Verification 527 Considerations regarding SCV Using pre NG Clients with SCV Pre NG clients do not include the SCV mechanism described above Version 4 1 clients for example can perform only a limited set of SCV tests e check that one of several predefined Security Policies is installed
410. inistrators prefer not to rely on implied rules and instead prefer to define explicit rules in the Security Rule Base Why Turning off FireWall Implied Rules Blocks Control Connections If you turn off implicit rules you may not be able to install a Policy on a remote security gateway Even if you define explicit rules in place of the implied rules you may still not be able to install the policy Figure 4 14 and the following explanation illustrate the problem Figure 4 14 Turning off control connections can cause Policy installation to fail Security Management server My Attempted IKE negotiation sic NS x ei Security Security Gateway A Gateway B The administrator wishes to configure a VPN between gateways A and B by configuring SmartDashboard To do this the administrator must install a Policy from the Security Management server to the gateways 1 The Security Management server successfully installs the Policy on gateway A As far as gateway A is concerned gateways A and B now belong to the same VPN Community However B does not yet have this Policy 2 How to Authorize Firewall Control Connections in VPN Communities The Security Management server tries to open a connection to gateway B in order to install the Policy Gateway A allows the connection because of the explicit rules allowing the control connections and starts IKE negotiation with gateway B to build a VPN tunnel for the control connection
411. ion The Need to Simplify Remote Client Installations Introduction The Need to Simplify Remote Client Installations 480 As remote access to organizations becomes more widespread administration of the remote client software becomes more difficult Users often lack the technical expertise to configure the software themselves requiring administrators to provide support for large numbers of users many of whom may be geographically dispersed and using a wide variety of platforms The administrator s task is even more difficult if the organization has several groups of users each of which requires a different configuration Administrators need a tool to automate the configuration of software to large user communities This tools must enable the administrator to preconfigure the software so that users do not have to do this themselves The Check Point Solution SecureClient Packaging Tool The Check Point Solution SecureClient Packaging Tool In This Section Overview page 481 How Does Packaging Tool Work page 482 The MSI Packaging Solution page 482 Overview The SecureClient Packaging Tool enables the administrator to create pre configured SecureClient installation packages Users can then use the configured package to install the software without being required to configure details ensuring that users cannot inadvertently misconfigure their SecureClient software Pre packaging can be done using either the e Check Point Pac
412. ion also known as exponential key agreement is based on the Diffie Hellman DH mathematical groups Table 2 2 shows the DH groups supported by a security gateway during the two phases of IKE Table 2 2 DH groups Parameter Diffie Hellman Groups IKE Phase IKE SA Group2 1024 bits default Group1 768 bits Group5 1536 bits Group14 2048 bits IKE Phase II IPSec SA Group2 1024 bits default Groupl 768 bits Groupd 1536 bits Group14 2048 bits A group with more bits ensures a key that is harder to break but carries a heavy cost in terms of performance since the computation requires more CPU cycles Chapter2 IPSEC amp IKE 47 Overview Phase I modes Between security gateways there are two modes for IKE phase Main Mode Aggressive Mode If aggressive mode is not selected the gateway defaults to main mode performing the IKE negotiation using six packets aggressive mode performs the IKE negotiation with three packets Main mode is preferred because Ss Main mode is partially encrypted from the point at which the shared DH key is known to both peers Main mode is less susceptible to Denial of Service DoS attacks In main mode the DH computation is performed after authentication In aggressive mode the DH computation is performed parallel to authentication A peer that is not yet authenticated can force processor intensive Diffie Hellman computations on the other peer
413. ion influences the way that the first and second ones are evaluated In the example above if the version of Internet Explorer is greater than or equal to gt 5 0 then the result is true otherwise it is false If the version of Internet Explorer is for example 4 5 then the result is false if the version is 5 1 or higher then the result is true Logical Sections As mentioned earlier subsequent expressions are automatically ANDed However sometimes it is necessary to perform a logical OR between expressions instead of logical AND This is done by using labels The begin_or orX label this label starts a section containing several expressions The end of this section is marked by a end orX label X should be replaced with a number which differentiates between different sections OR sections All of expressions inside this section are logically ORed producing a single value for the section For example begin_or orl browser major version 5 browser major version 6 end orl This section checks whether the version of Internet Explorer is 5 OR 6 if it is then the result is true otherwise it is false The begin_and andX label this label is similar to the begin_or orX label but the expressions inside are evaluated and logically ANDed The end of this section is marked by a end andX or the end orX label As mentioned earlier simple subsequent expressions are automatically ANDed The reason th
414. ion to Traditional Mode VPNs Introduction to Traditional Mode VPNs 252 Simplified Mode makes it possible to maintain and create simpler and therefore less error prone and more secure VPNs It also makes it easier to understand the VPN topology of an organization and to understand who is allowed to communicate with who In addition new VPN features such as VPN routing are supported only with a Simplified Mode Security Policy However organizations that have large VPN deployments with complex networks may prefer to maintain existing VPN definitions and continue to work within Traditional Mode until they are able to migrate their policies to Simplified Mode For guidelines on how to convert Traditional Mode VPNs to Simplified Mode see Converting a Traditional Policy to a Community Based Policy on page 717 VPN Domains and Encryption Rules VPN Domains and Encryption Rules Figure 13 1 shows a VPN between gateways and the VPN Domain of each gateway Net_A and Net_B are the VPN Domain of gateway 1 Net_D is the VPN Domain of gateway 2 and Net_E is the VPN Domain of gateway 3 Figure 13 1 A VPN between Gateways and the Encryption VPN Domain of each Gateway VPN Domain of Gateway 1 VPN Domain of Gateway 3 VPN Tunnel Intemet VPN Domain of Gateway 2 VPN Tunnel Table 13 1 shows how the VPN is implemented in a rule In Traditional VPN Mode a single rule with the Encrypt rule action deals with both access c
415. ios that benefit from the implementation of Link Selection In This Section Gateway with a Single External IP Address page 570 Gateway with Multiple External IP Addresses page 571 Calculate IP Based on Network Topology page 572 Gateway with a Single External IP Address This is the simplest case In Figure 25 1 the local gateway has a single external interface for VPN Figure 25 1 Single IP for Remote Access Client Security Gateway Now consider configuration for the local gateway in terms of e How remote access clients select an IP on the local gateway for VPN traffic Since there is only one interface available for VPN e For determining how remote access clients discover the local gateways IP for VPN select Main address or choose an IP address from the Selected address from topology table drop down menu e If the IP address is located behind a static NAT device select Statically NATed IP 570 Link Selection for Remote Access Scenarios Gateway with Multiple External IP Addresses In this scenario the local gateway has two external IP addresses available for remote access clients Figure 25 2 Connecting to Gateway with Multiple Interfaces Security Gateway For determining how remote access clients discover the local gateway s IP address use ongoing probing The remote access client connects through the first IP address to respond unless there is a primary IP address configured and stays with this IP
416. is option s meaning is that the administrator does not wish to enforce this property or behavior on its clients These can also be modified using the client CLI and programmables interface API Some of the properties are exposed for the end user control through the options dialog If the gateway does not offer the client to download policies see SSL Network Extender mode above then the client enforces the packaged predefined policy If that policy does not exist it enforces a master non configurable pre defined policy The client updates its policies each time it connects to a gateway A timeout is applied for the policy validity after which the client would pull the gateway for an updated policy 430 IP Firewall Policy IP Firewall Policy SecureClient Mobile has a built in IP firewall which supports predefined security policies One of these policies can be applied for the client to enforce Allow All All traffic is allowed The client will still be protected by implicit firewall rules Allow Outgoing and Encrypted Permits incoming and outgoing encrypted traffic to and from the VPN domain Also permits outgoing non VPN connections that are initiated from the handheld This policy is the recommended setting Allow Outgoing Only All outbound connections are permitted and all inbound connections are blocked This policy will prevent incoming connections from being established from both the non VPN hosts and VPN hosts Allo
417. is defined in SecuRemote SecureClient Working in Connect Mode While Not Connected For users connected in SecuRemote SecureClient Connect Mode you can reduce the frequency of authentication by enabling the allow clear traffic while disconnected property in objects 5 0 C SecuRemote SecureClient will then not encrypt traffic to the peer encryption domain when not connected This will prevent unnecessary authentication when connecting to unencrypted services in the peer encryption domain For example if the site includes both private and public HTTP servers there is no need to encrypt traffic to the public site To prevent a user from unnecessarily authenticating only because she is an internal user configure the following two rules in the Desktop Policy Table 27 2 Source Destination Service Action encryption domain encryption domain Any Accept Any encryption domain Any Encrypt Note If you enable this feature you must ensure that a VPN is defined between the gateways This feature applies only to Connect Mode This feature is disabled when more than one site is defined in SecuRemote SecureClient Authentication Timeout and Password Caching Authentication Timeout and Password Caching The Problem Users consider multiple authentications during the course of a single session to be a nuisance At the same time these multiple authentications are an effective means of ensuring that the session has not been h
418. it is directed to the UFP URL Filtering Protocol server to check the validity of the URL and packet content since the gateway does not possess URL checking functionality The packets are then forwarded to the HTTP server on the Internet NATing the address of the remote client behind the security gateway prevents the HTTP server on the Internet from replying directly to the client If the remote client s address is not NATed the remote client will not accept the clear reply from the HTTP server Remote Client to Client Communication Remote client to client connectivity is achieved in two ways e By routing all the traffic through the gateway e Including the Office Mode range of addresses in the VPN domain of the gateway Routing all Traffic through the Gateway Two remote users use VoIP software to hold a secure conversation The traffic between them is directed through a central Hub as in Figure 24 4 Chapter 24 VPN Routing Remote Access 561 Check Point Solution for Greater Connectivity and Security 562 Figure 24 4 Hub mode for remote access clients Remote Client Security Gateway VoIP VPN Tunnel Remote Client VoIP For this to work e Allow SecureClient to route traffic through this Gateway must be enabled on the gateway e The remote client must be configured with a profile that enables all traffic to be routed through the gateway e Remote clients are working in connect mode If the two remote cli
419. ith the gateway main IP specified in the IP Address field on the General Properties page of the gateway Selected address from topology table The VPN tunnel is created with the gateway using a selected IP address chosen from the drop down menu that lists the IP addresses configured in the Topology page of the gateway Statically NATed IP The VPN tunnel is created using a NATed IP address This address is not required to be listed in the topology tab Calculate IP based on network topology An IP address that is calculated by network topology Using Calculate IP Based on Network Topology the remote access client discovers the appropriate IP address of the gateway through the topology information defined in the gateway s network object Since a remote access client can be in a different place each time it connects a new calculation takes place each time the client connects For this to succeed all the gateway s interfaces must have their topology properly configured e Use a probing method Using ongoing probing When a session is initiated all possible destination IP addresses continuously receive RDP packets The VPN tunnel uses the first IP to respond or to a primary IP if a primary IP is configured and active and stays with this IP until the IP stops responding The RDP probing is activated when a remote access client connects and continues as a background process Overview e Using one time probing When a remote acce
420. its encryption domain contains SSL Network Extender gateway or otherwise overlaps with the SSL Network Extender encryption domain the SSL Network Extender will not function properly To resolve this disable the overlapping site in SecuRemote SecureClient Troubleshooting If the client computer has SecuRemote SecureClient software installed and is configured to work in connect mode and its encryption domain contains SSL Network Extender gateway or otherwise overlaps with the SSL Network Extender encryption domain the SSL Network Extender will not function properly To resolve this verify that the flag allow clear traffic while disconnected is True which is the default value SSL Network Extender connections can not pass SCV rules SecureClient users must be differentiated from SSL Network Extender users in order to allow the SecureClient connections to pass the SCV rules One way to do this is to use the SCV capabilities in the rulebase In Traditional Mode you can configure two types of rules by selecting the Apply Rule Only if Desktop Configuration Options are verified The selected SCV rules will pass only SecureClient connections while the rules that were not selected will pass SecureClient and SSL Network Extender connections When using Simplified Mode the Administrator may specify services that will be excluded from SCV checking Both SecureClient and SSL Network Extender clients attempting to access such services wi
421. ituations where all the users use the SAA plugin to connect In the event that only certain users are required to use the plugin set the neo saa guilibs property to an empty string after you complete the creation of the customized package As a result only the users using the customized package will be using the SAA plugin 1 Follow the steps described in Configuring the SAA Plugin on the Client Manually on page 475 2 Establish a connection with each gateway that will be included in the package This will store each gateway into the clients database 3 Export the client configuration To export the database see Exporting the Client Configuration on page 472 Use the exported startup c to create the customized CAB file include the SAA plugin in the CAB too To create a CAB file see Creating a CAB Package on page 473 Chapter 19 SecureClient Mobile 475 Troubleshooting Troubleshooting 476 Enabling Log Files Log files are files that records client activity which are useful when troubleshooting various issues To enable log files e From the SecureClient Mobile GUI select Menu gt Help gt Troubleshooting e Log files may be enabled for Client the VNA Kernel Virtual Network Adapter and the FW Kernel Routing Table The routing table is used by the TCP IP stack to route IP packets on the device IP Configuration The IP configuration page displays the IP addresses of the various inter
422. ity e Download the Microsoft Pocket PC 2003 SDK from here e Install the SDK on your PC After the SDK is installed the Cabwiz utility is normally located at c Program Files Windows CE Tools wce420 POCKET PC 2003 Tools Edit the package by exporting the client configuration and removing and or adding files for additional information refer to Adding a File to a CAB Package on page 470 Deleting a File from a CAB Package on page 471 and Exporting the Client Configuration on page 472 Copy the cabwiz exe and the cabwiz ddgf files to the scm folder created when extracting the SecureClient Mobile Setup lt build number gt zip file this file was originally extracted from the SecureClient Mobile distribution zip file Chapter 19 SecureClient Mobile 473 Client Deployment Overview 474 4 Copy the makecab exe from the Windows system directory by default C WINDOWS system32 to the scm folder 5 Run the cabwiz SecureClient Mobile Setup lt build number gt inf file The created CAB package has a cab extension Creating an MSI Package The customizable install package ZIP file includes a Windows Installer package MSI file with a placeholder for a new client installer CAB file Once a client CAB is attached to the MSI file it can be installed on a Windows machine PC the attached CAB would then be installed onto a connected PDA though the ActiveSync service To attach a client CAB file to a MSI
423. ject select VPN For an internally managed gateway only in the Communication window establish Secure Internal Communication In the Topology page define the IP address network mask and anti spoofing for every gateway interface Still on the Topology page define the VPN Domain select either e All IP Addresses behind gateway based on Topology information or e Manually defined Either select an existing network or group from the drop down list or create a new group of machines or networks by clicking New In the VPN page click Traditional mode configuration The Traditional mode IKE properties window opens e In the Support authentication methods area select Pre shared Secret click Edit Secrets Only peer gateways which support pre shared secrets appear in the list e Type a secret for each peer gateway e Select IKE phase 1 encryption and data integrity methods or accept the checked defaults Repeat step 1 to step 6 for each gateway taking part in the VPN Configuring Traditional Mode VPNs Defining the Encrypt Rule 8 In the Security Rule Base define the Encrypt rule s 9 If you wish to change the IKE Phase 2 properties for this rule double click the Encrypt action and make the required changes Chapter 13 Traditional Mode VPNs 265 Configuring Traditional Mode VPNs 266 Remote Access VPN Chapter 14 Introduction to Remote Access VPN In This Chapter Need for Remote Access VPN page 270 The
424. k service pack major version number 2k 0 service pack minor version number 2k 0 service pack version operand 2k gt major oS version number xp 5 minor os version number xp 1 0S version operand xp service pack major version number xp 0 service pack minor version number xp 0 service pack version operand xp gt ProcessMonitor type plugin parameters begin or orl AntiVirusl exe true AntiVirus2 exe true send orl 538 Configuring SCV IntrusionMonitor exe true ShareMyFiles exe false begin_ admin admin send_ log alert mismatchmessage Please check that the following processes are running nl AntiVirusl exe or AntiVirus2 exe n2 IntrusionMonitor exe n nPlease check that the following process is not running nl ShareMyFiles exe send admin groupmonitor type plugin parameters begin or orl begin_ and 1 builtin administrator false BUILTIN Users true send 1 begin and 2 builtin administrator true BUILTIN Users false send and2 send orl begin_ admin admin send log alert mismatchmessage You are using SecureClient with 2 non authorized user nMake sure you are logged on as an authorized user securely configured no active user false send admin HotFixMonitor type plugin parameters 2147222 true b
425. k Extender pre requisites are listed below Client side Pre Requisites The SSL Network Extender client side pre requisites are listed below e Remote client must be running the following e Windows 2000 Pro e Windows XP Home Edition and Pro e Windows Vista e Linux RHEL 3 0 e Linux Suse 9 and up e Red Hat Linux 7 3 e Mac OSX Tiger e Remote client must use the following Each must allow ActiveX or Java Applet e Internet Explorer version 5 0 or higher e FireFox e Safari e First time client installation uninstall and upgrade requires administrator privileges on the client computer Chapter 30 SSL Network Extender 633 Special Considerations for the SSL Network Extender 634 Server Side Pre Requisites The SSL Network Extender server side pre requisites are listed below The SSL Network Extender is a server side component which is part of a specific Enforcement Module with which the SSL Network Extender is associated It may be enabled on the gateway already configured to serve as a Remote Access SecureClient gateway The specific security gateway must be configured as a member of the Remote Access Community and configured to work with Visitor Mode This will not interfere with SecureClient functionality but will allow SecureClient users to utilize Visitor Mode The same access rules are configured for both SecureClient and SSL Network Extender users If you want to use Endpoint Security on Demand you should install the
426. k provided with SecureClient you can specify the following expression browser major version 5 This expression checks whether the version of the Internet Explorer browser installed on the client is 5 x If the major version is 5 this expression is evaluated as true otherwise it is evaluated as false The name of the expression e g browser_major_version is determined by the SCV application and is supplied by manufacturer If several expressions appear one after the other they are logically ANDed meaning that only if all expressions are evaluated as true then the value of all of them taken together is true Otherwise if even one of the expressions is false the value of all of them is false For example browser major version 5 browser minor version 0 Chapter 23 Secure Configuration Verification 531 Configuring SCV 532 These expressions are ANDed If the version of Internet Explorer is 5 AND the minor version is O i e version 5 0 then the result is true otherwise it is false If the version of Internet Explorer is for example 4 0 then the first expression Is false and the second one is true and the result of both of them is false Sometimes some expressions can influence the way in which others are evaluated For example browser major version 5 browser minor version 0 browser version operand gt These expressions are ANDed but the third express
427. kaging Tool Wizard e MSI Packaging The benefits of packaging are e Configuration site creation connection and encryption parameter specification etc is performed by professional administrators rather than by unsophisticated and error prone users e Installation and support overhead are greatly reduced e Users security configurations are more uniform across the organization because they are pre defined by the administrator rather than specified by each user individually e The administrator can more quickly respond to security threats by automatically updating remote users security software Chapter 20 Packaging SecureClient 481 The Check Point Solution SecureClient Packaging Tool 482 How Does Packaging Tool Work Packaging Tool combines a client installation package for example the generic SecureClient installation package with a package profile to create a preconfigured SecureClient package The administrator can then distribute the package to the users The administrator can pre configure the client s installation and configuration settings such as the connection mode to the VPN gateway Connect Transparent encryption properties and more These settings are saved in a package profile and can then be used for configuring packages The administrator can create different package profiles for different user groups For example the administrator can create one profile with the configuration parameters f
428. ks coming into the external interface Define a network object that represents those internal networks with valid addresses and from the drop down list select that network object Objects selected in the Don t check packets from drop down menu are disregarded by the anti spoofing enforcement mechanism 9 Under Spoof Tracking select Log and click OK 152 Configuring a Loopback Interface Configuring a Loopback Interface When a VTI connects a Nokia machine and a SecurePlatform machine a loopback interface must be configured and defined in the Topology tab of the gateway In Nokia Network Voyager l Login and the following window appears Model P1260 Software Release 3 9 DEV016A Software Version jreleng 1515 02 08 2005 030000 Serial Number 7H111111150 Current Time Uptime Thu Feb 10 18 16 53 2005 GMT 1 day 1 hour 42 minutes Physical Memory 512 MB o ao Interface Configuration System Utilization Routing Configuration Network Reports Traffic Management Configuration System Health Router Services Configuration System Logs System Configuration Routing Protocols Security and Access Configuration Hardware Monitor IPv6 Configuration Show Co ation Summ 2 Click Interface Configuration Chapter 6 Route Based VPN 153 Configuring a Loopback Interface 3 On the Configuration page click Interfaces
429. l gateways If they are already in a Community do not mesh the central gateways Define the Satellite gateways These will usually be the external ones Agree on a pre shared secret with the administrator of the external Community members Then in the Shared Secret page of the community select Use Only Shared Secret for all External Members For each external peer enter the pre shared secret Define the relevant access rules in the Security Policy Add the Community in the VPN column the services in the Service column the desired Action and the appropriate Track option Install the Security Policy Chapter 4 Introduction to Site to Site VPN 87 How to Authorize Firewall Control Connections in VPN Communities How to Authorize Firewall Control Connections in VPN Communities 88 Check Point Nodes communicate with other Check Point Nodes by means of control connections For example a control connection is used when the Security Policy is installed from the Security Management server to a Security Gateway Also logs are sent from security gateways to the Security Management server across control connections Control connections use Secure Internal Communication SIC Control connections are allowed using Implied Rules in the Security Rule Base Implied Rules are added to or removed from the Security Rule Base by checking or unchecking options in the FireWall Implied Rules page of the SmartDashboard Global Properties Some adm
430. l up track Log YPN Tunnel Sharing Control the number of WPN tunnels opened between peer Gateways One VPN tunnel per each pair of hosts One VPN tunnel per subnet pair One VPN tunnel per Gateway pair e for Permanent Tunnels see Permanent Tunnels on page 170 e for Tracking see Tracking Options on page 174 e for VPN Tunnel Sharing see VPN Tunnel Sharing on page 174 Chapter 7 Tunnel Management 169 Configuring Tunnel Features 170 Permanent Tunnels In the Community Properties window on the Tunnel Management page select Set Permanent Tunnels and the following Permanent Tunnel modes are then made available e On all tunnels in the community e On all tunnels of specific gateways e On specific tunnels in the community To configure all tunnels as permanent select On all tunnels in the community Deselect this option to terminate all Permanent Tunnels in the community To configure On all tunnels of specific gateways 1 Select On all tunnels of specific gateways and click the Select Gateways button The Select Gateways window is displayed The example given in Figure 7 3 shows Remote 1 gw and Remote 2 gw as the only two gateways selected As a result all VPN tunnels connected with Remote 1 gw or Remote 2 gw will be permanent To terminate Permanent Tunnels connected to a specific gateway highlight the gateway and click Remove Configuring Tunnel Features Figure 7 3 Select
431. latforms only and can only be implemented between two gateways within the same community Enabling Route Based VPN If both Domain Based VPN and Route Based VPN are configured then Domain Based VPN will take precedence For Route Based VPN to take priority an empty group should be created and assigned as the VPN domain In SmartDashboard proceed as follows Select Manage gt Network Objects Select the Check Point gateway and right click Edit In the Properties list click Topology In the VPN Domain section select Manually define Click New gt Group gt Simple Group ot OT eee ee Se Enter a name in the Name field and click OK Numbered VTIs Using the new VPN Command Line Interface VPN Shell the administrator creates a VPN Tunnel Interface on the enforcement module for each peer gateway and associates the interface with a peer gateway The VPN Tunnel Interface may be numbered or unnumbered For more information on the VPN Shell see VPN Shell on page 729 Every numbered VTI is assigned a local IP Address and a remote IP Address Prior to configuration a range of IP Addresses must be configured to assign to the VTIs Figure 6 3 Cluster GWA Veni 180 180 1 1 WtGWe f 10 0 0 2 Configuring Numbered VTIs eth0 T AN veGWb 1 10 0 1 12 f 1001 11 f cluster eth0 E or f 170 170 1 40_ 55 5 1 eth 8852 f f as vt GWe veGWe i 5 40 0 1 214 10 0 1 22
432. le GPRS if the device is not elsewhere connected to the Internet Configure this feature using the neo initiate dialup property found in Table 19 1 on page 457 Always Connected SecureClient Mobile can be configured to automatically establish the VPN tunnel with the last gateway to which it was connected when one of the following conditions are met e The device has a valid IP address For example when turning WLAN WiFi on e The device exits standby mode or loads after a softreset shutdown e After the condition that caused the device to automatically disconnect ceases to exist for example when the client automatically disconnects as a result of putting the device in ActiveSync then when the device is released from ActiveSync the client automatically connects This mode of operation is highly advised as the default mode of operations as it relieves the end user from the need to manually establish the VPN tunnel whenever connectivity is needed Combining this mode with Initiate Dialup makes the client connected at all times This allows push protocols VoIP etc Configure this feature using the neo always connected and neo disconnect when idle timeout properties found in Authentication Schemes The client supports most of the common authentication schemes supported by Check Point gateways including Active Directory RADIUS etc There are several ways to authenticate the user and the connected device e Client Certificates
433. le to true to enable and false to disable support D Save the changes to install the policy Configuring the Gateway as a Member of a Remote Access Community To configure a gateway as a member of a remote access community 1 On SmartDashboard select the Gateway Object from the Network Object tab of the Objects Tree The General Properties window opens Chapter 19 SecureClient Mobile 443 Configuring SecureClient Mobile 444 Figure 19 1 General Properties Window E3 Additional Products Topology NAT IPS VPN Remote Access Authentication Logs and Masters Capacity Optimization Cooperative Enforceme Advanced Check Point Gateway General Properties Machine Name sslypn example com Color L IP Address fi 43 100 75 1 Get address I Dynamic Address Comment Corporate Gateway Secure Internal Communication Communication DN Platform Hardware Open server 7 Version NGX R65 x Os windows x Get Software Blades Nework Security Blades Other z Network Security 2 Management 0 Management Blades Other F Firewall Advanced Networking Monitoring Mi IPSec VPN m a A Show a complete picture of network and gt Policy Server re dina iee kd security performance enabling fast F Ips onnectCorircl response to changes in traffic pattems Acceleration amp Clustering or security events URL Filtering pie SecurexL More z I FireWall 1 GX 4 T
434. led or disabled Advanced Configuration Advanced Configuration When the management patch is installed the security policy is configured on the Security Management server using dbedit To configure the security policy using GuiDBEdit tool perform the following This tool is available on the SmartGUls installation in the following location Program Files CheckPoint SmartConsole lt version gt PROGRAM GuiDBEdit exe refer to K13009 1 Select Global Properties gt properties gt firewall_properties 2 In the Field Name column find mobile_remote_access_properties The SecureClient Mobile properties appear below this property 3 Customize the properties to meet the requirements 4 Save the changes and select install policy The changes are not enforced until install policy is run The policy is delivered to all gateways Refer to Table 19 1 for a list of the properties used to configure the security policy Chapter 19 SecureClient Mobile 455 Advanced Configuration Figure 19 3 172 16 8 130 Check Point Database Tool File View Objects Fields Search Queries Help ERIE Tables Queries E frewall_properties Administrators Desktop Global Properties E properties Large Scale Manager Managed Objects Network Objects network_objects sites_objects sofaware_gw_types OPSEC Other Policies 0 8 mum of Provider 1
435. lick Manage gt VPN Communities The VPN Communities window appears Select the community to be configured and click Edit Double click Advanced Settings to view the various options Click Wire Mode The Wire Mode window appears 5 To enable Wire Mode on the community select Allow uninspected encrypted traffic between Wire mode interfaces of the Community s members 6 To enable Wire Mode Routing select Wire Mode Routing Allow members to route uninspected encrypted traffic in VPN routing configurations Enabling Wire Mode on a Specific Gateway 1 In SmartDashboard click Manage gt Network Objects The Network Objects window will appear Select the gateway to be configured and click Edit 3 Double click VPN to expand VPN tree Select the VPN Advanced to display the VPN Advanced window 4 To enable Wire Mode on the gateway select Support Wire Mode Click Add to include the interfaces to be trusted by the selected gateway Click Log Wire mode traffic to log wire mode activity Chapter9 Wire Mode 197 Configuring Wire Mode 198 Chapter 10 Directional VPN Enforcement In This Chapter The Need for Directional VPN page 200 The Check Point Solution page 201 Configuring Directional VPN page 204 199 The Need for Directional VPN The Need for Directional VPN 200 When a VPN community is selected in the VPN column of the Security Policy Rule Base the source and destination IP addresses can belong to any of t
436. lick the Set domain for Remote Access Community button The VPN Domain per Remote Access Community window appears 5 Click the Set button The Set VPN Domain per Remote Access Community window appears Chapter 16 SecuRemote SecureClient 341 Configuring SecureClient 6 From the drop down menu select the object that will represent the Remote Access VPN domain 7 Click OK Configuring Desktop Security Policy Expiration Time 1 In SmartDashboard click Policy gt Global Properties The Global Properties window appears 2 Select Remote Access to display the Remote Access VPN 1 SecuRemote SecureClient window 3 In the VPN 1 SecureClient Desktop Security Policy expiration time section select the amount of time in minutes before the security policy will remain with the current policy 4 Click OK 342 Configuring SecureClient Configuring Hot Spot Hotel Registration Enabling the Hotspot option is configured using the userc c file The Hotspot set with defaults is as follows shotspot enabled slog false max ip count false connect_ timeout block_hotspot_after connect 600 5 false max trials 0 local_subnets false sports 80 443 8080 Table 16 1 Hotspot Parameters Parameter Default Description enabled false Set to true to enable a user to perform Hotspot registration log false Set to true to send logs with the list of IP address
437. ll be allowed access even when not SCV verified SCV will not be enforced on specified services for both types of clients ESOD Issues User did not pass the scan a Continue button is not displayed The user probably did not match the policy requirements e f using ESOD per User Group feature Verify that the user is using the correct policy e According to the policy Explain the user how to remove the elements that are blocking him User cannot access the given URL for his specific group e Make sure that the group listed in the URL is listed in the ics group file with the correct xml file e Make sure that the xml file that is assigned to the group exists in SFWDIR conf extender e Make sure Install Policy has been made since the ics group file has changes User has passed the ESOD scan but gets a Wrong ESOD Scan error when trying to connect Chapter 30 SSL Network Extender 673 Troubleshooting This means that the user has passed the scan intended for a group that he does not belong to e Verify that the user is using the correct URL e Look at the SmartView Tracker The log should state which xml file the user used for the scan Make sure that this file is the same as the user s group file If not direct the user to the correct URL 674 Chapter 31 Resolving Connectivity Issues In This Chapter The Need for Connectivity Resolution Features page 676 Check Point Solution for Connectivity
