Author:
Joe Green
Security Engineer
Check Point Software Technologies, Inc.
5757 W. Century Blvd.
Check Point Software Technologies
12/16/2002
[Lab network diagram: Internal LAN 172.16.1.x/24; External LAN 10.1.1.x/24; a Management Server that is also the Active Directory Server; a SecureClient host. Host addresses shown in the diagram: .200, .254, .253 and .1.]
In the above configuration, the Check Point Management Server is also the Active
Directory Server. In a real-world deployment these two roles would probably not run on
the same machine, but combining them is an easy way to learn this set-up with the
minimum number of computers in a lab. Note: this document can be followed even if
your Active Directory Server is on a separate computer; it mentions the steps that differ
and how to perform them.
The DNS domain used in the above configuration is laxlab.com.
The Management Server's FQDN is msad.laxlab.com.
The following sections outline what this document covers: licensing, DNS installation,
Certificate Server installation, Active Directory schema and delegation set-up, the
Check Point Policy Editor (GUI) configuration, and integrating SecureClient with
Active Directory.
Licensing:
DNS Install:
2. Upon reboot, install Microsoft's Certificate Services. This is required for SSL
(LDAP over SSL, TCP port 636) communication between the Active Directory Server and
Check Point (both the Management Server and the gateway query the directory): the
domain controller needs a server certificate, and an Enterprise Root CA installed in the
domain issues one to it automatically. Without it the LDAP Account Unit can only use
cleartext LDAP on port 389, which exposes the bind password and user credentials on
the wire.
a. This is installed through the Windows Control Panel > Add/Remove Programs >
Add/Remove Windows Components.
b. Select the Certificate Services option and click Next. Then choose the
following options.
i. Select Enterprise Root CA
Certificate Server:
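The check a practitioner wants to run after this step, as an added example that is not part of the original guide or of Check Point's tooling: once the Enterprise Root CA is installed and the domain controller has rebooted, the DC should hold an automatically issued Domain Controller certificate and accept LDAP over SSL on TCP 636. The script below connects to msad.laxlab.com on 636, validates the chain against the Enterprise Root CA certificate (assumed to have been exported from the CA to a PEM file), and reports whether the certificate names the DC's FQDN and is still valid. The CA name, the validity dates and the whole SAMPLE_CERT dictionary are constructed for the offline run and are not from the page.

```python
"""Added example, not part of the original guide or of Check Point's tooling.
Checks that the domain controller presents an LDAPS certificate that chains
to the Enterprise Root CA, names the DC's FQDN, and has not expired.

Assumptions: the root CA certificate has been exported from the CA to a PEM
file; the CA name and validity dates in SAMPLE_CERT are made up."""
import socket
import ssl
import time

LDAPS_PORT = 636
DC_FQDN = "msad.laxlab.com"          # Management/AD server FQDN from the guide


def fetch_dc_cert(fqdn: str, ca_pem_path: str) -> dict:
    """Connect to the DC on 636, validate the chain against the exported root
    CA and return the peer certificate in ssl.getpeercert() form.  Validation
    failures (no DC certificate yet, wrong CA) raise ssl.SSLError."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = False        # name mismatch is reported by dc_cert_problems
    with socket.create_connection((fqdn, LDAPS_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def _rdn_values(name, attr_type):
    """getpeercert() gives names as a tuple of RDNs, each a tuple of (type, value)."""
    return [value for rdn in name for (t, value) in rdn if t == attr_type]


def dc_cert_problems(cert: dict, fqdn: str, issuer_cn: str, now=None) -> list:
    """Findings about a DC certificate; an empty list means it is usable for
    the Account Unit's SSL option.  'now' is seconds since the epoch (UTC)."""
    now = time.time() if now is None else now
    problems = []
    issuers = _rdn_values(cert.get("issuer", ()), "commonName")
    if issuer_cn not in issuers:
        problems.append(f"issuer is {issuers or 'unknown'}, expected {issuer_cn}")
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    names += _rdn_values(cert.get("subject", ()), "commonName")
    if fqdn.lower() not in [n.lower() for n in names]:
        problems.append(f"certificate names {names}, not {fqdn}")
    if "notAfter" not in cert or ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"expired or no validity period: {cert.get('notAfter')}")
    return problems


# Constructed sample in the shape getpeercert() returns (all values made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "msad.laxlab.com"),),),
    "issuer": ((("domainComponent", "com"),), (("domainComponent", "laxlab"),),
               (("commonName", "laxlab-MSAD-CA"),)),
    "subjectAltName": (("DNS", "msad.laxlab.com"),),
    "notBefore": "Dec 16 00:00:00 2002 GMT",
    "notAfter": "Dec 16 00:00:00 2003 GMT",
}

if __name__ == "__main__":
    import sys
    # usage: python ldaps_check.py /path/to/rootca.pem <CA common name>
    # with no arguments the constructed SAMPLE_CERT is checked instead.
    live = len(sys.argv) > 2
    cert = fetch_dc_cert(DC_FQDN, sys.argv[1]) if live else SAMPLE_CERT
    ca_cn = sys.argv[2] if live else "laxlab-MSAD-CA"
    findings = dc_cert_problems(cert, DC_FQDN, ca_cn)
    print("LDAPS certificate OK" if not findings else "\n".join("PROBLEM: " + p for p in findings))
```

If the handshake itself fails with a certificate error, the DC has not yet enrolled for its certificate (or the PEM file is not the Enterprise Root CA that issued it); if the handshake succeeds but the name check fails, the Account Unit must be configured with the name that the certificate actually carries.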
3. Next, allow the schema to be viewed and modified through the Microsoft
Management Console (MMC). This is easily done through the GUI in Windows
2000.
a. Register the schema management DLL: go to Start > Run and type regsvr32
schmmgmt.dll (you should see a message stating that the operation was
successful).
b. Go to Start > Run and type mmc.
c. From within the MMC, click on the Console menu, then click
Add/Remove Snap-in.
d. Click Add, select Active Directory Schema, click Add, click Close and
click OK to return to the MMC.
e. Expand the Active Directory Schema node (click on the + symbol).
4. Next, delegate control of the directory so that the administrator account can
make changes. For a production deployment, bind the LDAP Account Unit with a
dedicated account that holds only the rights delegated here, rather than a domain
administrator.
a. Go to Start > Programs > Administrative Tools > Active Directory Users
and Computers.
b. Right-click on your domain (laxlab.com in this lab) and choose Delegate Control.
c. Add the administrator account (or the Administrators group) and check both of
the boxes in the next screen. Click OK and then exit.
Delegation:
3. Log back into the Check Point Policy Editor and make sure the Objects
List pane is open. Go to the Users tab in the Objects Tree and double-click
on the Active Directory Server.
4. You should now see all of your users.
GUI:
You are now done incorporating Microsoft's Active Directory with NG FP-3. The next
section explains how to incorporate that with SecureClient.
Integrating SecureClient with Active Directory:
The point of using Active Directory as the user database is that you do not have
to recreate any users or their passwords. Users that already exist in the directory
authenticate with that same username and password, which dramatically reduces the
overhead of managing a separate user database.
Notice that the group is specified using the syntax cn=Secure-Client-Users (without
the quotes), i.e. the relative distinguished name of the group object in Active Directory.
Also note that the LDAP Group object's name in Check Point is VPN-Users. This is the group
we use as the source of the Remote Access rule(s).
Click OK to save all of your changes and open your VPN-1 Gateway object. Click on
the Authentication branch and set the appropriate user group for association
with the Policy Server.
Next, make sure that the properties of your user template are set correctly.
The template holds properties such as the encryption and password method. In
our example we use the template named default (you can have multiple templates).
Here are some of the properties of that template and of a user linked to it.
Remember, the template was tied to the LDAP Account Unit.
[Screenshots: template properties; user properties (two views)]
When integrating with MS AD, the password scheme on the template is set to VPN-1 &
FireWall-1 Password; with an LDAP Account Unit this means the password checked is the
one held in the directory, not one stored in the Check Point user database. When you
open a user and click on the Authentication tab, you see that it picks up the properties
from the template.
Now, create the rule that allows Remote Access and set up your SecureClient
Policy. Below is a screenshot of how the rule base would appear.
The rule we are concentrating on is rule #1. Its source is our LDAP group
(remember, this is the group created in the Check Point GUI, not in A.D.). The
LDAP group references our A.D. group and also the Account Unit (which in turn
references the user template, and so on). Make sense?
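The chain just described (the group syntax cn=Secure-Client-Users above, and rule #1 whose source is the LDAP group that references the A.D. group through the Account Unit) amounts to one directory lookup per SecureClient login. The following is an added example, not code from the original guide or from Check Point: it builds the lookup the gateway effectively has to make, escapes the login name so that a remote user cannot change the filter, and runs it through a small RFC 4515 filter evaluator over a constructed LDIF export so that everything runs offline. Assumptions not stated on the page: the A.D. group sits in the default cn=Users container, the login name is matched against sAMAccountName, and the two sample users are made up.

```python
"""Added example for the AD/SecureClient integration in this guide; it is not
Check Point code.  Builds the directory lookup that the LDAP Account Unit and
the LDAP group object amount to (find the user named by the SecureClient
login and accept only if cn=Secure-Client-Users lists them) and evaluates it
against a constructed LDIF export.

Assumptions: group container cn=Users, login matched on sAMAccountName,
sample directory contents below are made up."""
import re

DOMAIN = "laxlab.com"                                     # from the guide
BASE_DN = ",".join(f"dc={p}" for p in DOMAIN.split("."))  # dc=laxlab,dc=com
GROUP_RDN = "cn=Secure-Client-Users"                      # syntax used in the guide
GROUP_DN = f"{GROUP_RDN},cn=Users,{BASE_DN}"              # container is assumed


def escape_filter(value: str) -> str:
    """RFC 4515 escaping.  The login name arrives from a remote SecureClient
    user, so it must not be able to change the shape of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def user_filter(login: str) -> str:
    """Filter equivalent to 'rule #1 source = LDAP group VPN-Users'."""
    return (f"(&(objectClass=user)(sAMAccountName={escape_filter(login)})"
            f"(memberOf={escape_filter(GROUP_DN)}))")


# Constructed export in the shape an LDIF dump of the lab domain would have.
SAMPLE_LDIF = """\
dn: cn=Joe Green,cn=Users,dc=laxlab,dc=com
objectClass: user
sAMAccountName: jgreen
memberOf: cn=Secure-Client-Users,cn=Users,dc=laxlab,dc=com
memberOf: cn=Domain Users,cn=Users,dc=laxlab,dc=com

dn: cn=Test User,cn=Users,dc=laxlab,dc=com
objectClass: user
sAMAccountName: tuser
memberOf: cn=Domain Users,cn=Users,dc=laxlab,dc=com
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank line separates entries, 'attr: value' lines;
    attribute names are lower-cased because LDAP names are case-insensitive."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr.lower(), []).append(val)
    if cur:
        entries.append(cur)
    return entries


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse_filter(f: str, i: int = 0):
    """Parses the subset we generate: AND lists and equality/presence items."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] == "&":
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = _parse_filter(f, i)
            kids.append(node)
        return ("&", kids), i + 1           # skip the closing ')'
    end = f.index(")", i)                   # an escaped ')' is '\29', so this is safe
    attr, _, raw = f[i + 1:end].partition("=")
    return ("=", attr.lower(), raw), end + 1


def _match(node, entry) -> bool:
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                          # presence filter: any value at all
        return bool(values)
    wanted = _unescape(raw).lower()         # AD compares these attributes case-insensitively
    return any(v.lower() == wanted for v in values)


def search(entries, ldap_filter: str) -> list:
    """DNs of the entries matching the filter (what the gateway would get back)."""
    tree, _ = _parse_filter(ldap_filter)
    return [e["dn"][0] for e in entries if _match(tree, e)]


def allowed_by_rule_1(login: str, entries) -> bool:
    """True only if exactly one user carries this login and is in the group."""
    return len(search(entries, user_filter(login))) == 1


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for who in ("jgreen", "tuser", "*"):
        print(f"{who!r:10} allowed={allowed_by_rule_1(who, users)}  {user_filter(who)}")
```

The third login in the usage run is the point of the escaping: sent raw, `*` turns the name clause into a presence filter and the lookup matches every group member, whereas the escaped form `\2a` matches nobody. tuser is refused not because the account is missing but because cn=Secure-Client-Users does not list it, which is exactly the distinction rule #1 relies on.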
Next, configure your Remote Access Community and the SecureClient rule base,
push the policy, and so on. All of those steps are outlined in the "How to Configure
SecureClient in NG FP-3" guide.
Please make sure to review the Check Point SmartView Tracker (formerly the Log
Viewer). It contains a lot of useful information, especially when testing a new
configuration.
Please send any comments, or corrections to jgreen@us.checkpoint.com.
Please contact your local reseller for additional help. Don't have a reseller? Contact your
local Check Point representative. Don't have a local Check Point representative? Find
one at www.checkpoint.com or by calling a Check Point regional office in your area.
Contact information for Check Point offices and Resellers is available on our web site.
Thank you.