How to configure SecureClient, Office Mode, Certificates, and Remote Access Communities

Check Point Next Generation Feature Pack 3
How to configure SecureClient, Office Mode,
Certificates, and Remote Access Communities
in NG FP-3.
Author:
Joe Green
Security Engineer
Check Point Software Technologies, Inc.
5757 W. Century Blvd.
Los Angeles, CA 90045
[email protected]
Check Point Software Technologies
12/13/2002
Introduction:
The purpose of this document is to provide an understanding of how to configure Check
Point NG FP3 to work with SecuRemote/SecureClient. Although this document focuses on
SecureClient, some of the concepts also apply to SecuRemote.
Background:
In the past few years, an increasing number of users have switched from dial-up to
broadband services. Whether they are on the road or at home, users are staying connected
to the Internet for longer periods of time. Using a VPN client without firewall
technology does not make sense in today’s environment. In addition, depending
on users to keep their own personal firewalls up to date and configured properly is
neither realistic nor secure. It is a must to be able to manage these policies centrally.
This guide will provide an understanding of how that is done.
Differences:
Even though SecuRemote and SecureClient share the same installation code, the two
products have very different capabilities. SecuRemote provides only authentication and
encryption for the remote user. SecureClient provides all of that plus a personal
firewall that can be centrally managed via SmartCenter or SmartCenter Pro.
SecureClient also includes several other features, including Office Mode, Secure
Configuration Verification, a Packaging Tool, etc.
Overview:
This document will focus on how to set up SecureClient to work with VPN Communities
and NG FP3. The Gateway that SecureClient will be connecting to will be an NG FP3
Gateway being managed by a separate physical Management Server.
Note: The gateway CAN be a cluster object. Gateway Clusters can be Policy Servers.
Lab set up:
The diagram below represents the test bed for this document. Note: the S-Box introduces an
additional hop in the network. There can be problems when Office Mode is used with a
SecureClient that sits on the same subnet as the Gateway.
Components Installed:
On the VPN-1 Pro Gateway, the Policy Server code was selected as an additional
component during installation. The Management Server does not need the Policy Server
code in this configuration.
Licensing:
In this scenario, the following licenses would be required:
One SecureClient license for the total number of users that will be using the client (not
concurrent users). The SecureClient license is applied to the Management Station, and the
Policy Server licenses are applied to the Gateways. These licenses are tied to the
Management Station’s IP address and pushed out through SecureUpdate. Starting in NG FP3,
a SecuRemote license is included with the Policy Server license.
Last, FP3 has a built in 15 day trial license for all the products.
Configuration: (The steps below assume you have already deployed NG FP-3 in a
distributed configuration like the diagram above.) This document also assumes that you
have established SIC, are able to push a policy, etc.
Using the Check Point SmartDashboard (formerly known as the Policy Editor), you need
to configure the following:
1. Configure your remote users and their group.
2. Configure your OfficeMode network.
3. Configure your VPN-1/Firewall object (Gateway).
4. Set up the Remote Access Community (RAC).
5. Configure your Rulebase for the Firewall and for the SecureClient users.
6. Test your set up.
Configuring your user and their group:
This is more of a convenience to do up front. When you configure your VPN-1 Gateway
object and check the box for Policy Server, it requires you to specify your user group
under the Authentication branch. So, start by configuring the user and their group. In our
example, we are using the user “jgreen” and the group “Remote-Users” (don’t forget to
set the user’s parameters, e.g. password, encryption, etc.).
To create a user and their group, start by clicking on the Users tab in the “Objects Tree”.
Then right click on Users and select “New User”, “default”. Give the user their name,
authentication scheme, password, etc. We are using VPN-1 password in our example.
After the user is configured, create the group by right clicking on the “Groups” branch
and selecting “New Group”. See figures 1.1 and 1.2
Fig. 1.1
Fig. 1.2 (This image shows the Authentication scheme and the Policy Server user group,
which will be referenced later.)
Configuring your OfficeMode Network:
Now you need to configure the network address that we will use for OfficeMode I.P.
addresses. This network object is simply an address space that the VPN-1 Gateway will
issue IP addresses from. Note: Do not make this network part of your encryption domain.
For this document, our Office Mode network is called “Office-Mode-Network”. To
create it, click on the Network Objects tab in the Objects Tree and go to the “Networks”
branch. Then right click and select “New Network”. See figure 2.1
Fig. 2.1
Configuring your VPN-1/Firewall-1 Object:
Launch the SmartDashboard GUI and locate your VPN-1 Gateway Object. (Ours is
called SPLAT) See Figure 3.1
Fig. 3.1
Double click on your gateway or right click and select edit. The screen in figure 3.2
should appear.
Fig 3.2
Notice that the IP address on the General tab is the external IP address of the gateway; this is
important for Office Mode. Also note that VPN-1 Pro and SecureClient Policy Server
are checked under “Check Point Products”. Make sure that you go through all of
the screens and completely configure your gateway. For SecureClient to work, you need
to assign a user group to the Policy Server. This is done under the Authentication branch
(see Figure 1.2 above). You can configure your user group directly from the
Authentication screen if you wish. Note: make sure the authentication scheme you are
using for your users is checked on the Authentication tab of the Gateway object; otherwise
those users will not be able to authenticate to this gateway.
While you have your Gateway object open, click on the Remote Access branch. The
following screen should appear. See Figure 3.3
Fig. 3.3
Click the radio button “Allow Office Mode to all users”, select “Manual”, then
select your Office Mode network. Next, click the “Optional Parameters” button and
enter any DNS/WINS information you would like to push out to the client. You have to
select pre-defined hosts here, so, if needed, create objects that represent the physical
DNS/WINS servers beforehand. See Fig. 3.4. Note: if you want to incorporate an existing
DHCP server, please refer to the “DesktopSecurity.pdf” included with the FP-3
documentation.
Fig. 3.4
Before closing your Gateway object, make sure you have defined all of the IKE
parameters (if needed). The default certificate for IKE is generated automatically for you.
Configuring your Remote Access Community (RAC):
Next, you need to make your Gateway object a member of the RAC. To do this, click on
the VPN Manager tab in the SmartDashboard. See figure 4.1. (Don’t see the VPN
Manager tab? That is because you are in “Traditional Mode”. Create a new Policy with
File → New and choose a “Simplified Mode” policy.) There is a converter available to
convert policies from Traditional to Simplified Mode if needed.
Fig 4.1
Here, you will double click to open the RAC and set the properties. You need to add your
gateway object and set the user group. See figures 4.2 and 4.3.
Fig. 4.2
Fig 4.3
Now, we need to configure our Security Rulebase and our SecureClient Rulebase (the
personal firewall).
Configuring the Rulebases:
When using “Simplified Mode” Policies, there is no Client Encrypt in the action column.
There is no “Encrypt” action either. The encryption properties are taken care of via the
community or under Global properties. So, here is how our remote access rule would
look in NG FP-3. See figure 5.1
Fig 5.1
Notice that our first rule is our Remote-Users accessing the internal network via the
Remote Access Community and the action is accept. That’s all there is to the remote
access rule. Next, we need to configure the SecureClient Rulebase (the remote users
firewall policy). Here is what ours looks like. See figure 5.2
Fig. 5.2
This is a simple Rulebase, but it is easy to explain. The inbound rules control traffic going
to the client; the outbound rules control traffic originating from the client. So
we allow our internal network to communicate with the users only with encrypted traffic, and
everyone else gets dropped. We also allow our remote users to communicate with the
internal network with encrypted traffic, and we allow them to go anywhere else without
encryption.
NOTE: Rules that name a specific user group apply only while the client is logged on to
the Policy Server. Rules that name the group “All Users” still apply after the client logs
off the Policy Server. This is how you control things like split tunneling: a restriction
you want enforced at all times must be written for “All Users”, not for a specific group.
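To make the note concrete, the following is an added example (not from the original guide and not Check Point code) that models the Fig. 5.2 rulebase as a small first-match policy and shows how the decisions change when the client logs off the Policy Server, and when the final “All Users” rule is changed to forbid split tunneling. The first-match order, the implicit final drop and the logged_on flag are assumptions of the model; the addresses are constructed.

```python
# Added example (not from the original guide): a minimal model of how the
# SecureClient desktop policy in Fig. 5.2 behaves. Rule directions, the
# Remote-Users / All Users groups and the encrypt/drop/accept actions follow
# the guide; first-match evaluation, an implicit final drop, and the
# logged_on flag for Policy Server logon are assumptions used to illustrate
# the note about "All Users" rules surviving logoff. Addresses are constructed.
import ipaddress
from dataclasses import dataclass

INTERNAL = "192.168.1.0/24"  # constructed internal network


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound": traffic to the client, "outbound": from the client
    users: str      # "Remote-Users" (Policy Server group) or "All Users"
    peer: str       # network the remote end must fall in, or "any"
    action: str     # "encrypt", "accept" or "drop"


# The rulebase described under Fig. 5.2.
DESKTOP_POLICY = [
    Rule("inbound",  "Remote-Users", INTERNAL, "encrypt"),
    Rule("inbound",  "All Users",    "any",    "drop"),
    Rule("outbound", "Remote-Users", INTERNAL, "encrypt"),
    Rule("outbound", "All Users",    "any",    "accept"),
]

# Variant that forbids split tunneling: with the last rule changed to drop,
# a logged-on client can only reach the internal network, and only encrypted,
# and the restriction keeps applying after logoff because it names All Users.
NO_SPLIT_TUNNEL_POLICY = DESKTOP_POLICY[:3] + [Rule("outbound", "All Users", "any", "drop")]


def rule_matches(rule, direction, peer_ip, logged_on):
    if rule.direction != direction:
        return False
    # Group rules only apply while logged on to the Policy Server;
    # "All Users" rules apply whether logged on or not.
    if rule.users != "All Users" and not logged_on:
        return False
    if rule.peer != "any" and ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.peer):
        return False
    return True


def decide(policy, direction, peer_ip, logged_on=True):
    """First matching rule wins; no match means drop (assumed implicit cleanup)."""
    for rule in policy:
        if rule_matches(rule, direction, peer_ip, logged_on):
            return rule.action
    return "drop"


def summarize(policy, logged_on):
    """Decisions for the four cases a practitioner checks first."""
    return {
        "in_from_internal": decide(policy, "inbound",  "192.168.1.10", logged_on),
        "in_from_internet": decide(policy, "inbound",  "198.51.100.5", logged_on),
        "out_to_internal":  decide(policy, "outbound", "192.168.1.10", logged_on),
        "out_to_internet":  decide(policy, "outbound", "198.51.100.5", logged_on),
    }


if __name__ == "__main__":
    for name, policy in (("Fig. 5.2", DESKTOP_POLICY), ("no split tunnel", NO_SPLIT_TUNNEL_POLICY)):
        for logged_on in (True, False):
            print(name, "logged on" if logged_on else "logged off", summarize(policy, logged_on))
```

The interesting row is the Fig. 5.2 policy after logoff: the group rules no longer match, so the only rules left are the two “All Users” rules, and outbound traffic to the internal network is accepted in the clear. The variant shows that a split-tunnel restriction survives logoff only because it is written for “All Users”.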
Remote Access Properties:
Last, you need to configure the encryption properties for all your remote access users.
This can be left as the default or you can customize it. This is done under the
Policy → Global Properties → Remote Access menu in the SmartDashboard. See figures
6.1 and 6.2
Fig. 6.1
Fig. 6.2
Before proceeding, Install your Policy and save all the changes. Now, it’s time to
configure the client and test everything out.
Client side configuration:
For this, you need to either manually install the client or use the SecureClient Packaging
Tool for an automated installation.
Once you have the client installed, you need to set up your site. From within the
SecureClient window, click Site → Make New and enter your site
information (this is the external IP address of your Gateway, not of your Management
Server, unless they are on the same box). After the site is set up, the following options
need to be changed for Office Mode to function correctly. Open SecureClient and click on
“Configure Client Mode”. See Figure 7.1
Fig. 7.1
Select Connect Mode. Fig 7.2
Fig. 7.2
You will need to restart SecureClient for this to take effect. Note: You are making this
change because OfficeMode is only supported in Connect Mode.
After you restart SecureClient, click on the SecureClient icon in the systray of Windows.
This will bring up the connect dialog box of SecureClient FP-3. See Figure 7.3
Fig. 7.3
Before you connect, click on the “Properties” button in the screen above. This will take
you to the Profile screen, and there will be an “Advanced” button in the middle. When
you click on the Advanced button, you will see the screen in Figure 7.4.
Fig. 7.4
It is here that you select “Support Office Mode” and also configure the options for NAT
traversal.
Note: if the client sits behind a NAT device, or behind a device that does not perform Hide NAT
correctly, you will probably need to check both of the NAT traversal boxes. Also, in SmartDashboard,
under Policy → Global Properties → Remote Access → Basic, there is a “Support IKE
over TCP” option. Make sure it is checked.
Once you hit connect in the screen above (Fig. 7.3), it will prompt you for your username
and password. This is the user you initially created and the password that was set for
them. Test the connection with ICMP and NON-ICMP protocols (HTTP). In our
example, I am testing with HTTP and connecting to an internal web server. See Figure
7.5
Fig. 7.5
If you want to use certificates, proceed to the next section.
Using Certificates with SecureClient users:
This is much easier than it might sound due to the Internal Certificate Authority (ICA)
that is built into the management server. To use “2 factor” authentication and generate a
certificate, do the following:
1. Open your user in the SmartDashboard and go to the Certificates tab. Click the
“Generate and Save” button. See figure 8.1. It will prompt you for a password and a
file location to save the certificate on your local computer. Note: on the Authentication
tab for the user, you can set the scheme to “Undefined”, which leaves the certificate as
the credential that user logs on with. Make sure to install the Policy after
generating the certificate.
Fig 8.1
Once you have saved your file locally, you need to transfer it to the computer running
SecureClient. You can copy the certificate to any directory you want and browse for it
when you go to connect.
(On the client computer)
Since we are using Connect Mode, when we click “connect”, we are presented with the
following screen. Fig. 8.2
Fig. 8.2
Take note that we have checked the box for “Use Certificate” and selected our certificate
file. We then type in the password that was entered when the certificate was generated. If
you don’t want to browse for the certificate every time, you can import it into the
Microsoft CAPI (the Crypto API) certificate store. Do this by simply
double-clicking on the .p12 file (the certificate) and following the Microsoft Certificate Import
Wizard. Once that is done, the drop-down box in the screen shot above
should show the name of the certificate or say “certified” (depending on how you
configured it).
Miscellaneous notes and Troubleshooting:
If you are experiencing trouble, make sure to use the SecureClient Diagnostics Tool
that is installed by default with SecureClient. It shows a lot of information regarding
connectivity, policy, etc.
Also, SecureClient FP3 includes a built-in sniffer for examining the communication
between SecureClient and the remote Gateway. It is located in the $SRDIR/bin directory and
is invoked as “srfw monitor”: the executable is “srfw.exe” and the argument is
“monitor”. This tool is extremely useful for troubleshooting. There are several other
command-line tools in that directory, so it is worth browsing it. One example is
the mtuadjust.exe utility, which can lower your MTU if necessary.
When all else fails, reboot all the systems to clear out any bad ARP entries, etc. Also,
make sure you have basic connectivity, e.g. ping. You can always run fw unloadlocal on the
Gateway to unload the Policy and then ping the Firewall. Keep in mind that this leaves the
Gateway without its security policy until you install one again, so treat it as a short,
deliberate test and reinstall the Policy as soon as you are done.
Please send any comments, or corrections to [email protected].
Please contact your local reseller for additional help. Don’t have a reseller? Contact your
local Check Point representative. Don’t have a local Check Point representative? Find
one at www.checkpoint.com or by calling a Check Point regional office in your area.
Contact information for Check Point offices and Resellers is available on our web site.
Thank you.