438. lled on the gateways the objects database is also installed on the gateways The part of the database that relates to remote clients is sent to the Topology Server on the gateway When the clients perform a Site Update they are actually downloading the Topology information from the Topology server which updates the Managers and gateway sections of userc C on the clients The file is stored on the client machine in the SecuRemote database directory The parameters appear in the options section Introduction to Userc C and Product ini How to Manually Edit Userc C Do not make any manual changes to the Global section of userc C Manually edit the Managers and Gateway sections of userc C as follows 1 Extract userc c from the original SecuRemote SecureClient tgz format installation package 2 Edit the userc C parameters as needed userc C file If a parameter is edited incorrectly the file may become corrupted and AN Warning SecuRemote SecureClient performs minimal syntax checking for the sites may need to be redefined 3 Recreate the tgz file The Product ini file The Product ini configuration text file contains mostly properties that relate to the package installation The properties are fixed The Product ini file is read only upon installation of the SecuRemote SecureClient To change products ini use the Packaging Tool or if necessary edit the file manually as follows 1 Extract products ini from the original SecuR
439. lows the administrator to define some general settings and behaviors of the client These include Running the client on device boot The ability of the end user to quit the client to generate debug logs to have the Today Home item and the amount of interaction pop ups and warnings the client produces Configure these features using the neo run client on device startup neo enable kill neo allow client _debug_logs neo allow client db export neo show taskbar today item and neo flash icon on _encrypting drop properties Chapter 19 SecureClient Mobile 433 Client Deployment Repackaging and Upgrade Client Deployment Repackaging and Upgrade 434 SecureClient Mobile comes packaged as a self installing CAB signed for integrity The CAB package can be customized before it is distributed to users to include predefined topology settings credentials and a default firewall policy The CAB can be re packaged with a supplied MSI package Windows Installer to be installed through ActiveSync s installer service from a Windows PC During version upgrades the installer preserves the existing client policies and credentials unless they are specifically overridden by the upgrade package When the client is installed on the mobile device another applet called Certificate Import Wizard is also installed This applet enables the importing of PKCS 12 certificate files to the device CAPI store for use for client authentication Config
440. lp before changing the default values 4 Select Use Sticky Decision Function Using this function when the client connects to the cluster all of its traffic passes through a single gateway If the member gateway fails the client reconnects to another cluster member and resumes its session 446 Configuring SecureClient Mobile 5 Select Gateway Cluster Object gt Remote Access gt Office Mode When defining office mode for use with load sharing clusters only the Manual using IP pool method is supported Gateway Cluster Properties Corporate Cluster 2 General Properties Office Mode Cluster Members O Do not offer Office Mode 3rd Party Configuration Topology Offer Office Mode to group NAT w VPN 6 Remote Access Office Mode Method Office Mode Clientless VPN SSL Network Extender From ipassignment conf located in FWDIR cont always tried first Authentication SmartView Monitor Logs and Masters Capacity Optimization H Advanced Manual using IP pool Allocate IP address by sequentially trying the checked methods until success _ From the RADIUS server used to authenticate the user 4 Using one of the following methods Note Define the IP Pool addresses on each cluster member Automatic using DHCP Optional Parameters tiple Interfaces Support connectivity enhancement for gateways with multiple extemal interfaces poofing Perform Anti Spoofing
441. lts the client is classified as securely configured or non securely configured For example an administrator who wishes to disallow a file sharing application would define a rule in the SCV Policy verifying that the file sharing application process is not running Note The SCV check described in this example is among the pre defined SCV checks included with Security Management server see Check Point SCV Checks on page 524 This check must be configured to test for the specific process If all the SCV tests return the required results the client is considered to be securely configured If even one of the SCV tests returns an unexpected result the client is considered to be non securely configured The Secure Configuration Verification Solution Downloading the SCV Policy to the Client When SecureClient downloads its Desktop Policy from the Policy Server it downloads its SCV Policy at the same time Verifying the SCV Policy After downloading the SCV Policy SecureClient confirms that the SCV DLL s specified in the SCV Policy have not been tampered with by calculating their hash values and comparing the results with the hash values specified for the DLLs when they were installed see nstalling SCV Plugins on the Client Runtime SCV Checks At regular intervals default is every 15 seconds SecureClient performs the SCV checks specified in the SCV Policy by invoking the SCV DLLs and compares the results to the SCV Policy
442. lusters of gateways or remote client software for mobile users which negotiate the VPN link e VPN trust entities for example the Check Point Internal Certificate Authority The ICA is part of the Check Point suite used for establishing trust for SIC connections between gateways authenticating administrators and third party servers The ICA provides certificates for internal gateways and remote access clients which negotiate the VPN link Chapter 1 Overview 37 The Basic Check Point VPN Solution 38 VPN Management tools Security Management server and SmartDashboard SmartDashboard is the SmartConsole used to access the Security Management server The VPN Manager is part of SmartDashboard SmartDashboard enables organizations to define and deploy Intranet and remote Access VPNs Understanding the Terminology A number of terms are used widely in Secure VPN implementation namely VPN A private network configured within a public network such as the Internet VPN Tunnel An exclusive channel or encrypted link between gateways VPN Topology The basic element of VPN is the link or encrypted tunnel Links are created between gateways A collection of links is a topology The topology shows the layout of the VPN Two basic topologies found in VPN are Mesh and Star VPN Gateway The endpoint for the encrypted connection which can be any peer that supports the IPSec protocol framework Gateways can be single standalone modules or arra
443. ly enable a set of specific SCV checks e g only check that the user s SecureClient is enforcing a security policy or as many SCV checks as required e g all of the above SCV checks The SCV checks are performed independently by the SCV Dynamic Link Libraries and SecureClient checks their status through the SCV plugins every 15 seconds and determines whether the user is securely configured or not If one or more of the tests fails the SecureClient is considered to be non securely configured Note To enforce a specific SCV check set the parameters of the check in the SCVNames section and include the name of the check in SCVPolicy Considerations regarding SCV Considerations regarding SCV In This Section Planning the SCV Policy page 527 User Privileges page 527 Using pre NG Clients with SCV page 528 Planning the SCV Policy The file SFWDIR conf local scv on the Security Management server contains a sample of a basic SCV policy for checks that are supplied with any SCV installation You can review this file to help you decide which SCV tests to perform If you need additional SCV checks for OPSEC products such as Anti Virus and Endpoint security SCV checks visit http www opsec com User Privileges To implement SCV effectively it is suggested that you consider not to allow your remote users to have administrative privileges on their desktops Giving the users administrative privileges can allow them to change system sett
444. m TrMsgArgIter iter int arg num Arguments Argument IN OUT Meaning the iterator to get number of arguments iter in arg num out TIrMsgArglterGetNextArg This functions fills the next TrArg in theTrMsg If there are no more TrArgs fills arg with NULL and the return code is TrOK If the function fails an appropriate TrStatus error code is returned and arg is NULL Chapter 18 Endpoint Connect API 411 Functions from Service to Client 412 Prototype TRAPI CPAPI TrStatus TrMsgArgIterGetNextArg TrMsgArgIter iter TrArg arg Arguments Argument IN OUT Meaning iter in the iterator arg out the next argument TrMsgSetintArg This function sets the argument in the given position to int argument and overrides the current argument that exists in the given position Prototype TRAPI CPAPI TrStatus TrMsgSetIntArg TrMsg message int pos int val char default_txt Arguments Argument IN OUT Meaning message in the message pos in position of the message val in value of the message default_text in the message text TIrMsgSetStrArg This function sets the argument in the given position to a str argument and overrides the current argument that exists in the given position Prototype TRAPI CPAPI TrStatus TrMsgSetStrArg TrMsg message int pos char val char default_txt Functions from Service to Client Arguments
445. ment even if use_dkm_cert_by_default is configured Configuration of PKI Operations Configuration of PKI Operations In This Section Trusting a CA Step By Step page 103 Enrolling with a Certificate Authority page 107 Enrolling with a Certificate Authority page 107 Certificate Revocation All CA Types page 111 Certificate Recovery and Renewal page 112 Adding Matching Criteria to the Validation Process page 113 CRL Cache Usage page 113 Modifying the CRL Pre Fetch Cache page 114 Configuring CRL Grace Period page 114 Trusting a CA Step By Step This section describes the procedures for obtaining a CA s own certificate which is a prerequisite for trusting certificates issued by a CA In order to trust a CA a CA server object has to be defined The following sections deal with the various configuration steps required in different scenarios Trusting an ICA A VPN module automatically trusts the ICA of the Security Management server that manages it No further configuration is required Chapter 5 Public Key Infrastructure 103 104 Configuration of PKI Operations Trusting an Externally Managed CA An externally managed CA refers to the ICA of another Security Management server The CA certificate has to be supplied and saved to disk in advance To establish trust 1 Open Manage gt Servers and OPSEC Applications The Servers and OPSEC Application window opens 2 Choose New gt CA Select Trusted
446. ments Mismatch message for the screen saver check The screen saver will not be checked if the property enforce screen saver minutes to activate does not appear or if the time is set to zero send log type Determines whether to send a log to Security Management server for specifying that the client is not SCVed This SCV check does not support the begin admin end admin parameter section The type section should be replaced by log or alert major os version number 9x 4 Specifies the major version required for 9x operating systems to be verified minor os version number 9x 10 Configuring SCV Specifies the minor version required for 9x operating systems to be verified os_ version operand 9x gt Operator for checking the operating system s version on 9x service pack major version number 9x 0 Specifies the major service pack s version required for 9x operating system s to be verified service pack minor version number 9x 0 Specifies the minor service pack s version required for 9x operating systems to be verified service pack version operand 9x gt Operator for checking the operating system s service pack on 9x major os version number nt 4 Specifies the major version required for Windows NT operating systems to be verified minor os version number nt 10 Specifies the minor version required for Windows NT operating systems to be verified
447. mines the maximum time in milliseconds a SecuRemote is willing to spend solving a DoS protection puzzle ike_dos_supported_protection_sr Values None Stateless Puzzles Default Puzzles When downloaded to SecuRemote SecureClient it controls the level of protection the client is willing to support Chapter 2 IPSEC amp IKE 57 IKE DOS Protection 58 gateways use the ike dos protection unidentified initiator property equivalent to the SmartDashboard Global Property Support IKE DoS Protection from unidentified Source to decide what protection to require from remote clients but SecuRemote SecureClient clients use the ike dos protection This same client property is called ike dos supported protection _ sr on the gateway Client Properties Some gateway properties change name when they are downloaded to SecuRemote SecureClient The modified name appears in the Userc C file as follows Table 2 3 Property Names Property Name on Gateway ike dos protection unidentified initiat or Equivalent to the SmartDashboard Global Property Support IKE DoS Protection from unidentified Source Userc C Property Name on SecuRemote SecureClient ike dos protection or ike support dos protection ike_dos_supported_protection_sr ike_dos_protection ike dos puzzle level unidentified init iator ike dos acceptable puzzle 1 evel ike dos max puzzle time sr ike dos max puzzle time Configuring Advance
448. mitter_interval Set the time between tunnel tests life_sign_retransmissions_count When a tunnel test does not receive a reply another test is resent to confirm that the peer is down The Life Sign Retransmission Count is set to how many times the tunnel test is resent without receiving a response life_sign_retransmissions_interval Set the time between the tunnel tests that are resent after it does not receive a response from the peer cluster_status_polling_interval Relevant for HA Clusters only Set the time between tunnel tests between a primary gateway and a backup gateway The tunnel test is sent by the backup gateway When there is no reply the backup gateway will become active Chapter 7 Tunnel Management 173 Configuring Tunnel Features 174 Tracking Options Several types of alerts can be configured to keep administrators up to date on the status of the VPN tunnels The Tracking settings can be configured on the Tunnel Management page of the Community Properties screen for all VPN tunnels or they can be set individually when configuring the permanent tunnels themselves The different options are Log Popup Alert Mail Alert SNMP Trap Alert and User Defined Alert Choosing one of these alert types will enable immediate identification of the problem and the ability to respond to these issues more effectively Terminating Permanent Tunnels Once a Permanent Tunnel is no longer required the tunnel can be shut
449. more information see Domain Based VPN on page 119 Route Based VPN Traffic is routed within the VPN community based on the routing information static or dynamic configured on the Operating Systems of the gateways For more information see Route Based VPN on page 129 Note If both Domain Based VPN and Route Based VPN are configured then Domain Based VPN will take precedence Chapter 4 Introduction to Site to Site VPN 73 The Check Point Solution for VPN 74 Access Control and VPN Communities Configuring gateways into a VPN community does not create a de facto access control policy between the gateways The fact that two gateways belong to the same VPN community does not mean the gateways have access to each other The configuration of the gateways into a VPN community means that if these gateways are allowed to communicate via an access control policy then that communication is encrypted Access control is configured in the Security Policy Rule Base Using the VPN column of the Security Policy Rule Base it is possible to create access control rules that apply only to members of a VPN community for example Table 4 1 Source Destination VPN Service Action Any Any Community_A HTTP Accept The connection is matched only if all the conditions of the rule are true that is it must be an HTTP connection between a source and destination IP address within VPN Community A If any one of these
450. n This configuration is defined in the Endpoint software policy SmartDashboard Configuration When configuring cooperative enforcement for Endpoint Connect clients e In SmartDashboard on the gateway properties window create a group that contains the Endpoint Connect users 382 Cooperative Enforcement x General Properties Cooperative Enforcement Topolo Maas Cooperative Enforcement Settings SmartDefense i VPN IV Authorize clients using Integrity Server ic Remote Access l Monitor Only Authentication SmartView Monitor Track unauthorized client status Log uM UserAuthority Server Logs and Masters Integrity Server Selection Capacity Optimization ru hae ee eee Cooperative Enforcer SFE WP Sasi Sale AOT E Advanced Select Integrity S s regi a IE Client Authorization Check authorization of all clients Bypass authorization of the following clients New Check authorization only for the following clients E GW grour New OK Cancel Help This group when trying to open a connection through the firewall module will be checked for Endpoint Security compliance Manual Configuration The following features cannot be configured in SmartDashboard These features can be modified by manually editing the database with tools such as DBEdit GUIDBEdit e Track authorized hosts Supplies a log entry for any host event that is compliant and has access through the firewall To create this log entry u
451. n This Chapter The Need to Verify Remote Client s Security Status page 520 The Secure Configuration Verification Solution page 521 Considerations regarding SCV page 527 Configuring SCV page 529 519 The Need to Verify Remote Client s Security Status The Need to Verify Remote Client s Security Status 520 Network and Firewall administrators can easily control computers inside their organization In a Microsoft domain based environment this is done by controlling the user s privileges through the network domain controller The administrator can disable hazardous components such as Java and ActiveX controls in browsers install Anti Virus checkers and make sure they are running correctly In the case of remote users the administrator s options are limited because remote users access the organization from outside the LAN e g across the Internet and are usually unable to connect to the domain The administrator cannot control and verify their configuration through the domain controller For example suppose the remote user has ActiveX enabled and connects to a website containing a malicious ActiveX control which infects his or her computer When the remote user connects to the organization s LAN the LAN becomes vulnerable as well Even a properly configured Desktop Security Policy important as it is does not afford protection against this type of attack because the attack does not target a vulnerability in the acc
452. n a community 1 204 In Global Properties gt VPN page gt Advanced gt Select Enable VPN Directional Match in VPN Column In the VPN column of the appropriate rule right click on the VPN community From the pop up menu select Edit Cell The VPN Match Conditions window opens Select Match traffic in this direction only and click Add The Directional VPN Match Condition window opens In the Match on traffic reaching the Gateway from drop down box select the object for internal_clear the source In the Match on traffic leaving the Gateway to box select the relevant community object the destination Add another directional match in which the relevant community object is both the source and destination This allows traffic from the local domain to the community and within the community Click OK Configuring Directional VPN Configuring Directional VPN Between Communities To configure Directional VPN between communities 1 In Global Properties gt VPN page gt Advanced gt Select Enable VPN Directional Match in VPN Column 2 Right click inside the VPN column of the appropriate rule From the pop up menu select Edit Cell or Add Direction The VPN Match Conditions window opens xi x Match all conections wether Clear or Encrypted Do not use this column as a Match Condition Directional Match Condition WE Match traffic in this direction only Non Directional Ma
453. n a mesh and star communities a i a my 7 7 N x i Fo A od Io i 7 e Washington Mesh _7 Enforcement NG London Star Tia DS c Point BETS a _ Any H Washingtonek London x Any G accept Washington is a Mesh community and London is a VPN Star In the VPN column of the Security Policy Rule Base a directional VPN rule has been implemented This means that for a VPN connection to match this rule the source of the connection must be in the Washington Mesh and the destination host must be within the London Star This does not mean that return or back connections are not allowed from London to Washington the three way handshake at the start of every TCP connection demands return connections only that the first packet must originate within the Washington Mesh If a host within the London Star tries to open a connection to a host in the Washington Mesh the connection is dropped This directional enforcement does not affect the topology of either Washington or London The enforcement can be thought of as taking place somewhere between the two communities Chapter 10 Directional VPN Enforcement 203 Configuring Directional VPN Configuring Directional VPN In This Section Configuring Directional VPN Within a Community page 204 Configuring Directional VPN Between Communities page 205 Configuring Directional VPN Within a Community To configure Directional VPN withi
454. n also be used to check for the existence exclusion of more than one process The fields may be ANDed or ORed for flexibility 8 RegMonitor e PredefinedKeys HIVE Specify the registry hive from one of the following choices e HKEY_CURRENT_USER e HKEY_LOCAL_MACHINE e HKEY_USERS If one of the hives is not specified then HKEY_LOCAL_MACHINE is used To configure a check for HKEY_CLASSES_ROOT use HKEY_LOCAL_MACHINE Software Classes and HKEY_CURRENT_USER Software Classes e value registry value path The path of a registry DWORD under the hive specified by the predefined keys will be checked The value should be an operator followed by a number e g Software TrendMicro PC cillinNTCorp CurrentVersion Misc PatternVer gt 414 The syntax for the value parameter is value pathOPval For example value Software PaternVer gt 414 550 Configuring SCV string registry string path The path of a registry string under the hive specified by the predefined keys will be checked The string s value is compared to the given value in the way that DWORDs are compared keyexist registry key path The path of a registry key to check if the key exists under the hive specified by the predefined keys will be checked The key must exist if the machine is to be verified keynexist registry key path The path of a registry key to be checked for exclusion under the hive specified by the predefine
455. n for Multiple Entry Points Preferred Backup Gateway Preferred Backup gateway allows remote hosts to choose which gateway in the MEP configuration will be the backup gateway All other gateways in the MEP configuration will be ignored should the first two gateways become unavailable Figure 28 1 Preferred Backup Gateway Gateway A Primary Gateway VPN Domain SecureRemote SecureClient User In this scenario e The VPN Domain is behind three gateways A B and C e Gateway A is the Primary gateway e Gateway B is the Backup gateway when gateway A is not available e Should gateway A and gateway B become unavailable the remote host will not attempt to connect to gateway C 598 The Check Point Solution for Multiple Entry Points Visitor Mode and MEP Since the RDP gateway discovery mechanism used in a MEPed environment runs over UDP this creates a special challenge for SecureClient in Visitor Mode since all traffic is tunnelled over a regular TCP connection In a MEPed environment e The RDP probing protocol is not used instead a special Visitor Mode handshake is employed e When a MEP failover occurs SecureClient disconnects and the user needs to reconnect to the site in the usual way e Ina Primary Backup configuration the connection will failover to the backup gateway should the primary gateway become unavailable Even if the Primary gateway is restored the connection does not return to the primary g
456. n in a Mixed SecureClient and SecureClient Mobile Environment When connecting SecureClient Mobile to a security gateway that has already been setup to handle SecureClient connection Windows Macosx and 4 1 consider the following issues 1 Topologies with several gateways and Multiple Entry Points MEP In some configurations the remote access topology domain for remote access is based on the gateway to gateway topology If there are a few gateways with non fully overlapping encryption domain this may be a challenge for SecureClient Mobile as the topology downloaded to this client it only knows of the remote access encryption domain of the one connected gateway SCM does not support MEP too To overcome this limitation it is advanced to use Hub Mode when connecting to any of the gateways The client s packets will be routed through the connected gateway to other parts of the network using site to site VPN and will be routed to the Internet as necessary Chapter 19 SecureClient Mobile 467 Advanced Configuration 2 Enable Secure Configuration Verification SCV Traversal When enforcing SCV for remote access on the gateways it is necessary to exempt SSL Clients from the SCV check proceed as follows A In SmartDashboard click Policy gt Global Properties gt Remote Access gt Secure Configuration Verfication SCV B Select the Apply Secure Configuration Verfication on Simplified mode Security Policies option C Click Ex
457. n of Visitor Mode refer to Visitor Mode on page 631 Note The SSL Network Extender uses TCP 443 SSL to establish a secure connection with VPN SecurePlatform and the Nokia platform use TCP 443 SSL for remote administration purposes Another port may be assigned to the SSL Network Extender however this is not recommended as most proxies do not allow ports other than 80 and 443 Instead it is strongly recommended that you assign the SecurePlatform or Nokia platform web user interface to a port other than 443 If you are working with SecurePlatform you may perform the following actions Chapter 30 SSL Network Extender 637 Configuring the SSL Network Extender e You can change the webui port by running the following command webui enable lt port number gt for example webui enable 444 e You can disable the webui completely by running the following command webui disable 8 To change a Voyager port on Nokia platform run voyager e x S lt port number gt x represents the encryption level For more information run voyager h 9 Select Remote Access gt Office Mode 10 Configure Office Mode as described in the Office Mode chapter For a description of Office Mode refer to Office Mode on page 630 OS Note Office Mode support is mandatory on the gateway side 11 Configure Users and Authentication Configuring the Gateway to Support the SSL Network Extender To configure the SSL Network Extender
458. n only connect using Office Mode private _and_om SecuRemote SecureClient can connect using either e using Office Mode or e when using private IP addresses where the meaning of private is specified in the NAT page of the Global Properties window none This setting the default does not address the problem described above attempts another type of connection the connection will be dropped and a log will be aS Note If the user is restricted to Office Mode or to the use of a private IP address and sent to the SmartView Tracker 580 Preventing a Client Inside the Encryption Domain from Encrypting Preventing a Client Inside the Encryption Domain from Encrypting The Problem If a SecuRemote SecureClient located inside the VPN domain of one gateway opens a connection to a host inside the VPN domain of another gateway the connection will be encrypted twice once by the SecuRemote SecureClient and again by the gateway and decrypted only once by the peer gateway The Solution To prevent this from happening configure the SecuRemote SecureClient not to encrypt if both the SecuRemote SecureClient and the host the end points of the connection are in the VPN domains of gateways managed by the same Security Management server To do this enable the send clear traffic_between encryption domains property in objects 5 0 C Note If you enable this feature ensure that a VPN is defined between the ga
459. n reserves the socket on the gateway taking up valuable system resources The more reasonable solution is to keep open the port on the NATing device by sending UDP keep alive packets to the gateway and then performing IKE phase II in the usual way However there is still a need to shorten the UDP packets to prevent possible fragmentation Small IKE Phase II Proposals Both gateway and remote peer start the IKE negotiation by proposing a small number of methods for encryption and integrity The more common methods are included in the small proposals If proposals match between the remote client and the gateway the proposed methods are used if no match is found a greater number of proposals are made Usually a match is found with the small proposals and fragmentation is no longer an issue However there are cases where a match is not found and a larger number of proposals need to be made This will most likely happen in instances where the remote gateway uses AES 128 for encryption and AES 128 is not included in the small proposals A greater number of proposals can result in larger UDP packets These larger packets are once again fragmented at the Data Link Layer of the TCP IP stack on the client and then discarded by the hide NAT device that does not support fragmentation In the case of AES 128 this method of encryption can be included in the small proposals by defining AES 128 as the preferred method Overcoming NAT Related
460. nal Gateways Using a Pre Shared Secret Configuring a VPN with External Gateways Using a Pre Shared Secret Configuring VPN with external gateways those managed by a different Security Management server is more involved than configuring VPN with internal gateways managed by the same Security Management server because e Configuration is done separately in two distinct systems e All details must be agreed and coordinated between the administrators Details such as the IP address or the VPN domain topology cannot be detected automatically but have to be supplied manually by the administrator of the peer VPN gateways There are various scenarios when dealing with externally managed gateways The following description tries to address typical cases but assumes that the peers work with pre shared secrets If this is not the case refer to Configuring a VPN with External Gateways Using PKI on page 81 Note Configuring a VPN using PKI and certificates is considered more secure than using pre shared secrets Although an administrator may choose which community type to use the Star Community is more natural for a VPN with externally managed gateways The Internal gateways will be defined as the central gateways while the external ones will be defined as the satellites The decision whether to mesh the central internal gateways or not depends on the requirements of the organization The diagram below shows this typical topology Note t
461. nal Mode To start a new Traditional Mode policy proceed as follows 1 In the Global Properties window VPN page select either Traditional mode to all new Security Policies or Traditional or Simplified per new Security Policy and save the policy Assuming you selected Traditional or Simplified per new Security Policy 2 3 4 5 From the File menu select New The New Policy Package window opens Give the new policy package a name Select Security and Address Translation In the VPN configuration method area select Traditional mode and click OK In the Security Policy Rule Base notice that one of the available Actions is Encrypt 258 Configuring Traditional Mode VPNs Configuring VPN Between Internal Gateways using ICA Certificates Defining the Gateways 1 For each gateway that is to be part of the VPN define a Check Point gateway object In the Network Objects tree right click and select New gt Check Point gt Gateway In the General Properties page of the Check Point gateway object select VPN 3 In the Communication window establish Secure Internal Communication In the Topology page define the IP address network mask and anti spoofing for every gateway interface 5 Still on the Topology page define the VPN Domain select either e All IP Addresses behind gateway based on Topology information or e Manually defined Either select an existing network or group from the drop down list or create a
462. nce these components are loaded you do not need to download them again unless upgrades or updates become available If you do not want to use an ActiveX component you may work with a Java Applet Note You must have Administrator rights to install or uninstall software on Windows XP Professional as well as on the Windows 2000 operating systems Downloading and Connecting the Client The following section discusses how to download and connect the SSL Network Extender To download the Client 1 Using Internet Explorer browse to the SSL Network Extender portal of the gateway at https lt GW name or IP gt The following Security Alert window may be displayed Figure 30 4 Security Alert Window I x ran Information you exchange with this site cannot be viewed or changed by others However there is a problem with the site s security certificate A The security certificate was issued by a company you have not chosen to trust View the certificate to determine whether you want to trust the certifying authority iv The security certificate date is valid The name on the security certificate is invalid or does not match the name of the site Do you want to proceed View Certificate Chapter 30 SSL Network Extender 653 SSL Network Extender User Experience Ss 654 The site s security certificate has been issued by an authority that you have not designated as a trusted CA Before you connect to this server
463. nd Connectra the Check Point remote access gateway solution Why Endpoint Connect With their requirement to repeatedly reconnect and authenticate to the corporate gateway traditional IPSec clients can be slow and cumbersome Even SSL VPNs with their explicit login requirements through a browser are a less than optimal solution for highly mobile laptop users 351 Capabilities Ca 352 Providing a highly secured low footprint VPN technology with advanced security scanning capabilities Endpoint Connect uses intelligent Auto Connect and roaming technologies to facilitate seamless and transparent interaction with the gateway at the perimeter of the corporate network Designed for corporate users who prefer to use their native desktop to launch business applications rather than the Connectra SSL portal Endpoint Connect users do not have to authenticate each time they connect Through interface roaming technologies client users are always connected to the resources available behind the gateway As corporate users move around an auto connect mode discovers whether users are outside of a secure environment and implements the best way to connect using either NAT T or Visitor Mode In practical terms if client users outside of the internal network open their mail programs a connection is transparently established to the mail server behind the gateway If client users have mapped drives to servers on the internal network those
464. nd data integrity methods for the VPN You must also obtain the CA certificate of the peer either from the peer administrator or directly from the peer CA Defining the CAs 1 Obtain the CA certificate and create the Certificate Authority CA object for the internally managed gateways For details see Enrolling with a Certificate Authority on page 107 Define the CA object for the externally managed gateways and configure it using the peer CA certificate Defining the Internally Managed Gateways 3 Create the Check Point gateway object In the Network Objects tree right click and select New gt Check Point gt Gateway In the General Properties page select either VPN In the Communication window establish Secure Internal Communication In the Topology page define the IP address network mask and anti spoofing for every gateway interface Still on the Topology page define the VPN Domain select either e All IP Addresses behind gateway based on Topology information or e Manually defined Either select an existing network or group from the drop down list or create a new network or group by clicking New In the VPN page Certificate List area Add a certificate issued by the certificate authority defined in step 1 For details see Enrolling with a Certificate Authority on page 107 Still on the VPN page click Traditional mode configuration The Traditional mode IKE properties window opens
465. nder 667 SSL Network Extender User Experience Server 1 snx d SNX Disconnecting Disconnect by running the following done SSL Network Extender Command Attributes Table 30 3 SSL Network Extender Command Attributes sn sn Attributes snx f lt configuration file gt snx d snx s lt server gt snx u lt username gt snx c lt certificate file gt snx l1 lt CA directory gt lt port gt snx e lt cipher gt Description Run SSL Network Extender using parameters defined in a configuration file other than the default name or location Disconnect from Connectra Specify server IP or hostname Specify a valid user Specify which certificate is used to authenticate Define the directory where CA s certificates are stored Change the HTTPS port default port is TCP 443 Enable debugging snx elg log file is created Force a specific encryption algorithm Valid values RC4 and 3DES 668 Table 30 4 Configuration File Attributes Ss Configuration File Attributes SSL Network Extender User Experience It is possible to predefine SSL Network Extender attributes by using a configuration file snxrc located in the users home directory When the SSL Network Extender command SSL Network Extender is executed the attributed stored in the file are used by the SSL Network Extender command To run a file with a different name execute the command snx f lt filenmae gt
