Check Point Next Generation Feature Pack 3

How to configure Microsoft's Active Directory to work with Check Point NG FP-3
and SecureClient.

Author:
Joe Green
Security Engineer
Check Point Software Technologies, Inc.
5757 W. Century Blvd.
Los Angeles, CA 90045
jgreen@us.checkpoint.com

Check Point Software Technologies
12/16/2002
This document assumes the following.
1. You have an understanding of installing and configuring Check Point NG in a
distributed environment (Management and Module installed separately). Note:
Active Directory Integration CAN work in a Stand Alone deployment.
2. You have a basic understanding of Active Directory and Windows 2000.

[Lab network diagram: Internal LAN 172.16.1.x/24 (.200 Management Server / Active Directory Server, .254); External LAN 10.1.1.x/24 (.254, .253); Remote Users LAN 192.168.10.x/24 (SBox .1, SecureClient)]

In the above configuration, the Check Point Management server is also the Active
Directory Server. In a real world deployment, these two applications probably would not
be running together. However, it provides an easy way to learn this set-up with the
minimum number of computers in a lab. Note: This document can be followed even if
your Active Directory Server is on a separate computer. It will mention the different steps
needed and how to perform those actions.
The DNS domain used in the above configuration is laxlab.com.
The Management Server's FQDN is msad.laxlab.com.
The following steps provide an outline of what this document covers.
1. Installation/Configuration of Active Directory
2. Installation/Configuration of Microsoft's DNS Server
3. Installation/Configuration of Microsoft's Certificate Server
4. Check Point configuration for LDAP
5. Setting up a template and managing users.

Before starting, the following should be verified:
1. Check Point NG FP3 should be installed and you should be able to push policies
without any problems (e.g. SIC is functioning, name resolution is working, etc.).
2. All machines have IP connectivity to each other.
3. The Microsoft High Encryption Pack is installed. This can be obtained at:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp

Licensing:
To integrate Check Point and LDAP together, you must have the Account Management
Module (AMM) license. This license is applied to the Management Server (or the CMA in
Provider-1). The AMM license is also included in the SmartCenter Pro bundle.
Installing Microsoft's Active Directory:
If you didn't install Microsoft's Windows 2000 Advanced Server, you need to add Active
Directory to your Windows 2000 Server installation. Here's how.
1. From within Windows, go to the Start > Run prompt and enter the command
dcpromo. The Active Directory Wizard will start and you need to provide the
following input at the prompts (see pictures below).
a. Domain Controller for a new domain
b. Create a new domain tree
c. Create a new forest of domain trees
d. Type the full DNS name for the new domain. **Note** This is the DNS
domain that your computer belongs to, e.g. laxlab.com
e. Type in the domain NetBIOS name (this is for earlier versions of Windows),
e.g. laxlab
f. Specify the Database and Log locations (take the defaults)
g. Enter the location for the System Volume folder (again, take the defaults)
h. At this point in the Active Directory installation, it will warn you that it
cannot contact a DNS server for your domain (unless you have already
configured DNS). Either use the existing DNS installation or have the
wizard install it for you (having the wizard install it is very easy).
i. Set the permissions to be compatible with your environment.
j. Set the password for Directory Services restore and click Next at the
summary screen to complete the installation of Active Directory and DNS.
Note: When Active Directory finishes installing, it will ask you to reboot the
computer; don't reboot yet. If you just installed DNS for your domain, the
computer will take a long time to present you with the logon screen after the
reboot, because it is trying to contact a DNS server to resolve the domain that
was just created. To avoid this, make the primary DNS server of your computer
the local computer itself. Now, reboot.
DCPROMO:

DNS Install:

2. Upon reboot, you need to install Microsoft's Certificate Server. This is required
for SSL communication between the Active Directory Server and the Check Point
Management console.
a. This is installed through the Windows Control Panel > Add/Remove
Components > Add/Remove Windows Components.
b. Select the Certificate Services option and click Next. Then choose the
following options.
i. Select Enterprise Root CA
ii. Fill in the CA Identifying Information fields. Note: This is the
information that will be part of your certificate.
iii. Take the Data Storage Location defaults.
iv. Certificate Server is now installed (no reboot necessary).

Certificate Server:

3. Next, you need to allow the schema to be viewed and modified by the Microsoft
Management Console (MMC). This is easily done through the GUI in Windows
2000.
a. Register the schema DLL. Go to Start > Run, and type regsvr32
schmmgmt.dll (you should see a message stating that the operation was
successful).
b. Go to Start > Run and type mmc.
c. From within the MMC, click on the Console menu, then click
Add/Remove Snap-in.
d. Click Add and select Active Directory Schema, click Add, click Close and
click OK to return to the MMC.
e. Expand the Active Directory Schema (click on the + symbol).
f. Right click on the A.D. Schema in the MMC and select Operations Masters.
g. Place a check in the box titled The schema may be modified on this
domain controller.
h. Exit the MMC and reboot.
MMC:

4. Next, you need to delegate control of the directory so that the administrator can
make changes.
a. Go to Start > Programs > Administrative Tools > Active Directory Users
and Computers.
b. Right click on your domain and choose Delegate Control.
c. Add the administrator account (or administrators group) and check both of
the boxes in the next screen. Click OK and then exit.
Delegation:

5. To enable SSL communication between FireWall-1 and Active Directory, the
following needs to be done:
a. Go to Start > Programs > Administrative Tools > Domain Security Policy.
b. Go to Security Settings > Public Key Policies > Automatic Certificate Request
Settings, right click and select New > Automatic Certificate Request.
c. Select Domain Controller from the window, then select your CA.
SSL:

Check Point VPN-1 Configuration:

1. Log into the Check Point Policy Editor.
2. Go to the Policy menu > Global Properties.
a. From the LDAP Account Management branch, select Use LDAP
Account Management and click OK.
b. Next, go to the Manage menu > Servers. Create an LDAP Account Unit
object. Use the following parameters (screen shots below):
(General tab)
i. Name = a descriptive name.
ii. Check the boxes User Management and CRL Retrieval.
iii. Set the LDAP Profile type to Microsoft_AD.
(Servers tab)
c. On the Servers tab, you need to add your server and set all the necessary
parameters (see figures below).
i. Host = your LDAP server (we are using our Mgmt. server since
A.D. and the CP Mgmt. are on the same box). If you have a
separate A.D. server, create an object for that and select it as the
Host.
ii. Login DN: cn=administrator,cn=users,dc=laxlab,dc=com
(Note: substitute your DNS domain for laxlab)
iii. Enter the administrator's password.
iv. Permissions (R/W or RO, your choice).
v. Set the Early Version Compatibility (back on the Servers tab).
(Encryption tab)
d. On the Encryption tab, set the following parameters.
i. Use SSL.
ii. Click Fetch for the Fingerprint.
iii. Set Encryption strength to Strong for both Min and Max.
iv. Click OK.
(Objects Management tab)
e. On the Objects Management tab, select your A.D. object and fetch the
branch.
(Authentication tab)
f. On the Authentication tab, make sure to select the template you want
to use.
Check Point LDAP Configuration:

Optional Configuration: Extending the Schema:

There are certain attributes that can be defined for users in Check Point VPN-1 and not in
Active Directory. It is possible in a production environment that a customer will not want
to extend the schema of the Active Directory server. This operation is not necessary. By
extending the schema you gain the benefit of having these Check Point attributes:
1. Time and date the user can log in.
2. Source and destination of the user.
3. IKE properties.
4. Account lockout.
5. Password expiration.
6. LDAP Server templates.
7. etc.
You still have the ability to control some of these things through the Active Directory
database. Regardless, if you do not extend the schema, you will still be able to use those
users.
Schema Extension (Optional):
Close the Policy Editor and extend the Active Directory schema. Note: This is done from
the management console.
g. Using WordPad, open the file $FWDIR\lib\ldap\schema_microsoft_ad.ldif
and replace all instances of DOMAINNAME with your domain name, e.g.
dc=laxlab, dc=com (use Edit menu > Replace). Save and exit.
h. *Important* Before you run the ldapmodify command, you must be able
to resolve the hostname of the A.D. Server. This is crucial if the A.D.
Server is on a separate computer! Modify your
\Winnt\system32\drivers\etc\hosts file and add entries for the A.D. Server.
E.g.
172.16.1.200    msad
172.16.1.200    msad.laxlab.com
i. Next (from the DOS prompt), using the ldapmodify command (all on one
line), run the command:
E.g. ldapmodify -c -h msad.laxlab.com -D
cn=administrator,cn=users,dc=laxlab,dc=com -w password -f
c:\winnt\fw1\ng\lib\ldap\schema_microsoft_ad.ldif
Note: In the above syntax, substitute your hostname and DNS Domain Name for
msad.laxlab.com.
The output of the ldapmodify command should look like:
[Begin example]
adding new entry CN=fw1auth-method,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1auth-server,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1pwdlastmod,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-number,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-seed,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-passwd,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-mdm,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1expiration-date,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1hour-range-from,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1hour-range-to,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1day,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1allowed-src,CN=Schema,CN=Configuration,dc=laxlab,dc=com
[End example]
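As an added example (not from the white paper and not Check Point's own tooling), the Python helpers below cover steps g through i: they derive the base DN and Login DN from the DNS domain, perform the DOMAINNAME replacement in schema_microsoft_ad.ldif, and compare the "adding new entry" lines from ldapmodify against the entries the LDIF defines, so an attribute that ldapmodify -c skipped after an error is noticed rather than discovered later as a missing user property. The LDIF fragment and the ldapmodify output are constructed samples; the real schema file contains more entries than shown.

```python
"""Schema-extension helpers (added example; constructed sample data)."""
import re


def domain_to_base_dn(dns_domain):
    """laxlab.com -> dc=laxlab,dc=com (the value that replaces DOMAINNAME)."""
    labels = [p for p in dns_domain.strip(".").lower().split(".") if p]
    return ",".join("dc=%s" % p for p in labels)


def login_dn(dns_domain, user="administrator"):
    """Bind DN used on the Account Unit's Servers tab and with ldapmodify -D."""
    return "cn=%s,cn=users,%s" % (user, domain_to_base_dn(dns_domain))


def substitute_domainname(ldif_text, dns_domain):
    """Step g: replace every DOMAINNAME placeholder with the base DN."""
    return ldif_text.replace("DOMAINNAME", domain_to_base_dn(dns_domain))


def ldif_entry_dns(ldif_text):
    """Return the DN of every entry defined in an LDIF file, in file order."""
    return [m.group(1).strip() for m in re.finditer(r"^dn:\s*(.+)$", ldif_text, re.M)]


def missing_entries(ldapmodify_output, expected_dns):
    """Step i check: DNs the LDIF defines that ldapmodify never reported as added.
    DN comparison is case-insensitive, as in the directory itself."""
    added = {m.group(1).strip().lower()
             for m in re.finditer(r"^adding new entry (.+)$", ldapmodify_output, re.M)}
    return [dn for dn in expected_dns if dn.lower() not in added]


# Constructed fragment standing in for $FWDIR\lib\ldap\schema_microsoft_ad.ldif
SAMPLE_LDIF = """\
dn: CN=fw1day,CN=Schema,CN=Configuration,DOMAINNAME
changetype: add
objectClass: attributeSchema
lDAPDisplayName: fw1day

dn: CN=fw1allowed-src,CN=Schema,CN=Configuration,DOMAINNAME
changetype: add
objectClass: attributeSchema
lDAPDisplayName: fw1allowed-src
"""

# Constructed ldapmodify output in which the second entry was never added
SAMPLE_OUTPUT = "adding new entry CN=fw1day,CN=Schema,CN=Configuration,dc=laxlab,dc=com\n"

if __name__ == "__main__":
    ldif = substitute_domainname(SAMPLE_LDIF, "laxlab.com")
    print("bind as:", login_dn("laxlab.com"))
    print("not added:", missing_entries(SAMPLE_OUTPUT, ldif_entry_dns(ldif)))
```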

3. Log back into the Check Point Policy Editor and make sure you have the Object
List window pane open. Go to the users tab in the Objects Tree and double click
on the Active Directory Server.
4. You should now see all of your users.
GUI:

You are now done incorporating Microsoft's Active Directory with NG FP-3. The next
section will explain how to incorporate that with SecureClient.
Integrating SecureClient with Active Directory:
The theory behind utilizing Active Directory for the user database is that you do not have
to recreate any users and their passwords. Users that already exist in the directory can
now use that username and password for authentication. This dramatically reduces the
overhead associated with managing a separate user database.


Note: Before proceeding, you should have SecureClient configured, tested, and working
with standard user authentication. That way, you won't be troubleshooting two different
issues if there is a problem. If you do not understand how to configure FP-3 and
SecureClient, please see the white paper "How to configure SecureClient in NG FP-3"
located on the Configuration Documents page of the Check Point public web site.
To utilize Active Directory for authenticating your remote users, you must first start by
creating an External Group. To do this, follow the instructions below.
1. Launch the SmartDashboard GUI and click on the Users icon (see figure
above). To see the users, make sure you have the Objects Tree and Objects
List open (these can be opened by clicking on the View menu and
selecting the corresponding options).
2. You should see a branch on the left entitled LDAP Groups. You need
to right click on that and select New LDAP Group. Set the properties
as follows:
a. Enter a descriptive name (ours is VPN-Users).
b. Select the Account Unit you wish to use (this should be the Account
Unit you already created).
c. Select the group's scope.


Notice that in the screen shot above, we have selected All Account-Unit's Users. This
means that a user that exists anywhere in the Active Directory database can authenticate.
If you would like to control this at a more granular level, you can create a new group in
Active Directory that contains only certain users you want to have remote access.
Example:
In this scenario, we create a new group on the AD Server and call it Secure-Client-Users.
In this group, we place all the A.D. users to whom we want to give remote access.
We then create a new LDAP Group in SmartDashboard and give it the following
properties.

Notice that we specify the group by using the syntax cn=Secure-Client-Users (without
the quotes). Also note that the LDAP Group name is VPN-Users. This will be the group
we use in the source of the Remote Access rule(s).
Click OK to save all of your changes and open up your VPN-1 Gateway object. You need
to click on the Authentication branch and set the appropriate user group for association
with the Policy Server.


Next, you need to make sure that the properties for your user template are set correctly.
This template will hold the properties for things like encryption, password method, etc. In
our example, we are using the template "default" (you can have multiple templates).
Here are some of the properties of that template and also the properties of a user linked to
that template. Remember, the template was tied to the LDAP Account Unit.

(Template)

(User)

When integrating with MS AD, you specify the password on the template as VPN-1 &
FireWall-1 Password. When you open up a user and click on their auth tab, you see that
it is picking up the properties from the template.
Now, you need to create the rule that allows Remote Access and set up your SecureClient
Policy. Below is a screen shot of how the rule base would appear.


The rule we are concentrating on is rule #1. This rule shows our LDAP Group as the
source (remember, this is the group created in the Check Point GUI, not in A.D.). Our
LDAP Group references our A.D. group and also references the Account Unit (which
references the user template, etc.). Make sense?
Next, you would configure your Remote Access Community, the SecureClient rule base,
push the Policy, etc. All of those steps are outlined in the "How to Configure
SecureClient in NG FP-3" guide.
Please make sure to review the Check Point SmartView Tracker (formerly the Log
Viewer). It contains a lot of useful information, especially when testing out a new
configuration.
Please send any comments or corrections to jgreen@us.checkpoint.com.
Please contact your local reseller for additional help. Don't have a reseller? Contact your
local Check Point representative. Don't have a local Check Point representative? Find
one at www.checkpoint.com or by calling a Check Point regional office in your area.
Contact information for Check Point offices and resellers is available on our web site.
Thank you.