466. ndow Global e use entelligence true false Specifies whether SecuRemote should attempt to use the Entrust Entelligence toolkit if installed G obal e entrust_inifile Full path to a non default entrust ini file to be used by SecuRemote SecureClient when working with entrust certificates Global e certfile Name of the last certificate used Global e gettopo port 264 Which port to use for topology update Global e pwd erase on time change true false Performs Erase Passwords when the user changes the system clock Global e force udp encapsulation true false Indicates whether UDP encapsulation is used transparent and active profile in connect mode Also used in Connect Mode to create the default profile Global e support tcp ike true false Indicates whether TCP over IKE is used transparent and active profile in connect mode Also used in Connect Mode to create the default profile Global e support tcp ike true false use_site_default Determine whether or not to attempt IKE over TCP Gateway e support ip assignment true false Indicates whether Office Mode is used transparent and active profile in connect mode Also used in connect mode to create the default profile Global Chapter 29 Userc C and Product ini Configuration Files 613 Userc C File Parameters 614 ChangeUDPsport true false If the value of both flags ChangeUDP
467. ne a Star Topology but with B1 and B2 as his central gateways and Al and A2 as satellites Chapter 4 Introduction to Site to Site VPN 81 Configuring a VPN with External Gateways Using PKI 82 Figure 4 12 External Gateways as Satellites in a Star VPN Community Internal Central Security Gateway B1 External Satellite CERET Security Gateway A2 Internal Central Security Gateway A1 Security Gateway B2 External Satellite The configuration instructions require an understanding of how to build a VPN The details can be found in Introduction to Site to Site VPN on page 61 You also need to understand how to configure PKI See Public Key Infrastructure on page 91 To configure VPN using certificates with the external gateways as satellites in a star VPN Community 1 Obtain the certificate of the CA that issued the certificate for the peer VPN gateways from the peer administrator If the peer gateway is using the ICA you can obtain the CA certificate using a web browser from http lt IP address of peer gateway or Management Server gt 18264 In SmartDashboard define the CA object for the CA that issued the certificate for the peer See Enrolling with a Certificate Authority on page 107 Define the CA that will issue certificates for your side if the Certificate issued by ICA is not appropriate for the required VPN tunnel You may have to export the CA certificate an
468. nected in Office Mode To override set disable split dns in om in the SecuRemote SecureClient userc C file to false Chapter 27 Remote Access Advanced Configuration 593 Resolving Internal Names with the SecuRemote DNS Server 594 Chapter Multiple Entry Point for Remote Access VPNs In This Chapter The Need for Multiple Entry Point Gateways The Check Point Solution for Multiple Entry Points Configuring MEP 28 page 596 page 597 page 601 The Need for Multiple Entry Point Gateways The Need for Multiple Entry Point Gateways 596 The security gateway provides a single point of entry to the internal network It is the gateway that makes the internal network available to remote machines If the gateway fails the internal network is no longer available It therefore makes good sense to have Multiple Entry Points MEP to the same network The Check Point Solution for Multiple Entry Points The Check Point Solution for Multiple Entry Points In a MEPed environment more than one security gateway is both protecting and giving access to the same VPN domain How a remote user selects a gateway in order to reach a destination IP address depends on how the MEPed gateways have been configured which in turn depends on the requirements of the organization For more information see Multiple Entry Point VPNs on page 229 The Check Point solution for multiple entry points is based on a proprietary Probing Protocol
469. nections As part of standard VPN installation it offers two modes of operation e Load Sharing mode connects to both ISPs while sharing the load of outgoing connections between the ISPs New connections are randomly assigned to a link If a link fails all new outgoing connections are directed to the active link This configuration effectively increases the WAN bandwidth while providing connectivity protection This is for firewall traffic only For VPN traffic this method provides redundancy e Primary Backup mode connects to an ISP through the primary link and switches to a backup ISP if the primary ISP link fails When the primary link is restored new outgoing connections are assigned to it while existing connections are maintained over the backup link until they are complete The settings configured in the SP Redundancy window are by default applied to the Link Selection page and will overwrite any pre existing configuration If the Primary Backup setting is configured this will be carried over to the Link Selection configuration For more information on ISP Redundancy see the SP Redundancy chapter in the Firewall Administration Guide Figure 11 6 Local Gateway links to more than one ISP y Internet Remote Peer In Figure 11 6 the local gateway maintains links to ISPs A and B both of which provide connectivity to the Internet Chapter 11 Link Selection 219 Link Selection and ISP Redundancy 220 On the VPN
470. nections from the client to the LAN Check Point s SCV solution comes with a number of predefined SCV checks for the operating system and user s browser and it also allows OPSEC partners such as Anti Virus software manufacturers to add SCV checks for their own products Chapter 23 Secure Configuration Verification 521 The Secure Configuration Verification Solution How does SCV work 522 SCV works in six steps Installing SCV plugins on the client Configuring and SCV Policy on the Security Management server Downloading the SCV Policy to the Client Verifying the SCV Policy Runtime SCV checks oP 20 ee ee EDOL a Making the organizational Security Policy SCV aware Installing SCV Plugins on the Client SCV checks are performed through special DLLs which check elements of the client s configuration and return the results of these checks An SCV application registers its SCV DLLs in the system registry The first step in configuring SCV is for the administrator to install the applications that provide the SCV checks on the client During installation these applications register themselves as SCV plug ins and write a hash value of their SCV DLLs to prevent tampering Configuring an SCV Policy on the Security Management server An SCV Policy is a set of rules or conditions based on the checks that the SCV plug ins provide These conditions define the requested result for each SCV check and on the basis of the resu
471. neffective IKE DoS attack protection is not available for Third party gateways Under heavy load they may be unable to connect SmartDashboard IKE Dos Attack Protection Settings To protect against IKE Dos attacks edit the SmartDashboard IKE Denial of Service Protection settings in the VPN gt Advanced page of the Global Properties e Support IKE DoS protection from identified source The default setting for identified sources is Stateless If the gateway is under load this setting requires the peer to respond to an IKE notification in a way that proves that the IP address of the peer is not spoofed If the peer cannot prove this the gateway does not begin the IKE negotiation If the source is identified protecting using Puzzles is over cautious and may affect performance A third possible setting is None which means no DoS protection e Support IKE DoS protection from unidentified source The default setting for unidentified sources is Puzzles If the gateway is under load this setting requires the peer to solve a mathematical puzzle Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously For unidentified sources Stateless protection may not be sufficient because an attacker may well control all the IP addresses from which the IKE requests appear to be sent A third possible setting is None which means no DoS protection IKE DOS Protection
472. net Hotspot allows users with restrictive outbound policies and or Hub Mode to register with Hotspot When a user selects to allow Hotspot SecureClient modifies the desktop security policy and or Hub Mode routing to enable Hotspot registration This modification is restricted by time number of IP addresses and ports SecureClient records the IP addresses and ports that were accessed during the registration phase Enable Logging Enable Logging Enabling logging will locally save all the activity on a remote host This information is useful in tracking problems and troubleshooting The information saved in the log files may contain confidential information and should only be sent back to the system administrator The Enable Logging feature can also be included in a Prepackaged Policy Chapter 16 SecuRemote SecureClient 335 NAT Traversal Tunneling NAT Traversal Tunneling The negotiation prior to the establishment of a VPN tunnel might result in the production of large packets Some NAT devices may not fragment large packets correctly making the connection impossible To resolve this issue there are several methods that may be used 336 NAT T NAT T is based on IETF RFC 3947 and 3948 When a remote user initiates a VPN session with a gateway the remote host informs the gateway that it is able to communicate using NAT T During the initial negotiation both peers attempt to detect whether the traffic passed through a NAT devi
473. nfigured When upgrading from a version prior to NGX R60 where Implicit MEP was already configured the settings previously configured will remain Chapter 12 Multiple Entry Point VPNs 231 Explicit MEP Explicit MEP 232 In a site to site Star VPN community explicit MEP is configured via the community object When MEP is enabled the satellites consider the unified VPN domain of all the gateways as the VPN domain for each gateway This unified VPN domain is considered the VPN domain of each gateway as shown in Figure 12 1 Figure 12 1 Unified encryption domain In Figure 12 1 a Star VPN community has two central gateways M1 and M2 for which MEP has been enabled and three satellite gateways S1 S2 and S3 When S2 opens a connection with host 1 which is behind M1 and M2 the session will be initiated through either M1 or M2 Priority amongst the MEP gateways is determined by the MEP entry point selection mechanism If M2 is the selected entry point and becomes unavailable the connection to host 1 fails over to M1 Returning packets will be rerouted using RIM or IP Pool NAT For more information about returning packets see Routing Return Packets on page 244 There are four methods used to choose which of the gateways will be used as the entry point for any given connection Explicit MEP Select the closest gateway to source First to respond Select the closest gateway to destination By VPN domain Random S
474. nfiguring VTIs in a Clustered Environment the VTI is vt Server_2 For peer gateways that have names that are longer than 12 characters the default interface name is the last five characters plus a 7 byte hash of the peer name calculated to the give the interface a unique name After configuring the VTIs on the cluster members it is required to configure in the SmartConsole the VIP of these VTIs In SmartDashboard Select Manage gt Network Objects Select the Check Point Cluster and right click Edit In Topology window click Edit Topology ie Click Get all members topology The VTIs now appear in the topology Figure 6 4 Edit Topology window Edit Topology eee Network Objective B ClusterGWa m member_GWa1 m member_GWa2 Topology Get Topology Get Topology eth0 eth0 eth0 170 170 1 10 170 170 1 1 170 170 1 2 External Netas 255 255 255 0 255 255 255 0 255 255 255 0 Name tt Sync e e Internal NetMask 255 255 255 0 Name Custer vi vt GW a 0 1 0 1 Point to point Net Mask 255 255 255 255 255 255 255 255 255 255 255 PAddress 10 0 1 10 0 1 10 0 1 12 Point to point oY Mask a 255 255 255 55 255 255 255 255 255 255 255 Add network Get all members topology Copy topology to cluster interfaces Show net mask Note that the Edit Topology window as seen in Figure 6 4 lists the members of a VTI on the same line if the following criteria match 1 Remote peer name 2 Remote
475. ng method 2 Select Using ongoing probing or Using one time probing Click Configure The Probing Settings window opens Probe all addresses defined in the topology tab Probe the following addresses IP Address 192 168 1 1 192 168 1 2 Remove I Primary address s2 OK Cancel Help Select one of the following e Probe all addresses defined in the topology tab e Probe the following addresses 224 Configuring Link Selection The remote peer can probe all of the available interfaces or only those IP addresses manually defined in the list Statically NATed IP addresses that are not assigned to any interface configured in the topology tab can be added to the manually defined IP list Configuring an interface that has priority over the other interfaces is only relevant for a gateway whose IP is resolved via one time or ongoing probing Select Primary Address and select the interface from the drop down box Configuring Outgoing Route Selection Outgoing Route Selection is configured on each gateway in the VPN gt Link Selection window To select the method to choose an interface for outbound traffic select either e Operating system routing table to use the link with the highest priority e Route based probing to probe all links and send traffic with active link with the highest priority Configuring For Responding Traffic On the Link Selection page 1 Click Setup 2 Choose either e Use outgoing
476. ng DNS lookup on page 224 Gateway with Several IP Addresses Used by Different Parties In this scenario the local gateway has a point to point connection from two different interfaces Each interface is used by a different remote party Figure 11 3 Several IP Addresses used by different parties Peer Security Gateway A Peer Security Gateway B In Figure 11 3 the local gateway has two IP addresses used for VPN One interface is used for VPN with a peer gateway A and one interface for peer gateway B For determining how peer gateways discover the local gateway s IP enable one time probing Since only one IP is available for each peer gateway probing only has to take place one time Link Selection Scenarios See Resolving Addresses via Probing on page 224 Gateway With One External Interface and Interface Behind a Static NAT Device In this scenario the local gateway has two external interfaces available for VPN The address of interface A is being translated using a NAT device Figure 11 4 Local Gateway hidden behind a NATing device Local Security Gateway Interface B Peer Security Gateway For determining how peer gateways discover the local gateway s IP use ongoing probing In order for the Static NAT IP address to be probed it must be added to the Probe the following addresses list in the Probing Settings window See Resolving Addresses via Probing on page 224 Chapter 11
477. ng the Client Machines cccccccccsscceseeeeeeceeeeeeeseeeeeneeeeaeeeesneeesaaes 512 Placing the Client Certificate in the Machine Certificate Store c ccc00e 513 Placing the User Certificate in the User Certificate Store ccccecceeeeeeeeees 514 Setting up the Microsoft IPSec L2TP Client Connection Profile 088 514 Configuring User Certificate Purposes cccccsecceceseceeeeeeseeceseeeeeeneeeeaeeeeaes 515 Making th L2TP Connection sceninis narren din voidaan ed add aa aaan tee sd 516 For More Informations cisnes eanan a a a eia ri aa ieee 517 Chapter 23 Secure Configuration Verification The Need to Verify Remote Client s Security Status ccccccccseeccseeeeeeeeeeseeeeeas 520 The Secure Configuration Verification Solution cccecccseeceeeeeeeeeeeeeseeeeseeeeas 521 Introducing Secure Configuration Verification ccccccecceseeceeseeeeeeeeeeaeeeeaes 521 How does SCV WOK a ten cle ee a a a a E TA r a 522 SCV CHECKS inh ae anatod d iaaa Paa saa adea peA aeeaiei Tae eR 524 Considerations regarding SCV viwisiccccevcsseoeslethessteueed dean ddai oplediseocsidetecdehene iti seees 527 Planning theSCVePoliGys 2sce2d piace dein dt de Scan ae a e Sd ated aa o Seda a 527 USerPHIVIIGQES EE EAE E et dedhie ced bateteltatet iui els ee oe adeodnd 527 Using pre NG Clients With S CV onrar inia dat askeigewca seats eects 528 Configuring SCV taccsth ttle tarte Soto Storch cutee men Sla
478. ng the suffix Cancel Help 3 In the Domain tab Figure 27 3 define the domain suffix and the matching rule Names in the domain that correspond to the rule will be resolved by the SecuRemote DNS Server All other names will be resolved by the SecuRemote client s default DNS server Specify the Domain Suffix for which the SecuRemote DNS Server will resolve the internal names for example checkpoint com Select Match only suffix to specify that the maximum number of labels resolved will be 1 For example if Domain Suffix is checkpoint com and Match only suffix is selected that is the maximum prefix label count is in effect 1 then the SecuRemote DNS Server will be used to resolve www checkpoint com and whatever checkpoint com but not www internal checkpoint com Select Match up to labels preceding the suffix to increase the number of labels to be matched For example if Domain Suffix is checkpoint com and Match up to labels preceding the suffix is selected and set to 3 then the SecuRemote DNS Server will be used to resolve www checkpoint com and www internal checkpoint com but not www internal inside checkpoint com Additional Considerations Split DNS is disabled in the following cases In Connect mode while disconnected To override set disable split dns when disconnected in the SecuRemote SecureClient userc c file to false In connect mode while con
479. ng with the portal login and closes the current browser window Continue Causes the ESOD for Connectra client to disregard the scan results and proceed with the log on process 4 You can select a different language from the Language drop down list see Figure 30 6 If you change languages while connected to the SSL Network Extender portal you will be informed that if you continue the process you will be disconnected and must reconnect 5 You can select a different skin from the Skin drop down list see Figure 30 6 You can change skins while connected to the SSL Network Extender portal 656 SSL Network Extender User Experience 6 Click Continue see Figure 30 6 e f the configured authentication scheme is User Password Only the following SSL Network Extender Login window is displayed Figure 30 7 SSL Network Extender Login Window 3 SSL Network Extender Login Microsoft Internet Explorer SSL Network Extender Please enter your user name and password User Nam Check Point JE TECHNOLOGIES 2004 Check Point Software Technologies Ltd Enter the User Name and Password and click OK Note If user authentication has been configured to be performed via a 3rd party authentication mechanism such as SecurlD or LDAP the Administrator may require the user to change his her PIN or Password In such a case an additional Change Credentials window is displayed before the user is allowed to access the S
480. nged into clusters for high availability and load sharing VPN Domain A group that specifies the hosts or networks for which encryption of IP datagrams is performed A VPN gateway provides an entrance point to the VPN Domain Site to Site VPN Refers to a VPN tunnel between gateways Remote Access VPN Refers to remote users accessing the network with client software such as SecuRemote SecureClient or third party IPSec clients The Check Point Security Gateway provides a Remote Access Service to the remote clients Encryption algorithm A set of mathematically expressed processes for rendering information into a meaningless form the mathematical transformations and conversions controlled by a special key In VPN various encryption algorithms such as 3DES and AES ensure that only the communicating peers are able to understand the message Integrity Integrity checks via hash functions ensure that the message has not been intercepted and altered during transmission Trust Public key infrastructure PKI certificates and certificate authorities are employed to establish trust between gateways In the absence of PKI gateways employ a pre shared secret The Basic Check Point VPN Solution e IKE amp IPSec Secure VPN protocols used to manage encryption keys and exchange encrypted packets IPSec is an encryption technology framework which supports several standards to provide authentication and encryption services of da
481. nity and its Participants page 291 Defining Access Control Rules page 291 Installing the Policy page 292 User Certificate Management page 292 Modifying Encryption Properties for Remote Access VPN page 294 Working with RSA S Hard and Soft Tokens page 295 The following configuration assumes you are working in the Simplified mode f not go to Policy gt Global Properties gt VPN select Simplified mode to all new Security Policies and create a new Security Policy Establishing Remote Access VPN requires configuration on both the gateway side via Security Management server and remote user side For the Gateway side the administrator needs to 1 Define the gateway 2 Decide how to manage users 3 Configure the VPN community and its participants 4 Set appropriate access control rules in the Security Policy Rule Base Chapter 14 Introduction to Remote Access VPN 283 VPN for Remote Access Configuration 5 Install the policy on the gateway On the remote client side the user needs to 1 Define a site 2 Register to the internal CA to receive a certificate if required 3 Connect to the site For more information see the SecuRemote SecureClient User Guide Establishing Remote Access VPN The general workflow for establishing remote access VPN is shown in Figure 14 2 Start at the top with Create Gateway and define Gateway properties and trace a route down to nstall policy Sections following the chart detail step by
482. nk Selection 213 Using Link Selection If Calculate IP based on network topology Statically NATed IP Use DNS resolving or Use a probing method is chosen in the IP Selection by Remote Peer section then the source IP when initiating a VPN tunnel is the IP address of the chosen outgoing interface e Manual e Main IP address The source IP is derived from the General Properties page of the gateway e Selected address from topology table The chosen IP from the drop down menu becomes the source IP e P address of chosen interface The source IP is the same IP of the interface where the traffic is being routed through These settings are relevant for RDP and IKE sessions When responding to an IKE session use the reply from_same IP default true attribute to follow the settings in the Source IP address settings window or to respond from the same IP For more information see Configuring Source IP Address Settings on page 226 oS Note When Route Baed Probing is enabled reply from same IP will be seen as true 214 Link Selection Scenarios Link Selection Scenarios Link Selection may be used in different infrastructures This section describes scenarios that benefit from the implementation of Link Selection In This Section Gateway with a Single External Interface page 215 Gateway with Several IP Addresses Used by Different Parties page 216 Gateway With One External Interface and Interface Behind a Static NAT De
483. nloading them to the module during a policy installation the management server instructs the module to create its own public and private keys and send to the management server only its public key The private key is created and stored on the module in either a hardware storage device or via software that emulates hardware storage Security Management server then performs certificate enrollment During a policy installation the certificate is downloaded to the module The private key never leaves the module Local key storage is supported for all CA types Chapter 5 Public Key Infrastructure 101 Special Considerations for PKI Ss 102 DKM is supported for all enrollment methods and can be configured as a default setting by selecting in Global Properties gt SmartDashboard Customization gt Configure gt Certificates and PKI properties the option use_dkm_cert_by_default Advanced configuration e x E SecuRemote SecureClient Certificates and PKI properties YPN Advanced Properties Certificates and PKI properties Details Trust CAPI root store CAs E FireWall 1 SmartCenter uset_certs_kep_size i024 x User Defined wamncertexpiry 2592000 IV use_dkm_cert_by_default J add_ip_alt_name_for_opsec_certs J add_ip_alt_name_for_ICA_certs Cancel Help Note Generating certificates for Edge devices does not support DKM and will be generated locally on the manage
484. nnect Configuring Microsoft Internet Explorer Check Point SSL Network Extender uses ActiveX controls and cookies to connect to applications via the Internet These enabling technologies require specific browser configuration to ensure that the applications are installed and work properly on your computer The Trusted Sites Configuration approach includes the SSL Network Extender Portal as one of your Trusted Sites This approach is highly recommended as it does not lessen your security Please follow the directions below to configure your browser Trusted Sites Configuration 1 In Internet Explorer select Tools gt Internet Options gt Security 2 Select Trusted sites 3 Click Sites 4 Enter the URL of the SSL Network Extender Portal and click Add 5 Click OK twice 652 SSL Network Extender User Experience About ActiveX Controls ActiveX controls are software modules based on Microsoft s Component Object Model COM architecture They add functionality to software applications by seamlessly incorporating pre made modules with the basic software package On the Internet ActiveX controls can be linked to Web pages and downloaded by an ActiveX compliant browser ActiveX controls turn Web pages into software pages that perform like any other program The SSL Network Extender can use ActiveX control in its applications To use ActiveX you must download the specific ActiveX components required for each application O
485. ns e To and from the VPN Community via VPN routing Mylntranet gt MylIntranet e From the Community to the local VPN domains Mylntranet gt internal_clear e From the local VPN domains to the VPN community internal_clear gt MyIntranet Configurable Objects in a Direction Figure 10 2 below lists all the objects that can be configured in a direction This includes three new objects created for Directional VPN Figure 10 2 Objects List Name of Object Meaning H SiteToSiteVPN Regular Star Mesh Community x Remote_Access_Community Remote Access community x Any Traffic Any traffic K All GwToGw All Gateway to Gateway traffic A All_Communities All communities new object External_ciear For traffic outside the community S Internal_clear For traffic between local domains within the community Note Clear text connections originating from the following objects are not subject to enforcement CS e Any Traffic e External_clear e nternal_clear There is no limit to the number of VPN directions that can be configured on a single rule In general if you have many directional enforcements consider replacing them with a standard bidirectional condition Directional Enforcement between Communities VPN Directional enforcement can take place between VPN communities Figure 10 3 shows two VPN communities Washington and London 202 The Check Point Solution Figure 10 3 Directional VPN betwee
486. ns 1 If one of the central gateways is an externally managed gateway e The VPN domain of the central gateways will not be automatically inherited by an externally managed gateway e The RIM configuration will not be automatically downloaded 2 UTM 1 Edge gateways cannot be configured as a MEP gateway but can connect to MEPed gateways 3 DAIP gateways require DNS resolving in order to be configured as a MEP gateway 246 Configuring MEP Configuring MEP To configure MEP decide on 1 The MEP method e Explicit MEP See Explicit MEP on page 232 e Implicit MEP See Implicit MEP on page 240 2 If required method for returning reply packets e P pool NAT e RIM To configure RIM see Configuring RIM on page 186 Configuring Explicit MEP Explicit MEP is only available in Site to Site Star VPN communities where multiple central gateways are defined To configure MEP 1 Open the Star Community properties page gt Advanced Settings gt MEP Multiple Entry Point Select Enable center gateways as MEP Star Community Properties star_saaple xi General MEP Multiple Entry Points Center Gateways Satellite Gateways IV Enable center gateways as MEP VPN Properties Tunnel Management Entry point selection mechanism Choose the method by which the entry point gateway will be E Advanced Settings chosen from the gateways in the center VPN Routing MEP Multiple Entry Excluded Services Select
487. nsure data integrity e Use Data Integrity The hash algorithm chosen here will be given the highest priority if more than one choice is offered e Support Diffie Hellman groups Select the Diffie Hellman groups that will be supported with remote hosts e Use Diffie Hellman group SecureClient users utilize the Diffie Hellman group selected in this field To enforce the global encryption properties for some users while being able to modify them for specific users go to Policy gt Global Properties gt Remote Access gt VPN IPSEC Phase 2 1 Set the required properties in the window and disable Enforce Encryption Algorithm and Data Integrity on all users 2 In the Encryption tab of the User Properties window select IKE and click Edit The IKE Phase 2 Properties window is displayed 3 Select the Encryption tab VPN for Remote Access Configuration 4 If you want the encryption and data integrity algorithms of the user to be taken from the Global Properties definitions select Defined in the Remote Access VPN page of the Global Properties window If you want to customize the algorithms for this user select Defined below and select the appropriate encryption and data integrity algorithms Working with RSA S Hard and Soft Tokens If you use SecurlD for authentication you must manage the users on RSA s ACE management server ACE manages the database of RSA users and their assigned hard or soft tokens SecureClient contacts
488. nsure the leased line is used only when one of the gateways goes down Random Selection Using this method a different gateway is randomly selected as an entry point for incoming traffic Evenly distributing the incoming traffic through all the available gateways can help prevent one gateway from becoming overwhelmed with too much incoming traffic The gateways are probed with RDP packets as in all other MEP configurations to create a list of responding gateways A gateway is randomly chosen from the list of responding gateways If a gateway stops responding another gateway is randomly chosen A new gateway is randomly selected for every source destination IP pair While the source and destination IP s remain the same the connection continues through the chosen gateway In such a configuration RIM is not supported IP Pool NAT must be enabled to ensure return packets are correctly routed through the chosen gateway Explicit MEP Manually Set Priority List The gateway that will be chosen from the central gateways in the star community as the entry point to the core network can be controlled by manually setting a priority per source gateway Each priority constitutes a MEP Rule as illustrated in Figure 12 4 Figure 12 4 MEP Rules In Figure 12 4 three MEP members M1 M2 M3 provide entry points to the network for three satellite gateways S1 S2 S3 Satellite S1 can be configured to try the gateways in the following
489. nt ketene eee 333 Policy Server High Availability ccccccccssccccceceeeceseeeeeseeeeseeeeseeeeeaeeesaees 333 Wireless Hot Spot Hotel Registration ccccccsccccssccceeeceseeceseeeeeseeeeeaeeeeaes 334 EnablesiGee ing taste EES E soe saatsaesthaavedes tives E ieee 335 NAT Traversal TUNNELING sitesci2 sco apnena ove aa aa a d aa E ATEENAN 336 ldle ss Detection ieiet aad i onesies cab ddan E En EE ENEE 337 SWITCHING Modes neea a aa we n eee Voe a eana a anden vader a Tala ANIG E Re 338 HTML Based Help irii oeie en eenaa becaceuadeccdsecceas edecdsdelalaeted colviad detidon eat 339 Gontiguring Sec reClientson is ieipi na eier an a a aee a aa aaa T a a ai 340 Configuring SCV Granularity for VPN Communities cccceseeeeseeeeeaeeeeens 340 Configuring block_Scv_client_CONnNe ction cccccceeccceecceeeeeeseeeeseeeeeeeeeeeaes 340 Configuring Selective Routing ccccccccecceceeceseeeeeeeeeeeeeeeeeeeeeseeeeseeeeeaeeeags 341 Configuring Desktop Security Policy Expiration Time cccccssececeeseeeeeeeeaes 342 Configuring Hot Spot Hotel Registration ccccccccsecccseeceseeeeseeeeeeeeeeeaeeeeaes 343 Configuring Enable Logging sa1 i2 ccaec chee tee ctsaten feand ej ssheewvaeeacticereiveds 344 Table of Contents 11 Configuring NAT Traversal arsine a e a a a Sane ad eiai 345 Enable Disable Switching Modes iori iiron atirei eni iaa aaa a a aaas i 347 Add HTML Help to Package srini e a aaea a a a
490. nt machine or one user for all machines and generate a certificate for each client machine user The steps are the same as those required to define users and their certificate see VPN for Remote Access Configuration on page 283 Add users that correspond to the client machines to a user group and add the user group to the Remote Access VPN community Configuring Office Mode and L2TP Support 1 2 3 Configure Office Mode For detailed instructions see Configuring Office Mode on page 314 In the gateway object Remote Access page check Support L2TP Select the Authentication Method for the users e To use certificates choose Smart Card or other Certificates encryption enabled e To use a username and a shared secret password choose MD5 challenge 4 For Use this certificate select the certificate that the gateway presents in order to authenticate itself to users This certificate is used if certificates are the chosen Authentication Method for users in step 3 Preparing the Client Machines 1 512 In the Windows Services window of the client machine make sure that the IPSec Policy Agent is running It should preferably be set to Automatic Make sure that no other IPSec Client such as SecuRemote SecureClient is installed on the machine Configuring Remote Access for Microsoft IPSec L2TP Clients Placing the Client Certificate in the Machine Certificate Store Oe es OP Oe a ye SS
491. nternet Protocol IP on 50 Smart Card Removal Detection If a NAT device is detected during the initial negotiation communication between gateway and client switches to UDP port 4500 Port 4500 is used for the entire VPN session Ss Note NAT T packets or the packets of any other protocol need to return to the client through the same interface they came in on While the recommended deployment is to place the Connectra gateway in a public DMZ with a single interface for all traffic it is also possible to deploy Connectra with inbound and outbound interfaces the default route being the outbound route towards the Internet Endpoint Connect only connects to the Connectra gateway s default outbound interface Smart Card Removal Detection If remote users authenticate through a Smart Card and the smart card or smart reader is removed from the USB port the client detects that the certificate is no longer available and disconnects from the site A VPN tunnel has disconnected Smart card was removed message is displayed to the user To configure this behavior On the gateway ae 2 Open SFWDIR conf trac_client_1 ttm for editing Locate the line disconnect_on smartcard removal gateway default client decide Replace Client_decide with either TRUE or FALSE If leave the decision to the client then on the client a Open programfiles checkpoint endpoint connect trac defaults for editing b Loc
492. nts and users can be issued by the same CA or a different CA The users and the client machines are defined separately as users in SmartDashboard Certificates can be issued by e The Internal Certificate Authority ICA on the Security Management server or Solution Working with L2TP Clients e An OPSEC certified Certificate Authority The certificates must use the PKCS 12 format which is a portable format for storing or transporting private keys and certificates The certificates are transferred to and stored on the client machine Authenticating the Client Machine During IKE The Microsoft IPSec L2TP client machine needs a certificate to authenticate itself to the security gateway during IKE negotiation It is possible to have only one certificate for all client machines but you will then not be able to identify the machine that the user logged on from For example SmartView Tracker would show user bob machine generic_laptop rather than user bob machine bob_laptop The computer account we call it the machine account must use PKI and must be in the RemoteAccess community It is not affected by the authentication scheme in the Remote Access tab in the GUI It may or may not be a good idea to use the same certificate and machine user for all clients You can use an internal CA certificate with no problem for this user It makes no difference if the authentication tab is defined or not The user account is more
493. o Create Profile only The profile will be created according to the setting you have pre defined in the wizard and you will be returned to the main Packaging Tool window Chapter 20 Packaging SecureClient 483 Creating a Preconfigured Package 484 e Yes Create profile and generate package If you choose this option the profile you ve created will be saved and you will be taken to the package generation wizard For instructions regarding this wizard proceed to Generating a Package on page 484 You can always create packages from a saved profile at a later time Generating a Package This section describes how to generate a SecureClient package according to the settings defined in a package profile Preparation If you have not already prepared a base package do so now as follows 1 Obtain an original SecureClient installation package This package will be the base package upon which the Packaging Tool will create the new custom SecureClient package Copy the clean SecureClient package to an empty directory If the package is zipped or tarred you should unpack the package to the empty directory Once you have a base package proceed as follows 3 Run the SecureClient package generation wizard You can run the wizard immediately after creating a new package profile by selecting Yes Create profile and generate package or from the main Packaging Tool window by highlighting a previously created profile an
494. o be defined as the VPN domain e VPN Site Community member plus VPN domain A typical VPN site would be the branch office of a bank e VPN Community The collection of VPN tunnels links and their attributes e Domain Based VPN Routing VPN traffic based on the encryption domain behind each gateway in the community In a star community this allows satellite gateways to communicate with each other through center gateways e Route Based VPN Traffic is routed within the VPN community based on the routing information static or dynamic configured on the Operating Systems of the gateways Figure 4 3 VPN Terminology VPN community The methods used for encryption and ensuring data integrity determine the type of tunnel created between the gateways which in turn is considered a characteristic of that particular VPN community Chapter 4 Introduction to Site to Site VPN 65 The Check Point Solution for VPN Ss Security Management server can manage multiple VPN communities which means communities can be created and organized according to specific needs Note Defining services in the clear in the community available in gateway to gateway communities is not supported if one of the internally managed members is of version earlier than NG FP3 Remote Access Community A Remote Access Community is a type of VPN community created specifically for users that usually work from remote locations outside of the corporate LAN This ty
495. o confirm the setting 356 7 Enabling Endpoint Connectivity Locate the endpoint_vpn_client_settings for_gateway property Select the row and right click Select Edit and click OK to confirm the setting Select the endpoint_vpn_connectivity_method property Select Edit and change the value to IPSEC Select the endpoint_vpn_enable property Select Edit and change the value to True Save changes Exit GuiDBEdit Open SmartDashboard You will be prompted to download a new version of SmartDashboard Using the new SmartDashboard configure the gateway for Endpoint connectivity See Configuring the Gateway Using SmartDashboard on page 358 Install the policy Chapter 17 Endpoint Connect 357 Configuring the Gateway Using SmartDashboard Configuring the Gateway Using SmartDashboard In This Section Obligatory Settings page 358 Endpoint Connect Advanced Settings page 363 Obligatory Settings In SmartDashboard 1 Open the General Properties window for the gateway 2 Enable VPN x General Properties Check Point Gateway General Properties Additional Products Topology Machine RAT Name Corporate gw Color E E VPN IP Address 143 100 75 1 Get address Dynamic Address E Remote Access Authentication Comment Corporate Gateway Logs and Masters Capacity Optimization Cooperative Enforceme Secure Internal Communication E Advanced gt Communication DN Platform Hardware
496. object that represents the IP pool NAT addresses for that gateway The IP pool can be a network group or address range For an address range for example e On the network objects tree right click Network Objects branch gt New gt Address Range The Address Range Properties window opens e On the General tab enter the first IP and last IP of the address range e Click OK In the network objects tree Address Ranges branch the new address range appears On the gateway object where IP pool NAT translation is performed Gateway Properties window NAT page IP Pools for Gateways section select either or both e Use IP Pool NAT for VPN client connections e Use IP Pool NAT for gateway to gateway connections e In the Allocate IP Addresses from field select the address range you created e Decide after how many minutes unused addressees are returned to the IP pool e Click OK Edit the routing table of each internal router so that packets with an a IP address assigned from the NAT pool are routed to the appropriate gateway Chapter 28 Multiple Entry Point for Remote Access VPNs 603 Configuring Preferred Backup Gateway Configuring Preferred Backup Gateway In SmartDashboard 1 Click Manage gt Remote Access gt Connection Profiles 2 Select existing profile and click Edit or click New gt Connection Profile The Connection Profile Properties window is displayed Figure 28 2 Connection Profile Properties Page
497. ocalhost configure terminal SSeS am Enable OSPF and provide an OSPF router ID localhost config router ospf 1 localhost config router ospf router id 170 170 1 10 Define interfaces IP s on which OSPF runs Use the cluster IP as defined in topology and the area ID for the interface IP localhost config router ospf network 10 0 1 10 0 0 0 0 area 0 0 0 0 localhost config router ospf network 10 0 1 20 0 0 0 0 area 0 0 0 0 Redistribute kernel routes this is only here as an xample please s the dynamic routing book for more specific commands concerning redistribution of routes localhost config router ospf redistribute kernel localhost config router ospf exit localhost config exit s2 es Write configuration to disk localhost write memory IU0 999 Configuration written to etc gated ami localhost quit Enabling Dynamic Routing Protocols on VTIs Table 6 7 Dynamic Routing on GWb SSSSSs55 Launch the Dynamic Routing Module GWb expert Enter expert password You are in expert mode now Expert GWb cligated localhost gt enable localhost configure terminal a ae Enable OSPF and provide an OSPF router ID localhost config router ospf 1 localhost config router ospf router id 180 180 1 1 Sa Seess Define interfaces IP s on which OSPF runs Use the cluster IP as defined in topology and the area ID for the interface IP localhost config router ospf
498. oft IPSec L2TP client This authentication is in addition to the client machine authentication in step 3 This identification can happen via two methods e 6A Certificate e An MD5 challenge whereby the user is asked to enter a username and a password pre shared secret 8 The security gateway allocates to the remote client an Office Mode IP address to make the client routable to the internal network The address can be allocated from all of the Office Mode methods 9 The Microsoft PSec L2TP client connects to the gateway and can browse and connect to locations in the internal network Behavior of an L2TP Connection When using an PSec L2TP client it is not possible to connect to organization and to the outside world at the same time This is because when the client is connected to the gateway all traffic that leaves the client is sent to the gateway and is encrypted whether or not it is intended to reach the protected network behind the gateway The gateway then drops all encrypted traffic that is not destined for the encryption domain of the gateway security Gateway Requirements for IPSec L2TP In order to use Microsoft IPSec L2TP clients the security gateway must be set up for remote access The setup is very similar to that required for remote access using SecuRemote SecureClient and involves creating a Remote Access community that includes the security gateway s and the user groups An additional requirement is to con
499. ollow the instructions in the wizard to complete the installation During installation the ActiveSync service prompts users to install the software on the device 3 Click OK to install the new version Existing configuration settings are not lost during upgrade but transferred to the new version Uninstall To uninstall the MSI package 1 Click Start gt Settings gt Control Panel gt Add Remove Programs 2 Highlight Check Point SecureClient Mobile and then click Remove 3 Follow the instructions in the wizard to complete the uninstallation If you want to remove the client from the device see Uninstall on page 440 to follow the CAB Package uninstall procedure Chapter 19 SecureClient Mobile 441 Configuring SecureClient Mobile Configuring SecureClient Mobile In order for SecureClient Mobile clients to work in centrally managed mode the following configuration is required a A 442 Configure a remote access community that includes all the supporting gateways Enable load sharing and high availability features for each gateway Configure Office Mode for each gateway Define a topology for remote access for each gateway Set global properties for SecureClient Mobile neo properties Establish connectivity settings Define a security policy Advanced properties can be set with GuiDBEdit tool Enable and configure support for SecureClient Mobile on each gateway Install a SecureClient Mobile License SKU
500. on delete the name s of the unwanted file s Save the file Continue to Creating a CAB Package on page 473 Chapter 19 SecureClient Mobile 471 Client Deployment Overview 472 Exporting the Client Configuration The administrator can provide all users with customized settings that are pre configured on a SecureClient Mobile installation package This is done by exporting an existing client configuration into a config file that is then added to a customized client CAB package This customized package can then be installed upgraded to the connecting devices To export the client configuration l 2 Install the client on a handheld device Configure a client with the required configuration for example configure the client s firewall options and connection to the gateways You can now export the database with the current client configuration settings To export the database locate the database c file on the client and in the global properties section of database c change the value of the property neo allow client db export tO true Copy the database c file to the client folder Restart the client In SecureClient Mobile select Menu gt Help gt Export db This exports the current settings to the startup c file which contains the nonconfidential data in the database Replace the startup c file that is located in the conf folder of the preconfigured package This file may be edited manually using a text
501. on all interfaces e check that IP forwarding is not enabled e check that non TCP IP protocols are not installed Using SCV with these clients is limited to these tests only and does not offer the complete SCV functionality described above It is possible to configure the gateway to rely on these tests to determine the SCV status of the client however this is somewhat misleading since it doesn t offer an indication about the security level of the user s desktop in the parameters that were not covered by these basic tests In general it is recommended to upgrade earlier clients to the latest versions in order to benefit from the enhancements added to the SCV mechanism in the new versions 528 Configuring SCV Configuring SCV In This Section Server Side Configuration page 529 Client Side Configuration page 530 SCV Policy Syntax page 530 Server Side Configuration l First you need to configure several general parameters regarding SCV Open your SmartDashboard and go to Policy gt Global Properties and select the Remote Access gt Secure Configuration Verification SCV tab This tab has several options Apply Secure Configurations on Simplified Mode specifies whether all remote access rules in the simplified policy mode should have the SCV flag turned on Upon Verification failure specifies the action that should be performed when the client fails one or more SCV checks The options are to Block the client s
502. on appears when the client disconnects false true client_decide neo disconnect _when_in_en c domain If the client is connected to a site and an interface appears with an IP address located within one of the VPN encryption domains the client disconnects A message balloon appears when the client disconnects false true client_decide Table 19 2 Gateway Properties Property neo_enable Description A gateway property which activates neo support false true Valid Values Default value in bold neo user auth methods Client authentication methods certificate certificate with enrollment legacy mixed neo encryption methods Client encryption methods RC4 3DES only 3DES or 460 Table 19 2 Gateway Properties Advanced Configuration Property eo upgrade mode Description Client upgrade mode Valid Values Default value in bold no upgrade ask user force upgrade which the client sends keep alive packets in seconds neo upgrade version The client required a number in version hexadecimal format neo upgrade url Client download absolute URL neo keep alive timeout The frequency with 10 MAX_INT 20 default neo package id The gateway allows only clients with these package IDs to connect comma separated list neo user re auth timeout The session validity timeout in minutes 10 14
503. on configuration proceed as follows Note that the order is important 8 In the Connect window click Properties 9 Configuring Remote Access for Microsoft IPSec L2TP Clients In the Networking tab select the L2TP server 10 In the Security tab choose Advanced gt Settings and select Use extensible Authentication protocols or Allow these protocols If you select Use extensible Authentication protocols Choose either MD5 challenge or Smart Card or other Certificates encryption enabled Make the same choice as made on the gateway If you select Allow these protocols Choose Unencrypted password PAP For more information see Configuring Office Mode and L2TP Support on page 512 11 Click OK to save the configured settings and to return to the Connect window 12 In the Connect window enter the user name and password or select a certificate Configuring User Certificate Purposes To configure the CA to Issue Certificates with Purposes 1 If using the ICA run the ICA Management Tool for more details about the tool see the chapter The Internal Certificate Authority ICA and the ICA Management Tool in the Security Management Server Administration Guide and in the Configure the CA page e Change the property IKE Certificate Extended Key Usage property to the value 1 to issue gateway certificates with the server authentication purpose e Change the property IKE Certificate Extended Ke
504. onfiguration 583 SecuRemote SecureClient and Secure Domain Logon SDL SecuRemote SecureClient and Secure Domain Logon SDL The Problem When a SecuRemote SecureClient user logs on to a domain controller the user has not yet entered his or her SecuRemote SecureClient credentials and so the connection to the domain controller is not encrypted The Solution When the Secure Domain Logon SDL feature is enabled then after the user enters the OS user name and password but before the connection to the domain controller is started SecuRemote Client User Authentication window is displayed When the user enters the SecuRemote SecureClient credentials the connection to the domain controller takes place over an encrypted tunnel Enabling and Disabling Secure Domain Logon To enable Secure Domain Logon SDL select Enable Secure Domain Logon from the SecuRemote SecureClient Passwords menu Note the following e For Windows NT and Windows 2000 e SDL can only be enabled by the administrator and only if the machine is configured as part of a domain e You must reboot after enabling or disabling SDL e f you are using WINS see WINS Connect Mode Only on page 585 configure WINS before enabling SDL e Do not change the machine domain configuration when Secure Domain Logon is enabled 584 SecuRemote SecureClient and Secure Domain Logon SDL Domain Controller Name Resolution If SecuRemote SecureClient is configur
505. onfiguration Verification 553 Configuring SCV 554 Mismatch message to be displayed when the SecureClient s build does not match the local scv s configuration EnforceBuild 9x Operand gt Operator for comparing the local scv s build number with the client build number on Windows 9x platforms SecureClient 9x BuildNumber 52030 SecureClient build number for windows 9x platforms EnforceBuild NT Operand Operator for comparing the local scv s build number with the client build number on WindowsNT platforms SecureClient NT BuildNumber 52030 SecureClient build number for WindowsNT platforms EnforceBuild 2K Operand gt Operator for comparing the local scv s build number with the client build number on Window 2000 platforms SecureClient 2K BuildNumer 52030 SecureClient build number for Windows 2000 platforms EnforceBuild XP _Operand gt Operator for comparing the local scv s build number with the client build number on Windows XP platforms SecureClient XP Buildnumber 52030 SecureClient build number for Windows XP platforms sc_ver_scv does not support the begin or and the begin and syntax See also Expressions and Labels with Special Meanings 12 user_policy_scv Parameters logged on to policy server true false Specifies whether the user has to be logged on to a Policy Server to be considered SCVed policy refresh rate 168
506. onnected e TrAuthInformation mAuthInfo the authentication scheme for the given site e TrConn mConnHandle the connection handle TrConnConnect Connects to the site according to the given connection handle Also checks to see whether the user cancels the action at any point Prototype TRAPI CPAPI TrStatus TrConnConnect IN TrConnStruct connStruct 394 Client Functions Communicating with Service Arguments Argument IN OUT Meaning connStruct in Specifically only the connhandle and authentication information inside the STRUCT are required TrConnCance lConnect Cancels the connection to the given site Prototype TRAPI CPAPI TrStatus TrConnCancelConnect TrConn connHandle Arguments Argument IN OUT Meaning n Handle of the site to cancel connHandle TrConnCreate Creates a new site according to the data given in connStruct and returns a connection handle Prototype TRAPI CPAPI TrStatus TrConnCreate IN TrConnStruct connStruct Arguments Argument IN OUT Meaning n the STRUCT that contains the display name IP address of the site s gateway and the FQDN connStruct TrConnDelete Deletes a site according to the given connection handle Prototype TRAPI CPAPI TrStatus TrConnDelete TrConn connHandle Chapter 18 Endpoint Connect API 395 Client Functions Communicating with Service 396 Arguments Argument IN OUT
507. ontrol and encryption Table 13 1 An example Encrypt rule in a Traditional Rule Base Source Destination Service Action Track Install On Net_A Net_A My_Services Encrypt Log Gateway 1 Net_E Net_E Gateway 3 A connection that matches an Encrypt rule is encrypted or decrypted and forwarded by the gateways enforcing the policy Chapter 13 Traditional Mode VPNs 253 VPN Domains and Encryption Rules 254 Sometimes a connection may match the encrypt rule but will not be encrypted Consider the following rule Table 13 2 An Encrypt rule where encryption does not take place Source Destination Service Action Track Install On X Y My_Services Encrypt Log Policy Targets 1 If the source or the destination are behind the security gateway but are not in the VPN Domain of the gateway the connection is dropped For example referring to Figure 13 1 and Table 13 2 if Source X is in Net_C and Destination Y is in Net_D gateway 1 drops the connection This is because the Action says Encrypt but the connection cannot be encrypted because the source is not in the VPN Domain of gateway 1 If the source and destination are inside the VPN Domain of the same gateway In this case the connection is accepted in the clear For example referring to Figure 13 1 and Table 13 2 if Source X is in Net_A and Destination Y is in Net_B the connection originates at X and reaches the gateway w
508. onversion of Auth Encrypt Rules page 726 How the Converter Handles Disabled Rules page 727 After Running the Wizard page 727 717 Introduction to Converting to Simplified VPN Mode 718 Building VPNs using Simplified Mode has many benefits Simplified Mode makes it possible to maintain and create simpler and therefore less error prone and more secure VPNs Simplified Mode separates the VPN definitions from the Access Control Security Policy This makes it easier to understand the VPN topology of an organization and to understand who is allowed to securely communicate with who In addition such as VPN routing are supported only with a Simplified Mode Security Policy In order to manage all existing policies in a unified way and utilize the latest features of the current release it is recommended to convert Traditional Mode Security Policies to Simplified Mode For new policies it is recommended to use Simplified Mode the default option A security policy configured in Traditional Mode can be converted to the Simplified VPN Mode using the Security Policy Converter Wizard After using the converter wizard it is possible to greatly simplify many security policies by moving rules and grouping rules together The process is simple and both automatic and manual changes are explained here in detail The intention is to give you the confidence to move your Traditional VPN Policies to the Simplified VPN Mode To start the converter wi
509. or implicit cleanup rules are automatically appended at the end of both the inbound and outbound policies e The outbound implicit rule allows all connections originating from the SecureClient machine thus allowing connections which do not match any of the previous rules e The inbound implicit rule blocks all connections destined to the SecureClient machine which do not match any of the previous rules on the assumption that what is not explicitly allowed is to be rejected 492 Desktop Security Solution User Granularity You can define different rules for remote users based on location and user groups Location For example you can define a less restrictive policy for a user connecting from within the organization e g a user with SecureClient installed on his laptop connecting from within the organization and a more restrictive policy for the same user connecting from outside the organization from a hotel room This is done in the user s security Rule Base by configuring the location of the users for which the rule should be implemented User Groups For example you can define restrictive rules for ordinary users but allow system administrators more access privileges In addition you can define rules to be enforced for all remote users by not specifying a specific user group but rather all users Rules do not specify individual users but rather user groups Because SecureClient does not know to which groups
510. or Windows XP users and another for Windows 98 users The administrator can save all the profiles in a central database To allow the client to connect to the organization from the moment it is installed the administrator can specify Partial Topology information for a site that is the IP address of the site or of its Security Management server This information is included in the package The first time the user connects to and authenticates to the site the site s full topology is downloaded to the client The SecureClient package can also include scripts to be run after the installation of SecureClient The MSI Packaging Solution MSI is a standard file format for application distribution in a Windows environment Once a profile is created it is saved and may be distributed to SecuRemote and SecureClient users The MSI package installs SecuRemote SecureClient Extended View with default settings and can be customized using the command line based tool cpmsi_tool Split Installation When used with 3rd party software distribution systems the connection to the distribution server is broken once the SecuRemote SecureClient kernel is installed the result is that the distribution server is not aware that the installation ended In order to resolve such cases a Split Install feature is available Creating a Preconfigured Package Creating a Preconfigured Package In This Section Creating a New Package Profile page 483 Generatin
511. or can be configured to check the version and service pack of Internet Explorer The script looks as follows RegMonitor type plugin parameters begin_or orl keynexist Software Microsoft Internet Explorer string Software Microsoft Internet Explorer Version gt 6 begin_and and1 string Software Microsoft Internet Explorer Version gt 5 5 string Software Microsoft Windows CurrentVersion Internet Settings MinorVersion gt SP2 string Software Microsoft Windows CurrentVersion Internet Settings MinorVersion lt SP9 end and and1 begin_and and2 string Software Microsoft Internet Explorer Version gt 5 5 string Software Microsoft Windows CurrentVersion Internet Settings MinorVersion gt SP2 string Software Microsoft Windows CurrentVersion Internet Settings MinorVersion lt SP9 end_and and2 end or orl begin_admin admin send_log alert mismatchmessage Your IE must be at least version 5 5 with SP2 send admin 9 SCVMonitor Parameters e scv_version gt 541000076 Configuring SCV Represents the SCV product s build number This is the version of the DLLs in charge of the SCV checks This number differs from the build number of SecureClient SCV products can be upgraded and maybe updated without updating SecureClient The string is an operator followed by the DLL s version number in the format vvyshhhbbb
512. or other Security Gateway running a Visitor Mode Server Internet SecureClient q All required VPN connectivity IKE IPsec etc between the Client and the Server is tunneled inside this TCP connection This means that the peer gateway needs to run a Visitor Mode TCP server on port 443 Note e Even if the remote location s gateway in Figure 31 5 is not a Check Point product a gateway from another vendor Visitor mode will still tunnel a connection through it e While in Visitor Mode you can not define a new site e Topology update takes place only if the last connection used a profile that enabled Visitor Mode Enforcement Module limiting connections to ports 80 and 443 Chapter 31 Resolving Connectivity Issues 685 Overcoming Restricted Internet Access 686 Number of Users To obtain optimal performance of the Visitor Mode server e Minimize the number of users allowed Visitor Mode if performance degrades e Increase the number of sockets available on the OS by editing the appropriate values for example the socket descriptor on Linux systems Allocating Customized Ports The organization decides that it would like to use a customized port for the Visitor Mode Server other than the typically designated port 443 In this scenario another port that is mutually agreed upon by all the remote locations and the home organization can be used for Visitor Mode This solution works well with business partners the
513. order M1 M2 M3 giving the highest priority to M1 and the lowest priority to M3 Satellite S2 can be configured to try the gateways in the following order M2 M3 but not to try M1 Each of these priorities constitutes a MEP rule in the MEP manual priority list window as shown in Figure 12 5 Chapter 12 Multiple Entry Point VPNs 237 Explicit MEP 238 Figure 12 5 MEP Rules MEP manual priority list Add Rule Bemove Rule Cancel Help The MEP manual priority list window is divided into the default rule and rules which provide exceptions to the default rule The default MEP rule takes effect when e No MEP rules are defined e When the source of the connection cannot be found in the Exception priority rules The Exception priority rules section contains three priority levels primary secondary and tertiary While there are only three priority levels e The same priority can be assigned to several central gateways e The same rule can be assigned to several satellite gateways e A priority level can be left blank In Figure 12 6 in the second MEP rule central gateways M3 and M1 have equal priority The same rule is being applied to satellites S2 and S3 Figure 12 6 Sample MEP rules Explicit MEP When more than one gateway is assigned the same priority level which gateway will be chosen is resolved according to the Advanced settings See Advanced Settings on page 239 Advanced Settings
514. orward Secrecy PFS refers to the condition in which the compromise of a current session key or long term private key does not cause the compromise of earlier or subsequent keys Security gateways meet this requirement with a PFS mode When PFS is enabled a fresh DH key is generated during IKE phase II and renewed for each key exchange However because a new DH key is generated during each IKE phase I no dependency exists between these keys and those produced in subsequent IKE Phase negotiations Enable PFS in IKE phase II only in situations where extreme security is required Chapter2 IPSEC amp IKE 49 Overview 50 The DH group used during PFS mode is configurable between groups 1 2 5 and 14 with group 2 1042 bits being the default Note PFS mode is supported only between gateways not between gateways and remote access Clients Compression IP compression is a process that reduces the size of the data portion of the TCP IP packet Such a reduction can cause significant improvement in performance IPsec supports the Flate Deflate IP compression algorithm Deflate is a smart algorithm that adapts the way it compresses data to the actual data itself Whether to use IP compression is decided during IKE phase II IP compression is not enabled by default IP compression is important for SecuRemote SecureClient users with slow links For Example dialup modems do compression as a way of speeding up the link Security gateway en
515. ost config router ospf redistribute kernel localhost config router ospf exit localhost config exit s2 es Write configuration to disk localhost write memory IU0 999 Configuration written to etc gated ami localhost quit Configuring Anti Spoofing on VTIs Configuring Anti Spoofing on VTIs In SmartDashboard Select Manage gt Network Objects Select the Check Point gateway and right click Edit In the Properties list click Topology Click Get gt Interfaces to read the interface information on the gateway machine Select an interface click Edit a ae Pe a In the Interface Properties window click Topology VPN Tunnel Interface Properties faeces General Topology Multicast Restrictions Topology IP Addresses behind peer gateway that are within reach of this interface Not Defined C Dont check packets from Spoof Tracking None Log O Aet 7 In the IP Addresses behind peer gateway that are within reach of this interface section select e Not Defined to accept all traffic e Specific to choose a particular network The IP addresses in this network will be the only addresses accepted by this interface Chapter6 Route Based VPN 151 Configuring Anti Spoofing on VTIs 8 In the Perform Anti Spoofing based on interface topology section select Don t check packets from to ensure anti spoof checks do not take place for addresses from certain internal networ
516. outed into the VPN tunnel using the IP routing mechanism of the Operating System Gateway objects are still required as well as VPN communities and access control policies to define which tunnels are available However VPN encryption domains for each peer gateway are no longer necessary The decision whether or not to encrypt depends on whether the traffic is routed through a virtual interface The routing changes dynamically if a dynamic routing protocol OSPF BGP is available on the network SecurePlatform Pro The administrator runs a daemon on the gateway to publish the OS Note For NGX R60 and above the dynamic routing suite has been incorporated into changed routes to the network When a connection that originates on GWb is routed through a VTI to GWc or servers behind GWc and is accepted by the implied rules the connection leaves GWb in the clear with the local IP address of the VTI as the source IP address If this IP address is not routable return packets will be lost The solution for this issue is e configure a static route on GWb that redirects packets destined to GWc from being routed through the VTI e not including it in any published route e adding route maps that filter out GWc s IP addresses Having excluded those IP addresses from route based VPN it is still possible to have other connections encrypted to those addresses i e when not passing on implied rules by using domain based VPN definitions T
517. outing protocols to use VTls A dynamic routing protocol daemon running on the security gateway can exchange routing information with a neighboring routing daemon running on the other end of an IPSec tunnel which appears to be a single hop away Route Based VPN is supported using SecurePlatform and Nokia IPSO 3 9 platforms only and can only be implemented between two gateways within the same community VPN Tunnel Interface VTI VPN Tunnel Interface VTI A VPN Tunnel Interface is a virtual interface on a security gateway that is associated with an existing VPN tunnel and is used by IP routing as a point to point interface directly connected to a VPN peer gateway The VPN routing process of an outbound packet can be described as follows An IP packet with destination address X is matched against the routing table The routing table indicates that IP address X should be routed through a point to point link which is the VPN Tunnel Interface that is associated with peer gateway Y The VPN kernel intercepts the packet as it enters the virtual tunnel interface The packet is encrypted using the proper IPsec Security Association parameters with peer gateway Y as defined in the VPN Community and the new packet receives the peer gateway Y s IP address as the destination IP Based on the new destination IP the packet is rerouted to the physical interface according to the appropriate routing table entry for Y s address The opposite
518. p and running Permanent Tunnels are constantly kept active and as a result make it easier to recognize malfunctions and connectivity problems Administrators can monitor the two sides of a VPN tunnel and identify problems without delay Each VPN tunnel in the community may be set to be a Permanent Tunnel Since Permanent Tunnels are constantly monitored if the VPN tunnel is down then a log alert or user defined action can be issued A VPN tunnel is monitored by periodically sending tunnel test packets As long as responses to the packets are received the VPN tunnel is considered up If no response is received within a given time period the VPN tunnel is considered down Permanent Tunnels can only be established between Check Point gateways The configuration of Permanent Tunnels takes place on the community level and Overview e Can be specified for an entire community This option sets every VPN tunnel in the community as permanent e Can be specified for a specific gateway Use this option to configure specific gateways to have permanent tunnels e Can be specified for a single VPN tunnel This feature allows configuring specific tunnels between specific gateways as permanent Permanent Tunnels in a MEP Environment In a Multiple Entry Point MEP environment VPN tunnels that are active are rerouted from the predefined primary gateway to the backup gateway if the primary gateway becomes unavailable When a Perman
519. page define the VPN Domain select either e All IP Addresses behind gateway based on Topology information or e Manually defined Either select an existing network or group from the drop down list or create a new network or group by clicking New In the VPN page Certificate List area Add a certificate issued by the certificate authority defined in step 1 For details see Enrolling with a Certificate Authority on page 107 Still on the VPN page click Traditional mode configuration The Traditional mode IKE properties window opens e In the Support authentication methods area select Public Key Signatures To specify that the gateway will only use certificates issued by the CA specified in step 1 click Specify and select the CA e Select IKE Phase 1 encryption and data integrity methods or accept the checked defaults Repeat step 2 to step 8 for each gateway taking part in the VPN Defining the Encrypt Rule 10 In the Security Rule Base define the Encrypt rule s 11 If you wish to change the IKE Phase 2 properties for this rule double click the Encrypt action and make the required changes Configuring Traditional Mode VPNs Configuring VPN with Externally Managed Gateways Using Certificates Obtain Information from the Peer Administrator Obtain the gateway topology and VPN Domain information about the externally managed gateways from the peer administrator You must also agree on authentication encryption a
520. page 517 General Configuration Procedure Establishing a Remote Access VPN for Microsoft IPSec L2TP clients requires configuration to be performed both on the security gateway and on the client machine The configuration is the same as setting up Remote Access for SecuRemote SecureClients with a few additional steps It is highly recommended to read and understand Chapter 14 Introduction to Remote Access VPN before configuring Remote Access for Microsoft PSec L2TP clients The general procedure is as follows 1 Using SmartDashboard configure a Remote Access environment including generating authentication credentials normally certificates for the users Generate certificates to authenticate the client machines Configure support for Office Mode and L2TP on the security gateway On the client machine place the user certificate in the User Certificate Store and the client machine certificate in the Machine Certificate Store 5 On the client machine set up the Microsoft IPSec L2TP client connection profile Chapter 22 Layer Two Tunneling Protocol L2TP Clients 511 Configuring Remote Access for Microsoft IPSec L2TP Clients Configuration details are described in the following sections Configuring a Remote Access Environment 1 Follow the instructions in VPN for Remote Access Configuration on page 283 Defining the Client Machines and their Certificates 1 Define a user that corresponds to each clie
521. partner simply agrees to open a port for the visitor Mode connections If the chosen port is not represented by a pre defined service in SmartDashboard this service must be created in order for the port to be used If a port has been mutually agreed upon and there is a proxy configure the proxy to allow traffic destined to this port Note All partner gateways must agree on the same allocated port since the visitor Mode server on the peer gateway will be listening on only one port Visitor Mode and Proxy Servers Visitor Mode can still be utilized in instances where the remote location runs a proxy server In this scenario the remote user enables Visitor Mode connections to pass through the proxy server Overcoming Restricted Internet Access Figure 31 6 Incorporating a Proxy Server Using port 443 or other Security Gateway running TCP Server Intemet Remote location s Gateway SecureClient U s Remote location s Proxy server Visitor Mode When the Port 443 is Occupied By an HTTPS Server If the designated port is already in use for example reserved for HTTPS connections by a Server at the organization s gateway a log is sent Visitor Mode Server failed to bind to XXX Xxx xxx xxx yy either port was already taken or the IP address does not exist to Security Management server If the peer gateway is already running a regular HTTP server that also listens on the standard HTTPS port 443 then it must be set up
522. pe of community ensures secure communication between users and the corporate LAN For more information see Introduction to Remote Access VPN on page 269 VPN Topologies 66 The most basic topology consists of two gateways capable of creating a VPN tunnel between them Security Management server s support of more complex topologies enables VPN communities to be created according to the particular needs of an organization Security Management server supports two main VPN topologies e Meshed e Star Meshed VPN Community A Mesh is a VPN community in which a VPN site can create a VPN tunnel with any other VPN site in the community The Check Point Solution for VPN Figure 4 4 Basic Meshed communityp Security Gateway Security Security Gateway 7 Gateway mm _ D Security Security Gateway Gateway Star VPN Community A star is a VPN community consisting of central gateways or hubs and satellite gateways or spokes In this type of community a satellite can create a tunnel only with other sites whose gateways are defined as central Figure 4 5 Star VPN community p Satellite Gateway Satellite a NN G Gateway Satellite Gateway M Gateway A satellite gateway cannot create a VPN tunnel with a gateway that is also defined as a satellite gateway Central gateways can create VPN tunnels with other Central gateways only if the Mesh center gateways option has been sel
523. peer gateways are involved it is possible to configure a different preferred ISP for each group of peer gateways Chapter 11 Link Selection 221 Early Versions Compatibility Resolving Mechanism Early Versions Compatibility Resolving Mechanism 222 When connecting with gateways that are pre NGX the Early Versions Compatibility Resolving Mechanism effects the Link Selection method If an R7O security gateway is configured with a Link Selection method not available in previous versions the pre NGX gateway will not be able to resolve which IP address to use to connect By configuring the Early Versions Compatibility Resolving Mechanism the R70 gateway assigns a method to the pre NGX gateway that it is familiar with so it can resolve the IP address of the R70 security gateway See Configuring the Early Version Compatibility Resolving Mechanism on page 228 Configuring Link Selection Configuring Link Selection In This Section Resolving Addresses via Main and Single IPs page 223 Resolving Addresses using DNS lookup page 224 Resolving Addresses via Probing page 224 Configuring Outgoing Route Selection page 225 Configuring For Responding Traffic page 225 Configuring Source IP Address Settings page 226 Configuring On Demand links page 227 Configuring the Early Version Compatibility Resolving Mechanism page 228 Outgoing Link Tracking page 228 Link Selection is configured on each gateway in the VPN gt Link Sele
524. pened to the SecureClient i e allow a service in the inbound policy unless the user has a specific server running on that port Even if you do allow connections to be opened to the client be very careful about who is allowed to open the connection and from where A restrictive policy e g allow only POP3 IMAP and HTTP and block all the rest will make it more difficult for your users to work If you allow only specific services in the outbound policy and block all the rest every time you will find out that a certain service is needed by your users you will have to change the outbound policy and make sure the clients poll the new policy The best way to implement the outbound policy is to use rules only to block specific problematic services such as Netbus and allow the rest Outbound connections to the encryption domain of the organization are always encrypted even if the outbound rule for the service specifies accept Keep in mind that the implied rules see Implied Rules on page 492 may allow or block services which were not explicitly handled in previous rules For example if your client runs a server on his machine you must create an explicit rule allowing the connection to the client s machine If you do not the connection will be blocked by the inbound implicit block rule Desktop Security Considerations Avoiding Double Authentication for Policy Server When using Policy Server High Availability it is poss
525. plements gateways in a cluster load sharing or primary backup first to respond high availability configuration it is important that the client performs DNS resolution each time it connects to the site Providing e A site is defined by a DNS resolvable name rather than IP address e The DNS server is configured for DNS based Geo Cluster name resolution then Multiple Entry Point MEP for gateway redundancy can be implemented by the DNS server See Disabling DNS based Geo Cluster Name Resolution on page 377 for related information Hub Mode Hub mode is configured in two places 1 In Global Properties gt Remote Access gt Endpoint Connect tlobal Properties x Endpoint Connect Firewall NAT Network Add Authentication Authentication Settings HEN Enabl d caching 7 VPN 1 UTM Edge nable password caching No Remote Access Cache password for 14400 minutes VPN Basic i 420 i VPN Advance Re authenticate user every minutes VPN IKE Pha VPN IPSEC P Connectivity Settings Certificates Secure Configu Connect mode Configured on endpoint client x SSL Network E ae Configured dpoint client i Configure SecureClient Mc Location Aware Connectivity onfigured on endpoint client Lonhigure Endpoint Conne Disconnect when connectivity to network is lost Configured on endpoint client x Early Versions C Hot Spot Hotel Disconnect wh
526. point Connect 369 Configuring Optional Endpoint Connect Settings Configuring Optional Endpoint Connect Settings In This Section Link Selection and MEP page 370 Hub Mode page 371 Secure Configuration Verification page 373 Working with RSA Hard and Soft Tokens page 375 Configuring Logging Options for Client Users page 376 Disabling CAPI Authentication page 376 Disabling DNS based Geo Cluster Name Resolution page 377 Configuring Endpoint Compliance Checks page 378 NAT Traversal page 378 Smart Card Removal Detection page 379 Tunnel Idleness page 380 Cooperative Enforcement page 382 If you are considering migrating SecureClient users to Endpoint Connect then read the following sections before reaching a decision There are a number of important differences between SecureClient and Endpoint Connect For example e SecureClient supports link selection and multiple entry points The current release of Endpoint Connect accomplishes MEP through the use of a DNS server for configured for DNS based Geo cluster name resolution e Secure Configuration Verification SCV for Endpoint Connect is achieved through the use of Cooperative enforcement Link Selection and MEP Link Selection Because remote sites are defined on the client according to a single IP address or resolvable DNS name Link Selection is not supported Endpoint Connect ignores SecureClient link selection settings 370 Hub Mode Multiple Entry Points If a site im
527. pped Table B 6 Auth Encrypt Rule in Traditional Mode Source Destination Service Action Track All_Users alaska Net_D My_Services Client_Auth Log Since the identification of users is possible only in authentication rules and not in drop rules it is not possible to define a rule that drops connections that were not encrypted Add the Services that should not be encrypted inside the Community to the Excluded Services list For example if you have explicitly defined implied rules in the Traditional Policy See How to Authorize Firewall Control Connections in VPN Communities on page 88 Because of this Auth Encrypt rules cannot be automatically translated in such a way that the translated Rule Base is at least as restrictive as the original rule Instead the Converter wizard translates Auth Encrypt rules to a single rule and does not add a Drop rule as shown in Table B 7 This is a security problem because connections that match the Source location where the users authenticated successfully but were not encrypted may be accepted further down in the translated Rule Base if some later rule specifies Accept for the same Source Table B 7 Insecure Translated Auth Encrypt Rule in Simplified Mode Source Dest VPN Service Action Track All_Users alaska Net_D All_GwToGw My_Services Client Auth Log When the converter encounters Auth Encrypt rules it warns the administrator by displaying
528. py chkp skin2 Place logo image file in this directory Edit index css Goto company logo and replace the existing URL reference with a reference to the new logo image file Save Install Policy Note No spaces are allowed in the lt skin_name gt Configuring the Languages Option To configure the Languages Option The languages directory is located under SFWDIR conf extender on the SSL Network Extender gateways There may be two subdirectories They are e chkp contains languages that Check Point provides by default At upgrade this subdirectory may be overwritten e custom contains languages defined by the customer If custom does not exist yet create it At upgrade this subdirectory is not overwritten New languages are added in this subdirectory Chapter 30 SSL Network Extender 649 Configuring the SSL Network Extender 650 Disabling a Language 1 Enter the specific language subdirectory under custom that is to be disabled if it exists and create a file named disable This file may be empty 2 If the specific language does not exist under custom create it and then create a file within it named disable 3 Install Policy The next time that the user connects to the SSL Network Extender portal this language will not be available to him her Adding a Language 1 Enter the custom subdirectory 2 Create a folder with the desired language name Note Verify that this name is not already us
529. que IP address from the pool IP Assignment Based on Source IP Address IP addresses from the IP pool may be reserved and assigned to remote users based on their source IP address When a remote host connects to the gateway its IP address is compared to a predefined range of source IP addresses If the IP address is found to be in that range then it is assigned an Office Mode IP address from a range dedicated for that purpose The IP addresses from this reserved pool can be configured to offer a separate set of access permissions given to these remote users Office Mode Solution DHCP Server A Dynamic Host Configuration Protocol DHCP server can be used to allocate IP addresses for Office Mode clients When a remote user connects to the gateway using Office Mode the gateway requests the DHCP server to assign the user an IP address from a range of IP addresses designated for Office Mode users Security gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves The attributes are pre configured on the client side operating system and can be used by different DHCP servers in the process of distributing IP addresses Security gateways DHCP request can contain the following attributes e Host Name e Fully Qualified Domain Name FQDN e Vendor Class e User Class RADIUS Server A RADIUS server can be used for authenticating remote users When a remote user connects to a gateway t
530. r User authentication Table 32 2 Source Destination Service Action Any Web server HTTPS User Auth The rule states that when any source tries to connect to the web server using HTTPS then user authentication must be performed Select User Auth as the action if you need users to be authenticated but no content security performed on incoming packets Alternatively Table 32 3 Source Destination Service Action Any Web server HTTPS URI resource Client Auth The rule states that when any source tries to connect to the web server using HTTPS then client authentication must be performed Select Client Auth as the action if users need to be authenticated and incoming packets inspected for content Configuring the Client If one of the following conditions are true e The Security Server authenticates itself to the client using a certificate which is not signed by one of the client s default Certificate Authorities or e f user authentication is required and that authentication is performed via certificates then these certificates must be supplied to the client out of band and the client s browser configured to use them Otherwise no configuration needs to be performed on the client side Chapter 32 Clientless VPN 707 Configuring Clientless VPN Configuring the Client s Browser The certificate can be installed on the client s browser in two ways 1 The client receives
531. r 1 Qos Read Only Configuration Reporting gt Field Name Walid Values Default Value E third_party_encryption boolean False use_cert string defaultCert use_clientless_vpn boolean true use_interface_IP boolean true true use_interface_IP_GW 3 boolean true true m use_service reference https services table service_object Name https Table se vpn_clients_settings_for_gateway owned object vpn_clients_settings_for_gateway vpn_clients_settings_for_gateway NULL endpoint_vpn_client_settings owned object endpoint_vpn_client_settings_f endpoint_vpn_client_settings_for_gateway N endpoint_vpn_connectivity_method string IPSec IPSec SSL IPSec endpoint_vpn_enable boolean true vpn_comp_level unumber 2 1 3 2 vpn_link_resolver_notification string none none log alert mail snmptrap useralert useral none VPN_1 boolean true VPN_allow_relay boolean False VPN_relay_if_name string WAM boolean false abacus_server boolean false abacus_server_setting owned object abacus_server NULL add_adtr_rule boolean false additional _products owned object external_products NULL allow_extranet boolean false E 4 Ready 192 168 186 1 Read Write NUM A 2 On the Tables tab select Network Objects 3 In the Object Name window select the object that represents the R65 gateway cpmodule in Figure 17 7 4 In the Field Name table a Locate the vpn_clients_settings_for_gateway b Select the row and right click c Select Edit and click OK t
532. r of hosts Configuring Tunnel Features Monitoring Tunnels The status of all VPN tunnels can be viewed in SmartView Monitor For more information on monitoring see the Monitoring Tunnels chapter in the SmartView Monitor User Guide Chapter 7 Tunnel Management 175 Configuring Tunnel Features 176 Chapter 8 Route Injection Mechanism In This Chapter Overview Automatic RIM Custom Scripts tnimon conf File Injecting Peer Gateway Interfaces Configuring RIM page 178 page 179 page 181 page 183 page 184 page 186 177 Overview Overview 178 Route Injection Mechanism RIM enables a security gateway to use dynamic routing protocols to propagate the encryption domain of a VPN peer gateway to the internal network and then initiate back connections When a VPN tunnel is created RIM updates the local routing table of the security gateway to include the encryption domain of the VPN peer RIM can only be enabled when permanent tunnels are configured for the community Permanent tunnels are kept alive by tunnel test packets When a gateway fails to reply the tunnel will be considered down As a result RIM will delete the route to the failed link from the local routing table which triggers neighboring dynamic routing enabled devices to update their routing information accordingly This will result in a redirection of all traffic destined to travel across the VPN tunnel to a pre defined alternative path Th
533. r route metrics If the primary address fails and the connection fails over to a backup the VPN tunnel will stay with the backup until the primary becomes available again Last Known Available Peer The IP address used by a gateway during a successful IKE negotiation with a peer gateway is used by the peer gateway as the destination IP address for the next IPSec traffic and next IKE negotiations initiated by the peer gateway This is only the case when the Link Selection configuration is static without probing Outgoing Route Selection For outbound traffic there are two methods used to determine which path to use when connecting with a remote peer e Operating system routing table default setting Using this method the routing table is consulted for the available route with the lowest metric and best match for the VPN tunnel negotiation e Route based probing This method also consults the routing table for an available route with the lowest metric and best match However before a route is chosen it will be tested for availability using RDP probing The gateway then selects the best match highest prefix length active route with the lowest metric This method is recommended when there is more than one external interface Route based probing enables use of On Demand Links ODL which are triggered upon failure of all primary links A script is run to activate an On Demand Link when all other links with higher priorities become
534. ral Gateways page Add the central gateways e On the Central Gateways page select Mesh central gateways if you want the central gateways to communicate e On the Satellite Gateways page click Add to add the satellite gateways Chapter 4 Introduction to Site to Site VPN 79 Configuring Site to Site VPNs Confirming a VPN Tunnel Successfully Opens To confirm a VPN tunnel has successfully opened 1 Edit a rule in the Security Policy Rule base that encrypts a specific service between Member gateways of a VPN community for example FTP Select log as the tracking option Open an appropriate connection in this example FTP session from a host behind the first gateway to an FTP server behind the second 4 Open SmartView Tracker and examine the logs The connection appears as encrypted as in Figure 4 11 Figure 4 11 Sample log 4 fw log All Records Y Source Port Information BE LE NewYok Om ondon NewYork IKE Main Mode completion BE Le New ork Om London gt IKE Quick Mode completion EE Le NewYork Aw ftp London NewYork gt Total records 446 7A 80 Configuring a VPN with External Gateways Using PKI Configuring a VPN with External Gateways Using PKI Configuring a VPN with external gateways those managed by a different Security Management server is more complicated than configuring a VPN with internal gateways managed by the same Security Management server This is because
535. rc C on page 608 Do not manually edit Global properties keep alive true false Specifies whether the security gateway will maintain session key information for the Client to allow encrypted back connections at any time This property can also be controlled in SmartDashboard Global Managers keep alive interval 20 When keep_alive is true SecuRemote will ping the security gateway every n seconds where n is the number specified by the keep_alive_interval property This property can also be controlled in SmartDashboard Global Topology Ss Note Bold indicates the default value Global Managers or Gateway indicates the location in Userc C See Structure of Userc C on page 608 Do not manually edit Global properties topology over IKE true false Specifies whether New Site in SecuRemote will use IKE to authenticate the user If this property is set to true IKE will be used either using Hybrid Authentication i e any authentication method chosen in the Authentication tab of the user properties or using certificates If this property is set to False SSL will be used as in version 4 1 and users will need IKE pre shared secret or certificate configured to define a new site Global Managers encrypt_db true false Specifies whether the topology information in userc C is maintained in encrypted format Global silent _topo_ update true false Used for backwards compatibility
536. re Monitor IPv6 Configuration Show Configuration Summary 2 Click Config Configuring Unnumbered VTIs 3 On the Configuration page click Check Point Firewall 1 Configuration Security and Access Configuration tH Users Groups GAAA Network Access and Services Voyager Web Access SSL Certificate Tool SSH Secure Shell DPsec Misc Check Point FireWall 1 H 4 On the next page click FWVPN Configuration Notice The system must be rebooted after enabling the FireWall 1 package before this page becomes effective Run ifwd daemon to monitor interface changes on off Apply 5 On the FWVPN Tunnel Configuration page enter the name of the gateway you want to connect to in the Peer GW Object Name field Chapter 6 Route Based VPN 157 Configuring Unnumbered VTIs Select a proxy interface from the Proxy drop down menu FWVPN Tunnel Configuration Persistent Tunnels Interface Active Logical Name Peer Gateway IP Address Destination Encapsulation Status Delete Create anew FWVPN tunnel interface with Peer GW Object Name Proxy eth s3p1c0 xf 6 Click Apply 7 The new interface is now listed on the FWVPN Tunnel Configuration page FWVPN Tunnel Configuration a c Success Apply successful Persistent Tunnels Logical Peer IP Name Gateway Address Interface Acti
537. ress is required to reinitiate the IKE negotiation with a packet that includes that number If the peer does not reside at these IP addresses this unique number will never reach the peer This will thwart an attacker who is pretending to send IKE requests from many IP addresses IKE DoS attack protection is not available for third party gateways Under heavy load third party gateways and clients such as Microsoft PSec L2TP clients may be unable to connect Chapter2 IPSEC amp IKE 55 IKE DOS Protection 56 Using Puzzles to Protect Against IKE DoS Attacks Stateless protection is appropriate where the IKE packet appears to come from an identified source that is a machine that is allowed to initiate IKE negotiations such as a Check Point Security Gateway An unidentified source is an IP address that the receiving gateway does not recognize such as a SecuRemote SecureClient or a Check Point Security Gateway with a dynamic IP address An attacker may well have control of many unidentified IP addresses and may be able to reply to stateless packets from all these addresses Therefore if an attack comes from an unidentified source another approach is required The gateway can require that the source of the IKE request solves a computationally intensive puzzle Most computers can solve only a very few of these puzzles per second so that an attacker would only be able to send very few IKE packets per second This renders a DoS attack i
538. rets 1 In Policy gt Global Properties gt Remote Access gt VPN Basic select Pre Shared Secret For SecuRemote SecureClient users 2 Deselect Hybrid Mode For each user go to the Encryption tab of the User Properties window select IKE and click Edit to display the IKE Phase 2 Properties window 4 In the Authentication tab enable Password Pre Shared Secret and enter the pre shared secret into the Password Pre shared secret and Confirm Password fields 5 Inform the user of the password out of band Defining an LDAP User Group See LDAP and User Management in the Security Management Server Administration Guide 290 VPN for Remote Access Configuration Defining a User Group In SmartDashboard create a group for remote access users Add the appropriate users to this group Defining a VPN Community and its Participants 1 On the VPN Communities tree double click Remote_Access_Community The Remote Access Community Properties window opens i On the Participating Gateways page Add gateways participating in the Remote Access Community 3 On the Participating User Groups page Add the group that contains the remote access users Defining Access Control Rules Access control is a layer of security not connected with VPN The existence of a remote access community does not mean that members of that community have free automatic access to the network Appropriate rules need to be created
539. rface definition ip ospf network point to point Table 6 5 Dynamic Routing on member_GWA1 ae per Launch the Dynamic Routing Module member GWal expert Enter expert password You are in expert mode now Expert member GWal cligated localhost gt enable localhost configure terminal A Enable OSPF and provide an OSPF router ID localhost config router ospf 1 localhost config router ospf router id 170 170 1 10 FER Define interfaces IP s on which OSPF runs Use the cluster IP as defined in topology and the area ID for the interface IP localhost config router ospf network 10 0 1 10 0 0 0 0 area 0 0 0 0 localhost config router ospf network 10 0 1 20 0 0 0 0 area 0 0 0 0 Redistribute kernel routes this is only here as an xample please s the dynamic routing book for more specific commands concerning redistribution of routes localhost config router ospf redistribute kernel localhost config router ospf exit localhost config exit 2 S See Write configuration to disk localhost write memory IU0 999 Configuration written to etc gated ami localhost quit Chapter6 Route Based VPN 147 Enabling Dynamic Routing Protocols on VTIs Table 6 6 Dynamic Routing on member_GWA2 148 Sa Launch the Dynamic Routing Module member GWa2 expert Enter expert password You are in expert mode now Expert member GWa2 cligated localhost gt enable l
540. rform upgrade type eTrArgTypelnt32 val an integer represents whether the user wishes to upgrade 1 for upgrade O for no_upgrade default_text NULL TR NOTIFICATION ICS NO COMP TANCE End point failed the endpoint compliance test 400 Notification Identifiers NotificationID TR NOTIFICATION AUTH SUPPLY _CREDS Meaning and Format Supply authentication credentials The number of arguments depends on the authentication scheme l GW type eTrArgTypeStr val a string representing the gateway s name default_text NULL Authentication type TrAuthType type eTrArgTypelnt32 val an integer represents the authentication type default_text NULL Number of parameters type eTrArgTypelnt32 val an integer represents the number of parameters e g 2 for username password 1 for certificate dn 3 for username pin passcode default_text NULL Param number type eTrArgTypeStr val a string representing the parameter e g username or passcode etc default_text NULL Chapter 18 Endpoint Connect API 401 Notification Identifiers NotificationID Meaning and Format TR_NOTIFICATION_CLIENT_CRED Authentication credentials sent from the client Bee to the service The number of arguments depends on the authentication scheme 1 Gateway type eTrArgTypeStr val a string representing the gateway s ip address
541. rify that the IP address of the backup gateway is not included in the VPN domain of the primary b For each backup gateway define a VPN domain that does not overlap with the VPN domain of any other backup gateway Note There must be no overlap between the VPN domain of the primary gateway and the VPN domain of the backup gateway s that is no IP address can belong to both If required configure IP pool NAT or RIM to handle return packets To configure IP pool NAT see Configuring IP Pool NAT on page 250 To configure RIM see Configuring RIM on page 186 Load Distribution 1 In the Global Properties window VPN gt Advanced page select Enable load distribution for Multiple Entry Point configurations Site to Site connections Checking this options also means that in MEP configurations the remote VPN peer randomly selects a MEPed gateway to work with 2 Define the same VPN domain for all the gateways Chapter 12 Multiple Entry Point VPNs 249 Configuring MEP Configuring IP Pool NAT To configure IP pool NAT 1 In Global Properties gt NAT page select Enable IP Pool NAT 2 Set tracking options for address exhaustion and for address allocation and release Then 3 For each gateway create a network object that represents the IP pool NAT addresses for that gateway The IP pool can be a network group or address range For example e On the network objects tree right click Network Objects branch gt
542. rity Management server e Other OPSEC certified PKI solutions CA Hierarchy CAs are often arranged in an hierarchical structure where multiple CAs are subordinate to root authority or root CA A subordinate CA is a Certificate Authority certified by another Certificate Authority Subordinate CA s can issue certificates to other more subordinate CAs forming a certification chain or hierarchy PKI and Remote Access Users The Check Point Suite supports certificates not only for gateways but for users as well For more information see Introduction to Remote Access VPN on page 269 for information about user certificates PKI Deployments and VPN Following are some sample CA deployments Simple Deployment internal CA CA of an external Security Management server CA services provided over the Internet CA on the LAN Simple Deployment Internal CA When the VPN tunnel is established between gateways managed by the same Security Management server each peer has a certificate issued by the Security Management server s ICA Chapter 5 Public Key Infrastructure 93 Supporting a Wide Variety of PKI Solutions 94 CA of An External Security Management server If a Check Point Security Gateway is managed by an external Security Management server for example when establishing a VPN tunnel with another organization s VPN modules each peer has a certificate signed by its own Security Management server s ICA Figure
543. rk that is shared by all the gateways into a single group and assign that group as the VPN domain To display all overlapping encryption domains use the vpn overlap encdom command For more information see VPN Command Line Interface on page 711 On the Properties window of each gateway network object Topology page gt VPN Domain section select Manually defined and define a VPN domain for all gateways some of which will be overlapping Configuring MEP Primary Backup 1 Ss 5 In the Global Properties window VPN gt Advanced page select Enable Backup Gateway In the network objects tree Groups section create a group consisting of gateways that act as backup gateways On the Properties window of the network object selected as the Primary gateway VPN page select Use Backup Gateways and select the group of backup gateways from the drop down box This gateway now functions as the primary gateway for a specific VPN domain Define the VPN for the backup gateway s Backup gateways do not always have a VPN domain of their own They simply back up the primary If the backup gateway does not have a VPN domain of its own the VPN domain should include only the backup gateway itself a On the Properties window of the backup network object Topology page gt VPN Domain section select Manually defined b Select a group or network that contains only the backup gateway If the backup does have a VPN domain a Ve
544. roperties moisia e sides See dea Nis Judo bee hh veh aiaa 255 Internally and Externally Managed GatewayS scccssccssccesceeeeseeeeeeeeeeseeeeeeeneees 256 Considerations for VPN Creation cccccccccseeeeceeceeeeeeeeeeeeeeeeeeaeeeeeeeeaeeeeeesaaeees 257 Choosing the Authentication Method cccccssccccssceceeeceseeeeeeeeeeaeeeeseeseeaes 257 Choosing the Certificate AUtHOTity ccccceccessccceeeeeeseeeeseeeeseeeeeaeeeeseeeeeans 257 Configuring Traditional Mode VPNs Editing a Traditional Mode Policy Configuring VPN Between Internal Gateways using ICA Certificates 259 VPN Between Internal Gateways Using Third Party CA Certificates 260 Configuring VPN with Externally Managed Gateways Using Certificates 261 Configuring a VPN using a Pre Shared Secret ccccccsecccsseeeseeeeeseeeeeaeeeeaes 263 Table of Contents 9 Remote Access VPN Chapter 14 Introduction to Remote Access VPN Need for Remote Access VPN c cccecsececeeeeeeneeecaeeeecaeeeeaeeesaaeeeaaeeeeaaeeseaeeeans 270 The Check Point Solution for Remote ACCESS cccccceeeeeceeceeeeeeeeaeeeeeeesaneeees 271 Enhancing SecuRemote with SecureClient Extensions ccccecceseeeeeeeeeees 272 Establishing a Connection Between a Remote User and a Gateway 273 Remote ACCeSS COMMUNILY ccccceecccseeceseeceseeeeeeceeeeesesseeeeseeesseeeseeeeaes 274 Identifying Elements of the Network to
545. routing protocol must be enabled on all participant gateways For more information on virtual interfaces see Configuring a Virtual Interface Using the VPN Shell on page 730 In Figure 6 5 e Gateway 1 has a virtual interface configured for the VPN tunnel linked with gateway 2 and another virtual interface for the VPN tunnel linked with gateway 3 e Host 1 behind gateway 1 initiates a multicast session destined to the multicast group address which consists of Host 2 behind gateway 2 and to Host 3 behind gateway 3 Routing Multicast Packets Through VPN Tunnels Figure 6 5 MultiCasting Security Gateway 2 Security 7 Host 1 Gateway 1 To enable multicast service on a security gateway functioning as a rendezvous point add a rule to the security policy of that gateway to allow only the specific multicast service to be accepted unencrypted and to accept all other services only through the community Corresponding access rules enabling multicast protocols and services should be created on all participating gateways For example Figure 6 6 Sample Rules i E Multicast_Gateways E Multicast_Gateways 2 oO Sample_Host jm Multicast_Group_Address hy Sample_Community E Multicast_Service_Group D accept Chapter 6 Route Based VPN 161 Routing Multicast Packets Through VPN Tunnels 162 Chapter Tunnel Management In This Chapter Overview Permanent Tunnels VPN Tunnel Sharing Configuring Tunnel Features
546. rs the connection is not encrypted The gateway s Security Policy controls access to resources behind the gateway protects the security gateway and the networks behind it Since the remote client is not behind the gateway it is not protected by the gateway s Security Policy Remote access using SecureClient can be protected by a Desktop Security Policy See Desktop Security on page 489 Client Gateway Authentication Schemes Authentication is a key factor in establishing a secure communication channel among gateways and remote clients Various authentication methods are available for example e Digital certificates e Pre shared secrets e Other authentication methods made available via Hybrid mode The Check Point Solution for Remote Access Digital Certificates Digital Certificates are the most recommended and managable method for authentication Both parties present certificates as a means of proving their identity Both parties verify that the peer s certificate is valid i e that it was signed by a known and trusted CA and that the certificate has not expired or been revoked Digital certificates are issued either by Check Point s Internal Certificate Authority or third party PKI solutions Check Point s ICA is tightly integrated with VPN and is the easiest way to configure a Remote Access VPN The ICA can issue certificates both to security gateways automatically and to remote users generated or initiate
547. rs access the SSL Network Extender for the first time they are prompted to download an ActiveX component that scans the end user machine for Malware The scan results are presented both to the gateway and to the end user SSL Network Extender access is granted denied to the end user based on the compliance options set by the administrator ESOD Policy per User Group Since there are many different kinds of threats to your network s security different users may require different configurations in order to guard against the increasing number and variety of threats The ability to configure a variety of ESOD policies enables the administrator to customize the software screening process between different user groups Screened Software Types ESOD can screen for the Malware software types listed in the following table Table 30 1 Screened Software Types Software Type Description Worms Programs that replicate over a computer network for the purpose of disrupting network communications or damaging software or data Trojan horses Malicious programs that masquerade as harmless applications Hacker tools Tools that facilitate a hacker s access to a computer and or the extraction of data from that computer Chapter 30 SSL Network Extender 631 Commonly Used Concepts Table 30 1 Screened Software Types Software Type Keystroke loggers Description Programs that record user input activity that is mouse or key
548. rsions split DNS is not used by default when in Office Mode Global FTP NL enforce 0 1 2 Indicates the strictness of the FTP inspection O no check 1l default check Multiple newline characters allowed 2 strict check no multiple newline characters allowed Global show disabled profiles true false In connect mode if the IKE timeout expires and this property is TRUE disconnect instead of erasing the passwords Global post_connect_ script Specify full path for a script that SecuRemote SecureClient will run after a connection has been established Connect Mode only Managers post_connect_script_show window true false Specifies whether or not the post connect script will run in a hidden window Managers list_style How the site icons are presented in the main frame window Global mac_xlate true false Needs to be set to true to support Split DNS where traffic to the real DNS server may not be routed the same way as traffic to the split DNS server The most common scenario is real DNS server on the same subnet as the client Split DNS modifies the IP destination of the packet but not the MAC destination With mac_xlate set to true the MAC destination address is set to the address of the default gateway Global Chapter 29 Userc C and Product ini Configuration Files 621 Userc C File Parameters 622 mac _xlate interval How frequently a check is mad
549. rtProvisioning 2 Edit the vpn route conf file so that this network object appears in the router column the center gateway of the star community Chapter 5 Domain Based VPN 123 Configuring Domain Based VPN 124 3 Install this vpn_route conf file on all LSM profiles that participate in the VPN community Configuration via Editing the VPN Configuration File For more granular control over VPN routing edit the vpn_route conf file in the conf directory of the Security Management server The configuration file vpn_route conf is a text file that contains the name of network objects The format is Destination Next hop Install on Gateway with tabbed spaces separating the elements Consider a simple VPN routing scenario consisting of Hub and two Spokes Figure 5 3 All machines are controlled from the same Security Management server and all the security gateways are members of the same VPN community Only Telnet and FTP services are to be encrypted between the Spokes and routed through the Hub Figure 5 3 Filtering Telnet and FTP Spoke A Hub Spoke B Although this could be done easily by configuring a VPN star community the same goal can be achieved by editing vpn_route conf Table 5 1 Destination Next hop router interface Install On Spoke_B_VPN_Dom Hub_C Spoke_A Spoke_A_VPN_Dom Hub_C Spoke_B In this instance Spoke_B_VPN_Dom is the name of the network object group that contains spoke B s VP
550. rties NAT tab are not necessary e Close the network object properties window Configuring Office Mode 2 Open the gateway object through which the remote users will connect to the internal network and select the Remote Access gt Office Mode page Enable Office Mode for either all users or for a certain group Check Point Gateway Alaska_RND_GW E xj General Properties Topology NAT VPN Remote Access Office Mode Clientless VPN Extranet Authentication LDAP Account Manage UserAuthority Server Logs and Masters Capacity Optimization Advanced Office Mode C Do not offer Office Mode Offer Office Mode to group Office Mode Method Manual using IP pool Allocate IP from network Optional Parameters Automatic using DHCP Use specific DHEP server Virtual IF address for DHEP server replies MAC address for DHCP allocation Unique per machine IP Lease Duration IP lease duration 16 4 minutes Multiple Interfaces o J Support connectivity enhancement for gateways with multiple external interfaces Anti Spoofing IV Perform Anti Spoofing on Office Mode addresses Additional IP Addresses for Anti Spoofing None Cancel Help Figure 15 3 Office Mode page e n the Allocate IP from network select the IP Pool network object you have previously created e IP lease duration specify the duration in which the I
551. rties 4 Interface Resolving mechanisms J force_udp_encapsulation_gw IPsec amp Encryption Remote Access VPN J udp_encapsulation_by_qm_id Check Point CA properties G Firewall 1 vpn_restrict_client_phase2_id none Ne User Defined desktop_ike_p2_prop_size small I ike_support_transport_mode Cancel Help 3 Select either e ie_proxy_replacement If option is selected windows proxy replacement is always performed even if visitor mode is not enabled e ie_proxy_replacement_limit_to_tcpt If this option is selected then proxy replacement takes place only when visitor mode is enabled When SecureClient performs an update the policy regarding windows proxy replacement is downloaded and put into effect On SecureClient Alternatively these two properties can be set in the userc c file on the remote client le proxy replacement true ie proxy replacement limit _to_tcpt true 696 Chapter 32 Clientless VPN In This Chapter The Need for Clientless VPN page 698 The Check Point Solution for Clientless VPN page 699 Special considerations for Clientless VPN page 702 Configuring Clientless VPN page 704 697 The Need for Clientless VPN The Need for Clientless VPN 698 While VPN and SecuRemote technologies provide a comprehensive solution to the problem of securing and protecting data there are instances where the administrator needs to enable secure communication with client machines th
552. rtificate can have one or more purposes such as client authentication server authentication IPSec and email signing Purposes appear in the Extended Key Usage extension in the certificate The certificates used for IKE authentication do not need any purposes For the user authentication the Microsoft I PSec L2TP client requires that e The user certificate must have the client authentication purpose e The gateway certificate must have the server authentication purpose Most CAs including the ICA do not specify such purposes by default This means that the CA that issues certificates for PSec L2TP clients must be configured to issue certificates with the appropriate purposes in the Extended Key Usage extension It is possible to configure the ICA on the Security Management server so that the certificates it issues will have these purposes For OPSEC certified CAs it is possible to configure the Security Management server to create a certificate request that includes purposes in the Extended Key Usage extension It is also possible to configure the Microsoft PSec L2TP clients so that they do not validate the gateway s certificate during the L2TP negotiation This is not a security problem because the client has already verified the gateway certificate during IKE negotiation Chapter 22 Layer Two Tunneling Protocol L2TP Clients 509 Considerations for Choosing Microsoft IPSec L2TP Clients
553. rtified by another Certificate Authority Subordinate CAs can issue certificates to other more subordinate CAs in this way forming a certification chain or hierarchy The CA at the top of the hierarchy is the root authority or root CA Child Certificate Authorities of the root CA are referred to as Subordinate Certificate Authorities With the CA options on the Servers and OSPEC Applications tab you can define either a Certificate Authority as either Trusted or Subordinate Subordinate CAs are of the type OPSEC and not trusted Supporting a Wide Variety of PKI Solutions Enrolling a Managed Entity Enrollment means obtaining a certificate from a CA that is requesting that the CA issue a certificate for an entity The process of enrollment begins with the generation of a key pair A certificate request is then created out of the public key and additional information about the module The type of the certificate request and the rest of the enrollment process depends on the CA type The case of an internally managed gateway is the simplest because the ICA is located on the Security Management server machine The enrollment process is completed automatically To obtain a certificate from an OPSEC Certified CA Security Management server takes the module details and the public key and encodes a PKCS 10 request The request which can include SubjectA ltName for OPSEC certificates and Extended Key Usage extensions is delivered to the CA man
554. rue client_decide neo disconnect when _idle_ timeout Disconnect when idle timeout in minutes 1 default MAX_INT 458 Advanced Configuration Table 19 1 VPN Properties Property Description Valid Values Default value in bold neo user approve server f Requests user approval of server once always p Finger Print FP before the never client enters its credentials The client_decide server FP is part of the gateway certificate provided in the SSL interaction with the client The following options are available Once If the FP is seen for the first time by the client and not stored in the client database Always Prompts the user to approve the FP for every connection Never Always accepts the FP Chapter 19 SecureClient Mobile 459 Advanced Configuration Table 19 1 VPN Properties Property neo allow site creation Description Enables the client to connect to a new gateway When this flag is set to false the client can only connect using the list of gateways configured in the client setup package Valid Values Default value in bold false true client_decide neo block conns on erase passwords Blocks a connection upon the removal of passwords If set to true when the user clears the Remember Password option in the Options dialog or selects the Erase Passwords menu option the tunnel is automatically disconnected A message ballo
555. rue line However in a deployment consisting of multiple gateways for example in a cluster load sharing or primary backup high availability configuration it is important that the client performs DNS resolution each time it connects to the site Based on geographical proximity or the load sharing requirements of the gateway the DNS server might return to the client a different IP address each time the IP address of the nearest available gateway This IP address may not be the same as the IP address cached during the first connect operation Resolving DNS names each time e Enables DNS to be used for High availability the IP address of the backup gateway is returned when the primary fails to respond e Adds to the client a functionality similar to MEP Multiple Entry Points Note This is not a regular cluster environment as the two or more gateways are not synchronized Chapter 17 Endpoint Connect 377 Configuring Endpoint Compliance Checks 378 Configuring Endpoint Compliance Checks While Endpoint Compliance scanner provides an effective endpoint compliance check when connecting it might prove resource intensive to the gateway For improved speed it is recommended to scan only for the presence of antivirus and firewall software NAT Traversal When a remote user initiates a VPN IPSec encrypted session with the gateway during the initial negotiation both gateway and remote client attempt to detect wheth
556. rver for your LAN These settings will not apply to dial up or YPN connections Address proxy host Port 8080 Advanced I Bypass proxy server for local addresses a Now Secure Client can read any of the settings shown in Figure 31 7 but only if e SecureClient is connected to a LAN or WLAN not dial up e Secure Domain Logon SDL is not enabled Note Visitor mode attempts to connect to the proxy server without authenticating If a user name and password is required by the proxy the error message proxy requires authentication appears Windows Proxy Replacement If SecureClient is on a LAN WLAN and a proxy server is configured on the LAN SecureClient replaces the proxy settings so that new connections are not sent to the VPN domain via the proxy but go directly to the LAN WLAN s gateway This feature works with and without Visitor Mode SecureClient must be on a WAN WLAN and not using a dial up connection Configuring Remote Access Connectivity When SC replaces the proxy file it generates a similar plain script PAC file containing the entire VPN domain IP ranges and DNS names to be returned as DIRECT This file is stored locally since the windows OS must receive this information as a plain script PAC file This file replaces the automatic configuration script as defined in Internet Explorer m Automatic configuration Automatic configuration may override manual settings To ensure
557. rvices None lt port number gt an integer services that can be configured by denoting a port number the administrator which will not be considered as user initiated whose traffic will be excluded lt port number protocol gt a combination of port number and protocol for more specific exclusion Note this has to be within quotes lt icmp gt the icmp protocol will be excluded on all ports Chapter 16 SecuRemote SecureClient 349 Configuring Idle Detection Table 16 3 Sample Configuration Set Ss 350 idleness detection excluded services 53 1 75 0 tep icmp sactive true stimeout 30 Note SecureClient Control connections are automatically ignored by the idle detections mechanism As a result these items do not need to be configured separately Chapter Endpoint Connect In This Chapter Introduction Enabling Endpoint Connectivity Configuring the Gateway Using SmartDashboard Configuring Optional Endpoint Connect Settings Using the Packaging Tool 17 page 351 page 356 page 358 page 370 page 385 This chapter explains how to configure the security gateway to work with the Endpoint Connect client Introduction Endpoint Connect is Check Point s new lightweight remote access client Providing seamless secure IPSec and SSL VPN connectivity to corporate resources the client works transparently with security gateways a
558. s behind the security gateway with non unique IP addresses using an internal DNS server The Solution The simplest solution is to use Connect Mode and Office Mode Otherwise use the split DNS feature by defining a SecuRemote DNS Server The SecuRemote DNS Server is an object that represents an internal DNS server that can be used to resolve internal names with unregistered RFC 1981 style IP addresses It is best to encrypt the DNS resolution of these internal names Not all DNS traffic should be encrypted as this would mean that every DNS resolution would require authentication Configuring the SecuRemote DNS Server 1 Create a new SecuRemote DNS Server from the Objects Tree Figure 27 2 Figure 27 2 Create a SecuRemote DNS Server ajala Fjale Ep Servers and OPSEC Applications B A Servers RADIUS LDAP Account Unit Certificate Authority note DNS EMEP pSecuRemote DNS E OPSEC Applications New SecuRemote DNS El OPSEC Applicatior Sort gt 2 In the SecuRemote DNS Properties window e General tab Configure the general settings of the SecuRemote DNS Server as well as the host on which the SecuRemote DNS Server e Domains tab Add new domains or edit and remove existing domains 592 Resolving Internal Names with the SecuRemote DNS Server Figure 27 3 Domain tab Domain Suffix Checkpoint com Domain Match Case Match only suffix Match up to p labels precedi
559. s Administrator privileges to install the ActiveX component To allow users that do not have Administrator privileges to use the SSL Network Extender the Administrator can use his her remote corporate installation tools such as Microsoft SMS to publish the installation of the SSL Network Extender as an MSI package in configuring the SSL Network Extender To prepare the SSL Network Extender MSI package 1 Move the extender cab file located in SFWDIR conf extender to a Windows machine and open the file using WinZip 2 Extract the cpextender msi and use as an MSI package for remote installation On Windows Vista Mac and Linux it is possible to install SSL Network Extender for users that are not administrators if the user knows the admin password In this case perform a regular SSL Network Extender installation and supply the administrator password when asked Chapter 30 SSL Network Extender 651 SSL Network Extender User Experience SSL Network Extender User Experience In This Section Configuring Microsoft Internet Explorer page 652 About ActiveX Controls page 653 Downloading and Connecting the Client page 653 Uninstall on Disconnect page 665 Using SSL Network Extender on Linux Mac Operating Systems page 665 Removing an Imported Certificate page 670 This section describes the user experience including downloading and connecting the SSL Network Extender client importing a client certificate and uninstall on disco
560. s Community whether inside or outside of the VPN communities is allowed 575 576 User Groups as the Destination in RA communities User groups can be placed in the destination column of a rule This makes e Configuring client to client connections easier e Configuring back connections between a remote client and a gateway possible Figure 26 2 shows a directional rule for remote access communities which allows return back connections Figure 26 2 Directional rules in a Remote Access Community NO SOURCE DESTINATION YP SERVICE ACTION Remote_Users Any x Any Trafficdgp Remote_Access_Community Any D accept To include user groups in the destination column of a rule e The rule must be directional e n the VPN column the Remote Access community must be configured as the endpoint destination Configuring Directional VPN with Remote Access Communities Configuring Directional VPN with Remote Access Communities To configure Directional VPN with Remote Access communities 1 In Global Properties gt VPN page gt Advanced gt Select Enable VPN Directional Match in VPN Column 2 Right click inside the VPN column of the appropriate rule and select Edit or Add Direction from the pop up menu The VPN Match Conditions window opens 3 Click Add The Directional VPN Match Conditions window opens From the drop down box on the right select the source of the connection From the drop down box on
561. same as its name in SmartDashboard e Several groups can register to the same xml file e Each group must appear only once in the ics group file e Only groups that are listed in the ics group file will use their specific xml files Groups that are not listed in the ics group file will try to use the default policy located in the request xml file If the request xml file does not exist an error will be returned e The default xml file request xml cannot appear in the ics group file After creating the ics group file or after any change has been made install policy Run cpstop and then cpstart on the security gateway Each user should be assigned the specific URL that matches his group The URL should be in the format https hostIP lt groupName gt ics html For example all users belonging to group1 will surf to the assigned URL https 10 10 10 10 group1 ics html For troubleshooting tips see Troubleshooting on page 672 Chapter 30 SSL Network Extender 645 Configuring the SSL Network Extender Load Sharing Cluster Support The SSL Network Extender provides Load Sharing Cluster Support To provide Load Sharing Cluster Support 1 Double click the Gateway Cluster Object on the Network Object tab of the Objects Tree The Gateway Cluster Properties window is displayed Note A Load Sharing Cluster must have been created before you can configure use of sticky decision function 2 Select Cluster XL The Clus
562. se the following command eps track authorized host e Connect to the host when there is no firewall Endpoint Security server connection Drops any connection from the hosts when the Endpoing Security server defined specifically for the firewall is unreachable This feature is turned off by default To turn it on use the following command Chapter 17 Endpoint Connect 383 Cooperative Enforcement eps_connect_host_integrity down e Connect a host while waiting for status reply from the Endpoint Security server pending state This feature instructs the firewall module to allow the connection from any host during the compliance validation period This option is useful when the Endpoint Security server is loaded with compliance requests and the timeout for such replies increases In this case any connecting host will be able to open an outside connection That is the firewall will allow traffic even when an answer from the Endpoint Security server has not been received The connection will be dropped only if this host is not authorized To enable this feature use the following command eps_connect_host_pending e Track authorized hosts Supplies a log entry regarding a successful host authorization by the Endpoint Security server with Endpoint Security Client installed Any further traffic from this host will not be logged by this log type To prevent excessive logs from being written to the Security Management server this log t
563. security gateway which serves as a repository for the Desktop Security Policy SecureClient machines download their Desktop Security Policies from the Policy Server When a SecureClient connects to the organization s gateway to establish a VPN it can connect to a Policy Server as well and retrieve its Desktop Security Policy and begin enforcing it SecureClient can accept encrypt or drop connections depending on their Source Destination and Service Figure 21 1 Retrieving the Desktop Security Policy from a Policy Server Security Management Server SecureClient successfully dowloads the policy from the policy server Gateway amp olicy server Ppomcy Security Gateway Chapter 21 Desktop Security 491 Desktop Security Solution The Desktop Security Policy The Desktop Security Policy is divided into two parts e inbound rules enforced on connections destined to the SecureClient machine e outbound rules enforced on connections originating from the SecureClient machine A rule in a Desktop Security Policy specifies the following e source e destination e service e action accept drop encrypt e track log alert Connections to machine inside the organization i e all the machines in the VPN domain of the gateway are automatically encrypted even if the rule allowing them to pass is an accept rule Implied Rules In addition to the inbound and outbound rules explicitly defined by the administrat
564. sed directly or imported to the CAPI store and accessed from there If for security reasons you do not wish users to authenticate using certificates within the CAPI store l 2 On the gateway open the SFWDIR conf trac_client_1 ttm file for editing Modify the enable_capi attribute to FALSE enable capi gateway map false false true true client_ decide client decide default true By default the value is TRUE Modify the default true line Disabling DNS based Geo Cluster Name Resolution Disabling DNS based Geo Cluster Name Resolution Ss Each time Endpoint Connect connects to the security or Connectra gateway the client performs by default DNS name resolution For a deployment consisting of a single gateway there is no need to perform DNS resolution every time the first time the client connects it caches the IP address of the gateway and reuses it on each subsequent connect operation In this kind of deployment the default behavior of the client can be safely modified To prevent the gateway from performing name resolution each time Connect connects 1 On the gateway open the SFWDIR conf trac_client_1 ttm file for editing 2 Modify the enable_gw_resolving attribute to FALSE enable gw_resolving gateway map false false true true client_ decide client decide default true By default the value is TRUE Modify the default t
565. ses to access network resources This is difficult to adjust without knowing the a remote client s IP address in advance e When assigned with a non routable IP address a conflict may occur either with similar non routable addresses used on the corporate LAN or with other clients which may receive the same IP address while positioned behind some other hiding NAT device For example if a SecuRemote SecureClient user receives an IP of 10 0 0 1 which is entered into the headers of the IPSec packet The packet is NATed The packet s new source IP is 192 168 17 5 The gateway decapsulates the NATed IP and decrypts the packet The IP address is reverted to its original source IP of 10 0 0 1 If there is an internal host with the same IP the packet will probably be dropped if anti spoofing is turned on If there is no duplicate IP and the packet is forwarded to some internal server the server will then attempt to reply to an non existent address e Two remote users are assigned the same IP address by an ISP for example two users are accessing the organization from hotels which provide internal addresses and NAT them on the outbound Both users try to access the internal network with the same IP address The resources on the internal network of the organization may have difficulty distinguishing between the users Office Mode Solution Office Mode Solution In This Section Introducing Office Mode page 301 How Office Mode Works page
566. should be accessible through the OS PATH variable The script is not part of the package and should be transferred to the client separately Chapter 20 Packaging SecureClient 485 Configuring MSI Packaging Configuring MSI Packaging To customize a profile used for remote users save the msi file provided by Check Point Once the file is saved configurable files may be extracted from the file customized and then placed back into the file To edit one of the configurable files 486 1 Use cpmsi_tool lt SC MSI package name gt out lt file name gt to extract the file from the package Customize the file Use cpmsi_ tool lt SC MSI package name gt in lt file name gt to insert the file back into the package The configurable files are product ini userc c userc set reg ini SecuRemoteAuthenticate wav SecuRemoteConnected wav SecuRemoteDisconnected wav SecuRemoteFailed wav logo bmp logging bat install boot _policy bat collect bat scvins bat scvuins bat msfw bat harden bat Configuring MSI Packaging Add and Remove Files in Package To add new files to the package Cc To remove a newly added file Cc pmsi_tool lt SC MSI package name gt add lt file name gt pmsi_tool lt SC MSI package name gt remove lt file name gt Installation Command Line Options The following are the command line parameters Table 20 1 Installation Command Lines
567. sport and force_udp_encapsulation is true a random source port is used for IKE packets and another random source port is used for UDP encapsulation packets Global uencapport 2746 Specifies the port to be used on the UDP encapsulated packets when using UDP encapsulation Gateway ChangelKEPort true false If true do not bind to port 500 Instead use router port and use address translation to make it seem as if the connection originated from port 500 This parameter allows other client applications such as Nokia and Microsoft to use that port Note if the port is taken another port will be used Global send clear traffic between encryption domains true false if true and the source and the destination are behind encryption domains not same domains packets will be sent clear This feature is enabled only if a single site is defined Managers send clear except for non unique true false If true send clear traffic between encryption domains will not function for IP addresses which are defined as NAT private addresses send clear except for specific addresses true false If true send_clear_traffic_between_encryption_domains will not function for IP addresses which are defined in send_clear_except_for_address_group Managers send clear except for address group Address group specification for send clear except for specific addresses Managers dns _ encryp
568. ss client connects all possible destination IP addresses receive an RDP session to test the route The first IP to respond is chosen and stays chosen until the next time the client reconnects IP addresses you do not wish to be probed i e internal IP addresses may be removed from the list of IP s to be probed see Resolving Addresses via Probing on page 224 For both the probing options one time and on going a Primary Address can be assigned Primary Address When implementing one of the probing methods on a gateway that has a number of IP addresses for VPN one of the IP addresses can be designated as a Primary Address As a result peers assign the primary address IP a higher priority even if other interfaces have a lower metric Enabling a primary address has no influence on the IP selected for outgoing VPN traffic If the remote access client connects to a peer gateway that has a primary address defined then the remote access client will connect to the primary address if active regardless of network speed latency or route metrics If the primary address fails and the connection fails over to a backup the VPN tunnel will stay with the backup until the primary becomes available again Chapter 25 Link Selection for Remote Access Clients 569 Link Selection for Remote Access Scenarios Link Selection for Remote Access Scenarios Link Selection may be used in different infrastructures This section describes scenar
569. stribution to end point users To create a preconfigured package 1 Open the Endpoint Connect client in administration mode e Click on AdminMode bat file in c Program Files Checkpoint Endpoint Connect Or e From acommand prompt run c Program Files Checkpoint Endpoint Security trgui exe admin 2 Right click the client icon in the system tray and select VPN Options The VPN Options window opens showing the administration tab Chapter 17 Endpoint Connect 385 Using the Packaging Tool f 9 Options E x ENDPOINT CONNECT I El Check Point TECHNOLOGIES LTD Sites Advanced Administration Packaging Input MSI Package Path fl Browse JT Override previous configuration when upgrading Generate Note this will modify the input package to contain the current configuration Close Help 3 Using the options on the Site and Advanced tabs configure e Site definitions e Authentication method e Logging e Proxy server settings e Always connect mode e VPN tunneling 4 On the Administration tab a Select a folder for the new package b Decide whether to override the previous configuration when upgrading c Click Generate to create the msi package in the designated folder 5 Distribute this package to Endpoint Connect users Users can download the package directly from the gateway by entering the following URL into a browser hitps lt gateway ip gt CSHELL CheckPointEndpointConnect
570. sts it publishes the DN of the Supporting a Wide Variety of PKI Solutions CRL namely the entry in the Directory under which the CRL is published or the LDAP URI If the extension does not exist VPN attempts to locate the CRL in the entry of the CA itself in the LDAP server ocsP Online Certificate Status Protocol OCSP enables applications to identify the state of a certificate OCSP may be used for more timely revocation information than is possible with CRLs and may also be used to obtain additional status information When OCSP client issues a status request to an OCSP server acceptance of the certificate in question is suspended until the server provides a response In order to use OCSP the root CA must be configured to use this method instead of CRL This setting is inherited by the subordinate CA s CRL Prefetch Cache Since the retrieval of CRL can take a long time in comparison to the entire IKE negotiation process VPN stores the CRLs in a CRL cache so that later IKE negotiations do not require repeated CRL retrievals The cache is pre fetched e every two hours e on policy installation e when the cache expires If the pre fetch fails the previous cache is not erased Note The ICA requires the use of a CRL cache An administrator can shorten the lifetime of a CRL in the cache or even to cancel the use of the cache If the CRL Cache operation is cancelled the CRL must be retrieved for each subsequent IKE nego
571. t true false Overwrites the encrypting attribute received in the topology in the dnsinfo section May be relevant for workarounds prior to version NG FP3 Global disable split dns when in om true false Disable split DNS when in Office Mode Global disable split dns when disconnected true false Disable split DNS when disconnected Global disconnect_on_IKE SA expiry true false In connect mode if the IKE timeout expires and this property is true disconnect instead of erasing the passwords Global renew users ica cert true false Specifies whether users be able to renew their certificates explicitly or implicitly Managers Userc C File Parameters renew users ica cert days before 1 1000 60 How many days before expiration to start and perform an implicit renewal Managers upgrade fpl and below users ica cert true false Whether or not to implicitly renew certificates that were issued before NG FP2 Managers ike negotiation timeout 36 Determines the maximum time in seconds that the IKE engine will wait for a response from the peer before timing out This is the maximum interval between successive packets and not the maximum negotiation lifetime Managers phase2 proposal large small Determines the size of the proposal sent by the client in Quick Mode packet 1 This property is for backwards compatibility NG FP3 and higher clients use p
572. t Conne Disconnect when connectivity to network is lost Configured on endpoint client x Early Versions C Hat Spot Hotel Disconnect when device is idle Configured on endpoint client 7 SmartDirectory LD A a QoS Security Settings SmartMap Route all traffic through gateway No nd UserAuthority Management High Configuration and Version Settings ConnectControl OSE Open Securit Stateful Inspection Log and Alert Reporting Tools OPSEC SmartCenter Acces Nan Lninne IP yal gt Client upgrade mode ask user 7 Cancel Help For Location Aware Connectivity select Yes from the drop down box Save the policy and close SmartDashboard Connect to Security Management server using GuiDBedit the Check Point Database tool On the Tables tab under Global Properties gt properties gt firewall_properties locate the la_use_gw_topology_to_identify_location property Chapter 17 Endpoint Connect 367 Endpoint Connect Advanced Settings 368 192 168 186 128 Check Point Database Tool File view Objects Fields Search Queries Help Table Administrators i E Desktop Global Properties al properties Large Scale Manager Managed Objects Network Objects OPSEC Other es Policies le Provider 1 B s E Read Only Configuration Reporting fal Services H H endpoint_vpn_initiate_dialup
573. t Gateway Authentication Schemes page 276 Advanced Features page 279 VPN 1 SecuRemote Check Point s Remote Access VPN solution enables you to create a VPN tunnel between a remote user and your organization s internal network The VPN tunnel guarantees e Authenticity by using standard authentication methods e Privacy by encrypting data e Integrity by using industry standard integrity assurance methods SecuRemote SecureClient extends VPN functionality to remote users enabling users to securely communicate sensitive information to networks and servers over the VPN tunnel using LAN wireless LAN and various dial up including broadband connections Users are managed either in the internal database of the security gateway or via an external LDAP server After a SecuRemote user is authenticated a transparent secured connection is established SecuRemote works with e Check Point Security Gateways e VPN 1 and UTM 1 Edge gateways Chapter 14 Introduction to Remote Access VPN 271 The Check Point Solution for Remote Access 272 Enhancing SecuRemote with SecureClient Extensions SecureClient is a remote access client that includes and extends SecuRemote by adding a number of features e Security features e Connectivity features e Management features Security Features e A Desktop Security Policy See Desktop Security on page 489 e Logging and Alerts e Secure Configuration Verification SCV see Sec
574. t descibes the various aspects of VPN sharing and Permanent Tunnels Preface 23 Section 2 Site to Site VPN 24 Chapter Chapter 8 Route Injection Mechanism Description Route Injection Mechanism RIM enables a Check Point Security Gateway to use dynamic routing protocols to propagate the encryption domain of a Check Point Security Gateway to the internal network and then initiate back connections Chapter 9 Wire Mode Describes how Wire Mode improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement Chapter 10 Directional VPN Enforcement Explains how to control the direction of VPN traffic between gateways Chapter 11 Link Selection Explanation of how the Link Selection feature is used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path between gateway modules Chapter 12 Multiple Entry Point VPNs Description of how the Multiple Entry Point MEP feature provides a high availability and load sharing solution for VPN connections between peer gateways Chapter 13 Traditional Mode VPNs Explanation of Traditional Mode VPNs and how to configure Section 3 Remote Access VPN Section 3 Remote Access VPN This section explains how to ensure secure communication between gateway modules and remote access clients Chapter
575. t is disconnected A message balloon explains why Chapter 29 Userc C and Product ini Configuration Files 611 Userc C File Parameters 612 open full diagnostic tool true false When set to false SC will open only log view of diagnostic When set to true SC will open full diagnostic In any case the full diagnostic tool will open from the start menu tt_failure show notification true false If fail connect _on tt failure is false meaning that a connection will succeed even though tt failed then a string notification of tt failure will show in the connecton progress details because of this flag simplified client route all traffic true false This attribute determines whether the Simplified Client performs connections using route all traffic or not scv_allow sr clients true false If set to true SecuRemote clients which by default are not SCV verified will send a verified state to the enforcing gateway use profile ps configuration true false Set to true to enable remote users to connect to one Gateway and logon to a Policy Server behind another gateway force_route_all_in_profile true false If set to true profiles created by the user will have the route all traffic option selected and grayed in the profile creation edit dialog Global enable mode switching true fales If set to true client has the option to switch between Extended View and Compact View Hot Spot Registration en
576. ta on a private or public network IKE Internet Key Exchange is a key management protocol standard IKE enhances IPSec by providing additional features flexibility and ease of configuration Site to Site VPN At the center of VPN is the encrypted tunnel or VPN link created using the IKE IPSec protocols The two parties are either Check Point Security Gateways or remote access clients The peers negotiating a link first create a trust between them This trust is established using certificate authorities PKI or pre shared secrets Methods are exchanged and keys created The encrypted tunnel is established and then maintained for multiple connections exchanging key material to refresh the keys when needed A single gateway maintains multiple tunnels simultaneously with its VPN peers Traffic in each tunnel is encrypted and authenticated between the VPN peers ensuring integrity and privacy Data is transferred in bulk via these virtual physical links VPN Communities There are two basic community types Mesh and Star A topology is the collection of enabled VPN links in a system of gateways their VPN domains hosts located behind each gateway and the remote clients external to them In a Mesh community every gateway has a link to every other gateway as shown in Figure 1 1 Chapter 1 Overview 39 The Basic Check Point VPN Solution Figure 1 1 Check Point Security Gateways in a Mesh community Security Gateway ain Security
577. tch Condition Match traffic reaching from or leaving to or both these Communities El Al Site To Site VPN Communities he These VPN Communities OK Cancel Help 3 Click Add Chapter 10 Directional VPN Enforcement 205 Configuring Directional VPN The Directional VPN Match Conditions window opens x Match on traffic reaching the Gateway from Match on traffic leaving the Gateway To x Any Traffic amp All_Communities Cancel Help From the drop down box on the left select the source of the connection From the drop down box on the right select the connection s destination Click OK 206 Chapter 11 Link Selection In This Chapter Overview page 208 Using Link Selection page 209 Link Selection Scenarios page 215 On Demand Links ODL page 218 Link Selection and ISP Redundancy page 219 Early Versions Compatibility Resolving Mechanism page 222 Configuring Link Selection page 223 207 Overview Overview 208 Link Selection is a method used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path Using the Link Selection mechanisms the administrator can focus individually on which IP addresses are used for VPN traffic on each gateway Configuration settings for remote access clients can be configured together or separately from the Site to Site configuration For more information see Link Selection for Remote Acc
578. te frequency If the client is disconnected the client attempts to update the policy after a connection is made client_ decide 462 Table 19 3 Firewall Properties Advanced Configuration Property neo route all traffic _through_gateway Description Routes all traffic through a gateway in hub mode This flag sets the routing in the IP routing table to send all traffic to the connected gateway which results in all traffic leaving the machine except for specific routes to be encrypted and possibly re routed from the gateway to the outside Internet It allows for the inspection of all client data received that is examined by the connected gateway This will only work if the gateway also supports routing all traffic To configure the gateway see Route All Traffic Hub Mode on page 452 Valid Values Default value in bold false true client_ decide Chapter 19 SecureClient Mobile 463 Advanced Configuration Table 19 3 Firewall Properties Property Description Valid Values Default value in bold neo implicit disconne Retry to establish tunnel 1 MAX_INT ct timeout until this timeout elapse in 2 default minutes neo clear _in_activesy Enables clear traffic during false true ne ActiveSync When set to true if the device is cradled for example when ActiveSync is activated to a PC using Bluetooth the client automatically disconnects and the
579. te in the Certificates List and click Complete Browse to the folder where you stored the issued certificate select the certificate and verify the certificate details Close the network object and Save Enrolling through a Subordinate CA When enrolling through a subordinate CA Supply the password of the subordinate CA which issues the certificate not the CA at the top of the hierarchy The subordinate CA must lead directly to a trusted CA Certificate Revocation All CA Types A certificate issued by the Internal Certificate Authority it is revoked when the certificate object is removed Otherwise certificate revocation is controlled by the CA administrator using the options on the Advanced tab of the CA object In addition the certificate must be removed from the module To remove the certificate proceed as follows 1 2 Open the VPN tab of the relevant Network Object In the Certificate List field select the appropriate certificate and click Remove A certificate cannot be removed if Smart Center server infers from other settings that the certificate is in use for example that the module belongs to one or more VPN communities and this is the module s only certificate Chapter 5 Public Key Infrastructure 111 Configuration of PKI Operations Certificate Recovery and Renewal 112 When a certificate is revoked or becomes expired it is necessary to create another one or to refresh the existing one
580. ted CA Without this flag both the gateway and the client must trust exactly the same CA Global is subnet support true false If turned on IPsec SA will be valid for a subnet otherwise it will be valid for a specific address Gateway ISAKMP hybrid support true false If turned on when the authentication pop up appears the user will have the option to choose between Hybrid mode and certificates as an authentication mode Otherwise the user will have the option to choose between certificates and pre shared secret Gateway resolve multiple interfaces true false If resolve_interface_ranges static interface resolving is disabled or failed and this property is turned on then dynamic interface resolving will be done when addressing this gateway In this case the interfaces of the gateway will be probed once Gateway interface resolving ha true false If dynamic interface resolving is used see resolve_multiple_interfaces and this property is turned on the interfaces of the gateway will be probed per connection to see if they are live Gateway Userc C File Parameters e isakmp ipcomp support true false If the peer gateway is a least NG and the client is SecureClient and not SecuRemote then If the client is in send small proposal mode and this property is turned on then IP compression will be proposed If the client is in send large proposal mode then IP compression
581. tened nee 301 Introddic ing Office MOd r 22 2 s62 28ers esd edeeese ved e Tbld tabi a a eaat 301 HOW OFFICE Mode WOLkS a vast deaneddacinadvendsadanbasvetvian ted 302 Assigning IP Addresses saci vtec jesvte chests desctwadevacs ae ada ddaa a dTa aik 304 10 IP Address Lease Curation isminin ara ai aia a 306 Using Name Resolution WINS and DNS cccccecccceeececeeeeeaeeeeseeeeeaeeeanees 306 ATES POOTIM Oi Hace cals EA E ation stun eae te Sega EE 307 Using Office Mode with Multiple External Interfaces ccccccccseeceeeeeeeenees 307 Office Mode Per Site sorae dex cree saceresenaataes s sebadee teats padgus a E EEA 308 Enabling IP Address per USer cit onin sax eoero i isancud suensed samethl ae igocessbubes 310 The ProBlemiiccccssticevsadedaatihecs inves sneha a haneha era EEA Na E Ey 310 TRESOLUTIOM n r naa aa a e a e a e a a A A e NG 310 Office Mode Considerations cccccceeececeeceeeeeeeecaeeeeeeecaeeeeeesaeeeeeeeaeneeeeesaaegs 313 IP pool Versus DHCP 2 tvics ced nceaddcateenddadeon dd bes l inbena Eee e padae Seadoteaczneeearss 313 Routing Table Modifications cccccccecceseeccceeeecaeeceseeeeseeeeeeeeeeaeeeeaeeesnees 313 Using the Multiple External Interfaces Feature ccccccccssscesseeeaeeeeeeeeenees 313 Contiguring Omice Modes 22h 2 a a a attend tcgddes added Looted la Watt lntdec da ded 314 Office Mode IP Pool Configuration cccccsecccceeecceeeceeeeceseeeeeaeeeeeaeeeeaes
582. ter XL tab is displayed 3 Click Advanced The Advanced Load Sharing Configuration window is displayed Figure 30 2 Advanced Load Sharing Configuration window Advanced Load Sharing Configuration Use sharing method based on lEs Ports O IPs Ml Use Sticky Decision Function Note Please refer to the on line help before changing the default values cance He 4 Select Use Sticky Decision Function When the client connects to the cluster all its traffic will pass through a single gateway If that member gateway fails the client will reconnect transparently to another cluster member and resume its session 5 Select Gateway Cluster Object gt Remote Access gt Office Mode When defining Office Mode for use with Load Sharing Clusters only the Manual using IP pool method is supported 646 Figure 30 3 Advanced Load Gateway Cluster Properties Corporate Cluster 2 General Properties Cluster Members 3rd Party Configuration Topology NAT VPN Remote Access Office Mode Clientiess VPN SSL Network Extender Authentication SmartView Monitor Logs and Masters Capacity Optimization Advanced Office Mode Oo not offer Office Made Offer Office Mode to group lt Allow Office Mode to all users Office Mode Method Allocate IP address by sequentially trying the checked methods until success From ipassignment conf located in FWDIR conf always tried first From the RADIUS ser
583. ternally the Washington gateways build VPN tunnels using 3DES Chapter 4 Introduction to Site to Site VPN 69 The Check Point Solution for VPN 70 Special Condition for VPN Gateways Individually gateways can appear in many VPN communities however two gateways that can create a VPN link between them in one community cannot appear in another VPN community in which they can also create a link For example Figure 4 8 Special condition _ A N Pa i i London New York X I LONDON I NY MESH us one a am lt l l s Paris Pi S 7 N a The London and New York gateways belong to the London NY Mesh VPN community To create an additional VPN community which includes London New York and Paris is not allowed The London and New York gateways cannot appear together in more than one VPN community Two gateways that can create a VPN link between them in one community can appear in another VPN community provided that they are incapable of creating a link between them in the second community For example The Check Point Solution for VPN Figure 4 9 Three VPN communities i e A AT N A London My Paris STAR In Figure 4 9 The London and New York gateways appear in the London NY mesh These two gateways also appear as Satellite gateways in the Paris Star VPN community In the Paris Star satellite gateways London
584. teway is authenticated If the system Administrator has sent the user a fingerprint it is strongly recommended that the user verify that the root CA fingerprint is identical to the fingerprint sent to him her The system Administrator can view and send the fingerprint of all the trusted root CAs via the Certificate Authority Properties window in SmartDashboard Chapter 30 SSL Network Extender 663 SSL Network Extender User Experience 664 9 If the user is using a proxy server that requires authentication the Proxy Authentication pop up is displayed The user must enter his her proxy username and password and click OK 10 If you are connected with Windows Vista a Windows Firewall message will appear Click Unblock You may work with the client as long as the SSL Network Extender Connection window shown below remains open or minimized to the System tray Figure 30 19Client connected Check Point E TECHNOLOGIES LTO 2004 Check Point Software Technologies Ltd Once the SSL Network Extender is initially installed a new Windows service named Check Point SSL Network Extender and a new virtual network adapter are added This new network adapter can be seen by typing ipconfig all from the Command line Note The settings of the adapter and the service must not be changed IP assignment renewal and release will be done automatically Both the virtual network adapter and the Check Point SSL Network Extender service
585. teways This feature is disabled when more than one site is defined in SecuRemote SecureClient When the Client Has a Private Address If the send clear traffic between encryption domains property is enabled a problem can arise when the gateway s VPN domain includes private addresses where the meaning of private is specified in the Non Unique IP Address Ranges page of the Global Properties window If the SecuRemote SecureClient connects from outside the VPN domain for example from a hotel and is assigned by the ISP or a NAT device a private IP address which happens to be in the gateway s VPN domain then SecuRemote SecureClient will not encrypt when connecting to the VPN domain and the connection will be dropped because it is in the clear You can configure SecuRemote SecureClient to encrypt this traffic as follows e To encrypt traffic from private addresses enable the send clear except for non unique property in objects 5 0 C e To encrypt traffic from specific IP addresses proceed as follows Chapter 27 Remote Access Advanced Configuration 581 Preventing a Client Inside the Encryption Domain from Encrypting 582 1 Define a group consisting of those addresses 2 Enable the send clear except for specific addresses property in objects 5 0 C 3 Set send clear except for address group to the name of the group defined in step 1 Note This feature is disabled when more than one site
586. the use of manual settings disable automatic configuration I Automatically detect settings IV Use automatic configuration script Address J ttp iiproxy_path proxy pac Proxy server B Use a proxy server for your LAN These settings will not apply to dial up or YPN connections idres i Ports Advanced Jass proxy server For a Special Considerations for Windows Proxy Replacement Sensitive information regarding the site s IP Address and DNS settings are contained in SecureClient s userc c file For this reason the file is obfuscated by an algorithm that hides the real content but does not encrypt it When the proxy replacement feature is used the same information is written to the plain text PAC file For this reason administrators should be aware that the Windows Proxy Replacement feature exposes the VPN domain by writing Site IP addresses and DNS settings as Java Script code in this plain text PAC file which can be viewed by any end user Configuring windows Proxy Replacement Windows proxy replacement is configured either on the gateway or SecureClient Client On the gateway 1 Global Properties gt SmartDashboard Customization 2 Click Configure Chapter 31 Resolving Connectivity Issues 695 Configuring Remote Access Connectivity The Advanced Configuration window opens ITT x SecuRemote SecureClient Remote Access YPN VPN Advanced Properties VPN IKE prope
587. the IKE SA must be renegotiated The IPSec SA is valid for an even shorter period meaning many IKE phase II s take place The period between each renegotiation is known as the fetime Generally the shorter the lifetime the more secure the IPSec tunnel at the cost of more processor intensive IKE negotiations With longer lifetimes future VPN connections can be set up more quickly By default IKE phase occurs once a day IKE phase II occurs every hour but the time out for each phase is configurable The IPSec lifetime can also be configured according to Kilo Bytes by using DBedit to edit the objects 5 0 c file The relevant properties are under the community set e ike_p2_use_rekey_kbytes Change from false default to true e ike_p2_rekey_kbytes Modify to include the required rekeying value default 50000 Perfect Forward Secrecy The keys created by peers during IKE phase II and used for IPsec are based on a sequence of random binary digits exchanged between peers and on the DH key computed during IKE phase I The DH key is computed once then used a number of times during IKE phase II Since the keys used during IKE phase II are based on the DH key computed during IKE phase there exists a mathematical relationship between them For this reason the use of a single DH key may weaken the strength of subsequent keys If one key is compromised subsequent keys can be compromised with less effort In cryptography Perfect F
588. the Nokia platform web user interface to a port other than 443 7 On SecurePlatform perform one of the following procedures To change the webui port run webui enable lt port number gt For example webui enable 444 To disable the webui port run webui disable To change a Voyager port on a Nokia platform run voyager e x S lt port number gt x represents the encryption level For more information run voyager h 9 Select Remote Access gt Office Mode 10 Configure office mode as described in Chapter 15 Office Mode on page 299 Note Office mode support is mandatory on the gateway side 11 Configure users and authentication Load Sharing Cluster Support SecureClient Mobile provides load sharing cluster support To enable load sharing cluster support Chapter 19 SecureClient Mobile 445 Configuring SecureClient Mobile 1 Double click the Gateway Cluster Object from the Network Object tab of the Objects Tree The Gateway Cluster Properties window opens S Note A load sharing cluster must be created before you can configure the sticky decision function 2 Select Cluster XL The Cluster XL tab opens 3 Click Advanced The Advanced Load Sharing Configuration window opens Figure 19 2 Advanced Load Sharing Configuration window Advanced Load Sharing Configuration Use sharing method based on lEs Ports OlPs M Use Sticky Decision Function Note Please refer to the on line he
589. the client The gateway uses a certificate signed by a Certificate Authority that the client trusts 6 A secure channel is established between the security gateway and the client Chapter 32 Clientless VPN 699 The Check Point Solution for Clientless VPN 700 Communication Phase In Figure 32 1 the VPN Security Server opens a connection to the web server The client connects to the server via the security gateway From now on all connections from the client to the security gateway are encrypted Every packet is sent encrypted to the gateway The gateway decrypts the packets and forward the packets in clear to the web server From the client s perspective the client and web server appear to be communicating directly but in fact the SSL secure channel terminates at the gateway Figure 32 1 Communication phase Web Server J Clear text not encrypted Client Security Gateway Content Security with Clientless VPN Since the security gateway now sees the packet in clear the packet can be inspected for content if content security is required User Authentication Users can authenticate if this is required Consider the example the employee needing to read company email from an Internet cafe Typically 1 The user is presented with a pop up window requesting a user name and password 2 The user supplies login details 3 The gateway verifies the user name and authenticates the password Alternativel
590. the client features without upgrading the corporate infrastructure For additional information on how to configure SSL Network Extender mode on a Check Point Security Gateway refer to the VPN User Guide For additional information on how to configure SSL Network Extender mode on a Connectra gateway refer to the Connectra Web Security Gateway guide SecureClient Mobile is supported on the Windows Mobile 2003 SE 5 0 operating system 422 Connectivity Features Connectivity Features When users access their organization from remote locations it is essential that not only are the normal requirements of secure connectivity met but also the following requirements of remote clients e Secure Connectivity Secure connectivity is guaranteed by the combination of authentication confidentiality and data integrity procedures employed for every connection e Application Connectivity The remote client must be able to access the organization from various locations even if it is behind a NAT device proxy or firewall The range of applications available must include web mail push VoIP and file sharing applications in addition to other more specialized applications required by the corporation Once authenticated remote users begin a session The session provides the context for which all encrypted traffic is processed until the user logs out disconnects or the session ends due to a timeout e Usability There are several options that enable
591. the closest gateway to destination by VPN domain Shared Secret Random selection for load distribution Advanced VPN Pre eee K Gel ite Mode Manually set priority list Set Select the closest gateway to source first to respond Tracking Log Return packet routing Returning packets can be routed according to IP pool NAT which is configured per gateway or by using the route injection mechanism configured under Tunnel Management Cancel Chapter 12 Multiple Entry Point VPNs 247 Configuring MEP 248 2 Select an entry point mechanism e First to respond e By VPN domain e Random selection e Manual priority list If By VPN domain or Manually set priority list is selected click Advanced to resolve how more than one gateway with equal priority should be selected I x When the chosen mechanism returns more than one optional entry point use the following method to make the final selection Random selection Cancel Help If Manually set priority list is selected click Set to create a series of MEP rules 3 Select a tracking option if required Configuring Implicit MEP First to Respond in an Overlapping Encryption Domain When more than one gateway leads to the same overlapping VPN domain they are considered MEPed by the remote VPN peer and the first gateway to respond to the probing protocol is chosen To configure first to respond define that part of the netwo
592. the domain where the internal names are defined This instructs the Client as per what suffix to add when it addresses the DNS server e g example com 6 Install the Policy Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the security gateway For instance in the example above it is required to add routes to the class C sub network of 10 130 56 0 through the gateway s IP address In addition to the steps mentioned for the gateway side configuration a few configuration steps have to be performed on the client side in order to connect to the gateway in Office Mode See Office Mode Configuration on SecureClient on page 323 Configuring Office Mode Configuring IP Assignment Based on Source IP Address The settings for the IP Assignment Based on Source IP Address feature are configured by editing a plain text file called user def This file is located in the FWDIR conf directory of the Security Management server which manages the enforcement modules used for remote access A range of source IP addresses must be defined along with a corresponding range of Office Mode addresses The FWDIR conf user def file can contain multiple definitions for multiple modules The first range defined per line is the source IP address range The second range defined per line is the Office Mode IP address range Figure 15 4 IP
593. the startup c file in a package When there are conflicting settings that is one setting is configured differently in two locations the settings configured in the highest priority location are applied For example if n o remember user password is set to true in dbedit and false in the TTM file SecureClient Mobile treats the property as true Route All Traffic Hub Mode When Hub Mode is enabled the gateway agrees to act as a VPN router for the client All connections the client opens either to the internal network or to other parts of the Internet pass through the gateway The packets are encrypted between the client and the gateway but pass in clear between the gateway and the client s peer In addition if the final destination of the connection is a machine behind another gateway and a VPN link is defined between both gateways the connection is routed along this link To enable Hub Mode in SmartDashboard 1 On the gateway open the Remote Access page and select Allow SecureClient to route traffic through this gateway 2 Click Policy gt Global Properties gt Remote Access gt SecureClient Mobile and select Yes in the Route all traffic through gateway drop down menu Alternatively use the GUIDBEdit tool set the property neo route all traffic _through_ gateway to true QE Note For more options refer to sk31873 and sk31367 452 Client Side Configuration Client Side Configuration Connecting to a Site
594. thin client is downloaded as an ActiveX component installed and then used to connect to the corporate network using the SSL protocol It is much easier to deploy a new version of the SSL Network Extender client than it is to deploy a new version of other conventional clients How the SSL Network Extender Works How the SSL Network Extender Works The SSL Network Extender solution comprises a thin client installed on the user s Desktop Laptop and an SSL enabled web server component integrated into the Security gateway To enable connectivity for clients using the SSL Network Extender a security gateway must be configured to support SecuRemote SecureClient in addition to a minor configuration specific to SSL Network Extender The SSL Network Extender may be installed on the user s machine by downloading it from a gateway R55 HFA10 or higher Chapter 30 SSL Network Extender 629 Commonly Used Concepts Commonly Used Concepts This section briefly describes commonly used concepts that you will encounter when dealing with the SSL Network Extender It is strongly recommended that you review the Remote Access VPN section of this book before reading this guide In This Section Remote Access VPN page 630 Remote Access Community page 630 Office Mode page 630 Visitor Mode page 631 Endpoint Security on Demand page 631 Remote Access VPN Refers to remote users accessing the network with client software such as SecuRemote
595. this suffix Chapter 14 Introduction to Remote Access VPN 287 VPN for Remote Access Configuration Configure Certificates Using Third Party PKI 288 Using third party PKI involves creating e A certificate for the user and e A certificate for the gateway You can use a third party OPSEC PKI certificate authority that supports the PKCS 12 CAPI or Entrust standards to issue certificates for security gateways and users The gateway must trust the CA and have a certificate issued by the CA For users managed on an LDAP server the full distinguished name DN which appears on the certificate is the same as the user s name But if the user is managed on the internal database the user name and DN on the certificate will not match For this reason the user name in the internal database must be either the full DN which appears on the certificate or just the name which appears in the CN portion of the certificate For example if the DN which appears on the certificate iS CN John OU Finance O Widget Enterprises C US The name of the user on the internal database must be either e John or e CN John OU Finance O Widget Enterprises C US Note The DN on the certificate must include the user s LDAP branch Some PKI solutions do not include by default the whole branch information in the subject DN for example the DN only includes the common name This can be rectified in the CA configuration To use a third party PKI solution
596. tiation thus considerably slowing the establishment of the VPN tunnel Because of these performance implications it is recommend that CRL caching be disabled only when the level of security demands continuous CRL retrieval Chapter 5 Public Key Infrastructure 99 Supporting a Wide Variety of PKI Solutions 100 Special Considerations for the CRL Pre fetch Mechanism The CRL pre fetch mechanism makes a best effort to obtain the most up to date list of revoked certificates However after the cpstop cpstart commands have been executed the cache is no longer updated The gateway continues to use the old CRL for as long as the old CRL remains valid even if there is an updated CRL available on the CA The pre fetch cache mechanism returns to normal functioning only after the old CRL expires and a new CRL is retrieved from the CA In case there is a requirement that after cpstop cpstart the CRL s will be updated immediately proceed as follows e After executing cprestart run crl_zap to empty the cache or e In Global Properties gt SmartDashboard Customization gt Configure gt Check Point CA properties gt select flush_crl_cache_file_on_install x Check Point CA properties SecuRemote SecureClient VPN Advanced Properties Check Point CA properties 4 E FireWall 1 cert_req_ext_key_usage 0 SmartCenter User Defined inai V flush_crl_cache_file_on_install IT flush_crl_cach
597. tion and determines whether to send a log to the Security Management server and the client s diagnostic tool specifying that the client is not SCVed The word type should be replace by the type of log to send such as log alert Alert means sending a log to the Security Management server while log means sending the log to the remote client s diagnostic tool e mismatchmessage Message This expression is used as part of the begin_admin admin end admin section and specifies that a popup message should be shown on the remote user s desktop indicating the problem The text in the inverted commas Message should be replaced by a meaningful text which should instruct the client about the possible sources of the problem and the action he should perform Chapter 23 Secure Configuration Verification 533 Configuring SCV For example browser major version 5 browser minor version 0 browser version operand gt begin_admin admin send_log alert mismatchmessage The version of your Internet Explorer browser is old For security reasons users with old browsers are not allowed to access the local area network of the organization Please upgrade your Internet Explorer to version 5 0 or higher If you require assistance in upgrading or additional information on the subject please contact your network administrator send admin In this example if the user s IE browser s
598. tion from the installation dialogs Chapter 29 Userc C and Product ini Configuration Files 623 Product ini Parameters Table 29 1 Parameters for Product ini Parameter bold indicates the default ShowRestart 0 1 Meaning Determine whether Do you want to restart dialog will be shown RestartAfterInstall 0 1 O Do no restart after installation 1 Restart after installation ShowRebootWarning 0 1 Suppress the message The installation will complete after reboot IncludeBrandingFiles 0 1 Determines whether the files authmsg txt and logo bmp used for customizing the Authentication dialog will be copied during installation See the userc C options section for more details on use ext _auth_msg and use_ext logo bitmap EnableSDL 0 1 Sets the value of Secure Domain Logon SDL during installation If the value is 1 SDL will be enabled during installation SdlNetlogonTimeout Seconds 0 Set timeout for the operating system Net Logon if O do not change the current value Support3rdPartyGina 0 1 SecuRemote Client NG allows using third party GINA DLLs for authentication If this property is not selected the Windows GINA DLL will be used by default Enabling this property may conflict with SDL operation if a third party GINA DLL is used En ablePolicyView 0 1 Enable the Policy View in the SecureClient Diagnostics application En ableLogView 0 1 Enable t
599. tionCallback This function registers with the service notifications to be sent to the client Prototype TRAPI CPAPI TrStatus TrRegisterNotificationCallback NotificationCbFunctor cb void clientOpaque int eNotificationType TR NOTIFICATION ALL Arguments Functions from Service to Client Argument NotificationCbFunctor cb IN OUT Meaning the registered callback clientOpaque client s opaque eNotificationType the notification type e TR_NOTIFICATION NETWORK_TYPE 1l lt lt 16 e TR_NOTIFICATION_CONNECTION_TY PE l lt lt 17 e TR_NOTIFICATION_SUGGEST_CONNE CT_TYPE 1 lt lt 18 e TR_NOTIFICATION_TRAC_STOP_TYPE 1 lt lt 19 e TR_NOTIFICATION LOG_TYPE 1 lt lt 20 e TR_NOTIFICATION AUTH_TYPE 1 lt lt 21 e TR_NOTIFICATION_ DOWNLOAD_TYPE 1 lt lt 22 e TR_NOTIFICATION CLIENT _TYPE 1 lt lt 23 e TR _NOTIFICATION_ICS_TYPE 1 lt lt 24 e TR _NOTIFICATION ALL 32767 lt lt 16 For example to receive only notifications of type network connection and stop notifications then eNotificationType should be equal to TR_NOTIFICATION_NETWORK_TYPE TR_NOTIFICATION_CONNECTION_TYP E TR_NOTIFICATION_TRAC_STOP_TYPE Chapter 18 Endpoint Connect API 407 Functions from Service to Client 408 TrUnregisterNotificationCallback Unregisters the notification callback Prototype TRAPI CPAPI TrStatus TrUnregisterNotificationCallback
600. tomatically used by the browser when connecting to an SSL Network Extender gateway To import a client certificate a Open the downloaded PKCS 12 file The following Certificate Import Wizard window appears 658 SSL Network Extender User Experience Figure 30 9 Certificate Import Wizard window Certificate Import Wizard Welcome to the Certificate Import Wizard This wizard helps you copy certificates certificate trust lists and certificate revocation lists from your disk to a certificate store A certificate which is issued by a certification authority is a confirmation of your identity and contains information used to protect data or to establish secure network connections A certificate store is the system area where certificates are kept To continue click Next b Click Next The following File to Import window appears Figure 30 10File to Import window Certificate Import Wizard on x File to Import Specify the file you want to import Eile name NLOCALS 1ITEMPOR 1 Content IES WDZJOLANIREGIST 1 P13 Browse Note More than one certificate can be stored in a single file in the Following Formats Personal Information Exchange PKCS 12 PFX P12 Cryptographic Message Syntax Standard PKCS 7 Certificates P7B Microsoft Serialized Certificate Store 5ST lt ac conei The P12 file name is displayed c Click Next The following Password window appears Chapter
601. top Policy command line interface Command Description dtps ver This command displays the policy server version dtps debug on off This command starts or stops the debug printouts to SFWDIR log dtps elg fwm psload lt path to desktop policy file gt lt target gt This command loads the desktop policy onto the module The target is the name of the module where the desktop policy is being loaded and should be entered as it appears in SmartDashboard This command should be run from the management For example fwm psload SFWDIR conf Standard S Server 1 fwm sdsload lt path to SDS objects file gt lt target gt This command loads the SDS database onto the module The target is the name of the module where the SDS objects file is being loaded and should be entered as it appears in SmartDashboard This command should be run from the management For example fwm sdsload SFWDIR conf SDS_objects C Server 1 Appendix B Converting a Traditional Policy to a Community Based Policy In This Chapter Introduction to Converting to Simplified VPN Mode page 718 How Traditional VPN Mode Differs from a Simplified VPN Mode page 719 How an Encrypt Rule Works in Traditional Mode page 720 Principles of the Conversion to Simplified Mode page 722 Placing the Gateways into the Communities page 723 Conversion of Encrypt Rule page 724 When the Converted Rule Base is too Restrictive page 725 Conversion of Client Encrypt Rules page 726 C
602. tor cb in the registered callback clientOpaque in client s opaque to the callback Notification Identifiers TrNotificationID Identifiers for each notification Prototype enum TrNotificationID NotificationID Meaning and Format DISCONNECTED TR NOTIFICATION NETWORK OUT The client is located outside of the VPN domain TR_NOTIFICATION NETWORK IN The client is located within the VPN domain R NOTIFICATION NETWORK NO No network available NETWORK TR NOTIFICATION CONNECTION_ Connection disconnected Disconnect reason type eTrArgTypeStr val a string representing the disconnect reason default_text NULL R NOTIFICATION CONNECTION _ ECONNECTING AH Reconnecting Reconnecting reason type eTrArgTypeStr val a string representing the reconnecting reason default_text NULL Chapter 18 Endpoint Connect API 399 Notification Identifiers NotificationID TR_NOTIFICATION TRAC STOP Meaning and Format Service is stopped TR_NOTIFICATION LOG Logs message Log string type eTrArgTypeStr val the log s string default_text NULL TR_NOTIFICATION UPGRADE Client upgrade is required upgrade string type eTrArgTypeStr val the upgrade s string default_text NULL TR_NOTIFICATION CLIENT UPGR ADE Upgrade notification sent by the client to the service Pe
603. trators need to cope with different means of implementation of the IPSec framework VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer gateways There are three available settings e One VPN tunnel per each pair of hosts e One VPN tunnel per subnet pair e One VPN tunnel per Gateway pair Chapter 7 Tunnel Management 167 Configuring Tunnel Features Configuring Tunnel Features In This Section Permanent Tunnels page 170 Tracking Options page 174 Terminating Permanent Tunnels page 174 VPN Tunnel Sharing page 174 Monitoring Tunnels page 175 To configure Tunnel Management options proceed as follows 1 In SmartDashboard click Manage gt VPN Communities The VPN Communities window will appear 2 Select the community star or meshed to be configured and click Edit Click Tunnel Management The Tunnel Management window is displayed 168 Configuring Tunnel Features Figure 7 2 Meshed Communities Properties Tunnel Management page Heshed Comaunity Properties rseshed_saaple xi General Tunnel Management Participating Gateways VPN Properties Tunnel Management Advanced Settings IV Set Permanent Tunnels Permanent Tunnels C On all tunnels of specific Gateways Select Gateways C On specific tunnels in the community Select Permanent Tunnels IV Enable Route Injection Mechanism RIM Settings Tunnel down track Log hd Tunne
604. tunnel they need to authenticate to each other This authentication is performed either by means of certificates or with a pre shared secret Certificates are considered to be a stronger form of authentication Choosing the Certificate Authority If the gateways use certificates the certificates can be issued either by the Internal Certificate Authority ICA on the Security Management server or by a third party OPSEC certified CA The Internal CA makes it very easy to use PKI for Check Point applications such as site to site and remote access VPNs However an administrator may prefer to continue using a CA that is already used within the organization for generalized applications such as secure email and disk encryption If the gateways are both internally managed and use certificates for authentication the easiest strategy is for both gateways to present a certificate signed by the Internal CA Chapter 13 Traditional Mode VPNs 257 Configuring Traditional Mode VPNs Configuring Traditional Mode VPNs In This Section Editing a Traditional Mode Policy page 258 Configuring VPN Between Internal Gateways using ICA Certificates page 259 VPN Between Internal Gateways Using Third Party CA Certificates page 260 Configuring VPN with Externally Managed Gateways Using Certificates page 261 Configuring a VPN using a Pre Shared Secret page 263 Editing a Traditional Mode Policy An existing Traditional Mode policy will open in Traditio
605. ture use check box is selected the Server Confirmation window will not appear the next time the user attempts to login Once the user has confirmed the ESOD server an automatic software scan takes place on the client s machine Upon completion the scan results and directions on how to proceed are displayed as shown in Figure 30 6 SSL Network Extender User Experience Figure 30 6 Scan Results ESOD not only prevents users with potentially harmful software from accessing your network but also requires that they conform to the corporate antivirus and firewall policies as well A user is defined as having successfully passed the ESOD scan only if he she successfully undergoes scans for Malware Anti Virus and Firewall Each malware is displayed as a link which if selected redirects you to a data sheet describing the detected malware The data sheet includes the name and a short description of the detected malware what it does and the recommended removal method s Chapter 30 SSL Network Extender 655 SSL Network Extender User Experience The options available to the user are configured by the administrator on the ESOD server The options are listed in the following table Table 30 2 Scan Options Scan Option Description Scan Again Allows a user to rescan for malware This option is used in order to get refreshed scan results after manually removing an undesired software item Cancel Prevents the user from proceedi
606. twork Properties General tab set the DHCP address range as follows e In Network Address specify the first address that is used e g 10 130 56 0 e In Net Mask enter the subnet mask according to the amount of addresses that is used entering 255 255 255 0 for example designates that all 254 IP addresses from 10 130 56 1 until 10 130 56 254 are set aside for remote host Office Mode addresses on the DHCP server 6 Configuring Office Mode e Changes to the Broadcast Address section and the Network Properties NAT tab are not necessary e Close the network object properties window Return to the gateway object open the Remote Access gt Office Mode page In the Additional IP addresses for Anti Spoofing select the network object you have created with the IP address range you have set aside for Office Mode on the DHCP server Install the policy Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the security gateway For instance in the example above it is required to add routes to the class C sub network of 10 130 56 0 through the gateway s IP address In addition to the steps mentioned for the gateway side configuration a few configuration steps have to be performed on the client side in order to connect to the gateway in Office mode See Office Mode Configuration on SecureClient on page 323 aS
607. ually by the administrator Once the CA issues the certificate the administrator can complete the process by importing the certificate to the Security Management server A certificate can also be obtained for the gateway using Automatic Enrollment With Automatic Enrollment you can automatically issue a request for a certificate from a trusted CA for any gateway in the community Automatic Enrollment supports the following protocols e SCEP e CMPV1 e CMPV2 Note During SCEP enrollment some HTTP requests may be larger than 2K and may be dropped by the HTTP protocol inspection mechanism if enabled Web Intelligence gt OS HTTP Protocol Inspection gt HTTP Format Sizes A change of the default value will be required to enable these HTTP requests If enrollment still fails enrollment must be done manually For more information see the PS Administraton Guide Chapter 5 Public Key Infrastructure 97 Supporting a Wide Variety of PKI Solutions 98 Validation of a Certificate When an entity receives a certificate from another entity it must 1 Verify the certificate signature i e verify that the certificate was signed by a trusted CA If the certificate is not signed directly by a trusted CA but rather by a subsidiary of a trusted CA the path of CA certificates is verified up to the trusted CA 2 Verify that the certificate chain has not expired 3 Verify that the certificate chain is not revoked A CRL is retrieved to con
608. ub sets Each set has a certain purpose which was predefined for it For example one set can be used to define certain parameters another could specify certain actions that should take place in a certain event etc Sets are differentiated by their names and hierarchy in a recursive manner Each set can have a sub set and each sub set can have a sub set of its own and so on Subsets can also contain logical expressions Sets and sub sets with more than one sub sets conditions are delimited by left and 530 Configuring SCV right parentheses and start with the set sub set name Differentiation between sub sets expressions with the same hierarchy is done using the colon For example SetName SubSetNamel ExpressionNamel 1 5 ExpressionNamel 2 false SubSetName2 ExpressionName2 1 true SubSetName2_1 ExpressionName2 1 1 10 In the example above the set named SetName has two subsets SubSetName1 and SubSetName2 SubSetName1 has two conditions in it ExpressionName1_1 and ExpressionName1_2 SubSetName2 has one condition ExpressionName2_1 and one subset SubSetName2_1 in it SubSetName2_1 has one condition as well ExpressionName2_1_1 Expressions Expressions are evaluated by checking the value of the expression which corresponds to an SCV check and comparing it with the value defined for the expression the value in the parentheses For example in the browser monitor SCV chec
609. ult two predefined empty community objects One is a site to site VPN intranet community a Mesh community and the other is a remote access community If these are the only two Communities the wizard gives you the choice of simply placing all gateways into the Site to Site Community and placing all Remote Access gateways into the Remote Access Community AppendixB 723 Conversion of Encrypt Rule 724 After gateways have been placed into Communities the Encrypt rules are converted The converted rule base preserve the behavior of the Encrypt rule in Simplified VPN Mode to the greatest extent possible Encrypt rules are converted by the Conversion wizard to two rules Table B 2 A converted rule in a simplified Rule Base Src Dest VPN Service Action Track Install On X Y All_GW_to_GW My_Services Accept Log Policy Targets X Y Any My_Services Drop Log Policy Targets The first rule says that the connection is matched and is allowed if the connection originates at X and its destination is Y within any Site to Site Community The second rule says that if a connection originates at X and has the destination Y but is not encrypted or decrypted by any site to site community the connection should be dropped The second rule the Drop rule is needed where either the source or the destination are not in the VPN Domain In the Traditional policy the Encrypt rule would drop this connection If th
610. unavailable The ODL s metric must be set to be larger than a configured minimum in order for it to be considered an ODL For more information see On Demand Links ODL on page 218 Chapter 11 Link Selection 211 Using Link Selection 212 For IKE and RDP sessions Route Based probing uses the same IP address and interface for responding traffic Route Based probing is only supported on the SecurePlatform Linux and Nokia IPSO platforms Using Route Based Probing The local gateway using RDP probing considers all possible routes between itself and the remote peer gateway The gateway then decides on the most effective route between the two gateways as shown in Figure 11 1 Figure 11 1 Route Based Probing Peer Security Gateway B 192 168 30 10 192 168 30 20 192 168 40 10 192 168 40 20 Internet 192 168 10 10 192 168 20 20 192 168 20 10 Security Gateway A In this scenario gateway A has two external interfaces 192 168 10 10 and 192 168 20 10 Peer gateway B also has two external interfaces 192 168 30 10 and 192 168 40 10 For gateway A the routing table reads Table 11 1 Destination Netmask Next hop Metric 192 168 40 10 255 255 255 0 192 168 10 20 1 192 168 40 10 255 255 255 0 192 168 20 20 2 Using Link Selection For gateway B the routing table reads Table 11 2 Destination Netmask Next hop Metric 192 168 20 10 255 255 255 0 192 168 40 20 1 192 168 2
611. unnel connect to the internal interface which is part of the encryption domain The SSL Network Extender gateway allows users to authenticate themselves via certificates Therefore when connecting to the SSL Network Extender gateway the following message may appear The Web site you want to view requests identification Select the certificate to use when connecting In order not to display this message to the users two solutions are proposed 1 On the client computer access the Internet Explorer Under Tools gt Options gt Security tab select Local intranet gt Sites You can now add the SSL Network Extender gateway to the Local intranet zone where the Client Authentication pop up will not appear Click Advanced and add the gateway s external IP or DNS name to the existing list 2 On the client computer access the Internet Explorer Under Tools gt Options gt Security tab select Internet Zone gt Custom Level In the Miscellaneous section select Enable for the item Don t prompt for client certificate selection when no certificates or only one certificate exists Click OK Click Yes on the Confirmation window Click OK again Note This solution will change the behavior of the Internet Explorer for all Internet sites so if better granularity is required refer to the previous solution If the client computer has SecuRemote SecureClient software installed and is configured to work in transparent mode and
612. ure Configuration Verification on page 519 Connectivity Features e Office mode addresses see Office Mode on page 299 e Visitor mode see Resolving Connectivity Issues on page 675 e Hub mode see Hub Mode VPN Routing for Remote Clients on page 560 Management Features e Automatic software distribution see Packaging SecureClient on page 479 e Advanced packaging and distribution options see Packaging SecureClient on page 479 e Diagnostic tools The Check Point Solution for Remote Access Establishing a Connection Between a Remote User and a Gateway To allow the user to access a network resource protected by a security gateway a VPN tunnel establishment process is initiated An IKE Internet Key Exchange negotiation takes place between the peers During IKE negotiation the peers identities are authenticated The gateway verifies the user s identity and the client verifies that of the gateway The authentication can be performed using several methods including digital certificates issued by the Internal Certificate Authority ICA It is also possible to authenticate using third party PKI solutions pre shared secrets or third party authentication methods for example SecurlID RADIUS etc After the IKE negotiation ends successfully a secure connection a VPN tunnel is established between the client and the gateway All connections between the client and the gateway s
613. ure the upgrade is done using the neo upgrade mode neo upgrade version and neo upgrade_url properties Installing SecureClient Mobile Installing SecureClient Mobile SecureClient Mobile Gateway Side Installation Full SecureClient Mobile SCM support is available starting from R65 for VPN1 gateways and Security Management server and from R62 for Connectra standalone gateways For R62 Connectra gateway installation and configuration please refer to Connectra documentation For earlier gateways and Security Management server versions one should follow the below installation instructions In order to centrally manage the gateways a management patch should be installed on the Security Management server earlier than R65 although this is not mandatory If SCM support is only installed on the gateways then configuration must be applied to each gateway individually A SecureClient Mobile user can connect to a gateway that does not have SCM support installed or to a gateway with SCM support installed but not enabled through the SSL Network Extender settings Module Support SecureClient Mobile SCM support is built in on these gateway versions e R60 HFA_04 or later e R61 HFA_O1 or later e R62 or later Note After installing the HFA one further manual step is needed in most cases When HFA is installed it does not override any existing configuration files Instead the configuration file are copied to the conf folder with
614. uring that there are no popups on the LAN when disconnected Global stop connect when silent update fails true false If trying to connect in silent_update_on_connect mode and the topology update fails the connection will fail Global Userc C File Parameters go online days before expiry 0 The number of days before Entrust automatic key rollover certificate renewal Zero equals never Global go online always true false When true will attempt the LDAP entrust ini protocol after successful IKE negotiation Global implicit _disconnect_threshold 900 When losing connectivity on physical adapter SecuRemote SecureClient keeps the connected state for the amount of time in seconds specified by implicit_disconnect_threshold If the time elapses or if connectivity resumes with a different IP address SecuRemote SecureClient disconnects This is useful in network environments with frequent network disconnection such as wireless Global active test Active tests configuration Global log_all_blocked_connections Used internally to indicates the mode and reflects the state of the GUI checkbox Do not modify Global cache password Used internally to save the state of the checkbox called Remember password as per site settings Do not modify Global dns _xlate true false Turn off the split DNS feature May be needed in versions prior to NG FP3 In later ve
615. us Java and ActiveX options e Registry Monitor verifies that a certain key or value is present in the system registry RegMonitor may check not only for the existence exclusion of keys but also their content e ScriptRun runs a specified executable on SecureClient machine and tests the return code of the executable e g a script that checks whether a certain file is present and sets a return code accordingly ScriptRun can run a script which performs additional configuration checks e Anti Virus Monitor detects whether an Anti Virus program is running and checks its version Supported Anti Virus programs Norton Trend Office Scan and McAfee e CVMonitor verifies the version of the SCV product specifically the versions of the SCV DLLs installed on the client s machine e HWMonitor verifies the CPU type family and model Third Party SCV Checks SCV checks can be written by third party vendors using Check Point s OPSEC SCV SDK After these applications are installed the administrator can use these SCV checks in the SCV Policy Chapter 23 Secure Configuration Verification 525 The Secure Configuration Verification Solution Ss 526 Additional Script Elements e SCVpolicy selects SCV checks out of the ones defined in SCVNames see SCVNames on page 535 that will run on the user s desktop e CVGlobalParams is used to define general SCV parameters A network administrator can easi
616. users All communications between the remote users and the gateways VPN domains are secured authenticated and encrypted according to the parameters defined for Remote Access communications in SmartDashboard Global Properties Identifying Elements of the Network to the Remote Client SecuRemote SecureClient needs to know the elements of the organization s internal network before it can handle encrypted connections to and from network resources These elements known as a topology are downloaded from any security gateway managed by the Security Management server A site s topology information includes IP addresses on the network and host addresses in the VPN domains of other gateways controlled by the same Security Management server If a destination IP is inside the site s topology the connection is passed in a VPN tunnel When the user creates a site the client automatically contacts the site and downloads topology information and the various configuration properties defined by the administrator for the client This connection is secured and authenticated using IKE over SSL The site s topology has a validity timeout after which the client would download an updated topology The network administrator can also configure an automatic topology update for remote clients This requires no intervention by the user The Check Point Solution for Remote Access Connection Mode The remote access clients connect with gateways using Conn
617. using MEP interface resolving or interface High Availability 590 Early SecuRemote SecureClients Versions Early SecuRemote SecureClients Versions Check Point s recommended upgrade sequence is Security Management server followed by Modules followed by SecuRemote SecureClients There will then be a period of time during which earlier version SecuRemote SecureClients will be connecting to upgraded Modules If any of these SecuRemote SecureClients are Version 4 1 backwards compatibility must be enabled in the Early Versions Compatibility page under Remote Access of the Global Properties window Required policy for all desktops defines the type of policy that will be enforced on Version 4 1 Clients From NG forward the security policy applied to SecuRemote SecureClient is automatically the policy defined in the Desktop Security Rule Base For Version 4 1 Clients you must decide whether or not to enforce a policy and if yes whether or not to allow e all outgoing and all encrypted connections e only outgoing connections e only encrypted connections If you select Client is enforcing required policy an additional SCV check which verifies the Client s security policy is performed Chapter 27 Remote Access Advanced Configuration 591 Resolving Internal Names with the SecuRemote DNS Server Resolving Internal Names with the SecuRemote DNS Server The Problem The SecuRemote SecureClient must resolve the names of internal host
618. ustering Two or more gateways that provide the same topology and named with one DNS name SecureClient Mobile can resolve a DNS name to all of its IP addresses SCM can attempt to connect to up to 10 IP addresses per DNS name SCM attempts to connect to each IP address until it succeeds Support for this feature is transparent to any algorithm used by the DNS server for load sharing or priority ordering e g Round Robin enabling effective load sharing This type of clustering does not provide session continuation in case of a gateway failure the equivalent of MEP with fully overlapping encryption domain can be achieved using the aS Note SecureClient Mobile does not support traditional MEP Multiple Entry Points but DNS based clustering Gateway History SecureClient Mobile retains the details of the gateways to which it was previously connected This enables users to more readily access a gateway without having to re enter the gateway s information Allow Clear Traffic During ActiveSync and When Disconnected Corporate users who use SecureClient Mobile to access their corporate network from home or from the road with their mobile devices may also wish to use SecureClient Mobile in the office where network traffic encryption is not necessary SecureClient Mobile can be configured to allow clear not encrypted traffic while in ActiveSync the device is cradled to the PC which serves as a kind of NAT access the network Tr
619. uthentication tab In the Policy Server gt Users section select a group of users that is allowed to retrieve policies from this Policy Server Repeat steps 2 and 3 for each additional Policy Server Go to Policy gt Global Properties and select the Remote Access tab In Revert to default policy after select the time out for desktop security policies see Policy Renewal on page 495 for more information In the policy selection toolbar select Desktop Security Configure the inbound rules Using the Rules gt Add Rule menu item you can add rules to the policy In inbound rules the SecureClient the desktop is the destination and you can specify the users to which the rule is to be applied Configure the outbound rules In outbound rules the SecureClient the desktop is the source and you can specify the users to which the rule is to be applied Install the policy Be sure to install both the Advanced Security policy on the gateways and the Desktop Security policy on your Policy Servers Configuring Desktop Security Client Side Configuration Connect Mode 1 Double click your SecureClient icon at the bottom right side of you desktop and press Properties 2 Choose Logon to Policy Server if you wish to logon to a Policy Server automatically after connecting to a site 3 Select Support Policy Server High Availability if your site has several Policy Servers and you want SecureClient to attempt to load balance betw
620. ve Destination Encapsulation Status Delete On Unnumbered tun0c0 o oF tun0cO sample eth s3p1c0 ink FWVPN ORSIL Create anew FWVPN tunnel interface with Peer GW Object Name Proxy eth s3p1c0 moe 0 158 Configuring Unnumbered VTIs To enable dynamic routing protocols on the Nokia IPSO platform using Nokia Network Voyager see the Nokia Network Voyager Reference Guide Chapter6 Route Based VPN 159 Routing Multicast Packets Through VPN Tunnels Routing Multicast Packets Through VPN Tunnels 160 Multicast is used to transmit a single message to a select group of recipients IP Multicasting applications send one copy of each datagram IP packet and address it to a group of computers that want to receive it This technique addresses datagrams to a group of receivers at the multicast address rather than to a single receiver at a unicast address The network is responsible for forwarding the datagrams to only those networks that need to receive them For more information on Multicasting see Multicast Access Control in the Firewall Administration Guide Multicast traffic can be encrypted and forwarded across VPN tunnels that were configured using VPN tunnel interfaces virtual interfaces associated with the same physical interface All participant gateways both on the sending and receiving ends must have a virtual interface for each VPN tunnel and a multicast
621. ve one of two possible topologies meshed or star To configure an internally managed VPN meshed community create the network objects gateways first and then add them to the community 1 In the Network Objects tree right click Network Objects gt New gt Check Point gt Gateway Select Simple mode wizard or Classic mode The Check Point Gateway properties window opens a On the General Properties page after naming the object and supplying an IP address select VPN and establish SIC communication b On the Topology page click Add to add interfaces Once an interface appears in the table clicking Edit opens the Interface Properties window c In the Interface Properties window define the general properties of the interface and the topology of the network behind it d Still on the Topology page VPN Domain section define the VPN domain as either all the machines behind the gateway based on the topology information or manually defined i As an address range ii As a network iii AS a group which can be a combination of address ranges networks and even other groups There are instances where the VPN domain is a group which contains only the gateway itself for example where the gateway is acting as a backup to a primary gateway in a MEPed environment The network gateway objects are now configured and need to be added to a VPN community Note There is nothing to configure on the VPN page regarding cert
622. ver used to authenticate the user Using one of the following methods Manual using IP pool Note Define the IP Pool addresses on each cluster member O Automatic using DHCP Optional Parameters Multiple Interfaces Support connectivity enhancement for gateways with multiple external interfaces Anti Spoofing Perform Anti Spoofing on Office Mode addresses Configuring the SSL Network Extender Sharing Configuration window Customizing the SSL Network Extender Portal You can modify the SSL Network Extender Portal by changing skins and languages Configuring the Skins Option To configure the Skins Option The skin directory is located under FWDIR conf extender on the SSL Network Extender gateways There are two subdirectories They are e chkp contains skins that Check Point provides by default At upgrade this subdirectory may be overwritten e custom contains skins defined by the customer If custom does not exist yet create it At upgrade this subdirectory is not overwritten New skins are added in this subdirectory Chapter 30 SSL Network Extender 647 Configuring the SSL Network Extender Disabling a Skin 1 Enter the specific skin subdirectory under custom that is to be disabled and create a file named disable This file may be empty 2 Ifthe specific skin does not exist under custom create it and then create a file within it named disable 3 Install Policy
623. via Suerte glue e states 529 Server Side Configurations a en iapa dang dohany Pees aaar aTi ee 529 Client Side Gontigtirationis 2 22 s c6c85 la deveehedeel ea aa techie Sooube swe A a 530 SGV POliGy Syntax sasey scission daha AEA eee caadatetia cates uee A E neees 530 The local SCV Setsaas Gaden oh tee taste ee da e Soe dea Ear a notes 534 A Complete Example of a local Scv File ccccccceccseecescceeeeeeeeeseaeeeeeeeeeseees 536 COMMON Attributes eei e neea vail ae re aves yodtews iadeabvadse vi baddaes sade athaed 542 Chapter 24 VPN Routing Remote Access The Need tor VPN ROUTING is stots or ape denen is a a a aa 558 Check Point Solution for Greater Connectivity and Security ccccccsseeeeeeeeees 559 Hub Mode VPN Routing for Remote Clients ccccececceeeeeeesaeeeeeeeseeeeees 560 Configuring VPN Routing for Remote Access VPN cccccseeeeeaeeeeseceseeeeeseeees 564 Enabling Hub Mode for Remote Access clients c cccccseecceseeeeaeeeeeneeeeaees 564 Configuration of Client to Client Routing by Including the Office Mode Range of Table of Contents 15 Addresses in the VPN Domain of the Gateway ccccsecseeecneeeeeeeeeeaeeeaees 565 Client to Client via Multiple Hubs Using Hub Mode cccccseeeeeseeeeeeeeeees 565 Chapter 25 Link Selection for Remote Access Clients OVENVIGW E AE EAE E eee ee el Se eee T TAT 568 IP Selection by Remote Peers cccccceeccesceeecee
624. vice page 217 Gateway with a Single External Interface This is the simplest case In Figure 11 2 the local gateway has a single external interface for VPN Figure 11 2 Single IP for VPN Check Point Security Gateway Now consider configuration for the local gateway in terms of e How peer gateways select an IP on the local gateway for VPN traffic Since there is only one interface available for VPN e For determining how remote peers discover the local gateways IP for VPN select Main address or choose an IP address from the Selected address from topology table drop down menu e If the IP address is located behind a static NAT device select Statically NATed IP Chapter 11 Link Selection 215 Link Selection Scenarios 216 To configure see Resolving Addresses via Main and Single IPs on page 223 Gateway with a Dynamic IP Address DAIP A VPN tunnel negotiation with a DAIP gateway can only be initiated using DNS resolving since the IP address of the DAIP gateway cannot be known in advance The peer gateway can then resolve the DAIP gateways IP address by using its hostname The hostname can be entered on the Link Selection page or can be derived from the global properties page Without DNS resolving a DAIP gateway can only initiate a connection The second connection can be initiated by the peer gateway as long as the IP address of the DAIP gateway has not changed To configure see Resolving Addresses usi
625. w Encrypted Only Only VPN traffic originating from or destined to the encryption domain are permitted and only when the client is connected The administrator can also define a few other rules to apply on the client firewall 1 2 oP A policy to allow disallow ActiveSync device to PC sync communications This is useful when it is required that the users do not sync their device with an unauthorized PC A policy to drop all non encrypted traffic destined to the VPN domain This is mostly combined with Hub Mode and Allow Encrypted Only to achieve maximum security and stop address leak prevention A policy that disables packet forwarding on the device This disables IP Forwarding done by the device IP stack to disable the usage of the device as a router Configure these features using the neo enable firewall policy neo firewall policy neo enable activesync neo enable ip forwarding neo policy expire and neo allow clear while disconnected properties Chapter 19 SecureClient Mobile 431 Connectivity Policy Connectivity Policy 432 Allows the admin to define the way the client operates its connectivity features This includes the Always connected Disconnect in ActiveSync Hub Mode as described above Some other properties include ability to connect to a new gateway that was not pre defined by the admin the requirement for gateway finger print approval etc General GUI Policy General GUI Policy Al
626. whether to attempt IKE over TCP or not Managers Chapter 29 Userc C and Product ini Configuration Files 615 Userc C File Parameters 616 suppress ike keepalive true false If the IPsec keepalive is turned on and the value of the property suppress_ike_keepalive is false empty UDP packets will be sent to the gateway destination port 500 The UDP keepalive packets are sent only if there is an IKE SA with the peer and if UDP encapsulation was chosen Managers default _phasel_dhgrp This field indicates which DH group to use for IKE phase 1 before the client has a topology If the flag does not exist group 2 will be used Global to_expire true false Whether or not to have a timeout for the phase2 IKE authentication This property can also be controlled in SmartDashboard Managers expire 120 Timeout of IKE phase2 This property can also be controlled in SmartDashboard Managers ICA ip address The IP address of the Internal CA Global allow capi true false Allow the disabling of CAPI storage to Internal CA registration Global allow p12 true false Allow the disabling of p12 file storage to Internal CA registration Global trust_whole certificate chain true false This attribute improve connectivity where there is a Certificate hierarchy and the CA trusted by the gateway is a subordinate CA not necessarily a direct subordinate of the client trus
627. wntime The Check Point Solution The Check Point Solution Wire Mode was designed to improve connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement Traffic within a VPN community is by definition private and secure In many cases the firewall and the rule on the firewall concerning VPN connections is unnecessary Using Wire Mode the firewall can be bypassed for VPN connections by defining internal interfaces and communities as trusted When a packet reaches a gateway the gateway asks itself two questions regarding the packet s 1 Is this information coming from a trusted source 2 Is this information going to a trusted destination If the answer to both questions is yes stateful inspection is not enforced and the traffic between the trusted interfaces bypasses the firewall when the VPN Community to which both gateways belong is designated as Wire Mode enabled Since no stateful inspection takes place the possibility of packets being discarded does not exist The VPN connection is no different from any other connection along a dedicated wire This is the meaning of Wire Mode Since stateful inspection no longer takes place dynamic routing protocols which do not survive state verification in non wire mode configuration can now be deployed Wire Mode thus facilitates Route Based VPN For information on Route Based VPN see Route Based VPN on pag
628. y 480 minutes VPN IKE Pha VPN IPSEC P Connectivity Settings Certificates Secure Configu Connect mode Configured on endpoint client x SSL Network E z os y fi SecureClient Mc Location Aware Connectivity v Configure Endpoint Conne Disconnect when connectivity to network is lost Configured on endpoint client x Early Versions C Hat Spot Hotel Disconnect when device is idle Configured on endpoint client x SmartDirectory LD 5 a QoS Security Settings SmartMap Route all traffic through gateway No iw UserAuthority Management High Configuration and Version Settings ConnectControl OSE Open Securit Stateful Inspection Log and Alert Reporting Tools OPSEC SmartCenter Acces Nan Lniane IP val gt Client upgrade mode The window is divided into four sections e Authentication Settings e Connectivity Settings e Security Settings e Configuration and Version Settings JAsk user x Cancel Help Chapter 17 Endpoint Connect 363 Endpoint Connect Advanced Settings 364 Authentication Settings Use the settings in this section to configure password caching and how often the user needs to re authenticate If you do not open this window and configure options then the client s default value takes affect Table 17 4 Default Authentication values Option SmartDashboard Endpoint Connect default value default value Enable password caching No No Cache password for 1440 minutes
629. y Now create a third VPN community a VPN mesh consisting of the London and New York gateways Figure 4 6 Two stars and mesh _ _ _ Pa London New York I Ni MESH eT l Pd London Ne NewYork STAR STAR The Check Point Solution for VPN Topology and Encryption Issues Issues involving topology and encryption can arise as a result of an organization s policy on security for example the country in which a branch of the organization resides may have a national policy regarding encryption strength For example policy says the Washington gateways should communicate using 3DES for encryption Policy also states the London gateways must communicate uses DES as the encryption algorithm In addition the Washington and London gateways as shown in Figure 4 7 need to communicate with each other using the weaker DES Consider the solution in Figure 4 7 Figure 4 7 Different means of encryption in separate Mesh communities se me j Washington ri Mesh 4 All Gateways in Washington communicate with all the Gateways in the London star a DES S l l London Star with meshed z N center Z 4 r r ies ae In this solution gateways in the Washington mesh are also defined as satellites in the London star In the London star the central gateways are meshed Gateways in Washington build VPN tunnels with the London gateways using DES In
630. y from the remote client s perspective its peer belongs to the VPN domain of the gateway Note Including the Office mode address range within the VPN domain of a gateway is only possible with NG with Application Intelligence Chapter 24 VPN Routing Remote Access 563 Configuring VPN Routing for Remote Access VPN Configuring VPN Routing for Remote Access VPN Common VPN routing scenarios can be configured through a VPN star community but not all VPN routing configuration is handled through SmartDashboard VPN routing between gateways star or mesh can be also be configured by editing the configuration file FWDIR conf vpn_route conf VPN routing cannot be configured between gateways that do not belong to a VPN community Enabling Hub Mode for Remote Access clients 1 On the Remote Access page of the Gateway properties window Hub Mode configuration section select Allow SecureClient to route all traffic through this gateway 2 On the Properties window of the Remote Access community Participating Gateways page set the gateway that functions as the Hub On the Participant User Groups page select the remote clients 4 Create an appropriate access control rule in the Security Policy Rule Base VPN routing traffic is handled in the Security Policy Rule Base as a single connection matched to one rule only 5 Configure the profile on the remote client to route all communication through the designated gateway 56
631. y the user can authenticate through the use of certificates The Check Point Solution for Clientless VPN User certificates Clientless VPN supports the use of certificates for user authentication The client s certificate is validated during the SSL phase In addition the client s identification details are extracted from the certificate and then processed during the user authentication phase In this way the user does not have to enter a user name and password or keep authenticating on each connection Authentication is handled through the certificates Chapter 32 Clientless VPN 701 Special considerations for Clientless VPN Special considerations for Clientless VPN 702 There are a number of considerations for Clientless VPN e Which certificate does the gateway present e How many Security Servers should be run e What level of encryption is required Certificate Presented by the Gateway This consideration is related to the certificate the gateway presents to the client in order to authenticate itself during the SSL negotiation The easiest option from the client side is for the gateway to present to the client a certificate signed by a CA that the client is configured to trust by default for example a certificate supplied by Verisign This requires no configuration on the client side But if the company has a policy that requires a much higher level of security it might be preferable for the certificate to come from a
632. y Usage to the value 2 to issue user certificates with the client authentication purpose If using an OPSEC certified CA to issue certificates use the DBedit command line or the graphical Database Tool to change the value of the global property cert_req ext_key usage to 1 This will cause the Security Management server to request a certificate that has purposes Extended Key Usage extension in the certificate Using SmartDashboard issue a new certificate for the security gateway In the VPN page in the Certificate List section click Add A new Certificate Properties window opens Look at the certificate properties and check that the Extended Key Usage Extension appears in the certificate In the Remote Access page of the security gateway object in the L2TP Support section select the new certificate Chapter 22 Layer Two Tunneling Protocol L2TP Clients 515 Configuring Remote Access for Microsoft IPSec L2TP Clients To Configure the Microsoft IPSec L2TP Clients so they do not Check for the Server Authentication Purpose The following procedure tells the Microsoft PSec L2TP Client not to require the Server Authentication purpose on the gateway certificate 1 In the client machine right click on the My Network Places icon on the desktop and select Properties 2 In the Network and Dial up Connections window double click the L2TP connection profile Click Properties and select the Security tab Select A
633. y and security Check Point Solution for Greater Connectivity and Security Check Point Solution for Greater Connectivity and Security VPN routing provides a way of controlling how VPN traffic is directed VPN routing can be implemented with gateway modules and remote access clients Configuration for VPN routing is performed either directly through SmartDashboard in simple cases or by editing the VPN routing configuration files on the gateways in more complex scenarios Figure 24 1 Simple VPN routing t gt Security Gateway A Internet Security Gateway B In Figure 24 1 one of the host machines behind gateway A needs to connect with a host machine behind gateway B For either technical or policy reasons gateway A cannot open a VPN tunnel with gateway B However both gateways A and B can open VPN tunnels with gateway C so the connection is routed through gateway C As well as providing enhanced connectivity and security VPN routing can ease network management by hiding a complex network of gateways behind a single Hub Chapter 24 VPN Routing Remote Access 559 Check Point Solution for Greater Connectivity and Security Hub Mode VPN Routing for Remote Clients VPN routing for remote access clients is enabled via Hub Mode In Hub mode all traffic is directed through a central Hub The central Hub acts as a kind of router for the remote client Once traffic from remote access clients is directed through
634. ype is turned off be default This type of log can be activated with the following command eps track authorized host e Enforce external interface By default cooperative enforcement only checks clients that arrive from the internal gateway s interface This parameter enables checking of all remote clients that open VPN connections to the gateway s external interface The option is turned off by default To enable this feature use the following command ps_enforce external if Note This option must be set for Endpoint Clients to successfully connect with the gateway e Track dropped connections By default any connection that is dropped as a result of a SAM rule is not tracked 384 Using the Packaging Tool When activated the SmartView Tracker will issue a log of any dropped connection from an unauthorized client that is according to EPS definitions To track any connection that is dropped as a result of a SAM rule use the following command eps_ track _dropped_conn For further information see the Endpoint Security documentation available on your R7O installation CD or visit the Check Point support center https supportcenter checkpoint com Using the Packaging Tool Endpoint Connect supports a special administration mode that enables the creation of preconfigured packages The administrator opens one instance of the client configures all settings then saves the client as an msi package for further di
635. zard save the Policy and from the SmartDashboard main menu select Policy gt Convert to gt Simplified VPN How Traditional VPN Mode Differs from a Simplified VPN Mode Ss A Traditional Mode Security Policy differs from a Simplified Mode Policy in the following ways In Traditional VPN Mode a single rule with the Encrypt rule action deals with both access control and encryption VPN properties are defined per gateway In Simplified VPN Mode the Security Rule Base deals only with access control In other words the Rule Base determines only what is allowed VPN properties on the other hand are dealt with per VPN community VPN communities are groups of gateways The community defines the encryption methods for the VPN All communication between community members is encrypted and all other communication is not encrypted Simplified VPN Mode and communities are described in Chapter 4 Introduction to Site to Site VPN The simplified VPN policy makes it easier for the administrator to configure a VPN However Traditional policies allow VPNs to be created with greater granularity than Simplified policies because e Whether or not to encrypt can be defined per rule source destination and service e Simplified policies requires all the connections between two gateways to encrypted using the same methods using the Community definitions What this means is that after running the wizard some manual optimization of th
Download Pdf Manuals
Related Search