TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Contents
Preface
Who Should Use This Guide ... 16
Summary of Contents ... 17
  Section 1: Connectra Gateway ... 17
  Section 2: SecureClient Mobile ... 18
  Section 3: Endpoint Connect ... 19
Related Documentation ... 20
More Information ... 22
Feedback ... 23
Connectra Gateway
Chapter 1 Introduction to Connectra
Overview of Connectra ... 28
Connectra Applications ... 30
Connectra Management ... 31
SSL Network Extender ... 32
  SSL Network Extender Network Mode ... 32
  SSL Network Extender Application Mode ... 32
Commonly Used Concepts ... 33
  Authentication ... 33
  Authorization ... 33
  Endpoint Compliance Scanner ... 33
  Secure Workspace ... 34
  Protection Levels ... 34
  Session ... 35
Connectra Security Features ... 36
  Server Side Security Highlights ... 36
  Client Side Security Highlights ... 37
User Workflow ... 38
  Signing In ... 38
  First time Installation of ActiveX and Java Components ... 39
  Language Selection ... 40
  Initial Setup ... 40
  Accessing Applications ... 40
Getting Started With Connectra ... 42
Chapter 2
Protection Levels ... 45
  Using Protection Levels ... 45
  Defining Protection Levels ... 46
Web Applications ... 48
  What is a Web Application? ... 48
  Connectra Web Applications ... 49
  Web Applications of a Specific Type ... 49
  Configuring Web Applications ... 50
File Shares ... 60
  What is a File Share? ... 60
  File Share Viewers ... 60
  Configuring File Shares ... 60
  Using the $$user Variable in File Shares ... 64
Citrix Services ... 66
  Understanding Citrix Services ... 66
  Citrix Deployment Modes - Unticketed and Ticketed ... 66
  Citrix Features Supported by Connectra ... 68
  Configuring Citrix Services ... 71
Web Mail Services ... 78
  Connectra Web Mail Services ... 78
  Web Mail Services User Experience ... 79
  Incoming (IMAP) and Outgoing (SMTP) Mail Servers ... 80
  Configuring Mail Services ... 80
Native Applications ... 84
DNS Names ... 85
  Why Use DNS Name Objects? ... 85
  DNS Names and Aliases ... 85
  Where DNS Name Objects are Used ... 86
  Defining the DNS Server used by Connectra ... 86
  Configuring DNS Name Objects ... 86
Using the Login Name of the Currently Logged in User ... 88
Chapter 3
Single Sign On
Introduction to Single Sign On ... 90
Supported SSO Authentication Protocols ... 91
HTTP Based SSO ... 92
  HTTP Based SSO Limitation ... 92
Web Form Based SSO ... 93
  Application Requirements for Easy Configuration ... 94
  Web Form Based SSO Limitations ... 94
Application and Client Support for SSO ... 95
  Connectra Applications that Support SSO ... 95
  Applications that Support Web Form SSO ... 95
  Connectra Client Support for SSO ... 95
Basic Configuration of SSO ... 96
  Basic Configuration of Web Form SSO ... 97
Advanced Configuration of SSO ... 98
  Configuring the Single Sign On Method ... 98
  Configuring Login Settings ... 99
Advanced Configuration of Web Form SSO ... 102
  Sign In Success or Failure Detection ... 102
  Credential Handling ... 103
Chapter 5
Two-Factor Authentication
Introduction to Two-Factor Authentication ... 158
The SMS Service Provider ... 159
SMS Authentication Granularity ... 160
Basic Two-Factor Authentication Configuration ... 161
  Obtaining the SMS Provider Credentials ... 161
  Configuring the Phone Directory ... 161
  Basic SmartDashboard Configuration of Two-Factor Authentication ... 164
  Testing Two-Factor Authentication ... 165
Advanced Two-Factor Authentication Configuration ... 166
  Advanced Two-Factor Authentication Configuration Options ... 166
  Two-Factor Authentication Per Gateway (Central management only) ... 169
  Two-Factor Authentication Per Application ... 170
Chapter 6
Authorization
Identity and Access Management ... 174
Authorization in Connectra ... 175
Configuring Access To Applications ... 177
Chapter 8
  Introduction to Hostname Translation ... 239
  Link Translation Per Gateway or Per Application ... 240
  How Hostname Translation Works ... 240
  Configuring Link Translation ... 242
  Portal Access with Hostname Translation ... 245
  Link Translation Issues ... 246
Connectra Server Certificates ... 247
  Overview of Server Certificates ... 247
  Obtaining and Installing a Trusted Server Certificate ... 247
  Connectra Self-Signed Certificates ... 250
  Viewing Connectra Certificate Details ... 252
Session Settings ... 254
  Simultaneous Logins to the Portal ... 254
  Session Timeouts ... 258
  Roaming ... 258
  Tracking ... 258
  Securing Authentication Credentials ... 258
Changing the IP Address of a Connectra Gateway or Cluster ... 260
  At the Local Machine ... 260
  Using SmartDashboard ... 260
VPN Client and Portal Connectivity in a Single Gateway ... 261
Web Data Compression ... 262
  Understanding Web Data Compression ... 262
  Configuring Data Compression ... 263
Chapter 9
The Sticky Decision Function ... 283
Failover ... 284
  What is a Failover? ... 284
  What Happens When Failover Occurs? ... 284
  When Does a Failover Occur? ... 285
  Cluster Member Priority ... 286
  What Happens When a Cluster Member Recovers? ... 286
  How a Recovered Cluster Member Obtains the Security Policy ... 286
  How Connectra Applications Behave Upon Failover ... 287
Hardware Requirements and Compatibility ... 289
  Connectra Cluster Hardware Requirements ... 289
  Connectra Cluster Hardware Compatibility ... 290
  Example Configuration of a Cisco Catalyst Routing Switch ... 291
Basic Connectra Cluster Configuration ... 293
  Cluster Configuration Deployment Tips ... 293
  Configuring Cluster Member IP Addresses ... 294
  If the Switch is Incapable of Forwarding Multicast ... 294
  SmartDashboard Configuration of a Single Cluster Interface Cluster ... 295
  Adding a Server Certificate to a New Cluster Member ... 301
Advanced Connectra Cluster Configuration ... 303
  SmartDashboard Configuration of a Dual Cluster Interface Cluster ... 303
  IP Address Migration ... 306
  Changing the IP Address of a Connectra Cluster or Single Gateway ... 306
  Setting Up the Default Gateway if the Virtual IP is on a Different Subnet than the Physical IPs ... 307
  Removing a Member from a Cluster ... 307
Chapter 10
Troubleshooting Connectra
Troubleshooting Web Connectivity ... 310
Troubleshooting Outlook Web Access ... 311
  Troubleshooting Checklist ... 311
  Unsupported Feature List ... 312
  Common OWA Problems ... 312
    1. Authentication ... 313
    2. Authorization ... 315
    3. Security Restrictions ... 318
    4. Performance Issues ... 320
    5. Saving File Attachments ... 324
Troubleshooting File Shares ... 325
Troubleshooting Citrix ... 326
  Troubleshooting Checklist ... 326
  Common Connectra Citrix Problems ... 327
Troubleshooting SSL Network Extender Connectivity ... 341
  General SSL Network Extender Issues ... 341
  SSL Network Extender Application Mode Issues ... 341
Ensuring Application Connectivity with Web Intelligence ... 343
Chapter 14
  Authentication Timeout ... 382
Connectivity Settings ... 383
  Connect Mode ... 383
  Automatic Dialup Initiation ... 385
  Automatic Disconnect ... 386
  Encryption Methods ... 387
Routing All Traffic To the Gateway (Hub Mode) ... 388
Firewall Policy ... 389
Configuration and Version Management ... 392
Certificates ... 394
  Certificate Nickname ... 394
  Management of Internal CA Certificates ... 394
  Importing a Certificate in the Device ... 395
Topology Update ... 396
Advanced Configuration ... 397
  Configuring a Non-Centrally Managed Gateway ... 397
  SecureClient Mobile Database Properties ... 399
Index ... 501
Preface

In This Chapter
Who Should Use This Guide ... page 16
Summary of Contents ... page 17
Related Documentation ... page 20
More Information ... page 22
Feedback ... page 23
Summary of Contents
This guide contains the following sections and chapters:
Chapter 6, Authorization

ClusterXL: Connectra gateway clusters provide high availability and load sharing to ensure reliable, high-performance operation of Connectra.

Troubleshooting Connectra: Guidelines for finding solutions to specific issues. Areas covered include Web Connectivity, Outlook Web Access, File Shares, Citrix and SSL Network Extender Connectivity, and ensuring application connectivity with Web Intelligence.

Command line reference for the Connectra SecurePlatform operating system.
Related Documentation
This release includes the following documentation related to managing Connectra NGX R66 from SmartCenter version NGX R66:
TABLE P-1 VPN-1 Power documentation suite

- Contains an overview of NGX R66 and step-by-step product installation and upgrade procedures. This document also provides information about What's New, Licenses, and minimum hardware and software requirements.
- Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R66.
- Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.
- Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; use the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection and URL Filtering (UFP) applications for limiting access to web sites; and secure VoIP traffic.
- Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
- Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (such as list, vertical bar, pie chart) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
- Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
- Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
More Information
For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Connectra Gateway

Chapter 1 Introduction to Connectra

In This Chapter
Overview of Connectra ... page 28
Connectra Applications ... page 30
SSL Network Extender ... page 32
Commonly Used Concepts ... page 33
Connectra Security Features ... page 36
User Workflow ... page 38
Getting Started With Connectra ... page 42

Overview of Connectra
Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. Remote and mobile employees, contractors, business partners and customers can access network resources and applications through either a lightweight VPN client or simply through a Web browser. By unifying SSL and IPSec VPN technologies into a single gateway and management console, Connectra provides flexible access for end users and simple, streamlined deployment for IT.

Connectra offers administrators tight access controls to help ensure that only authorized users using clean hosts gain access to corporate resources. To that end, Connectra features multiple strong authentication methods and tight integration with directory services, as well as comprehensive endpoint security capabilities enabling malware scans, compliance checks, and a virtual Secure Workspace that provides session confidentiality on both managed and unmanaged endpoints such as laptops, home PCs, internet kiosks and more.

Connectra can be deployed as a turnkey appliance, as software on open servers, or as a virtual appliance on VMware ESX Server. Connectra gateways can be managed either standalone or centrally through a single Check Point SMART management console, reducing the administration time required to configure, monitor, update and audit remote access policies.

Benefits:
- Increases productivity by allowing workers to work anywhere, anytime
- Provides secure and flexible remote access tailored to user needs
- Includes tight, uniform access controls across all access methods
- Ensures only safe endpoints are allowed to access the network
- Safeguards confidentiality of corporate information
- Protects internal network and applications from attack
- Provides multiple deployment choices, including as a virtual appliance
- Helps ensure business continuity
- Unified IPsec and SSL solution reduces Total Cost of Ownership (TCO)
- Comprehensive endpoint security
- Integrated Intrusion Prevention
- Superior user experience, with intelligent auto-connect, location awareness, and roaming
- Strong authentication methods including innovative SMS One-Time Password
- Flexible deployment options, including deployment on VMware ESX
- Best-in-class performance and scalability
Connectra Applications
Connectra provides the remote user with access to the various corporate applications, including Web Applications, File Shares, Citrix services, Web Mail and Native Applications.

A Web application can be defined as a set of URLs that are used in the same context and that are accessed via a Web browser, for example inventory management or HR management.

A file share defines a collection of files made available across the network by means of a protocol, such as SMB for Windows, that enables actions on files, such as opening, reading, writing and deleting files across the network.

Connectra supports Citrix client connectivity to internal MetaFrame servers. In this type of deployment, Connectra functions as a Secure Gateway.

Connectra supports Web Mail services including:
- Built-in Web Mail: Web Mail services give users access to corporate mail servers via the browser. Connectra provides a front end for any email server that supports the IMAP and SMTP protocols.
- Other Web-based mail services, such as Outlook Web Access (OWA) and IBM Lotus Domino Web Access (iNotes). Connectra relays the session between the client and the OWA server.
Connectra supports any Native Application, via the SSL Network Extender. A Native Application is any IP-based application that is hosted on servers within the organization. When a user is allowed to use a native application, Connectra launches SSL Network Extender and allows users to employ native clients to connect to native applications, while ensuring that all traffic is encrypted.
Remote users initiate a standard HTTPS request to the Connectra Gateway, authenticating via username/password, certificates, or some other method such as SecurID. Users are placed in groups and these groups are given access to a number of applications. For information about Web Applications, File Shares, Citrix services, Web Mail see Applications for Clientless Access on page 43. For information about Native Applications, see Native Applications for Client-Based Access on page 107.
Connectra Management
Centrally managed Connectra gateways are managed by a SmartCenter server that can manage other Check Point gateways. Locally managed Connectra is a standalone, self-managed Connectra gateway. All Connectra related configuration is performed from the Connectra tab of SmartDashboard. Connectra users are shown in SmartConsole, along with real-time counters, and history counters for monitoring purposes. SmartDefense Updates are downloaded using the SmartDefense tab of SmartDashboard. A Connectra-specific SmartDefense profile is used for all Connectra related SmartDefense configuration. Connectra supports SNMP. Status information regarding Check Point products can be obtained using a regular SNMP Network Management Station (NMS) that communicates with SNMP agents on Connectra gateways. See Working with SNMP Management Tools in the SmartCenter Administration Guide.
Authentication
All remote users accessing the Connectra portal must be authenticated by one of the supported authentication methods. As well as being authenticated through the internal Connectra database, remote users may also be authenticated via LDAP, RADIUS, ACE (SecurID), or certificates. Note - Centrally managed Connectra only: For information about authentication schemes and configuration of authentication servers, see the Authentication chapter of the Firewall and SmartDefense Administration Guide. For information about LDAP, see the SmartDirectory (LDAP) and User Management chapter in the SmartCenter Administration Guide.
Authorization
Authorization determines if and how remote users access the internal applications on the corporate LAN. If the remote user is not authorized, he/she will not be granted access to the services provided by the Connectra gateway. After being authenticated, the user will attempt to use an application. To access a particular application, the user must be authorized to do so. The user must belong to a group that has been granted access to the given application. In addition, the user must satisfy the security requirements of the application, such as authentication method and endpoint health compliance. For more information, refer to Authorization on page 173.
Endpoint Compliance Scanner
malware, Endpoint Security On Demand ensures compliance with corporate security policies and protects enterprises from threats emanating from unsecured client computers that can result in data loss and identity theft. When end users access the Connectra Portal for the first time, an ActiveX component scans the client computer. If the client computer passes the scan (i.e., no malware threats are found and an approved antivirus application is present), the user is granted access to the Connectra portal. The scan results are presented both to the Connectra gateway and to the end user. When Endpoint Security On Demand detects threats, it either rejects the connection or allows the user to choose whether or not to proceed, according to the Endpoint Compliance policies. The system administrator defines policies that determine which types of threats to detect and what action to take upon their detection. For more information, refer to Endpoint Compliance Enforcement on page 180.
Secure Workspace
End users can utilize Check Point's proprietary virtual desktop, which protects data during user sessions and wipes the cache after the sessions have ended. Secure Workspace protects all session-specific data accumulated on the client side. It uses protected disk space and file encryption to secure files created during the access session. Afterwards, it cleans the protected session cache, eliminating any exposure of proprietary data that would otherwise have been inadvertently left on public PCs. For more information, refer to Secure Workspace on page 215.
Protection Levels
Protection Levels balance connectivity against security. A Protection Level represents a security criterion that must be satisfied by the remote user before access is given. For example, an application may have a Protection Level that requires users to satisfy a specific authentication method. Out of the box, Connectra has three pre-defined Protection Levels: Permissive, Normal and Restrictive. It is possible to edit Protection Level settings and define new Protection Levels. For more information, refer to Protection Levels on page 45.
Session
Once authenticated, remote users are assigned a Connectra session. The session provides the context in which Connectra processes all subsequent requests until the user logs out or the session ends due to a timeout. For more information, refer to Session Settings on page 254.
Chapter 1
Introduction to Connectra
For more information, refer to Configuring SSL Network Extender Advanced Options on page 117.
User Workflow
In This Section:
Signing In (page 38)
First time Installation of ActiveX and Java Components (page 39)
Language Selection (page 40)
Initial Setup (page 40)
Accessing Applications (page 40)
The user workflow comprises the following steps:
1. Signing In and selecting the portal language
2. On first-time use, installation of ActiveX and Java Components.
3. Initial Setup
4. Accessing Applications
Signing In
Using a browser, the user types in the URL, assigned by the system administrator, for the Connectra Gateway.
Tip - Various popup blockers may interfere with aspects of portal functionality. Recommend to users that they configure their popup blockers to allow popups from Connectra.
If the administrator has configured Secure Workspace to be optional, users can choose to select it on the sign in page. Users enter their authentication credentials and click Sign In. Before Connectra gives access to the applications on the LAN, the credentials of remote users are first validated. Connectra authenticates the users either through its own internal database, LDAP, RADIUS or RSA ACE/Servers. Once the remote users have been authenticated and associated with Connectra groups, access is given to corporate applications.
Note - If the Endpoint Compliance Scanner is enabled, the user may be required to pass a verification scan of his/her computer before being granted access to the Connectra Sign In page, which ensures that his/her credentials are not compromised by third-party malicious software.
Once the first of these components is installed, any other components are installed in the same way. For example, if the Endpoint Compliance Scanner was installed using Java on Internet Explorer, Secure Workspace and SSL Network Extender are also installed using Java.
Note - To install using ActiveX after a component was installed using Java, delete the browser cookies.
Language Selection
The user portal can be viewed in several languages. The default language is English. To use non-English languages, a language pack may be required. To install a language pack, see the release notes for that language pack. Supported languages include: Bulgarian, Chinese Simplified, Chinese Traditional, English, Finnish, French, German, Italian, Japanese, Polish, Romanian, Russian and Spanish.
Initial Setup
The user may be required to configure certain settings, such as application credentials. In addition, the user can define additional favorites for commonly used applications.
Accessing Applications
After the remote users have logged onto the Connectra gateway, they are presented with a portal. The user portal enables access to the internal applications that the administrator has configured as available from within the organization, and that the user is authorized to use.
Figure 1-1 Connectra Portal
Introduction to Applications
Giving remote users access to the internal network exposes the network to external threats. A balance needs to be struck between connectivity and security. In all cases, strict authentication and authorization are needed to ensure that only the right people gain access to the corporate network. Defining an application is about deciding which internal LAN applications to expose to what kind of remote user. Connectra provides secure remote access to applications on the corporate LAN. See the following locations for guidelines on configuring Connectra applications:
Web Applications on page 48.
File Shares on page 60.
Citrix Services on page 66.
Web Mail Services on page 78.
Chapter 4, Native Applications for Client-Based Access on page 107.
Protection Levels
Protection Levels are predefined sets of security settings that offer a balance between connectivity and security. Protection Levels allow Connectra administrators to define application protections for groups of applications with similar requirements. Connectra comes with three default Protection Levels: Normal, Restrictive, and Permissive. You can create additional Protection Levels and change the protections for existing Protection Levels.
Figure 2-1
Chapter 2
2. Click New to create a new Protection Level or double-click an existing Protection Level to modify it. The Protection Levels window opens, displaying the General Properties page.
Figure 2-3 Protection Level Window
3. Enter a unique name for the Protection Level (for a new Protection Level only), select a display color and optionally add a comment in the appropriate fields.
4. Click Authentication in the navigation tree and select one or more authentication methods from the available choices. Users accessing an application with this Protection Level must use one of the selected authentication schemes.
5. If required, select User must successfully authenticate via SMS.
6. Click Endpoint Security in the navigation tree and select one or both of the following options:
Applications using this Protection Level can only be accessed if the endpoint machine complies with the following Endpoint compliance policy. Also, select a policy. This option allows access to the associated application only if the scanned client computer complies with the selected policy.
Applications using this Protection Level can only be accessed from within Secure Workspace. This option requires Secure Workspace to be running on the client computer.
7. Click OK to close the Protection Level window.
8. Install the Security Policy.
Web Applications
In This Section
What is a Web Application? (page 48)
Connectra Web Applications (page 49)
Web Applications of a Specific Type (page 49)
Configuring Web Applications (page 50)
Name | Directories | Services
Example | Any | HTTP, HTTPS
Tip - You can define an application using a DNS name suffix, such as *.example.com, rather than a specific DNS name. This means that every URL ending with example.com is included in this application. In this case, the match is only for *.example.com, not *.*.example.com. Also, *.a.b will match c.a.b, but not c.d.a.b.
The same host with a different directory (Table 2-2) constitutes a separate Web application:
Table 2-2 Web Application With The Same Host, Different Directory
Name | Directories | Services
Example | /wwserver/ | HTTP, HTTPS
The following Domino Web Access features are not supported:
Working offline.
Notebooks with attachments.
Color button in the Mail Composition window.
Text-alignment buttons in the Mail Composition window.
Decline, Propose new time and Delegate options in meeting notices.
Online help (partial support is available).
In This Section
Web Application General Properties Page (page 51)
Web Application Authorized Locations Page (page 52)
Web Application Link in Portal Page (page 53)
Using the Login name of the Currently Logged In User (page 54)
Web Application Single Sign-On Page (page 55)
Web Application Protection Level Page (page 55)
Web Application Link Translation Page (page 57)
Completing the Configuration of the Web Application (page 58)
Configuring a Proxy per Web Application (page 58)
Configuring Connectra to Forward Customized HTTP Headers (page 58)
Fill in the fields on the page: Name is the name of the application. Note that the name of the application that appears in the user portal is defined in the Link in Portal page. This application has a specific type: Select this option if the Web application is of one of the following types:
Domino Web Access is a Web application that provides access to a number of services including mail, contacts, calendar, scheduling, and collaboration services.
Note
1. Domino Web Access requires its files to be temporarily cached by the client-side browser. As a result, the endpoint machine browser caching settings of the Connectra Endpoint Compliance Profile do not apply to these files.
2. To allow connectivity, the cross site scripting, command injection and SQL injection Web Intelligence protections are disabled for Domino Web Access.
Outlook Web Access (OWA) is a Web-based mail service, with the look, feel and functionality of Microsoft Outlook. OWA functionality encompasses basic messaging components such as email, calendaring, and contacts.
Fill in the fields on the page: Host or DNS name on which the application is hosted. Allow access to any directory gives the user access to all locations on the application server defined in Servers.
Allow access to specific directories restricts user access to specific directories, for example /finance/data/. The paths can include $$user, which is the name of the currently logged-in user.
Note
1. For an Outlook Web Access application, the following are typical default paths:
Private Mailboxes: /exchange/
Graphics and Controls: /exchweb/
Client access to Exchange Server 2007: /owa/
Public Folders: /public/
2. When two or more overlapping applications are configured (for example, one for any directory and one for a specific directory on the same host), it is undefined which application settings take effect.
Selecting Application paths are case sensitive improves security, because paths are then matched exactly as entered. Use this setting for UNIX-based Web servers that are case sensitive. Services that are allowed are typically http for cleartext access to the Web application, and https for SSL access.
Fill in the fields on the page: Add a link to this Web application/file share in the Connectra portal (Web Application without a specific type). If you do not enter a link, users will be able to access the application by typing its URL in the user portal, but will not have a pre-configured link to access it. This application requires a link in the Connectra portal (Web Application with a specific type), otherwise it cannot be accessed. Link text (multi-language) is shown in the Connectra Portal. Can include $$user, which represents the username of the currently logged-in user. If more than one link is configured with the same (case insensitive) name, only one of them will be shown in the portal.
URL is the link to the location of the application. Can include $$user, which represents the username of the currently logged-in user. For example, a URL that is defined as http://host/$$user appears for user aa as http://host/aa and for user bb as http://host/bb. Tooltip (multi-language) for additional information about the application. Can include $$user, which represents the username of the currently logged-in user. The text appears automatically when the user pauses the mouse pointer over the link and disappears when the user clicks a mouse button or moves the pointer away from the link.
Fill in the fields on the page: Security Requirements for Accessing this Application allows you to EITHER allow access to this application to any endpoint machine that complies with the security requirements of the gateway, OR make access to the application conditional on the endpoint being compliant with the selected Endpoint Compliance Profile.
Browser Caching on the Endpoint Machine allows you to control caching of Web application content in the remote user's browser. Allow caching of all content is the recommended setting when using the Hostname Translation method of Link Translation. This setting allows Web sites that use ActiveX and streaming media to work with Hostname Translation. Prevent caching of all content improves security for remote users accessing a Web Application from a workstation that is not under their full control, by making sure that no personal information is stored on the endpoint machine. On the other hand, this setting prevents users from opening files that require an external viewer application (for example, a Word or a PDF file), and may cause some applications that rely on caching of files to malfunction.
Choose the Link Translation method used by Connectra to access this application.
Use the method specified in the Connectra through which this application is accessed uses the method configured in the:
For locally managed Connectra: Connectra gateway object Link Translation page, in the Default Translation Method section.
For centrally managed Connectra: SmartDashboard Additional Settings > Link Translation page, in the Link Translation Settings on Connectra Gateways section.
Using the following method is the Link Translation method that will always be used for this application. Either URL Translation, which is supported by the Connectra gateway with no further configuration, or Hostname Translation, for which further configuration is required. See Preparing Connectra for Hostname Translation on page 242.
2. In the Access to Application page, associate:
User groups.
Applications that the users in those user groups are allowed to access.
Install On are the Connectra gateways and gateway clusters that users in those user groups are allowed to connect to.
3. From the SmartDashboard main menu, choose Policy > Install... and install the Policy on the Connectra gateways.
2. Add or edit the line containing CvpnAddHeader according to the following syntax:
$CLIENTIP, which is resolved to the actual IP address of the end-user's client machine.
$USERNAME, which is resolved to the username entered as a credential in the login page.
Examples:
File Shares
In This Section
What is a File Share? (page 60)
File Share Viewers (page 60)
Configuring File Shares (page 60)
Using the $$user Variable in File Shares (page 64)
In This Section
File Share Application General Properties Page (page 61)
File Share Application Authorized Locations Page (page 61)
File Share Application Authorized Locations Page (page 61)
File Share Application Single Sign-On Page (page 63)
File Share Application Protection Level Page (page 63)
Completing the Configuration of the File Share Application (page 64)
Fill in the fields on the page:
Servers are the machine(s) or DNS Name(s) on which the file server is hosted. Choose either a single Host or DNS name, or Multiple hosts.
Allow access to any file share gives the users access to all locations on the file server defined in Servers.
Allow access to specific file shares restricts user access to specific shares, for example My_Share. Use only the name of a share, such as My_share, $$user, or My_share$, without any slashes. Do not specify a subdirectory inside a share. The $$user variable represents the name of the currently logged-in user. This variable provides personalized authorization for users. If $$user is defined as a file share, then if the user currently logged in is alice, alice will be allowed access to the share named alice defined on the server, such as \\myserver\alice.
Note - When two or more overlapping file share applications are configured (for example, one for any share and one for a specific share on the same host), it is undefined which application settings are in effect.
Fill in the fields on the page: Add a link to this file share in the Connectra portal. If you do not enter a link, users will be able to access the application by manually typing its link in the portal, but will not have a pre-configured link to access it. Link text (multi-language) is shown in the Connectra Portal. Can include $$user, which represents the username of the currently logged-in user. If more than one link is configured with the same (case insensitive) name, only one of them will be shown in the portal.
Path is the full file path that the link will attempt to access, specified using UNC syntax. It can be either the location of a share, or any path under the share. It can include $$user, which represents the username of the currently logged-in user. For example, a path that is defined as \\host\Pub\users\$$user appears for user alice as \\host\Pub\users\alice and for user Bob as \\host\Pub\users\Bob.
Note - The host defined here is the same host that is defined in the Authorized Locations page. However, the IP address of the host is resolved by the DNS Server that is defined on Connectra itself (and not by the Connectra management).
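As an added example (not Check Point's code) of the $$user variable described for Web application directories and links and for file share names: Python that expands the variable and checks a request against the Authorized Locations settings, including the Application paths are case sensitive option. Function names are hypothetical; refusing login names that contain path separators and comparing share names case-insensitively are assumptions made here, not documented Connectra behaviour.

```python
from __future__ import annotations

import posixpath
from dataclasses import dataclass

USER_VAR = "$$user"


def expand_user(template: str, username: str) -> str:
    """Substitute $$user with the portal login name, as the guide describes
    (http://host/$$user becomes http://host/aa for user aa).

    A login name that could change the structure of the expanded path or share
    name is refused instead of substituted (a safeguard assumed here, not a
    documented Connectra behaviour).
    """
    if not username or any(c in username for c in "/\\") or username in (".", ".."):
        raise ValueError(f"login name not usable in a path: {username!r}")
    return template.replace(USER_VAR, username)


@dataclass
class WebAuthorizedLocations:
    """Settings of a Web application's Authorized Locations page."""
    directories: list[str] | None   # None = "Allow access to any directory"
    case_sensitive: bool = False    # "Application paths are case sensitive"


def _normalize(path: str, case_sensitive: bool) -> str:
    # Resolve ./ and ../ so that /finance/data/../../etc/ is judged as /etc/.
    # Percent-decoding is out of scope here; decode before calling in a gateway.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return norm if case_sensitive else norm.lower()


def web_path_authorized(loc: WebAuthorizedLocations, username: str, request_path: str) -> bool:
    """True if request_path is at or below one of the configured directories
    (after $$user expansion), honouring the case-sensitivity setting."""
    if loc.directories is None:
        return True
    req = _normalize(request_path, loc.case_sensitive)
    for template in loc.directories:
        allowed = _normalize(expand_user(template, username), loc.case_sensitive)
        if req == allowed or req.startswith(allowed.rstrip("/") + "/"):
            return True
    return False


def share_name(unc_path: str) -> str:
    r"""Return the share component of a UNC path: \\myserver\alice\docs -> alice."""
    if not unc_path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {unc_path!r}")
    parts = [p for p in unc_path[2:].split("\\") if p]
    if len(parts) < 2:
        raise ValueError(f"UNC path has no share component: {unc_path!r}")
    return parts[1]


def file_share_authorized(allowed_shares: list[str] | None, username: str, unc_path: str) -> bool:
    """File share Authorized Locations hold bare share names only (My_share,
    $$user, My_share$): no slashes and no subdirectory, so only the share
    component of the requested UNC path is compared.  Share names are compared
    case-insensitively, an assumption made here because Windows share names are."""
    if allowed_shares is None:          # "Allow access to any file share"
        return True
    requested = share_name(unc_path).lower()
    for template in allowed_shares:
        if "\\" in template or "/" in template:
            raise ValueError(f"share entries must be bare share names: {template!r}")
        if expand_user(template, username).lower() == requested:
            return True
    return False
```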
Tooltip (multi-language) for additional information. Can include $$user, which represents the username of the currently logged-in user. The text appears automatically when the user pauses the mouse pointer over the link and disappears when the user clicks a mouse button or moves the pointer away from the link.
Fill in the fields on the page: Security Requirements for Accessing this Application allows you to EITHER allow access to this application to any endpoint machine that complies with the security requirements of the gateway, OR make access to the application conditional on the endpoint being compliant with the selected Endpoint Compliance Profile.
2. In the Access to Application page, associate:
User groups.
Applications that the users in those user groups are allowed to access.
Install On are the Connectra gateways and gateway clusters that users in those user groups are allowed to connect to.
3. From the SmartDashboard main menu, choose Policy > Install... and install the Policy on the Connectra gateways.
For more information about the $$user variable, see Using the Login Name of the Currently Logged in User on page 88.
Citrix Services
In This Section
Understanding Citrix Services (page 66)
Citrix Deployments Modes - Unticketed and Ticketed (page 66)
Citrix features Supported by Connectra (page 68)
Configuring Citrix Services (page 71)
The remote access user logs into the Connectra user portal.
Using the Connectra Web interface, the user is directed to the Citrix Web Interface server and then has access to the MetaFrame server.
Figure 2-5 Connectra in a Citrix Deployment - Ticketed Mode (using external STA servers)
In the Ticketed Mode scenario:
The remote access user logs into the Connectra user portal.
Using the Connectra Web interface, the user is directed to the Citrix Web Interface server.
The user logs into the Citrix Web Interface server and is assigned a secure ticket by the Secure Ticket Authority. This ticket allows the user to access the MetaFrame server once it is verified by the Connectra Web Security Gateway.
Note - Connectra implements its own Secure Ticketing Authority (STA) engine. Thus, using STA servers is not necessary.
Description
When securing an access center, Check Point's proprietary agents are not required to run on the client devices.
ICA Web Client for Windows based PCs (ActiveX), Versions 6.3 - 8.2.
ICA Java Client for any Java-enabled browser (Applet) for UNIX, LINUX, Macintosh, Windows, Versions 6.3 - 8.2.
Citrix Program Neighborhood client, Versions 6.3 - 8.2.
Details
Predefined client with published applications, IP addresses, server names and connections options.
Servers supported
MetaFrame Presentation Server (MPS) 3.0
MetaFrame XP server for Windows
MetaFrame XP server for Solaris
Details
We recommend stage testing this server version with Connectra in non-production mode first.
Web Interface (WI) 3.0 Server
Web Interface (WI) 2.0 server
NFuse 1.7 server.
Multiple STA servers of versions 1.0 - 2.0. Support for Citrix STA servers.
NOTE that Connectra has its own internal STA engine. Thus, using external STA servers is not necessary, but possible.
Parallel gateways
Connectra beside Citrix Secure Gateway (CSG) server.
Multiple points of access. Multiple points of access into the organization are possible. Connectra may serve as one such point of access. Such a setup is extremely useful for integration purposes, for example.
Seamless integration
No need to alter existing configurations or Citrix servers' topology.
Firewall traversal
Connections from clients are secured with standard protocols using ports typically open on corporate firewalls.
Zero configuration
No special configuration of Citrix servers is necessary in order to set up Connectra.
Details
WI (NFuse) server configured to work in un-ticketed mode.
WI (NFuse) server configured to work in ticketed mode.
Single point of access to all backend servers including WI (NFuse), MetaFrame, Presentation and third party servers.
Centralized management.
Restricted access to Citrix backend servers. Access to specific WI (NFuse), MetaFrame, Presentation & STA servers is regulated by Connectra.
Endpoint Compliance Profile configuration per Citrix service.
Enforcement of authentication strength and security scans.
Single point of access protected by various intelligent defense mechanisms, SSL/TLS encryption & certificates.
Advanced auditing and logging.
Connectra administrator may specify specific MF, WI (NFuse) & STA servers to which access is permitted.
Connectra Web Security Gateway certificate can be issued by a custom Certificate Authority (CA). The certificate can also be self-signed.
This feature is useful for organizations that choose to utilize their own Certificate Authorities to sign server certificates.
In This Section
Before Configuring Citrix Services (page 71)
Citrix Service Web Interface (NFuse) page (page 72)
Citrix Service Link in Portal Page (page 72)
Citrix Service STA Servers Page (page 73)
Citrix Service MetaFrame Servers Page (page 74)
Citrix Service Single Sign On Page (page 75)
Citrix Service Protection Level Page (page 75)
Completing the Configuration of the Citrix Service (page 76)
Fill in the fields on the page: Servers are the machine(s) or DNS Name(s) on which the Web Interface server is hosted. Choose either a single Host or DNS name, or Multiple hosts. In order to keep the environment simple, it is recommended to configure a single Web Interface (NFuse) server per Citrix Application. Services must match the settings on the Web Interface server. Select http or https, as required. Other services are NOT supported.
Fill in the fields on the page: Link text (multi-language) is shown in the Connectra Portal. If more than one link is configured with the same (case insensitive) name, only one of them will be shown in the portal. URL is the link to the location of the application, or to a subdirectory of the application.
Tooltip (multi-language) for some additional information. The text appears automatically when the user pauses the mouse pointer over the link and disappears when the user clicks a mouse button or moves the pointer away from the link.
Obtain the Host and the STA ID of the Secure Ticketing Authority (STA) servers from the current settings on the Web Interface (WI) server.
Note - Connectra implements its own Secure Ticketing Authority (STA) engine. Thus, using STA servers is not necessary.
In this page you can either allow access to all MetaFrame Servers or restrict access to defined MetaFrame Servers.
Note - If you select Restrict access to these servers only:
1. Define the servers using an IP address or Fully Qualified Domain Name (FQDN).
2. Make sure that the definition matches the configuration made on the MetaFrame server farm. If it does not, Connectra may not authorize the connection. (The MetaFrame server configuration affects one of the parameters in the ICA file that is received by the client.)
Fill in the fields on the page: Security Requirements for Accessing this Application allows you to EITHER allow access to this application to any endpoint machine that complies with the security requirements of the gateway, OR make access to the application conditional on the endpoint being compliant with the selected Endpoint Compliance Profile.
Note - The Citrix architecture requires ICA files and ActiveX executables to be temporarily cached by the client-side browser. As a result, Connectra's Protection Level settings do not apply to these files.
2. In the Access to Application page, associate:
User groups.
Applications that the users in those user groups are allowed to access.
Install On are the Connectra gateways and gateway clusters that users in those user groups are allowed to connect to.
3. From the SmartDashboard main menu, choose Policy > Install... and install the Policy on the Connectra gateways.
Connectra also supports the IBM Lotus Domino Web Access (DWA, formerly known as iNotes) and Outlook Web Access (OWA). DWA and OWA are configured in Connectra as Web Applications.
Figure 2-6
In This Section
Web Mail Service General Properties Page (page 81)
Web Mail Service Link in Portal Page (page 81)
Web Mail Service Single Sign-On Page (page 82)
Web Mail Service Single Sign-On Page (page 82)
Completing the Configuration of the Web Mail Service (page 83)
Enabling LDAP Contacts Search in Web Mail Applications (page 83)
Fill in the fields on the page:
Name for the mail service, for example, my_mail_server.
Outgoing Mail Server (SMTP): Host or DNS Name, for example, smtp.example.com. Service is normally the standard predefined SMTP service.
Incoming Mail Server: IMAP server type. Host or DNS Name, for example, smtp.example.com. Service is normally the standard predefined IMAP service.
Fill in the fields on the page: Link text (multi-language) is shown in the Connectra Portal. If more than one link is configured with the same (case insensitive) text, only one of them will be shown in the portal. Tooltip (multi-language) for additional information. The text appears automatically when the user pauses the mouse pointer over the link and disappears when the user clicks a mouse button or moves the pointer away from the link.
Fill in the fields on the page: Security Requirements for Accessing this Application allows you to EITHER allow access to this application to any endpoint machine that complies with the security requirements of the gateway, OR make access to the application conditional on the endpoint being compliant with the selected Endpoint Compliance Profile.
2. In the Access to Application page, associate:
User groups.
Applications that the users in those user groups are allowed to access.
Install On are the Connectra gateways and gateway clusters that users in those user groups are allowed to connect to.
3. From the SmartDashboard main menu, choose Policy > Install... and install the Policy on the Connectra gateways.
Native Applications
Native Applications are not clientless. They require the SSL Network Extender client on the endpoint machine. See Chapter 4, Native Applications for Client-Based Access on page 107.
DNS Names
In This Section
Why Use DNS Name Objects? (page 85)
DNS Names and Aliases (page 85)
Where DNS Name Objects are Used (page 86)
Defining the DNS Server used by Connectra (page 86)
Configuring DNS Name Objects (page 86)
Wildcards can be used at the beginning of a domain name, but not at the end. For example, *.example.com includes www.example.com and mail.example.com. On the other hand, www.example.* is NOT valid.
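As an added example (not Check Point's code), the wildcard rule stated here and in the Web Applications Tip (*.a.b matches c.a.b but not c.d.a.b; www.example.* is not valid), implemented in Python together with a lookup that treats the same host with a different directory as a separate Web application and refuses the overlapping case the guide says is undefined. Class and function names are hypothetical; matching exactly one label in place of the wildcard, with the bare apex not covered, is the conservative reading of the guide.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_dns_name(name: str) -> list[str]:
    """Split a DNS Name object into lowercase labels.

    Rejects the forms the guide rules out: a wildcard anywhere but the first
    label (www.example.*) and, as a conservative reading, a wildcard that is
    only part of a label (www*.example.com) or an empty label.
    """
    labels = name.strip().lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                raise ValueError(f"wildcard is only allowed as the first label: {name!r}")
        elif not _LABEL.match(label):
            raise ValueError(f"invalid label {label!r} in {name!r}")
    return labels


def dns_name_matches(pattern: str, host: str) -> bool:
    """True if host is covered by the DNS Name object pattern.

    *.a.b covers c.a.b (exactly one label in place of the wildcard) but not
    c.d.a.b.  The guide does not say whether the bare a.b is covered, so this
    reading excludes it.  A pattern without a wildcard matches only itself.
    """
    p = parse_dns_name(pattern)
    h = parse_dns_name(host)
    if "*" in h:
        raise ValueError(f"host to match must be a concrete name: {host!r}")
    if p[0] == "*":
        return len(h) == len(p) and h[1:] == p[1:]
    return h == p


@dataclass(frozen=True)
class WebApplication:
    """The columns of Table 2-2 and its companion: Name, Host/DNS Name, Directories, Services."""
    name: str
    host: str                      # host or DNS Name object, e.g. "*.example.com"
    directory: str | None = None   # None means "Allow access to any directory"
    services: tuple[str, ...] = ("http", "https")


class AmbiguousApplication(Exception):
    """Raised where the guide says it is undefined which application's settings apply."""


def matching_applications(apps, host, path, service):
    """All applications whose host, directory scope and service cover the request."""
    hits = []
    for app in apps:
        if service.lower() not in app.services:
            continue
        if not dns_name_matches(app.host, host):
            continue
        if app.directory is not None:
            # The request must sit at or below the configured directory.
            d = app.directory if app.directory.endswith("/") else app.directory + "/"
            if not (path == d.rstrip("/") or path.startswith(d)):
                continue
        hits.append(app)
    return hits


def select_application(apps, host, path, service):
    """Return the single applicable application, or None when none matches.

    Two overlapping definitions (one for any directory and one for /wwserver/
    on the same host) are a configuration error to surface, not to resolve
    silently, so they raise instead of picking one.
    """
    hits = matching_applications(apps, host, path, service)
    if len(hits) > 1:
        raise AmbiguousApplication(", ".join(a.name for a in hits))
    return hits[0] if hits else None
```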
The DNS Names window opens.
5. Click Add. The Edit DNS Name window opens.
6. Type the DNS name.
Figure 2-7 Editing a DNS Name
Chapter 3
Single Sign On
The user must enter his/her username and password for that application, and click OK.
It is recommended to use the Web form based SSO for every application that is configured to work with Web form authentication. Do not enable Web form SSO for other applications, in order to maintain performance and connectivity. Note - Web form SSO is available for Connectra NGX R66 and higher.
Web applications
File shares
Citrix services
Web Mail
Native applications
2. In the Single Sign On page, select an application and click Edit. The Single Sign On page of the application window opens.
3. Select Turn on single Sign On for this application.
4. Configure the sign on method for the application. The default option is:
For Web applications, File Shares and Citrix Services: Prompt the users for their credentials and store them for future use
For Web Mail applications this same option is called: Prompt user for credentials
With this option, the application credentials are stored and reused. The portal credentials are not used to authenticate to applications.
To configure Web Form SSO with default settings: In the Single Sign On page of the Connectra application, select This application uses a Web form to accept credentials from other users.
Note - Only enable Web form SSO for applications that use a web form to accept user credentials, in order to maintain performance and connectivity.
For configuration options that are specific to Web form SSO, see Advanced Configuration of Web Form SSO on page 102.
Table 3-4 summarizes the available single sign on methods.
Table 3-4 Single Sign On Methods
SSO Method | Single Sign On is On/Off | Portal credentials reused | Users prompted
Turn on Single Sign On for this application - Unchecked | Off. Users are always prompted. | - | -
Prompt users for their credentials, and store them for future use | On. Default method. | No | Yes
This application reuses the portal credentials. Users are not prompted. | On. Advanced method. | Yes | No
This application reuses the portal credentials. If authentication fails, Connectra prompts users and stores their credentials. | On. Advanced method. | Yes | Yes
Windows domain
The user of this application belongs to the following Windows domain: the Windows domain or workgroup, for example LOCALDOMAIN. Specify the domain if Windows authentication is used. Integrated Windows authentication requires the domain to be forwarded along with the username and password, but if one of the Accept the portal credentials from the gateway Single Sign On methods is selected, Connectra does not know the domain, because the user does not supply it with the portal credentials. Therefore, the domain is taken from the one specified here.
User notification
Notify the users that their credentials for this application are going to be stored Users accessing the application login page for the first time see a popup message such as the following:
Allow the users to specify that their credentials for this application will not be stored
Users accessing the application login page for the first time see a popup message such as the following:
Administrator message
Show the following message together with the credentials prompt shows a hint to the user about the credentials they must supply, for example, whether they should supply the domain name and username (for example: AD/user) or just the username (for example: user). After clicking the Help me choose credentials link, the user sees the hint. The message can include ASCII characters only.
You can specify different criteria for:
Sign In Success or Failure Detection on page 102.
Credential Handling on page 103.
Credential Handling
In the Single Sign On page of the Connectra application, in the Web Form section, click Edit.
By default, Connectra looks for the username and password fields at the application URL. If the default settings do not work, you can either configure an automatic credential detection method, or you can manually hard-code the POST details.
To configure credential handling:
1. In the Single Sign On page of the Connectra application, in the Web Form section, click Edit.
2. In the Credentials Handling section, click Edit. The Credentials Handling window opens.
Microsoft Exchange, Telnet and FTP are all examples of native application servers. Authorized users can use their native clients (for example, telnet.exe, ftp.exe, or Outlook) to access these internal applications from outside the organization. A native application is defined by the:
Server hosting the application.
Services used by the application.
Connection direction (usually client to server, but can also be server to client, or client to client).
Applications on the endpoint (client) machines. These applications are launched on demand on the user machine when the user clicks a link in the user portal. They can be:
Already installed on the endpoint machine, or
Run via a default browser, or
Downloaded from Connectra.
VPN Clients
Three VPN clients are allowed to connect to a Connectra gateway or gateway cluster: SSL Network Extender, SecureClient Mobile, and Endpoint Connect. The SSL Network Extender client can operate in two modes: Network Mode and Applications Mode.
In This Section
SSL Network Extender page 109
SecureClient Mobile page 112
Endpoint Connect page 113
Table 4-1 Applications supported in SSL Network Extender Application Mode
Application type | Partner/Company | Client
Telnet / SSH | Microsoft | (client not recovered)
Telnet / SSH | Microsoft | (client not recovered)
Telnet / SSH | Putty | (client not recovered)
Telnet / SSH | VanDyke | (client not recovered)
Database Clients | Rational | (client not recovered)
Siebel | Siebel | Siebel Client
TN3270 | Ericom | PowerTerm InterConnect for Windows
TN3270 | IBM | Personal Communications Workstation Program
FTP | Microsoft | FTP (Command Line)
FTP | Ipswitch | WS_FTP Home/PRO
FTP | GlobalSCAPE | CuteFTP
E-Mail (POP3, IMAP, SMTP) | Microsoft | Outlook Express
E-Mail (POP3, IMAP, SMTP) | Microsoft | Outlook (see note below table)
E-Mail (POP3, IMAP, SMTP) | QUALCOMM | Eudora
E-Mail (POP3, IMAP, SMTP) | Mozilla | Thunderbird
E-Mail (POP3, IMAP, SMTP) | IBM | Lotus Notes
Web Browser (HTTP, HTTPS, Passive FTP) | Microsoft | (client not recovered)
Web Browser (HTTP, HTTPS, Passive FTP) | Mozilla | (client not recovered)
Terminal Services | Microsoft | (client not recovered)
(category not recovered) | RealVNC | (client not recovered)
(category not recovered) | Famatech | (client not recovered)
(category not recovered) | Citrix | five Citrix client rows, names not recovered
Productivity Suites | IBM | (client not recovered)
Version column (not matched to rows): 2.0, 2.1, 6.20.985, 9.0.0.32649, 8.0.1672, 8.2.1684, 8.0.24737.0, 6.0.3, 6.5.3
Note - Some Anti Virus applications do not scan email when Microsoft Outlook is launched with SSL Network Extender Application Mode. This is because the mail traffic is already encrypted inside SSL before the scanner sees it.
SecureClient Mobile
SecureClient Mobile is a client application for mobile devices that includes a VPN and a firewall. SecureClient Mobile enables easy customization with central management and enforcement. SecureClient Mobile's VPN is based on SSL (HTTPS) tunneling and enables handheld devices to securely access resources behind Check Point gateways. Any Native Application that can be accessed using the SSL Network Extender Network Mode client can also be accessed by SecureClient Mobile clients on handheld devices. For configuration details, see Configuring VPN Clients on page 114.
Endpoint Connect
Endpoint Connect is Check Point's lightweight remote access client. Providing seamless, secure VPN connectivity to corporate resources, the client works transparently with Connectra NGX R66 and higher gateways. For more information, see Chapter 18, Endpoint Connect.
In This Section
Basic VPN Client Configuration page 114
Advanced VPN Client Configuration page 115
Configuring SSL Network Extender Advanced Options page 117
Configuring SecureClient Mobile page 119
To configure Endpoint Connect clients settings on the gateway, see Configuring the Gateway for Endpoint Connect on page 454.
Application Mode only specifies that the SSL Network Extender Application Mode client is downloaded to the endpoint machines irrespective of the capabilities of the endpoint machine. Network Mode only specifies that the SSL Network Extender Network Mode client is downloaded to the endpoint machines irrespective of the capabilities of the endpoint machine. The user on the endpoint machine must have administrator permissions in order to access Native Applications.
Client uninstall upon disconnection specifies how to handle the installed SSL Network Extender Network Mode client on the endpoint machine when the client disconnects. This setting applies to all Connectra gateways that are managed by SmartCenter. Do not uninstall allows the user to manually uninstall if they wish to. Ask User allows the user to choose whether or not to uninstall. Always uninstall does so automatically, when the user disconnects.
Encryption
Supported Encryption methods defines the strength of the encryption used for communication between SSL Network Extender clients and all Connectra gateways and gateway clusters that are managed by SmartCenter.
3DES only. This is the default. The 3DES encryption algorithm encrypts data three times with three 64-bit DES keys, for an overall key length of 192 bits (168 bits once the parity bits are excluded).
3DES or RC4 configures the SSL Network Extender client to support the RC4 encryption method as well as 3DES. RC4 is a variable key-size stream cipher based on a random permutation. It requires a secure exchange of a shared key, which is outside the cipher's specification. RC4 is faster than 3DES, but it has well-known keystream biases and is prohibited in TLS by RFC 7465; enable it only if a legacy client requires it, and keep the default 3DES only otherwise.
Launch behavior
These settings define the behavior of the SSL Network Extender clients when launched on the endpoint machines. Automatically minimize client window after client connects minimizes the SSL Network extender window to the system tray on the taskbar after connecting. This makes for better usability for non-technical users.
Centrally managed Connectra: From the list of available gateways, select a Connectra Gateway or Connectra Cluster object and click Edit....
Select SecureClient Mobile.
2. Configure Native Applications. See Configuring a Simple Native Application on page 127 and Configuring an Advanced Native Application on page 130.
3. Configure the SecureClient Mobile settings. In the Connectra tab, select the Additional Settings > VPN Clients page and click Edit under Advanced Settings SecureClient Mobile.
In a centrally managed Connectra, the Advanced Settings SecureClient Mobile page can also be found in Global Properties > Remote Access > SecureClient Mobile.
For information about each of the SecureClient Mobile options, see Central Management of SecureClient Mobile on page 377. 4. Install the Policy.
In This Section
Application Installed on Endpoint Machine page 122
Application Runs Via a Default Browser page 122
Application Downloaded From Connectra page 123
Ensuring the Link Appears in the End-User Browser page 125
Certified Applications
Certified applications are an integral part of Connectra, and are fully supported. The packages that are downloaded to the endpoint machine are signed by Check Point. Table 4-2 lists the available certified downloaded-from-Connectra Native Applications:
Table 4-2 Downloaded-from-Connectra Certified Applications
Application | Description
Telnet | Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet.
SSH | Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.
TN3270 | IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
TN5250 | IBM 5250 terminal emulator that interprets and displays 5250 data streams.
For configuration details, see Configuring Downloaded-From-Connectra Endpoint Applications on page 138.
Add-on Applications
Add-on downloaded-from-Connectra applications are third-party applications, which are supplied as-is, for which Check Point provides limited support.
These packages are not signed by Check Point, and when they are downloaded by end-users a popup warning informs the user that the package is not signed. If the application does not function as expected, it can be deleted or replaced. Table 4-3 lists the available downloaded-from-Connectra Native Applications:
Table 4-3 Downloaded-from-Connectra Add-On Applications
Application | Description
Remote Desktop | Downloaded-from-Connectra Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.
PuTTY | An implementation of Telnet and SSH for Win32 platforms, including an Xterm terminal emulator.
Jabber | Downloaded-from-Connectra Jabber Client is an instant messenger based on the Jabber protocol. Runs on every computer with at least Java 1.4.
FTP | Graphical Java network and file transfer client. Supports FTP using its own FTP API and various other protocols like SMB, SFTP, NFS, HTTP, and file I/O using third party APIs. Includes many advanced features such as recursive directory up/download, browsing FTP servers while transferring files, FTP resuming and queueing, browsing the LAN for Windows shares, and more.
For configuration details, see Configuring Downloaded-From-Connectra Endpoint Applications on page 138.
For example, the link will not be shown if:
An endpoint application that is pre-installed on the endpoint machine (of type Already Installed) is configured, and the application is in fact not installed on the endpoint machine.
A Downloaded-from-Connectra (Embedded) application requires Java, but Java is not installed on the endpoint machine.
General Properties
In the General Properties page, define the name of the Native Application.
Authorized Locations
Go to the Authorized Locations page.
An authorized location ensures users of the Native Application can only access the specified locations using the specified services. Host or Address Range is the machine or address range on which the application is hosted. Service is the port on which the machine hosting the application listens for communication from application clients.
Add link in the Connectra portal must be selected if you want to make the endpoint application(s) associated with the Native Application available to users.
Note - If the endpoint application is not available on the endpoint machine, the link to the application will not be shown in the end user's browser.
Link text can include $$user, a variable that represents the username of the currently logged-in user.
Tooltip for additional information. Can include $$user, which represents the username of the currently logged-in user.
Path and executable name must specify one of the following:
Full path of the application on the endpoint machines. For example, c:\WINDOWS\system32\ftp.exe
The location of the application by means of an environment variable. This allows the location of the application to be specified in a more generalized way. For example %windir%\system32\ftp.exe
If the application is listed in the Windows Start > Programs menu, only the application name need be entered, as it appears to the user in the Start menu. For example HyperTerminal.
If the location of the application is in the path of the endpoint machine, only the application name need be entered. For example ftp.exe
Parameters are used to pass additional information to the applications on the endpoint machine, and to configure the way they are launched. Can include $$user, which represents the username of the currently logged-in user.
2. In the Access to Application page, associate: User groups. Applications that the users in those user groups are allowed to access. Install On are the Connectra gateways and gateway clusters that users in those user groups are allowed to connect to.
3. From the SmartDashboard main menu, choose Policy > Install... and install the Policy on the Connectra gateways.
In This Section
Configuring Connection Direction page 130
Multiple Hosts and Services page 131
Configuring the Endpoint Application to Run Via a Default Browser page 132
Automatically Starting the Application page 133
Making an Application Available in Application Mode page 134
Automatically Running Commands or Scripts page 135
Select one of the following options:
Client to server: (For example, Telnet.) This is the default option. When you create a client to server application and assign it to a user group, you enable users of the group to initiate a connection to the specified server.
Server to client: (For example, X11.) When you create a server to client application, the specified server can initiate a connection to all SSL Network Extender or SecureClient Mobile users currently logged on to the Connectra gateway, regardless of their group association.
Client to client: (For example, running Remote Administration from one client to another.) When you create a client to client Native Application and assign it to a user group, you enable users of that group to initiate a connection to all of the SSL Network Extender or SecureClient Mobile users currently logged on to Connectra, regardless of their user group association. Because these two directions reach every logged-on user and not only the assigned group, restrict them to the services that genuinely need them.
Note - A Client to Client Native Application does not require configuration of a destination address.
Run via default browser is used to define a link to any URL. The link appears in the Connectra portal, and launches the current Web browser (the same browser as the Connectra portal). The link can include $$user, which represents the username of the currently logged-in user. This option has a similar user experience to a Web Application with a URL: The application is opened in a Web browser. However, Connectra Web applications perform Link Translation on the URL and encrypt the connection over SSL, while the Run via default browser option with SSL Network Extender does not perform link translation, and encrypts using SSL Network Extender. You may prefer to define a Native Application rather than a Web Application for convenience, or because some Web sites have problems working with Link Translation.
4. Click Add or Edit. The Edit Endpoint Application window opens. 5. Click Advanced.... The Advanced window opens.
Automatically start this application allows you to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network Mode or Application Mode). When more than one Native Application is defined for automatic start on connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications. The When SSL Network Extender is disconnected option should not be used to launch applications that require connectivity to the organization. This limitation applies only to SSL Network Extender Application Mode; in Network Mode, automatic start of applications when SSL Network Extender is disconnected works correctly.
6. Select Show link to this application in SSL Network Extender Application Mode. The option SSL Network Extender application mode compatibility allows you to make an application available to Application Mode clients. Users that connect using the SSL Network Extender Application Mode client are able to see a link to the application and launch it. Use this option if the application works well in Application Mode. Note - If this option is NOT selected, users: 1. Who connect with Application Mode do not see it in their list of applications. 2. With SecureClient Mobile clients on handheld devices are unable to connect to the application.
It is possible to configure a Native Application to run a program or command automatically, after connecting to or disconnecting from SSL Network Extender (either Network mode or Application mode).
One example of how automatically running a command can be useful is to mount or unmount a network drive. Giving users access to network drives is a convenient way of providing access to internal resources. A drive can be mapped by configuring an application that invokes the Windows net use command. Note - When more than one Native Application is defined for automatic connection or disconnection, the applications run in the alphabetical order of the names of the Native Applications. For configuration details, see How to Automatically Map and Unmap a Network Drive on page 136. It is possible to extend this ability by defining a dynamic add-on downloaded-from-Connectra application that runs a script (batch file) containing a sequence of commands to execute on the endpoint machine. This script can be launched manually when the user clicks a link, or it can launch automatically after connecting to or disconnecting from SSL Network Extender. For configuration details, see How to Automatically Run a Script (Batch File) on page 137.
To automatically map (mount) and unmap (unmount) a network drive, create a Native Application that automatically maps the network drive when SSL Network Extender is launched:
1. Define a Native Application.
2. In the Endpoint Applications page of the Native Application object, select Add link in the Connectra portal.
3. Select Advanced > Edit. The Endpoint Applications - Advanced window opens.
4. Click Add or Edit. The Edit Endpoint Application window opens.
5. Configure the Edit Endpoint Application page as follows:
Already installed.
Path and executable name: net.exe
Parameters: use drive_letter: \\servername\sharename
6. Click Advanced. In the Advanced page, check When SSL Network Extender is launched.
7. Create another Native Application that automatically unmaps the network drive when SSL Network Extender is disconnected. Configure the Edit Endpoint Application page as follows:
Already installed.
Path and executable name: net.exe
Parameters: use drive_letter: /DELETE
8. Click Advanced. In the Advanced page, check When SSL Network Extender is disconnected.
4. Select Downloaded from Connectra. 5. From the Name drop-down list, select the desired downloaded-from-Connectra application. 6. Specify the Parameters for the downloaded-from-Connectra application. The parameters field is used to pass additional information to the downloaded-from-Connectra applications on the endpoint machine, and to configure the way they are launched. The $$user variable can be used here to change dynamically according to the login name of the currently logged in user.
See the configuration sections below for details of the required parameters:
Configuring the Telnet Client (Certified Application) on page 139
Configuring the SSH Client (Certified Application) on page 140
Configuring the TN3270 Client (Certified Application) on page 140
Configuring the TN5250 Client (Certified Application) on page 141
Configuring the Remote Desktop Client (Add-On Application) on page 141
Configuring the PuTTY Client (Add-On Application) on page 143
Configuring the Jabber Client (Add-On Application) on page 143
Configuring the FTP Client (Add-On Application) on page 144
Note - In the configuration sections for certified and add-on applications, below: parameter is a compulsory parameter, [parameter] is an optional parameter, | indicates a required choice of one from many.
Configuring the Telnet Client (Certified Application)
Parameters usage: server [port]
Description: Telnet terminal. Provides user oriented command line login sessions between hosts on the Internet.
Home page: http://javassh.org

Configuring the SSH Client (Certified Application)
Parameters usage: server
Description: Secure Shell (SSH) is designed for logging into and executing commands on a networked computer. It provides secure encrypted communications between two hosts over an insecure network. An SSH server, by default, listens on the standard TCP port 22.
Home page: http://javassh.org

Configuring the TN3270 Client (Certified Application)
Platform: All. Requires Java 1.3.1 or higher.
Parameters usage: Ignored
Description: IBM 3270 terminal emulator tailored to writing screen-scraping applications. TN3270 is the remote-login protocol used by software that emulates the IBM 3270 model of mainframe computer terminal.
Home page: http://jagacy.com

Configuring the TN5250 Client (Certified Application)
Platform: All endpoint machines must have Java 1.4 or higher.
Parameters usage: [Server [options]] Optional. You can use the Configure button on the application instead. For the full list of options that can be used in the parameters field, see the Quick Start Guide http://tn5250j.sourceforge.net/quick.html.
Description: IBM 5250 terminal emulator that interprets and displays 5250 data streams. You will be presented with a Connections screen for defining sessions. Select the Configure button to define sessions when the session selection window opens. On first invocation of the emulator there are some console warning messages. These inform you that defaults files are being set up for the first run.
Home page: http://tn5250j.sourceforge.net/index.html http://tn5250j.sourceforge.net/quick.html

Configuring the Remote Desktop Client (Add-On Application)
Table 4-8
Platform: All. Endpoint machines must have Java 1.4 or higher.
Parameters usage: [options] server[:port]. Must contain the server name or its IP address. For example: -g 800x600 -l WARN RDP_Server. The following options are available:
-b Bandwidth saving (good for 56k modem, but higher latency). This option unsets the TCP 'no delay' flag.
-d Windows domain you are connecting to.
-f Show the window full-screen (requires Java 1.4 for proper operation).
-g WIDTHxHEIGHT. The size of the desktop in pixels.
-m Keyboard layout on the terminal server for different languages (for example, en-us).
-l {DEBUG, INFO, WARN, ERROR, FATAL} Amount of debug output (otherwise known as the logging level).
-lc Path to a log4j configuration file.
-n Override the name of the endpoint machine.
-u Name of the user to connect as.
-p Password for the above user.
-s Shell to launch when the session is started.
-t Port to connect to (useful if you are using an SSH tunnel, for example).
-T Override the window title.
Avoid placing a password in -p: the Parameters field is stored in the policy and becomes part of the process command line on the endpoint, where other local processes can read it.
Description: Downloaded-from-Connectra Client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services. Communicates using Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. Runs on Java 1.1 up (optimized for 1.4), and works on Linux, Windows and Mac.
Home page: http://properjavardp.sourceforge.net

Configuring the PuTTY Client (Add-On Application)
Platform: Windows only
Parameters usage: Optional. Leaving the Parameters field empty opens the PuTTY Client in full graphical mode.
Home page:

Configuring the Jabber Client (Add-On Application)
Home page:
In This Section
Downloaded-from-Connectra Application Requirements page 145
Example: Adding a New SSH Application page 148
Example: Adding a New Microsoft Remote Desktop Profile page 150
Single-executable applications have the following requirements: Must not require installation. Must be platform-specific for either Windows, Linux or Mac OS.
Proceed as follows: 1. Compress your downloaded-from-Connectra application file into CAB file with the same name as the original file but with a .cab extension. To compress a file into a CAB file, you can use the Microsoft Cabinet Tool cabarc.exe (which can be downloaded from the Microsoft Web site). For example
6. Select Table > Other > embedded_applications. You will now see the embedded_applications table.
7. In the right side pane, right-click and select New....
8. In the Object field, enter a name for the new downloaded-from-Connectra application.
9. Specify the characteristics of the new downloaded-from-Connectra application as follows:
Field Name: Explanation
display_name: The application name, which will appear in the drop-down list of downloaded-from-Connectra applications in SmartDashboard, in the Edit Endpoint Application window.
embedded_application_type: The type of downloaded-from-Connectra application. Choose one of the options in the Valid Values list (java_applet, linux_executable, mac_executable, windows_executable).
file_name: The name of the file you placed in $CVPNDIR/htdocs/SNX/CSHELL (not the .cab version).
server_name_required_params: Indicate if the new downloaded-from-Connectra application requires the server name to be configured in the Parameters field of the new downloaded-from-Connectra application, in the SmartDashboard Edit Endpoint Application window.
pre_custom_params: Parameters concatenated before the server_name_required_params field. Usually used when configuring a new downloaded-from-Connectra Java application. In that case, specify the Main Class name of the application.
post_custom_params: Parameters concatenated after the server_name_required_params field. Can be left blank.
type: Leave as embedded_application.
You will now be able to see and configure the new downloaded-from-Connectra application in SmartDashboard, just as you do with the built-in downloaded-from-Connectra applications. The downloaded-from-Connectra applications appear in the Edit Network Application page of the Native Application object (Getting there: Native Application object > Endpoint applications page > Advanced: Edit > Add/Edit).
2. SSH2 Windows executable: Executable file name: WinSsh2.exe The application gets its server name as parameter. Name in SmartDashboard: Essh2 Client.
Proceed as follows:
1. Compress the ssh2.jar and WinSsh2.exe application files into ssh2.cab and WinSsh2.cab. Do this by running:
# cabarc.exe -m LZX:20 -s 6144 N ssh2.cab ssh2.jar
# cabarc.exe -m LZX:20 -s 6144 N WinSsh2.cab WinSsh2.exe
2. Place the application files ssh2.jar and WinSsh2.exe in $CVPNDIR/htdocs/SNX/CSHELL with the proper permissions.
3. Use GuiDBEdit to configure the two new downloaded-from-Connectra applications as follows:
Table 4-12 SSH2 Java Application
Field Name: Value
display_name: Jssh2 Client
embedded_application_type: java_applet
file_name: ssh2.jar
server_name_required_params: true
pre_custom_params: ssh2.Main
post_custom_params: Empty
type: embedded_application
SSH2 Windows Executable Application
Field Name: Value
display_name: Essh2 Client
embedded_application_type: windows_executable
file_name: WinSsh2.exe
server_name_required_params: true
pre_custom_params: Empty
post_custom_params: Empty
type: embedded_application
When configuring either of the new downloaded-from-Connectra applications in SmartDashboard (Jssh2 Client and Essh2 Client), the Parameters field will be: 1.1.1.1 (the SSH2 server IP in this example).
4. In the right side pane, right-click and select New.... 5. In the Object field, enter a name for the new downloaded-from-Connectra application. Give it the name of the relevant user group. In this example: mygr1 6. Specify the characteristics of the new downloaded-from-Connectra application as follows: display_name: mygr1_RDP_Policy embedded_application_type: windows_executable file_name: mygr1.rdp
It is now possible to see and configure the new downloaded-from-Connectra application in SmartDashboard, just as for the built-in downloaded-from-Connectra applications.
5. In the Edit Endpoint Application window, use the following settings, as shown in the screen capture: Link text (Multi-language): MS-RDP (or any other name). Path and executable name: %SystemRoot%\system32\mstsc.exe Parameters: %temp%\mygr1.rdp
6. Click OK.
Add link to the application in the Connectra portal must be unchecked. Name: mygr1_RDP_Policy (as configured in GuiDBEdit).
3. Click Advanced. The Advanced window opens 4. Select Automatically Start this Application: When SSL Network Extender is launched. 5. Click OK three times to save and close the Native Application.
This chapter explains how to configure two-factor authentication via SMS. After successfully authenticating using one of the allowed gateway authentication schemes, users can be challenged to provide additional credentials, sent to their mobile communications device via an SMS message.
Note - Two-factor authentication is available for Connectra NGX R66 and higher.
1. If users authenticate via LDAP, configure the list of phone numbers on LDAP: On the LDAP server, define a phone number for each user, in the Mobile field. The following screen capture shows a phone number configured in Microsoft Active Directory.
Note - A different Active Directory attribute can be configured using the Check Point Database Tool GuiDBEdit. Search for the string PhoneNumberAttr.
2. Configure the list of phone numbers on the local gateway.
Note - Centrally managed Connectra only: The list of phone numbers must be configured on each Connectra gateway. For a Connectra cluster, configure the directory on each cluster member.
To configure a list of phone numbers on the local gateway:
a. Log into the Connectra gateway using a secure console connection.
b. Change to Expert mode: Type expert and then the expert mode password.
c. Back up $CVPNDIR/conf/SmsPhones.lst
d. Edit $CVPNDIR/conf/SmsPhones.lst, and add to it a list of usernames and phone numbers. The list must be followed by a blank line. Use the following syntax:
<username | Full DN> <phone number>
username | Full DN: Either a username or, for users that log in using a certificate, the full DN of the certificate.
phone number: All printable characters can be used in the phone number, excluding the space character, which is not allowed. Only the digits are relevant.
Example:
bob +044-888-8888
CN=jane,OU=users,O=con1.example.com.qwerty +044-7777777
Centrally managed Connectra only: This makes two-factor authentication a requirement for logging in to all Connectra gateways whose authentication settings (configured in the Additional Settings > Authentication page of the Connectra gateway) are set to Use the global settings, configured in the Connectra tab, under Authentication to Connectra. Locally managed Connectra: This makes two-factor authentication a requirement for logging in to the Connectra gateway. 3. Enter the SMS Provider URL in the format provided by the provider. An example SMS provider URL is (on a single line):
https://api.example.com/http/sendmsg?api_id=$APIID&user= $USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE
The following table explains the parameters used in the SMS Provider URL. The value of these parameters is automatically used when sending the SMS.
Parameter: Meaning
$APIID: The API ID.
$USERNAME: The username.
$PASSWORD: The password.
$PHONE: User phone number, as found in Active Directory or in the local file on the gateway.
$MESSAGE: The message configured in the Advanced Two-Factor Authentication Configuration Options in SmartDashboard.
4. In the SMS Provider Credentials section, enter the credentials received from the SMS provider: Username Password API ID
5. For additional configuration options, click Advanced. See Advanced Two-Factor Authentication Configuration Options on page 166. 6. Install the Policy. Select Policy > Install.
Figure 5-1
SMS Message
SMS Message text sent to the user is "Connectra one-time verification code:" by default. The message can contain the template fields shown in Table 5-2. For example, the message could say: $NAME, use the verification code $CODE to enter the portal.
Table 5-2 Template fields for the SMS provider Message
$NAME: User name used in the first phase of authentication to the portal.
$CODE: Replaced with the One Time Password. By default, $CODE is added to the end of the message.
Reauthentication
Number of SMS authentication attempts before the entire authentication process restarts. By default the user has 3 tries.
Country Code
Default country code for phone numbers that don't include country code. The default country code is added if the phone number stored on the LDAP server or on the local file on the gateway starts with 0.
Retrieve phone numbers from user record if user record is fetched from LDAP account unit. The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartDashboard Connectra tab. Retrieve phone numbers from local file on the gateway. The phone directory on the local gateway is stored at $CVPNDIR/conf/SmsPhones.lst.
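The pieces described above (the SmsPhones.lst syntax, the SMS Provider URL parameters, the $NAME/$CODE message template and the Country Code rule) fit together as follows. This is an added example written for this page, not code from the Connectra gateway: the phone list sample is the manual's own two lines plus a constructed third entry, api.example.com is the manual's placeholder host, and the decision to drop the leading 0 when the country code is added is an assumption, since the manual only says the code is "added". The parse_phone_list, normalize_phone, render_message and build_provider_url names are this example's own.

```python
import re
import secrets
from string import Template
from urllib.parse import quote, urlsplit

# Constructed sample of $CVPNDIR/conf/SmsPhones.lst: the first two lines are the
# manual's own example, the third is added to exercise the Country Code rule.
# The trailing blank line is required by the file format.
SAMPLE_PHONES_LST = """\
bob +044-888-8888
CN=jane,OU=users,O=con1.example.com.qwerty +044-7777777
alice 07700900123

"""

DEFAULT_MESSAGE = "Connectra one-time verification code:"
# The manual's example provider URL; api.example.com is a placeholder host.
SAMPLE_PROVIDER_URL = (
    "https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME"
    "&password=$PASSWORD&to=$PHONE&text=$MESSAGE"
)


def parse_phone_list(text):
    """Parse '<username | Full DN> <phone number>' lines into {subject: digits}.

    The phone number may not contain spaces, so it is the last whitespace-
    separated token; everything before it is the username or certificate DN
    (a DN may legitimately contain spaces). Only the digits are kept.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # the terminating blank line, or empty lines
        subject, sep, phone = line.rpartition(" ")
        if not sep or not subject.strip():
            raise ValueError(f"SmsPhones.lst line {lineno}: expected '<user|DN> <phone>'")
        digits = re.sub(r"\D", "", phone)
        if not digits:
            raise ValueError(f"SmsPhones.lst line {lineno}: no digits in phone number")
        entries[subject.strip()] = digits
    return entries


def normalize_phone(digits, default_country_code, drop_leading_zero=True):
    """Apply the Country Code option: a number that starts with 0 gets the
    default country code. Dropping the leading 0 (international dialing
    convention) is an assumption of this example, not stated by the manual."""
    if not digits.startswith("0"):
        return digits
    rest = digits[1:] if drop_leading_zero else digits
    return re.sub(r"\D", "", default_country_code) + rest


def render_message(template, name, code):
    """Fill $NAME and $CODE in the SMS Message text; append $CODE if absent."""
    if "$CODE" not in template:
        template = template.rstrip() + " $CODE"
    return Template(template).safe_substitute(NAME=name, CODE=code)


def build_provider_url(url_template, credentials, phone, message, allow_http=False):
    """Substitute the SMS Provider URL parameters, percent-encoding every value.

    credentials: {"api_id": ..., "username": ..., "password": ...}
    Refuses a plain-http provider URL unless allow_http is set: the provider
    password and the one-time code would otherwise travel in cleartext.
    """
    scheme = urlsplit(url_template).scheme.lower()
    if scheme != "https" and not allow_http:
        raise ValueError(f"SMS provider URL uses {scheme!r}; use https or set allow_http")
    values = {
        "APIID": credentials["api_id"],
        "USERNAME": credentials["username"],
        "PASSWORD": credentials["password"],
        "PHONE": phone,
        "MESSAGE": message,
    }
    encoded = {k: quote(str(v), safe="") for k, v in values.items()}
    return Template(url_template).substitute(encoded)


def new_code(n_digits=6):
    """A fresh one-time code from the OS CSPRNG (not the gateway's own generator)."""
    return f"{secrets.randbelow(10 ** n_digits):0{n_digits}d}"


def prepare_sms(phones_text, subject, code, credentials, country_code="44",
                url_template=SAMPLE_PROVIDER_URL, message_template=DEFAULT_MESSAGE):
    """End to end: look the user up, normalize the number, render and encode."""
    phone = normalize_phone(parse_phone_list(phones_text)[subject], country_code)
    message = render_message(message_template, subject, code)
    return build_provider_url(url_template, credentials, phone, message)


if __name__ == "__main__":
    creds = {"api_id": "12345", "username": "gw-user", "password": "s3cr3t&pass"}
    print(prepare_sms(SAMPLE_PHONES_LST, "alice", new_code(), creds))
```

Two points worth noting: every substituted value is percent-encoded with quote(..., safe=""), so a provider password containing & or a message containing spaces cannot break the query string, and the https check mirrors the cvpnd.C change described later in this chapter, which should only be made when the provider offers no TLS endpoint at all.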
Successful two-factor authentication can be made a requirement for logging on to some but not all Connectra gateways. There are two possible approaches:
Globally on, with custom settings per gateway: Turn on two-factor authentication globally, and then for each Connectra gateway configure custom settings: either turn off the feature, or configure gateway-specific settings.
Globally off, with custom settings per gateway: Turn off two-factor authentication globally, and then for selected Connectra gateways, turn it on, while configuring custom settings for those gateways.
To configure two-factor authentication Globally on, with custom settings per gateway:
1. Set up basic two-factor authentication. See Basic Two-Factor Authentication Configuration on page 161.
2. Turn on two-factor authentication in the Users and Authentication > Authentication > Authentication to Connectra page. (See Basic Two-Factor Authentication Configuration.)
3. In the Authentication to Connectra page, select a gateway and click Edit. The Authentication page of the Connectra Properties window opens:
Chapter 5
4. Choose one of the options:
EITHER choose Use the settings configured in the Users and Authentication > Authentication > Authentication Schemes page. The global settings are used. This is the default.
OR choose This gateway has its own two-factor authentication settings but do not select the checkbox. This turns off two-factor authentication for this gateway.
OR choose This gateway has its own two-factor authentication settings and select the checkbox. You must then configure custom SMS Provider Credentials for this gateway (see Basic SmartDashboard Configuration of Two-Factor Authentication on page 164). Optionally, configure Advanced options (see Advanced Two-Factor Authentication Configuration Options on page 166).
5. Repeat step 3 to step 4 for all other gateways.
6. Install the policy. Select Policy > Install.
To configure two-factor authentication per application:
1. Set up basic two-factor authentication. See Basic Two-Factor Authentication Configuration on page 161.
2. Configure the Protection Level. See Defining Protection Levels on page 46. In the Authentication page, select User must successfully authenticate via SMS.
3. Assign the protection level to Connectra applications that require two-factor authentication. See Using Protection Levels on page 45.
If your SMS provider is working with the non-secure http protocol, edit the file $CVPNDIR/conf/cvpnd.C and replace the SmsWebClientProcArgs value with ("").
Chapter 5 Two-Factor Authentication 171
Chapter 6 Authorization
In This Chapter
Identity and Access Management page 174
Authorization in Connectra page 175
Configuring Access To Applications page 177
For authentication schemes and the configuration of authentication servers, see the Authentication chapter of the Firewall and SmartDefense Administration Guide. For LDAP, see the SmartDirectory (LDAP) and User Management chapter in the SmartCenter Administration Guide.
Authorization in Connectra
Once users are authenticated (recognized and approved), Connectra allows them to access the appropriate applications for that user. This process is called Authorization. Authorization is done by enforcing an access control policy in the Access to Applications page of the Connectra tab (Figure 6-1). Access control policies are applied to groups, not individual users.
Figure 6-1 The Access to Application Table
Remote users, once authenticated, can only access those applications which have been authorized for their groups. In other words, for access to be granted, Connectra checks for:
Access rights. Does the remote user belong to a group which is allowed to access the application?
Security requirements. Does the remote user meet the security restrictions as expressed by the application's Protection Level?
Each Connectra gateway or gateway cluster enforces its own Access to Application policy.
For example, a Web application for ordering office supplies is less sensitive than an application that controls money transfers. All remote users can be given access to the office-supplies application, identifying themselves with a username and password. However, the money transfer application may be restricted to an exclusive group of remote users and require them to authenticate using certificates. In this way, the level of security surrounding an application is based on the application's Protection Level and the user group. The first applicable rule is matched. If necessary, change the order of the rules to ensure that the appropriate rule is matched.
3. Define the access to applications rules, to associate user groups, applications, and Connectra gateways:
a. Go to the Access to Application page of the SmartDashboard Connectra tab.
b. Click Add. The Access to Applications window opens.
c. In the User Groups tab, click Add to add one or more user groups.
d. In the Applications tab, click Add to add one or more Connectra applications.
e. In the Install On tab, click Add to add one or more Connectra gateways or Connectra clusters.
Note - *Any means all. For example, an *Any/*Any/*Any rule means all user groups can access all the defined applications on all the defined Connectra gateways.
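The following Python model is an added example, not code from this guide or from the Connectra product. It shows the two checks the authorization section describes: first-match evaluation of Access to Applications rules (user groups, applications, Install On, with *Any as the wildcard) and then the application's Protection Level requirements, using the office-supplies and money-transfer applications from the example above. The rule table, Protection Level fields, gateway names and group names are constructed for the example.

```python
from dataclasses import dataclass

ANY = "*Any"   # the wildcard used in the Access to Applications table


@dataclass(frozen=True)
class ProtectionLevel:
    """Constructed subset of a Protection Level: which authentication the
    application demands (this example; the real object has more settings)."""
    name: str
    require_certificate: bool = False
    require_sms: bool = False


@dataclass(frozen=True)
class Rule:
    user_groups: frozenset
    applications: frozenset
    install_on: frozenset      # gateways or clusters the rule is installed on


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    gateway: str
    cert_authenticated: bool = False
    sms_authenticated: bool = False


def _selects(selector, value):
    return ANY in selector or value in selector


def first_matching_rule(rules, session, application):
    """Index of the first rule that applies (rule order matters), or None."""
    for i, rule in enumerate(rules):
        if (_selects(rule.install_on, session.gateway)
                and _selects(rule.applications, application)
                and (ANY in rule.user_groups
                     or not rule.user_groups.isdisjoint(session.groups))):
            return i
    return None


def meets_protection_level(session, level):
    if level.require_certificate and not session.cert_authenticated:
        return False
    if level.require_sms and not session.sms_authenticated:
        return False
    return True


def authorize(rules, app_levels, session, application):
    """Both checks from the guide: access rights (a rule for one of the user's
    groups on this gateway) and security requirements (the Protection Level)."""
    if first_matching_rule(rules, session, application) is None:
        return "denied: no access rule"
    if not meets_protection_level(session, app_levels[application]):
        return "denied: protection level not met"
    return "allowed"


# Constructed policy mirroring the guide's example: everyone may reach the
# office-supplies application on gateway gw1; money transfers need the
# treasury group and a certificate, on any gateway.
NORMAL = ProtectionLevel("Normal")
HIGH = ProtectionLevel("High", require_certificate=True)
APP_LEVELS = {"office_supplies": NORMAL, "money_transfer": HIGH}
RULES = [
    Rule(frozenset({"treasury"}), frozenset({"money_transfer"}), frozenset({ANY})),
    Rule(frozenset({ANY}), frozenset({"office_supplies"}), frozenset({"gw1"})),
]

if __name__ == "__main__":
    s = Session("carol", frozenset({"staff"}), "gw1")
    print(authorize(RULES, APP_LEVELS, s, "office_supplies"))
    print(authorize(RULES, APP_LEVELS, s, "money_transfer"))
```

Because each Connectra gateway enforces its own Access to Application policy, the Install On selector is checked against the gateway the session arrived on before the group and application selectors are consulted.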
Endpoint Compliance policies can be assigned to Connectra gateways. They can also be assigned to Protection Levels, which are in turn associated with Connectra applications. If an Endpoint Compliance policy is assigned to a gateway, endpoint machines must comply with the policy before they are allowed to log in to the portal. To provide additional protection to an application, it is possible to harden the Endpoint Compliance protection that is enforced by the gateway by assigning an Endpoint Compliance policy to a Protection Level, and then assigning that Protection Level to an application. In order to access that application, the endpoint machine must comply with the policy associated with the Protection Level, in addition to the policy associated with the gateway. In either case, the scan takes place before logging in to the portal. Only one scan is performed. Compliance with each policy is determined according to the results of that single scan.
In This Section
Windows Security Rule page 182
Anti-Spyware Application Rule page 183
Anti-Virus Application Rule page 184
Firewall Application Rule page 185
Custom Check Rule page 187
OR Group of Rules page 188
Spyware Scan Rule page 189
Chapter 7
Endpoint computers running Windows must pass these checks in order to gain access to the network. At least one of the Hotfixes in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal. The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-1 Windows Security Rule Configuration Window
The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-2 Anti-Spyware Rule Configuration Window
For convenience, anti-virus enforcement rules are pre-configured with supported anti-virus providers. To require a non-supported anti-virus provider, use a custom check rule. The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-3 Anti-Virus Rule Configuration Window
At least one of the firewall applications in the rule must be active on the endpoint computer in order for the endpoint to be considered compliant and be granted access to the portal. For convenience, firewall enforcement rules are pre-configured with supported firewall providers. To require a non-supported firewall provider, use a custom check rule. The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-4 Firewall Rule Configuration Window
Custom check rules can be configured to check for specific versions and modification dates. The rules also specify the action to be taken if an endpoint computer fails to comply with a rule, and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-5 Custom Check Rule Configuration Window
OR Group of Rules
An OR Group of Rules rule includes a list of previously defined rules. An endpoint satisfies a rule of type OR Group of Rules if it satisfies one or more of the rules included in the OR Group of Rules rule. The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-6 OR Group of Rules Rule Configuration Window
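The following Python model is an added example, not code from this guide or from the Endpoint Compliance scanner. It encodes the rule semantics described in this section (the "at least one of" matching of Windows Security and Firewall rules, Custom Check version comparison, OR Group of Rules, and a Spyware Scan rule with an exception list) and the stacking of a gateway policy with a Protection Level policy, both evaluated from one scan. It also models the Bypass malware scan if endpoint meets Anti-Virus or Anti-Spyware requirements policy option described later in this chapter. The endpoint data, policy contents, hotfix and product names are constructed; comparing Custom Check versions as dotted integer tuples is this example's choice.

```python
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    """Constructed summary of what one scan collected on the endpoint."""
    os: str
    hotfixes: set = field(default_factory=set)
    antivirus: set = field(default_factory=set)       # active AV products
    antispyware: set = field(default_factory=set)
    firewalls: set = field(default_factory=set)
    files: dict = field(default_factory=dict)         # path -> version string
    spyware_found: set = field(default_factory=set)   # signature names


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # windows, antispyware, antivirus, firewall, custom, or_group, spyware_scan
    check: callable


def windows_security_rule(name, hotfixes):
    # "at least one of the Hotfixes in the rule must be active"
    return Rule(name, "windows", lambda e: e.os == "Windows" and bool(e.hotfixes & set(hotfixes)))

def antivirus_rule(name, providers):
    return Rule(name, "antivirus", lambda e: bool(e.antivirus & set(providers)))

def antispyware_rule(name, providers):
    return Rule(name, "antispyware", lambda e: bool(e.antispyware & set(providers)))

def firewall_rule(name, providers):
    # "at least one of the firewall applications in the rule must be active"
    return Rule(name, "firewall", lambda e: bool(e.firewalls & set(providers)))

def custom_check_rule(name, path, min_version):
    # version strings compared as dotted integer tuples (this example's choice)
    key = lambda v: tuple(int(p) for p in v.split("."))
    return Rule(name, "custom",
                lambda e: path in e.files and key(e.files[path]) >= key(min_version))

def or_group(name, rules):
    # satisfied if one or more of the contained rules is satisfied
    return Rule(name, "or_group", lambda e: any(r.check(e) for r in rules))

def spyware_scan_rule(name, excluded=()):
    # the exception list: excluded signatures do not count against the endpoint
    return Rule(name, "spyware_scan", lambda e: not (e.spyware_found - set(excluded)))


@dataclass
class Policy:
    name: str
    rules: list
    bypass_scan_if_protected: bool = False   # "Bypass malware scan if endpoint meets AV or Anti-Spyware requirements"


def evaluate_policy(policy, endpoint):
    """Names of the rules the endpoint fails (empty list = compliant)."""
    protected = any(r.check(endpoint) for r in policy.rules
                    if r.kind in ("antivirus", "antispyware"))
    failed = []
    for rule in policy.rules:
        if rule.kind == "spyware_scan" and policy.bypass_scan_if_protected and protected:
            continue
        if not rule.check(endpoint):
            failed.append(rule.name)
    return failed


def access_decision(gateway_policy, level_policy, endpoint):
    """The gateway policy gates the portal; the Protection Level policy (if any)
    adds requirements for its application. One scan feeds both checks."""
    portal_failures = evaluate_policy(gateway_policy, endpoint)
    if portal_failures:
        return "portal-denied", portal_failures
    if level_policy is None:
        return "allowed", []
    app_failures = evaluate_policy(level_policy, endpoint)
    return ("allowed", []) if not app_failures else ("app-denied", app_failures)


# Constructed policies: a low gateway threshold and a hardened Protection Level.
GATEWAY_POLICY = Policy("Low Security", [
    windows_security_rule("Default Windows Security rule", ["KB000001", "KB000002"]),
    or_group("AV or Anti-Spyware", [antivirus_rule("AV check", ["AV-Alpha"]),
                                    antispyware_rule("AS check", ["AS-Beta"])]),
    spyware_scan_rule("Spyware Scan", excluded=["allowedexample"]),
])
HIGH_LEVEL_POLICY = Policy("High Security", [
    firewall_rule("Firewall check", ["FW-Gamma"]),
    custom_check_rule("Agent version", r"C:\agent\agent.exe", "2.1.0"),
])
```

The bypass check deliberately looks only at Anti-Virus and Anti-Spyware rules at the top level of the policy; the returned list of failed rule names is what a Details-level log would carry one entry for each of.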
Customizable protection is available for a wide variety of spyware threats, as shown in Table 7-1:
Table 7-1 Spyware Types
Description
Software that changes the user's dial-up connection settings so that instead of connecting to a local Internet Service Provider, the user connects to a different network, usually a toll number or international phone number.
Programs that replicate over a network for the purpose of disrupting communications or damaging software or data.
Programs that record user input activity (keystrokes or mouse activity). Some keystroke loggers transmit the recorded information to third parties.
Tools that facilitate unauthorized access to a computer and/or extraction of data from a computer.
Commercially developed software that allows remote system access and control.
Malicious programs that masquerade as harmless applications.
Programs that display advertisements, or record information about Web use habits and forward it to marketers or advertisers without the user's authorization or knowledge.
Other: any unsolicited software that secretly performs undesirable actions on a user's computer and does not fit any of the above descriptions.
Software that records what a user's monitor displays.
Cookies that are used to deliver information about the user's Internet activity to marketers.
Software that modifies or adds browser functionality. Browser plug-ins change the default search page to a pay-per-search site, change the user's home page, or transmit the browser history to a third party.
It is possible to define an exception list of spyware software. For example, you can specify that a specific spyware signature is not blocked (see Excluding a Spyware Signature from a Scan on page 206).
The rules also specify the action to be taken if an endpoint computer fails to comply with a rule and the error message that is presented to users in the event of non-compliance, such as remediation information.
Figure 7-7 Spyware Scan Rule Configuration Window
Note - Connectra NGX R62CM and R62 have a Malware Protection option to Attempt to disable detected processes. This option is not available in NGX R66 and above. The Endpoint Compliance component of Endpoint Security On Demand in NGX R66 and above only collects information. It does not change anything on the client machine.
3. A description in the info field of the log.
Two logging levels are available to the administrator (for configuration details, see Configuring Endpoint Compliance Logs on page 204):
Summary: only one log entry per scan is written to SmartView Tracker. The log entry shows endpoints that do not comply with the Endpoint Compliance policy. The date and time of the scan, the source IP, and the Endpoint Compliance scan ID are logged.
Details: in addition to the Summary mode information, this adds a log entry for each non-compliant rule. For example, in the case of a Spyware Scan rule that screens for tracking cookies, a log entry is generated that contains the following fields:
A. Malware name: unwantedexample.
B. Malware type: 3rd party cookie.
C. Description: symptom type: URL. Symptom value: cookie:bob@unwantedexample.net.
Figure 7-8 Example Endpoint Compliance Log
There are different types of rules for different security applications. The Endpoint Compliance policy configuration tool comes with a number of predefined rules which can be edited to match the needs of the organization.
4. Assign Policies to gateways. To make access to the portal conditional on passing an Endpoint Compliance scan, assign a policy to a gateway.
5. Assign Policies to Applications. To make access to applications conditional on passing an Endpoint Compliance scan:
a. Assign a policy to a Protection Level.
b. Assign Protection Levels to Connectra applications.
6. Complete the Endpoint Compliance Configuration. Configure tracking options for the endpoint scan results, then save and install the security policy.
Advanced Approach
A more advanced approach is appropriate if there is one application (or a small number of applications) that has stricter security requirements than other applications. These additional requirements are specified in a separate Endpoint Compliance policy, which is enforced in addition to the gateway policy. To access the Connectra portal, all users must fulfil the threshold security requirements of the gateway policy. Users clicking a link in the portal to an application with additional security requirements are only allowed access to the application if they fulfill those additional requirements. For example:
Resource | Endpoint Compliance policy
Gateway A | Low Security
Web App P | Rely on gateway requirements
Web App Q | High Security
File Share R | Rely on gateway requirements
Very Advanced Approach
Where most or every application has its own endpoint security requirements, it is possible to define an individual Endpoint Compliance policy for each application. In this scenario, there are no gateway security requirements: all users are able to access the portal. However, when clicking a link to an application, users are only allowed access if they fulfill the requirements for that application. If no requirements are configured for the application, users are allowed to access it. For example:
Resource | Endpoint Compliance policy
Gateway A | None
Web App P | Low Security
Web App Q | High Security
File Share R | Medium Security
1. Default Windows Security rule
2. Anti-Virus applications check
3. Firewall applications check
4. Spyware Scan rule
Figure 7-9 Example Output of ICSinfo
The Endpoint Compliance policy configuration tool opens at the Policies page.
3. Either create a new Endpoint Compliance policy or edit an existing policy. To create an Endpoint Compliance policy, click New Policy. The Policies > New Policy page opens. To edit an existing policy, select the policy and click Edit. The Policies > Edit Policy page opens.
4. Give the policy a Name and a Description. The description can be long and detailed.
5. This step applies only to Endpoint Compliance policies that include Spyware Scan rules (note that a Spyware Scan rule is different from an Anti-Spyware rule): if an endpoint machine has a valid anti-spyware or anti-virus application, you may decide that it does not need to undergo an Endpoint Security On Demand Spyware Scan. If that is the case, select Bypass malware scan if endpoint meets Anti-Virus or Anti-Spyware requirements.
Note - This option is grayed out if there is no Spyware Scan rule in the policy.
6. Either add previously defined Endpoint Compliance rules, or create new rules or edit previously defined rules. There are different types of rules for different security applications. It is possible to have multiple rules of the same type, each with different settings. See Endpoint Compliance Policy Rule Types on page 181.
To add a previously defined rule, click Add. The Add Enforcement Rules page opens. Select a rule and click OK.
To create a rule, click New Rule, and select the rule type. To edit a previously defined rule, select the rule and click Edit.
8. Click OK. This takes you back to the Edit Policy or the New Policy page.
9. Click OK. This takes you back to the Policies page.
10. Click OK. This completes the configuration of the Endpoint Compliance Policies, and takes you back to the Endpoint Security On Demand > Endpoint Compliance page.
After the Endpoint Compliance policies are configured, Endpoint Compliance can be configured to make use of the policies.
In This Section
Configure the Endpoint Compliance Policy or Policies page 200
Enable the Endpoint Compliance Scan page 200
Basic Approach: Configuring a Common Policy for the Portal and all Applications page 201
Advanced Approach: Configuring a Threshold Policy for the Portal, Hardened for Specific Applications page 201
Chapter 7 Endpoint Security On Demand 199
Very Advanced Approach: Configuring Individual Policies for Each Application page 202
Configuring Endpoint Compliance Logs page 204
Configuring Advanced Endpoint Compliance Settings page 205
Completing the Endpoint Compliance Configuration page 205
Excluding a Spyware Signature from a Scan page 206
Preventing an Endpoint Compliance Scan Upon Every Login page 208
2. Enable Scan endpoint machine when user connects.
3. Choose one of the following approaches:
Basic Approach: Configuring a Common Policy for the Portal and all Applications.
Advanced Approach: Configuring a Threshold Policy for the Portal, Hardened for Specific Applications.
Very Advanced Approach: Configuring Individual Policies for Each Application.
Basic Approach: Configuring a Common Policy for the Portal and all Applications
To make access to the portal and all applications conditional on passing an Endpoint Compliance scan, assign a policy to the gateway:
1. Enable the Threshold policy: to access any application via this gateway, the endpoint must comply with the following policy option.
2. From the drop-down list, select the Endpoint Compliance policy to be used for all applications accessed via this gateway.
3. Click OK.
4. This takes you back to the Endpoint compliance page.
5. Maintain all applications with their default Endpoint compliance settings. In the Additional Settings > Protection Level page of the application, ensure This application relies on the security requirements of the gateway is selected.
6. Continue with Configuring Endpoint Compliance Logs on page 204.
Advanced Approach: Configuring a Threshold Policy for the Portal, Hardened for Specific Applications
To configure a threshold Endpoint Compliance policy for the portal, hardened for specific Connectra applications, define a policy for the gateway. Then, for applications that require hardened endpoint security, assign a Protection Level to the application.
1. In the Endpoint Compliance page of the gateway, enable the Threshold policy: to access any application via this gateway, the endpoint must comply with the following policy option.
2. From the drop-down list, select the default Endpoint Compliance policy to be used for applications accessed via this gateway.
3. Centrally managed Connectra only: Click OK.
4. In the Connectra tab Endpoint Compliance page, select the application that requires hardened endpoint security.
5. Click Edit. The Connectra application opens at the Additional Settings > Protection Level page. (Connectra applications are defined in the Applications section of the Connectra tab.)
6. Select the second option (This application has additional...).
7. From the drop-down list, select a Protection Level for this application. To define a new Protection Level, click Manage. For details, see Defining Protection Levels on page 46.
8. Click OK.
9. Continue with Configuring Endpoint Compliance Logs on page 204.
To configure an individual policy for each application:
1. In the Endpoint Compliance page of the gateway, enable the No threshold option.
2. Centrally managed Connectra only: Click OK.
3. In the Connectra tab Endpoint Compliance page, select the application that requires hardened endpoint security.
4. Click Edit. The Connectra application opens at the Additional Settings > Protection Level page. (Connectra applications are defined in the Applications section of the Connectra tab.)
5. Select the second option (This application has additional...), and from the drop-down list, select a Protection Level with the required Endpoint compliance policy for this application. To define a new Protection Level, click Manage. For details, see Defining Protection Levels on page 46.
Note - If This application relies on the security requirements of the gateway is selected for the Connectra application, users are allowed to access the application without any Endpoint Compliance requirements.
6. Repeat step 3 to step 5 for all Connectra applications that require hardened endpoint security.
7. Click OK.
The Tracking options are as follows:
Summary: only one log entry per scan is written to SmartView Tracker. The log entry shows endpoints that do not comply with the Endpoint Compliance policy. The date and time of the scan, the source IP, and the Endpoint Compliance scan ID are logged.
Details: in addition to the Summary mode information, this adds a log entry for each non-compliant rule. For example, in the case of a Spyware Scan rule that screens for tracking cookies, a log entry is generated that contains the following fields:
a. Malware name: unwantedexample.
b. Malware type: 3rd party cookie.
c. Description: symptom type: URL. Symptom value: cookie:bob@unwantedexample.net.
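The following Python script is an added example, not code from this guide or from SmartView Tracker, and it serves both this Tracking options section and the logging description earlier in the chapter. It builds the entries the two tracking levels produce from one scan result: Summary writes a single entry carrying the scan time, source IP and scan ID, and Details adds one entry per non-compliant rule with the Malware name, Malware type and Description fields shown above. The scan result, the dictionary field names and the repeat_offenders helper are constructed for the example; the guide does not describe the on-disk log format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    """One non-compliant rule, with the detail fields the guide lists for a
    Spyware Scan rule. Security-rule failures leave the malware fields empty."""
    rule: str
    malware_name: str = ""
    malware_type: str = ""
    symptom_type: str = ""
    symptom_value: str = ""


def summary_entry(scan_id, source_ip, when, findings):
    """The one entry per scan that Summary mode writes."""
    return {
        "scan_id": scan_id,
        "src": source_ip,
        "time": when.isoformat(),
        "status": "non-compliant" if findings else "compliant",
        "failed_rules": [f.rule for f in findings],
    }


def detail_entry(scan_id, source_ip, when, f):
    """The extra per-rule entry that Details mode adds."""
    desc = ""
    if f.symptom_type:
        desc = f"symptom type: {f.symptom_type}. Symptom value: {f.symptom_value}."
    return {
        "scan_id": scan_id, "src": source_ip, "time": when.isoformat(),
        "rule": f.rule, "malware_name": f.malware_name,
        "malware_type": f.malware_type, "info": desc,
    }


def build_log(level, scan_id, source_ip, when, findings):
    """Summary: one entry per scan. Details: that entry plus one per
    non-compliant rule. Any other level name is rejected."""
    if level not in ("Summary", "Details"):
        raise ValueError(f"unknown tracking level {level!r}")
    entries = [summary_entry(scan_id, source_ip, when, findings)]
    if level == "Details":
        entries += [detail_entry(scan_id, source_ip, when, f) for f in findings]
    return entries


def repeat_offenders(entries, threshold=2):
    """Defender-side use of Summary entries: source IPs that failed a scan
    at least `threshold` times (constructed helper, not a gateway feature)."""
    counts = {}
    for e in entries:
        if e.get("status") == "non-compliant":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed scan result mirroring the guide's tracking-cookie example.
SAMPLE_FINDINGS = [
    Finding("Spyware Scan", "unwantedexample", "3rd party cookie",
            "URL", "cookie:bob@unwantedexample.net"),
    Finding("Firewall check"),
]
SAMPLE_TIME = datetime(2009, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in build_log("Details", "scan-1", "10.0.0.5", SAMPLE_TIME, SAMPLE_FINDINGS):
        print(entry)
```

Summary mode is enough to spot endpoints that keep failing (the repeat_offenders helper needs only the per-scan entry), while Details mode is what identifies which rule or signature is responsible.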
In this window you can decide whether or not to allow access to the gateway and applications if the Endpoint Compliance scanner is not supported on the endpoint operating system. The supported operating systems of the Endpoint Compliance scanner are Windows, Mac, and Linux. For details, see the operating system compatibility table in the Connectra release notes. To configure advanced operating system-specific settings, see SecureKnowledge solution sk34989.
Figure 7-10 Endpoint Compliance Configuration Summary (Centrally Managed Connectra)
When Endpoint Security On Demand detects the spyware (irrespective of the action configured in the Spyware Scan rule), the name of the spyware (something like Win32.megaspy.passwordthief) is included in the report.
4. Make a note of the name of the spyware.
5. Open SmartDashboard.
6. In the Connectra tab, select Endpoint Security On Demand > Endpoint Compliance.
7. Click Edit Policies.
8. Select the policy that is applicable to the clients, and click Edit.
9. Select the Spyware Scan rule from the list and click Edit.
11. Type the Name of the spyware obtained in step 3, and a Description.
12. Click OK three times to close the Endpoint Compliance policy editor. 13. Install the policy (Policy > Install).
3. Select the Web content zone used by the endpoint computer for remote connections from the Security Settings window.
4. Click Custom Level.
5. Enable the following options in the Security Settings window and then click OK:
Download signed ActiveX controls
Run ActiveX controls and plug-ins
6. Select the Privacy tab. Select the Medium setting and then click Advanced.
7. Enable Override automatic cookie handling and then enable Accept in the 1st party cookies section.
8. Click OK.
The Endpoint Compliance Scanner is installed on the endpoint machine by using ActiveX (for Windows with Internet Explorer) or Java. For more details see First time Installation of ActiveX and Java Components on page 39. To log on to the Connectra Portal with the Endpoint Compliance scanner enabled, perform the following steps:
1. Enter the Connectra Portal URL in your browser.
2. If using the Endpoint Compliance scanner for the first time on a particular endpoint computer, you are prompted to download and install the Check Point Deployment Agent ActiveX or Java control.
3. Some warnings may appear, regarding the Connectra site server certificate, and the downloaded applet. 4. During the scan, a progress bar is displayed.
5. If the endpoint computer successfully passes the Endpoint compliance scan, the Connectra Portal login screen appears.
If the endpoint computer fails to pass the scan, Endpoint Security On Demand displays a result screen showing the potentially harmful software and security rule violations detected during the scan.
Click on a potentially harmful software item to display a short description of the detected malware, what it does and recommended removal method(s). If the Continue Anyway button appears, you can continue and log on to the Connectra Portal without removing the malware or correcting the security rule violation. If there is no Continue Anyway button, you must remove the detected malware or correct the security rule violation before you can log on to the Connectra Portal. When you have corrected the problem, click Scan again to repeat the scan.
6. When the Connectra Portal login page appears, you can log on normally.
Note - The scan results are presented to the user, and to the administrator as log entries in the Traffic Log. Each log entry lists the username, his/her user group, the source computer, malware name, malware type and malware description.
Secure Workspace
In This Section
Introduction to Secure Workspace page 215
Enabling Secure Workspace page 216
Applications Permitted by Secure Workspace page 217
SSL Network Extender in Secure Workspace page 219
Secure Workspace Policy Overview page 219
Configuring the Secure Workspace Policy page 221
Secure Workspace End-User Experience page 226
5. Select either of the following options:
Allow user to choose whether to use Secure Workspace
Users must use Secure Workspace
In this window you can decide whether or not to allow access to the gateway and applications if Secure Workspace is not supported on the endpoint operating system. The supported operating system for Secure workspace is Windows. For details, see the operating system compatibility table in the Connectra release notes. To configure advanced operating system-specific settings, see SecureKnowledge solution SK34989.
Applications Permitted by Secure Workspace
Table 7-2 Applications Permitted by Secure Workspace by Default
Process Name | Application | Description
DW20.EXE, dwwin.exe | Dr. Watson | A process that offers support for proper application crash handling.
igfxsrvc.exe | Intel video card driver process | A process that offers support for video card functionality.
iedw.exe | Internet Explorer | Microsoft Internet Explorer web browser.
unsecapp.exe | Microsoft Windows process | A process that offers support for compatibility issues.
ieuser.exe | Internet Explorer | Microsoft Internet Explorer web browser.
ieinstal.exe | Internet Explorer | Microsoft Internet Explorer web browser.
conime.exe | Microsoft Console IME (Input Method Editor) | A process used when the locale of the computer is set to a non-western language.
runner.exe | CShell ActiveX component | A CShell process required on Windows Vista.
sndvol.exe | Microsoft Windows Volume Control | A process associated with the Microsoft Windows OS.
SearchIndexer.exe | Content indexing service | A Windows Vista service that indexes modified content.
Acrobat.exe | Adobe Acrobat Writer | A process used to create and print PDF documents.
acrodist.exe | Adobe Acrobat Distiller | A process used to create and print PDF documents.
acrotray.exe | Acrobat Traybar Assistant | A process that provides a shortcut to additional configuration options for Adobe products and is used to create PDF documents.
telnet.exe | Microsoft Telnet Client | A terminal emulation program for TCP/IP networks.
hypertrm.exe | Microsoft HyperTerminal | A Windows utility that offers Telnet facilities.
Putty.exe | Putty | Free implementation of a Telnet and SSH client.
SecureCRT.exe | SecureCRT | Telnet and SSH client implementation from VanDyke Software, Inc.
ptw32.exe | TN3270 Telnet Client | TN3270 telnet client.
pcsfe.exe | TN3270 Telnet Client | IBM Personal Communications Session Manager. A TN3270 telnet client.
ftp.exe | Microsoft FTP Client | Microsoft FTP Utility process that provides basic FTP access.
internat.exe | Predefined Application | Windows process that provides multi-lingual features in Microsoft Windows. This program is important for the stable and secure running of the computer and should not be terminated.
Mstsc.exe | Microsoft Remote Desktop | Allows initiation of terminal services commands via command line.
Vncviewer.exe | VNC Viewer | Remote administration tool process from TWD Industries.
radmin.exe | RAdmin | Remote Administrator Server from Famatech Corp.
WISPTIS.EXE | Predefined Application | Process installed alongside Microsoft Office or packaged with Windows Update. This process handles Windows Ink Services and often runs with Adobe Acrobat Reader.
MSOHELP.EXE | Predefined Application | Microsoft Office 2003 suite process.
MSTORDB.EXE | Predefined Application | Microsoft Office 2003 suite process.
imapi.exe | Predefined Application | Microsoft Windows Image Mastering API process, used for CD recording. This program is important for the stable and secure running of endpoint computers and should not be terminated.
OIS.EXE | Predefined Application | Microsoft Office Picture Manager process.
CPSWS.exe | Check Point Secure Workspace | Check Point Secure Workspace executable. This executable should be allowed in order to enable Secure Workspace to start.
net.exe | Predefined Application | Microsoft Windows OS process that offers additional functions to the Local Area Network.
net1.exe | Predefined Application | Microsoft Windows OS process that offers additional functions to the Local Area Network.
svchost.exe | Predefined Application | Generic Host Process for Win32 Services, an integral part of the Microsoft Windows OS. It manages 32-bit DLLs and other services and cannot be stopped or restarted manually.
rundll32.exe | Predefined Application | Process that executes DLLs and places their libraries into memory. This program is important for the stable and secure running of the computer.
msiexec.exe | Predefined Application | Windows Installer Component process. This program is important for the stable and secure running of the computer.
verclsid.exe | Predefined Application | Microsoft Windows OS process that verifies a COM object before the COM object is instantiated by Windows Explorer.
AcroRd32Info.exe | Predefined Application | Adobe Acrobat Reader process. This process starts automatically when opening a PDF file and collects information about this file.
MSOXMLED.exe | Predefined Application | Microsoft Office InfoPath process used by Microsoft Office to open and edit XML files.
java.exe | Predefined Application | Sun Microsystems Java Runtime component.
javaw.exe | Predefined Application | Sun Microsystems Java Runtime component.
jview.exe | Predefined Application | Microsoft Java Virtual Machine Command Line Interpreter.
wjview.exe | Predefined Application | Microsoft Java Virtual Machine Command Line Interpreter.
helpctr.exe | Predefined Application | Microsoft Windows OS process. Process initiated when launching online Help in Windows 2000 or later versions.
unregmp2.exe | Predefined Application | Windows Media Player component. A process associated with the Microsoft Windows OS.
sndvol32.exe | Predefined Application | Microsoft Windows Volume Control. A process associated with the Microsoft Windows OS.
STAProxy.exe | Predefined Application | Check Point SNX Application Mode component.
ctfmon.exe | Predefined Application | Microsoft Office Suite process that activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar.
mobsync.exe | Predefined Application | Microsoft Synchronization Manager. Process associated with Internet Explorer.
netsh.exe | Predefined Application | Microsoft Windows OS process that allows display or modification of the network configuration of a computer that is currently running.
notepad.exe | Microsoft Notepad | Microsoft Notepad.
calc.exe | Microsoft Calculator | Microsoft Calculator.
wordpad.exe | Microsoft Wordpad | Microsoft Wordpad.
mspaint.exe | Microsoft Paint | Microsoft Paint.
winword.exe | Microsoft Word | Microsoft MS Office Word.
Administrators can add to the list of Approved Applications, and can add to, edit or delete applications from the list. For some applications, you may also need to define locations where the application is allowed to save files that remain after Secure Workspace shuts down. These locations are called Allowed Save locations. There is no need to define locations for files that are not needed after Secure Workspace shuts down; temporary files are deleted when Secure Workspace is closed. Secure Workspace includes a built-in firewall that allows you to define Outbound Firewall Rules. These are the IP addresses and ports that approved applications are allowed to access. By default, desktop applications are allowed access to all addresses and ports. Note that the settings for approved applications, save locations and outbound firewall rules are independent. For example, the save locations are not restricted to a particular application, and similarly, outbound firewall rules apply to all applications.
Chapter 7
For details of Program Advisor, see the Endpoint Security Administrator Guide, available from http://support.checkpoint.com. If Program Advisor is used, the sequence of Secure Workspace checks is as follows:
1. The user selects a program to run in Secure Workspace.
2. Secure Workspace checks the policy. If the program is not allowed by the Secure Workspace policy, program execution is blocked.
3. If the program is allowed by the policy, Secure Workspace queries the Program Advisor server about the program.
4. Program Advisor returns one of three responses about the application: Trusted, Untrusted, or Unknown.
5. Secure Workspace allows or blocks the application according to the Program Advisor response, in one of the following ways, as defined in the policy: Allow Trusted only, or Allow Trusted and Unknown.
Program Advisor can only narrow what the policy already permits; it never allows a program that the Secure Workspace policy blocks.
Add Application
Add shortcut to the Start Menu adds a shortcut to the application to the Start Menu in the Secure Workspace. The shortcut is only added if the application exists on the client computer. MD5 hash is the signature of the application. Several hashes can be added, for example one for each version of the application. The ICSInfo tool (see Using the ICSInfo Tool on page 196) can be used to calculate the hash of an application; alternatively, MD5 calculators are freely available on the Internet. Because the hash identifies one exact file, every new version or patch of the application needs its hash added before users can run it, and since MD5 is no longer collision resistant the hash should be treated as identifying a specific build rather than as a strong integrity guarantee.
Note - Check Point Program Advisor is a more maintainable and reliable way of checking the security and integrity of programs than manually adding MD5 hashes.
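The decision sequence above, and the hash-based Approved Applications entries from the Add Application page, as an added example written for this guide (it is not Check Point's Secure Workspace code). The executable names, hashes, Program Advisor verdicts and the rule that an unlisted program counts as Unknown are all constructed assumptions:

```python
"""Secure Workspace approved-application check with Program Advisor (added example)."""
import hashlib
from enum import Enum
from typing import Dict, Set, Tuple


class Advice(Enum):                 # the three Program Advisor responses
    TRUSTED = "Trusted"
    UNTRUSTED = "Untrusted"
    UNKNOWN = "Unknown"


# Approved Applications policy: executable name -> accepted MD5 hashes, one per
# version. Constructed: these are MD5s of short byte strings, not of real binaries.
POLICY: Dict[str, Set[str]] = {
    "notepad.exe": {
        "900150983cd24fb0d6963f7d28e17f72",   # md5(b"abc")  stands in for version 1
        "d41d8cd98f00b204e9800998ecf8427e",   # md5(b"")     stands in for version 2
        "0cc175b9c0f1b6a831c399e269772661",   # md5(b"a")    stands in for version 3
    },
}

# Constructed stand-in for the Program Advisor server: hash -> verdict.
ADVISOR: Dict[str, Advice] = {
    "900150983cd24fb0d6963f7d28e17f72": Advice.TRUSTED,
    "d41d8cd98f00b204e9800998ecf8427e": Advice.UNKNOWN,
    "0cc175b9c0f1b6a831c399e269772661": Advice.UNTRUSTED,
}

# The two policy settings from step 5.
MODES: Dict[str, Set[Advice]] = {
    "trusted_only": {Advice.TRUSTED},                        # "Allow Trusted only"
    "trusted_and_unknown": {Advice.TRUSTED, Advice.UNKNOWN}, # "Allow Trusted and Unknown"
}


def md5_of(image: bytes) -> str:
    """The same value ICSInfo or any MD5 tool reports for the file."""
    return hashlib.md5(image).hexdigest()


def approved_by_policy(exe: str, image: bytes,
                       policy: Dict[str, Set[str]] = POLICY) -> bool:
    """Step 2: the name must be listed and the file's hash must be one of its approved hashes."""
    return md5_of(image) in policy.get(exe.lower(), set())


def decide(exe: str, image: bytes, mode: str,
           policy: Dict[str, Set[str]] = POLICY,
           advisor: Dict[str, Advice] = ADVISOR) -> Tuple[bool, str]:
    """Steps 2 to 5: policy first, then the Program Advisor verdict filtered by mode."""
    if not approved_by_policy(exe, image, policy):
        return False, "blocked by Secure Workspace policy (name or hash not approved)"
    # Assumption: a hash the advisor has never seen is reported as Unknown.
    verdict = advisor.get(md5_of(image), Advice.UNKNOWN)
    if verdict in MODES[mode]:
        return True, f"allowed: Program Advisor says {verdict.value}"
    return False, f"blocked: Program Advisor says {verdict.value}"


if __name__ == "__main__":
    for mode in MODES:
        for image in (b"abc", b"", b"a", b"abcd"):
            print(mode, md5_of(image), decide("notepad.exe", image, mode))
```

The point to take from the ordering is that a program rejected by the hash list never reaches Program Advisor, so a stale hash list blocks a legitimately updated application regardless of how Program Advisor would rate it.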
The Secure Workspace policy configured in SmartDashboard applies to all Connectra gateways. To configure a Secure Workspace policy per gateway, see SecureKnowledge solution sk34939.
2. Secure Workspace is installed on the endpoint machine by using ActiveX (for Windows with Internet Explorer), or Java. For more details see First time Installation of ActiveX and Java Components on page 39.
The principal difference is that Secure Workspace only allows users to work with a limited number of pre-approved applications and files and, by default, does not allow users to print, customize the desktop or perform any system configuration activities. Since most users only use Secure Workspace to work with the Connectra Portal, these functions are rarely needed.
Likewise, if a user attempts to save a file to a real desktop folder without Secure Workspace permission, an error message appears.
Note - During a Secure Workspace session, SSL Network Extender cannot toggle between Network Mode and Application Mode. The user can change the mode, but must start a new Secure Workspace session after doing so.
A confirmation and reminder to save open files appears. Click Yes, close it now to continue closing Secure Workspace.
To configure automatic updates: 1. On the SmartDashboard Connectra tab, select Endpoint Security On Demand > Endpoint Compliance Updates from the navigation tree. 2. Select Enable Automatic Updates. 3. In the Update Configuration section, click Configure. The Automatic Updates window opens.
4. On the User Center Credentials tab, enter your User Center email address and password.
a. To install updates from the Download Center, select the Check Point web site option.
b. To install updates from your SmartCenter server, select the My local SmartCenter server option. To install updates from the Download Center when the SmartCenter server is unavailable, enable the indicated option.
c. Select the interval, in minutes, at which Endpoint Security On Demand checks for available downloads.
6. In the Tracking Configuration tab, select the tracking options from the lists. You can select logging events or a variety of alert types.
7. If there is a proxy server between the SmartCenter and the User Center, select the Proxy tab, and enter the proxy host name or IP address, and the proxy port number (for example: 8080).
8. Click OK to complete the definition. 9. Install the policy on the Connectra gateways.
Portal Settings
In This Section
Portal Customization, page 236
Alternative Portal Configuration, page 238
Portal Customization
It is possible to configure the look and feel of the default Connectra end user portal. There is a default end user portal for each Connectra gateway or cluster. To customize the Connectra end user portal, proceed as follows: 1. In the SmartDashboard Connectra tab, select the Portal Settings > Portal Customization page. 2. Centrally managed Connectra only: Select a Connectra gateway or cluster object and click Edit. The Portal Customization page opens.
Localization
Default language (can be changed by user) localizes the end user portal to the selected language.
Clicking the logo redirects to this URL is a URL that serves as a starting point for users, often the organization's intranet home page.
Traffic to Portal
Service is the TCP port (or port range) on which Connectra listens for communication from clients. Machine's interfaces are the IP addresses of the interfaces on which Connectra listens for client connections to the Connectra portal.
Chapter 8
3. In the User Groups tab, specify user groups that may access the alternative user portal. 4. In the Install On tab, specify the Connectra gateways and gateway clusters that host the alternative portal. 5. In the Sign-In Home Page tab, choose an alternative portal for users, in place of the Connectra user portal that users reach by default. URL is the location of the alternative user portal for the user group(s) specified in the User Groups tab.
Link Translation
In This Section
Introduction to Hostname Translation, page 239
Link Translation Per Gateway or Per Application, page 240
How Hostname Translation Works, page 240
Configuring Link Translation, page 242
Portal Access with Hostname Translation, page 245
Link Translation Issues, page 246
Hostname Translation is an optional feature, disabled by default, that requires additional one-time configuration. For most Connectra deployments, Hostname Translation works well with its default configuration. To use Hostname Translation, you must add a record to your organization's DNS server. Additionally, a wildcard SSL certificate for the Connectra gateway is strongly recommended, because each translated host name is a different subdomain of the gateway's name.
https://c-ds1q-itfgppae7oq.ssl.example.com/path
Note that the seemingly random character string c-ds1q-itfgppae7oq represents the destination URL.
https://ssl.example.com/Web/path,CVPNHost=www.example.com,CVPNProtocol=http
address. This wildcard includes all sub-domains of the parent domain, such as a.ssl.example.com and b.ssl.example.com. The parent domain ssl.example.com must also be defined as a separate DNS record.
Warning - If the DNS server is not configured to resolve wildcard Connectra host names, users will be unable to connect to Connectra, because the portal changes to a subdomain as well: portal.ssl.example.com.
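The DNS and certificate conditions Hostname Translation depends on, together with a parser for the URL Translation link form shown above, as an added example written for this guide (not Connectra code). The zone fragment, the 203.0.113.5 address, the single-label wildcard matching and the reading of /Web as the gateway's own path prefix are assumptions; the encoding behind host names such as c-ds1q-itfgppae7oq is not described on this page and is not decoded here:

```python
"""Checks for Hostname Translation DNS/certificate setup and URL Translation links (added example)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed zone fragment for the gateway's parent name. Both records are needed:
# the wildcard serves the per-destination host names (c-....ssl.example.com) and the
# portal (portal.ssl.example.com); the parent name ssl.example.com needs its own record.
ZONE: Dict[str, str] = {
    "ssl.example.com": "203.0.113.5",
    "*.ssl.example.com": "203.0.113.5",
}


def resolve(name: str, zone: Dict[str, str]) -> Optional[str]:
    """Exact record first, then a wildcard one label up. Simplified matching:
    one label only, which is all Hostname Translation needs."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent) if parent else None


def dns_ready(parent: str, zone: Dict[str, str]) -> Dict[str, bool]:
    """Which of the names Hostname Translation will use actually resolve.
    A missing wildcard shows up as the portal name failing, the documented failure."""
    names = [parent, "portal." + parent, "c-ds1q-itfgppae7oq." + parent]
    return {n: resolve(n, zone) is not None for n in names}


def cert_name_matches(pattern: str, host: str) -> bool:
    """Browser-style wildcard matching (RFC 6125): '*' covers exactly one left-most
    label, so *.ssl.example.com covers portal.ssl.example.com but neither
    ssl.example.com itself nor a.b.ssl.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # ".ssl.example.com"
    if not host.endswith(suffix):
        return False
    first_label = host[:-len(suffix)]
    return first_label != "" and "." not in first_label


def cert_covers(names_in_cert: List[str], host: str) -> bool:
    """True when some CN/SAN entry covers host. A gateway certificate for
    Hostname Translation therefore needs both the parent name and the wildcard."""
    return any(cert_name_matches(p, host) for p in names_in_cert)


def parse_url_translation(link: str) -> str:
    """Recover the internal URL from a URL Translation link such as
    https://ssl.example.com/Web/path,CVPNHost=www.example.com,CVPNProtocol=http
    Assumption: the first path segment (/Web) is the gateway's own prefix and the
    remainder is the path on the internal server."""
    parts = urlsplit(link)
    path, *params = parts.path.split(",")
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    host = kv.get("CVPNHost")
    if not host:
        raise ValueError("link carries no CVPNHost parameter")
    proto = kv.get("CVPNProtocol", "http")
    segments = path.split("/", 2)              # ["", "Web", "rest/of/path"]
    internal_path = "/" + segments[2] if len(segments) == 3 else "/"
    return urlunsplit((proto, host, internal_path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(dns_ready("ssl.example.com", ZONE))
    print(dns_ready("ssl.example.com", {"ssl.example.com": "203.0.113.5"}))
    print(cert_covers(["*.ssl.example.com"], "ssl.example.com"))
    print(parse_url_translation(
        "https://ssl.example.com/Web/path,CVPNHost=www.example.com,CVPNProtocol=http"))
```

The certificate check is the reason a wildcard certificate alone is not enough: browsers never let *.ssl.example.com stand for ssl.example.com, so the certificate must carry the parent name as well, mirroring the two DNS records.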
d. Create or select a DNS Name object that specifies the parent DNS name of the Connectra gateway. Do not include the wildcard prefix ("*.") in the DNS name; for example, configure "ssl.example.com" as the DNS Name object. For further information, see DNS Names on page 85.
2. Configure the default link translation method used by Connectra: in the Translation method used by Connectra section, select the default link translation method for accessing Web applications. This method is used unless a different method is specified in the application itself. Select either URL Translation or Hostname Translation.
3. Configure the Link Translation method used by the application: a. In the Link Translation Method Settings on Applications section, select an application and click Edit. The Link Translation page of the Connectra application opens.
b. Select the Translation methods. Either Use the method specified in the Connectra through which this application is accessed (as chosen in step 2), or Select the method that will always be used to access this application.
d. Select the appropriate Cookies Handling Mode. On the gateway is the default setting: all HTTP cookies sent to clients by internal Web servers are stored on Connectra and are not passed to the client's browser, so the internal applications' session cookies never reach the endpoint. On the endpoint machine can be used if the default setting causes the JavaScript from the internal servers (which runs in the client browser and handles HTTP cookies) to fail. With this setting, Connectra passes the HTTP cookies to the browser, where they are exposed to anything that can read the browser's cookie store; use it only for applications that need it.
e. Click OK twice. 4. Examine the Link Translation configuration summary on the Link Translation page.
3. Press Enter to encrypt the private key file (the default).
4. The following output appears:

csr_gen : /opt/CPcvpn-R66/bin/csr_gen : Executing <openssl req -new -newkey rsa:1024 -out server1.csr -keyout server1.key -days 365 -config /opt/CPcvpn-R66/conf/openssl.cnf>
Generating a 1024 bit RSA private key
.....................................++++++
............++++++
writing new private key to 'server1.key'
Enter PEM pass phrase:
5. If you chose to encrypt the private key file in step 3, enter a pass phrase and confirm it. The following message appears:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

6. Fill in the requested data according to the instructions presented. All fields are optional except Common Name, which is required. This field must contain the Connectra Fully Qualified Domain Name (FQDN), the name that end users must use to access Connectra on the Web, for example sslvpn.example.com. If the Common Name does not match the name users type, browsers warn on every connection, and users learn to click through the very warning that would also signal an interception attempt.
7. The following message appears:

csr_gen : Operation Succeeded
Your Private Key File is : server1.key
Your CSR File is : server1.csr
8. Send the CSR file to a trusted certificate authority, retaining the .key private key file. Be sure to request a Signed Certificate in PEM format.
2. Install the certificate using the *.crt certificate file together with the *.key key file that csr_gen generated.
a. If a previous signed certificate file exists, back up the directory $CVPNDIR/var/ssl.
b. Execute the following command to install the signed certificate:
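The openssl operations that csr_gen wraps, plus the checks worth running before a CSR leaves the gateway and before a returned certificate is installed, as an added example written for this guide. It is neither the csr_gen script nor the self-signed-certificate script shipped with Connectra. Assumptions: the file names, the wildcard name *.ssl.example.com, a 2048-bit key (the 1024-bit size in the csr_gen output above is below current CA and browser minimums), and -nodes so the key is written unencrypted and the script runs unattended; csr_gen encrypts the key by default, so drop -nodes to be prompted for a pass phrase. The -addext option needs OpenSSL 1.1.1 or later:

```sh
#!/bin/sh
# Key/CSR generation and pre-installation checks for a Connectra-style gateway certificate.
# Added example for this guide; not the csr_gen script shipped with the product.
set -eu

# gen_csr FQDN BASENAME [WILDCARD]
# Writes BASENAME.key and BASENAME.csr. CN is the FQDN users type; when a wildcard
# name is given (needed for Hostname Translation) it goes into the SAN with the FQDN.
gen_csr() {
    fqdn=$1
    base=$2
    wild=${3:-}
    san="DNS:$fqdn"
    if [ -n "$wild" ]; then
        san="$san,DNS:$wild"
    fi
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr" \
        -subj "/CN=$fqdn" -addext "subjectAltName=$san" 2>/dev/null
}

# csr_cn CSRFILE: print the Common Name the CA will issue for
# (handles both "subject=CN = x" and the older "subject=/CN=x" output forms)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# csr_has_san CSRFILE NAME: succeed when NAME is listed in the request's subjectAltName
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

# self_sign BASENAME: a self-signed certificate from the CSR, the equivalent of the
# gateway's own self-signed option (useful for lab gateways and for the test below)
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -out "$1.crt" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE: the pair you install must share the RSA modulus;
# a certificate returned for the wrong CSR, or a key file mixed up during backup,
# fails here instead of after the gateway has been reconfigured
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl md5)
    [ "$k" = "$c" ]
}

# Usage: sh csr_check.sh demo   (writes server1.key and server1.csr in the current directory)
if [ "${1:-}" = "demo" ]; then
    gen_csr sslvpn.example.com server1 '*.ssl.example.com'
    echo "CSR Common Name: $(csr_cn server1.csr)"
    csr_has_san server1.csr '*.ssl.example.com' && echo "wildcard SAN present"
    # once the CA returns server1.crt:  key_matches_cert server1.key server1.crt && echo "pair OK"
fi
```

Keep the .key file on the gateway only, with the same care as the existing $CVPNDIR/var/ssl contents: anyone holding it can impersonate the portal for as long as the certificate is valid.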
An installed and configured Connectra has a default self-signed server certificate. It is possible to generate and install a new self-signed certificate.
When the script runs, the following occurs by default:
1. The old certificates are backed up to $CVPNDIR/var/ssl/old_certs/.
2. Certificate files are created in $CVPNDIR/var/ssl.
The options for running this script are as follows. All options can be combined:

Command                    Description
(no arguments)             Back up existing certificates, and create a self-signed certificate with the server IP as subject.
mymodule.example.com       Back up existing certificates, and create a self-signed certificate with mymodule.example.com as subject.
-w mymodule.example.com    Back up existing certificates, and create a self-signed wildcard certificate with *.mymodule.example.com as subject. (You must supply a subject when creating a wildcard certificate.)
                           Display the usage message.
-o                         Override existing certificates without backup.
-t mycert                  Back up existing certificates with the base name mycert (if they exist), and create new certificate files in the $CVPNDIR/var/ssl directory with the names mycert.* (instead of the default names server.*). This option has no effect on the Connectra server certificate; certificates with base names other than mycert are not affected.
To view the Connectra certificate details, browse to the Connectra gateway, at https://<Connectra IP address or FQDN>:443. The SSL certificate of the Connectra gateway is presented in a browser popup. For example:
Session Settings
This section discusses Connectra session related parameters and best practices.
In This Section
Simultaneous Logins to the Portal, page 254
Session Timeouts, page 258
Roaming, page 258
Tracking, page 258
Securing Authentication Credentials, page 258

In This Section
Configuring Simultaneous Login Prevention, page 255
Tracking of Simultaneous Logins, page 256
Simultaneous Login Issues, page 257
The options are:

User is allowed several simultaneous logins to the Portal
    Simultaneous login detection is disabled. This is the default option.

User is allowed only a single login to the portal: selected
Inform user before disconnecting his previous session: not selected
    The earlier user is disconnected and the later user is allowed. The earlier user is logged out. For Connectra portal users, the following message appears: "Your Connectra session has timed out. Would you like to sign in again now?". The later user is not informed that an earlier user is logged in.

User is allowed only a single login to the portal: selected
Inform user before disconnecting his previous session: selected
    The later user is informed that an earlier user is logged in, and is given the choice of either canceling the login and retaining the existing session, or of logging in and terminating the existing session. If the existing session is terminated, the earlier user is logged out with the message: "Your Connectra session has timed out. Would you like to sign in again now?".
SecureClient Mobile users can be logged off by another user, and can log off other users. However, the Inform user before disconnecting his previous session option does not work for them, because no message can be sent to those users.
User can be logged off, but cannot log off other users.
Session Timeouts
Once authenticated, remote users work in a Connectra session until they log out or the session terminates. Security best practice is to limit the length of both active and idle Connectra sessions, so that an unattended or hijacked session cannot be used indefinitely.

Note - Connectra uses the system time to keep track of session timeouts. Changing the system time may disrupt existing session timeouts, so change the system time during low-activity hours.

Connectra provides two types of session timeout, both configurable:
Re-authenticate users every is the maximum session time. When this period is reached, the user must log in again. The default value is 60 minutes. Changing this timeout affects only future sessions, not current sessions.
Disconnect idle sessions after is the disconnection timeout if the connection remains idle. The default value is 15 minutes. When users connect via SSL Network Extender, this timeout does not apply, so the maximum session time is the only limit on such sessions.
Roaming
The Roaming option allows users to change their IP addresses during an active session. By default, user requests are denied if sent from a different IP address than that used for login.
Note - Users connected via SSL Network Extender can always change IP address while connected, irrespective of the roaming setting.
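The session rules described in this section (simultaneous-login prevention with and without the inform option, the two timeouts with their defaults, and roaming), combined into one model as an added example written for this guide; it is illustrative code, not Connectra's session handling. The client labels "portal", "snx" and "scm", the rule that only non-SecureClient Mobile clients can be shown the inform prompt, and the sample addresses are assumptions:

```python
"""Model of Connectra session settings: single login, timeouts, roaming (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TIMEOUT_MESSAGE = "Your Connectra session has timed out. Would you like to sign in again now?"


@dataclass
class Policy:
    reauth_minutes: int = 60           # "Re-authenticate users every" (default 60)
    idle_minutes: int = 15             # "Disconnect idle sessions after" (default 15)
    roaming: bool = False              # False: deny requests from an IP other than the login IP
    single_login: bool = False         # "User is allowed only a single login to the portal"
    inform_before_disconnect: bool = False


@dataclass
class Session:
    user: str
    ip: str
    client: str               # "portal", "snx" (SSL Network Extender) or "scm" (SecureClient Mobile)
    absolute_deadline: float  # fixed at login, so a later policy change affects only new sessions
    last_seen: float


class SessionManager:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Session] = {}
        self.messages: List[Tuple[str, str]] = []   # (session id, text delivered to that user)

    def login(self, sid: str, user: str, ip: str, now: float,
              client: str = "portal", take_over: Optional[bool] = None) -> str:
        """Returns "ok", "prompt" (the later user must choose) or "cancelled"."""
        others = [(k, s) for k, s in self.sessions.items() if s.user == user and k != sid]
        if self.policy.single_login and others:
            # Assumption: a SecureClient Mobile client cannot be shown the choice,
            # so for it the inform option behaves as if it were not selected.
            can_ask = self.policy.inform_before_disconnect and client != "scm"
            if can_ask and take_over is None:
                return "prompt"            # earlier session retained until the later user decides
            if can_ask and take_over is False:
                return "cancelled"
            for k, s in others:            # later user wins: earlier session is logged out
                self._logout(k, s)
        deadline = now + self.policy.reauth_minutes * 60
        self.sessions[sid] = Session(user, ip, client, deadline, now)
        return "ok"

    def _logout(self, sid: str, s: Session) -> None:
        del self.sessions[sid]
        if s.client == "portal":           # no message can be delivered to a SecureClient Mobile user
            self.messages.append((sid, TIMEOUT_MESSAGE))

    def request(self, sid: str, ip: str, now: float) -> str:
        """Gate one request against the two timeouts and the roaming setting."""
        s = self.sessions.get(sid)
        if s is None:
            return "no_session"
        if now >= s.absolute_deadline:
            self._logout(sid, s)
            return "reauth_required"
        if s.client != "snx" and now - s.last_seen >= self.policy.idle_minutes * 60:
            self._logout(sid, s)           # the idle timeout does not apply to SSL Network Extender
            return "idle_timeout"
        if ip != s.ip and not (self.policy.roaming or s.client == "snx"):
            return "denied_ip_changed"     # SSL Network Extender users may always change address
        s.last_seen = now
        return "ok"


if __name__ == "__main__":
    m = SessionManager(Policy(single_login=True, inform_before_disconnect=True))
    print(m.login("s1", "alice", "203.0.113.10", 0))
    print(m.login("s2", "alice", "203.0.113.11", 60))               # prompt
    print(m.login("s2", "alice", "203.0.113.11", 60, take_over=True))
    print(m.request("s1", "203.0.113.10", 120), m.messages)
```

Two details are worth noticing: the absolute deadline is computed at login, which is what "affects only future sessions" means in practice, and an SSL Network Extender session with the idle timeout switched off lives until the re-authentication deadline no matter how long it sits unused.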
Tracking
Configure Connectra to log session activity, including login attempts, logouts, timeouts, activity states and license expiration warnings.
or for example, choosing Firefox from a menu), receive the authentication credentials of the earlier session and browse directly to the Connectra portal without re-entering the login credentials.
Tip - To ensure that their authentication credentials are not picked up by someone else using the same computer, recommend that users log off, or close all browser windows, when they have finished using the browser.
Using SmartDashboard
5. Edit the Connectra object or the Connectra cluster object, and update the IP address in the following pages: General Properties Cluster Members (Connectra cluster only) Topology Portal Customization VPN Clients
The other possible configuration is for Connectra to listen for both portal and SSL Network Extender traffic on port 443. This requires separate IP addresses for the portal and for SSL clients, but allows access for users in locations that block port 444 and only allow access to port 443.
Note - In a Connectra cluster, perform the following steps on every cluster member.
1. Log in to the Connectra console. 2. Enter Expert mode. 3. Save a backup copy of $CVPNDIR/conf/cvpnd.C 4. Edit the file $CVPNDIR/conf/cvpnd.C 5. To add compression support, add the bolded word (including the minus).
#DeflateCompressionLevel 9
To change the mime types that are compressed modify the list:
All cluster members are aware of the sessions tracked through each of the other cluster members. The cluster members synchronize their sessions and status information across a secure synchronization network. Connectra gateway clusters are supported for centrally managed Connectra gateways. Locally managed Connectra clusters are not supported.
High Availability: The ability to maintain a session when there is a failure, by having another cluster member take over the connection without any loss of connectivity. Only the Active cluster member provides service; the others do not. One of the cluster members is configured as the Active gateway. If a failover occurs on the Active gateway, one of the other cluster members assumes its responsibilities.
Active Up: When the High Availability cluster member that was Active and suffered a failure becomes available again, it returns to the cluster not as the Active cluster member but as one of the standby cluster members.
Primary Up: When the High Availability cluster member that was Active and suffered a failure becomes available again, it resumes its responsibilities as the Primary cluster member.
Hot Standby: Also known as Active/Standby. Means the same as High Availability.
Load Sharing: In a Load Sharing cluster, all cluster members share the workload of providing service. Load Sharing provides High Availability, gives transparent failover to any of the other cluster members when a failure occurs, and provides enhanced reliability and performance. Load Sharing is also known as Active/Active.
Critical Device: A device which the administrator has defined to be critical to the operation of the cluster member. A critical device is also known as a Problem Notification (pnote). Critical devices are constantly monitored. If a critical device stops functioning, this is defined as a failure. A device can be hardware or a process. The fwd and cphad processes are predefined by default as critical devices. The Security Policy is also predefined as a critical device. The administrator can add to the list of critical devices using the cphaprob command.
State Synchronization: The technology that maintains connections after failover. It works by replicating Connectra kernel tables.
Chapter 9
Secured interface: An interface on a secure network. The synchronization network should be secured because of the sensitivity of the data that passes across it (the replicated kernel tables, including session state). One way of securing the network is to ensure that all interfaces connected to it are in a single locked room. Connecting the synchronization interfaces with a cross cable is another way of securing an interface.
Load Sharing
In a Load Sharing deployment, all the cluster members are active at all times (Active/Active operation). Load Sharing brings significant performance advantages: putting multiple Connectra gateways to work instead of a single gateway provides linear performance increases for CPU-intensive tasks. If any individual Connectra cluster member becomes unreachable, transparent failover to the remaining operational cluster members occurs, thus providing High Availability. All sessions are shared between the remaining cluster members without interruption.
High Availability
In a High Availability Connectra cluster deployment, only one cluster member is active (Active/Standby operation). If the active cluster member becomes unreachable, all sessions are redirected to a designated backup without interruption. In a High Availability cluster, each cluster member is given a priority. The highest-priority cluster member serves as the Connectra gateway in normal circumstances. If this cluster member fails, control passes to the next-highest-priority cluster member; if that member fails, control passes to the next one, and so on. Upon cluster member recovery, it is possible either to Maintain current active Cluster Member (Active Up) or to Switch to higher priority Cluster Member (Primary Up).
The High Availability mode is equivalent to the ClusterXL High Availability New mode in VPN-1. The Load Sharing mode is equivalent to the ClusterXL Load Sharing Unicast mode in VPN-1. Features common to both Connectra ClusterXL modes:
- Fail-safe operation.
- VLAN tagging support.
- Cluster members are synchronized.
- One machine in the cluster receives packets from the router.
- The cluster answers ARP requests for a MAC address using unicast.
- Cluster Control Protocol (CCP) can use multicast (by default) or broadcast.
The differences between the Connectra clustering modes are:

Feature                                            High Availability Mode   Load Sharing Mode
Performance                                        Good                     Very Good
Load sharing operation                             No                       Yes
Number of members that deal with network traffic   1                        n
Geo clustering is distinct from normal gateway clustering, and used in different scenarios. While normal clustering is used for gateways in close proximity, geo-clustering applies to remote gateways. Unlike normal clustering, geo-clustering does not provide for replication of the gateway's configuration.
Cluster Interfaces
Connectra cluster members have unique IP and MAC addresses for each physical interface. The Connectra cluster has a virtual cluster interface with a routable IP address. Connectra clients access the Connectra portal via the cluster interface, not the member interfaces. The IP address (or addresses) of the cluster interface do not belong to any real cluster member interface. Running the ifconfig command on the cluster members shows only the member interfaces, not the cluster interfaces, because the operating system does not know about the cluster interfaces. To get information about the cluster interfaces, run the ClusterXL commands cphaprob state (to monitor cluster status) and cphaprob -a if (to monitor the state of the cluster interfaces). For information about cluster monitoring and troubleshooting commands, see the ClusterXL Administration Guide.
Figure 9-2
The data subnet of the members can be either the same as the cluster interface subnet (in Figure 9-1, 192.168.10.0), which is the default option, or different from the cluster interface subnet (in Figure 9-2, the cluster interface subnet is 10.0.0.0 and the member data subnet is 192.168.10.0). The second option requires member networks to be configured.
Enable a Connectra cluster to replace a single Connectra gateway in a pre-configured network, without the need to allocate new addresses to the cluster members. Allow organizations to use only one routable address for the Connectra Cluster. This saves routable addresses.
When a failover event occurs on a non-pivot member, the sessions it handled are redistributed among the active cluster members, providing High Availability. When the pivot member encounters a problem, a regular failover event occurs and, in addition, another member assumes the role of pivot. The pivot member is always the active member with the highest priority, so when a former pivot recovers it becomes the pivot again. See Figure 9-1 on page 274 for an example of a typical Connectra cluster configuration.
Example

In this scenario, a Load Sharing Connectra cluster is the gateway between the user's computer and the Web server.
1. The user requests a session from 192.168.10.78 (the user's computer) to 10.10.0.34 (the Web server).
2. A router on the 192.168.10.x network recognizes 192.168.10.100 (the cluster's virtual IP address) as the gateway to the 10.10.0.x network.
3. The router issues an ARP request to 192.168.10.100.
4. The pivot member intercepts the ARP request, and responds with the MAC address that corresponds to its own unique IP address of 192.168.10.1.
5. When the Web server responds to the user's requests, it recognizes 10.10.0.100 as its gateway to the Internet.
6. The Web server issues an ARP request to 10.10.0.100.
7. The pivot member intercepts the ARP request, and responds with the MAC address that corresponds to its own unique IP address of 10.10.0.1.
8. The user's request packet reaches the pivot member on interface 192.168.10.1.
9. The pivot decides that the second member should handle this packet, and forwards it to 192.168.10.2.
10. The second member recognizes the packet as a forwarded one, and processes it.
11. Further packets are processed by either the pivot member, or forwarded to and processed by the non-pivot member.
12. When a failover occurs on the pivot, the second member assumes the role of pivot.
13. The new pivot member sends gratuitous ARP requests to both the 192.168.10.x and the 10.10.0.x networks. These associate the virtual IP address 192.168.10.100 with the MAC address that corresponds to the unique IP address 192.168.10.2, and the virtual IP address 10.10.0.100 with the MAC address that corresponds to the unique IP address 10.10.0.2.
14. Traffic sent to the cluster is now received by the new pivot, and processed by the local gateway (as it is currently the only active gateway in the cluster).
15. When the first gateway recovers, it re-assumes the role of pivot by associating the cluster IP addresses with its own unique MAC addresses.
Whenever the cluster detects a problem in the active member that is severe enough to cause a failover event, it passes the role of active member to one of the standby Connectra gateways (the member with the currently highest priority). Open sessions are recognized by the new active Connectra gateway and are handled according to their last known state. Upon recovery of a member with a higher priority, the role of active Connectra gateway may or may not be switched back to that member, depending on the configuration settings. Note that the cluster may also detect problems in standby Connectra gateways; such gateways are not considered for the role of active member in the event of a failover. See Figure 9-1, Example Connectra Clustering Topology, on page 274 for an example of a typical Connectra cluster configuration.
Example

This scenario describes a user connecting from the Internet to a Web server behind the Firewall cluster.
1. The user requests a session from 192.168.10.78 (the user's computer) to 10.10.0.34 (the Web server).
2. A router on the 192.168.10.x network recognizes 192.168.10.100 (the cluster's virtual IP address) as the gateway to the 10.10.0.x network.
3. The router issues an ARP request to 192.168.10.100.
4. The active member intercepts the ARP request, and responds with the MAC address that corresponds to its own unique IP address of 192.168.10.1.
5. When the Web server responds to the user's requests, it recognizes 10.10.0.100 as its gateway to the Internet.
6. The Web server issues an ARP request to 10.10.0.100.
7. The active member intercepts the ARP request, and responds with the MAC address that corresponds to its own unique IP address of 10.10.0.1.
8. All traffic between the user and the Web server is now routed through the active member.
9. When a failover occurs, the standby member concludes that it should now replace the faulty active member.
10. The standby member sends gratuitous ARP requests to both the 192.168.10.x and the 10.10.0.x networks. These associate the virtual IP address 192.168.10.100 with the MAC address that corresponds to the unique IP address 192.168.10.2, and the virtual IP address 10.10.0.100 with the MAC address that corresponds to the unique IP address 10.10.0.2.
11. The standby member has now switched to the role of active member, and all traffic directed through the cluster is routed through this Connectra gateway.
12. The former active member is now considered down, waiting to recover from whatever problem caused the failover event.
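The failover mechanics in the two examples above (priority-based election, gratuitous ARP re-mapping the virtual IP on the router, Active Up versus Primary Up recovery, and the Active Attention state when every member reports a problem), as an added example written for this guide. It is illustrative code, not Check Point's ClusterXL implementation; the member MACs, the choice of the highest-priority member for Active Attention, and the simplified one-entry router ARP cache are assumptions:

```python
"""Model of Connectra cluster failover: priorities, recovery modes, router ARP cache (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    priority: int          # higher value = higher priority
    ip: str                # unique member address on the data subnet
    mac: str
    healthy: bool = True   # False once a critical device (pnote) reports a failure


class Router:
    """The upstream router only knows the cluster virtual IP; its ARP cache holds
    whatever MAC last answered for it or announced itself with gratuitous ARP."""

    def __init__(self) -> None:
        self.arp: Dict[str, str] = {}

    def learn(self, ip: str, mac: str) -> None:
        self.arp[ip] = mac

    def next_hop_mac(self, vip: str) -> Optional[str]:
        return self.arp.get(vip)


class Cluster:
    def __init__(self, vip: str, members: List[Member], recovery: str = "primary_up") -> None:
        assert recovery in ("active_up", "primary_up")
        self.vip = vip
        self.members = sorted(members, key=lambda m: -m.priority)
        self.recovery = recovery
        self.router = Router()
        self.active: Optional[Member] = None
        self.state: Dict[str, str] = {}
        self._elect()

    def _elect(self) -> None:
        healthy = [m for m in self.members if m.healthy]
        attention = False
        if healthy:
            # Active Up keeps the current active member while it is healthy; Primary Up
            # (and the initial election) picks the highest-priority healthy member.
            if self.recovery == "active_up" and self.active in healthy:
                chosen = self.active
            else:
                chosen = healthy[0]
        else:
            # Every member reports a problem: one keeps serving, reported as Active
            # Attention (assumption: the highest-priority member), until another recovers.
            chosen = self.members[0]
            attention = True
        if chosen is not self.active:
            # The new active member sends gratuitous ARP; the router re-maps the VIP.
            self.router.learn(self.vip, chosen.mac)
            self.active = chosen
        for m in self.members:
            if m is chosen:
                self.state[m.name] = "Active Attention" if attention else "Active"
            else:
                self.state[m.name] = "Standby" if m.healthy else "Down"

    def _set_health(self, name: str, healthy: bool) -> None:
        next(m for m in self.members if m.name == name).healthy = healthy
        self._elect()                     # heartbeat loss or a pnote change triggers re-election

    def fail(self, name: str) -> None:
        self._set_health(name, False)

    def recover(self, name: str) -> None:
        self._set_health(name, True)

    def serving_mac(self) -> Optional[str]:
        """The MAC the router currently sends VIP traffic to."""
        return self.router.next_hop_mac(self.vip)


def two_members() -> List[Member]:
    """Constructed members matching the example topology (MACs from the documentation range)."""
    return [Member("m1", 100, "192.168.10.1", "00:00:5e:00:53:01"),
            Member("m2", 90, "192.168.10.2", "00:00:5e:00:53:02")]


if __name__ == "__main__":
    c = Cluster("192.168.10.100", two_members(), recovery="active_up")
    c.fail("m1")
    print(c.state, c.serving_mac())
    c.recover("m1")
    print(c.state, c.serving_mac())      # m2 stays active under Active Up
```

The router never sees a member fail: it keeps forwarding to whichever MAC is in its cache, which is why the gratuitous ARP in step 10 is the part of the failover that actually moves traffic, and why a switch that drops or fails to re-learn those announcements (see the switch notes later in this chapter) leaves the cluster unreachable even though a healthy member is active.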
Failover
In This Section
What is a Failover?, page 284
What Happens When Failover Occurs?, page 284
When Does a Failover Occur?, page 285
Cluster Member Priority, page 286
What Happens When a Cluster Member Recovers?, page 286
How a Recovered Cluster Member Obtains the Security Policy, page 286
How Connectra Applications Behave Upon Failover, page 287
What is a Failover?
A failover occurs when a cluster member is no longer able to perform its designated functions. When this happens, another member of the Connectra cluster assumes the failed member's responsibilities. In a Load Sharing configuration, if one cluster member goes down, its sessions are distributed among the remaining cluster members. All cluster members in a Load Sharing configuration are synchronized, so no sessions are interrupted.
To tell each Connectra cluster member that the other cluster members are alive and functioning, the Cluster Control Protocol (CCP) maintains a heartbeat between cluster members. If a predetermined time elapses and no message is received from a cluster member, that member is assumed to be down and a failover occurs: another cluster member automatically assumes the responsibilities of the failed member. More than one cluster member may encounter a problem that results in a failover event. If all cluster members encounter such problems, the Connectra cluster tries to choose a single member to continue operating; the state of the chosen member is reported as Active Attention. This situation lasts until another member fully recovers. For example, if the cross cable connecting the cluster members malfunctions, both members detect an interface problem: one changes to the Down state, and the other to Active Attention.
A Connectra cluster member may still be operational, but if any of the above checks fail, the faulty member initiates the failover itself, because it has determined that it can no longer function as a cluster member.
local policy to the policy on the management component of the cluster member. If the policy on the administration component of the cluster member is more up to date than the one on the cluster member, that policy will be retrieved. If the cluster member does not have a local policy, it retrieves one from the administration component of the cluster member. This ensures that all cluster members use the same policy at any given moment.
Table 9-1 (failover behaviour of Connectra applications; reconstructed from the extracted table as far as its structure is recoverable)

Application: Web browsing through the user portal, Domino Web Access, Outlook Web Access, File Shares
User experience upon failover: The user is unaware of the failover. However, if the failover happens while the user is clicking a link or waiting for a server response, the user may be disconnected and may need to refresh the page.

Application: Web Mail
User experience upon failover: If the failover occurs while the user is clicking a link or waiting for a server response, the user sees an error page. By clicking the link Go to the login page the user returns to the Inbox, and the original session is lost.

Application: Citrix
User experience upon failover: The user is disconnected, and the Citrix session is lost. The user must actively re-establish a connection.

Further rows whose application names are not in this extract:
- A re-scan may be required if the user logs out of the portal, or needs to log in again.
- The user is unaware of the failover. However, if the failover happens while the user is clicking a link or waiting for a server response, the user may be disconnected and may need to refresh the page.
- If the user is in the middle of a multi-challenge login, he or she is redirected to the initial login page.

Application: SSL Network Extender Network Mode
User experience upon failover: The user may notice the connection stalling for a few seconds, as if there were a temporary network disconnection.

Application: SSL Network Extender Application Mode
User experience upon failover: SSL Network Extender remains open and in a connected state. However, connections of applications using the VPN tunnel are lost. Some applications (such as Outlook) try to reopen lost connections, while others (Telnet, for example) are closed or exit. Network Mode survives failover; Application Mode does not.

Third column values as extracted (its header is not in this extract): No; No; Yes; Yes; No; No; Mode dependent.
288
Explanation: Connectra clusters do not support IGMP registration (also known as IGMP Snooping). You should disable this feature in switches that rely on IGMP packets to configure their ports. In situations where disabling IGMP registration is not acceptable, it is necessary to configure static CAMs in order to allow multicast traffic on specific ports.

Certain switches have an upper limit on the number of broadcasts and multicasts that they can pass, in order to prevent broadcast storms. This limit is usually a percentage of the total interface bandwidth. It is possible to either turn off broadcast storm control, or to allow a higher level of broadcasts or multicasts through the switch.

If the connecting switch is incapable of having any of these settings configured, it is possible, though less efficient, for the switch to use broadcast to forward traffic, and to configure the cluster members to use broadcast CCP (described in If the Switch is Incapable of Forwarding Multicast on page 294).

Explanation: When running Connectra clusters, the Cluster interface (virtual) IP address is mapped to the MAC address of the active member. The router needs to be able to learn this MAC through regular ARP messages.
Routers: Cisco 7200 Series; Cisco 1600, 2600, 3600 Series

Routing Switch: Extreme Networks Blackdiamond (Disable IGMP snooping); Extreme Networks Alpine 3800 Series (Disable IGMP snooping); Foundry Network Bigiron 4000 Series; Nortel Networks Passport 8600 Series; Cisco Catalyst 6500 Series (Disable IGMP snooping, Configure Multicast MAC manually)

Switches: Cisco Catalyst 2900, 3500 Series; Nortel BayStack 450; Alteon 180e; Dell PowerConnect 3248 and PowerConnect 5224

no ip igmp snooping

Console> (enable) set cam permanent 01-40-5e-28-0a-64 1/1,2/1,2/3,2/8-12
Permanent multicast entry added to CAM table.
Console> (enable)
Determining the MAC addresses which need to be set is done by using the following procedure. On a network that has a cluster virtual IP address of x.y.z.w:
If y<=127, the multicast MAC address would be 01:00:5e:y:z:w. For example: 01:00:5e:5A:0A:32 for 192.90.10.50.
If y>127, the multicast MAC address would be 01:00:5e:(y-128):z:w. For example: 01:00:5e:28:0A:32 for 192.168.10.50 (168-128=40 = 28 in hex).
For a network x.y.z.0 that does not have a cluster virtual IP address, such as the sync, use the same procedure and substitute fa instead of 0 for the last octet of the MAC. For example: 01:00:5e:00:00:fa for the 10.0.0.X network.
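The octet rule above, as an added Python example (not code from the Check Point guide): it derives the CCP multicast MAC from a cluster virtual IP, covers the sync-network case, and formats the CatOS static-CAM line shown earlier. The function names and the CatOS formatting helper are assumptions made here; check the command syntax against your switch.

```python
"""Derive the CCP multicast MAC for a Connectra cluster VIP (added example)."""
import ipaddress


def ccp_multicast_mac(vip: str) -> str:
    """Return the multicast MAC (colon-separated, lower-case hex) for VIP x.y.z.w."""
    addr = ipaddress.IPv4Address(vip)   # validates the dotted-quad input
    _x, y, z, w = addr.packed           # x is not used in the MAC
    # The guide's two cases (y <= 127 -> y; y > 127 -> y-128) are the same as
    # keeping only the low 7 bits of y, i.e. the low 23 bits of the address.
    second = y - 128 if y > 127 else y
    return f"01:00:5e:{second:02x}:{z:02x}:{w:02x}"


def sync_network_mac(network: str) -> str:
    """MAC for a network x.y.z.0 with no cluster VIP (e.g. the sync network):
    same rule, but the last octet is fa instead of 00."""
    net = ipaddress.IPv4Network(network, strict=False)
    base = ccp_multicast_mac(str(net.network_address))
    return base[:-2] + "fa"


def catos_cam_command(mac: str, ports: str) -> str:
    """Hypothetical helper: build the CatOS static-CAM line in the form shown
    on this page (dash-separated MAC followed by the port list)."""
    return f"set cam permanent {mac.replace(':', '-')} {ports}"


if __name__ == "__main__":
    # Values from the guide's worked examples.
    for vip in ("192.90.10.50", "192.168.10.50"):
        print(vip, "->", ccp_multicast_mac(vip))
    print("10.0.0.0/24 (sync) ->", sync_network_mac("10.0.0.0/24"))
    print(catos_cam_command(ccp_multicast_mac("192.168.10.50"), "1/1,2/1"))
```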
SmartDashboard Configuration of a Single Cluster Interface Cluster, page 295
Adding a Server Certificate to a New Cluster Member, page 301
Licensing
Ensure all cluster members are licensed for the same number of users. They do not necessarily have to have identical licenses. Connectra cluster members must run the same software version.
Interface Configuration
The synchronization interfaces of the cluster members reside on the SAME subnet. The data interfaces of the cluster members must reside on the SAME subnet, DIFFERENT from the synchronization subnet. Use different interfaces for the data and synchronization networks. The recommended setting is to use eth0 for data and eth1 for synchronization.
Physical Connectivity
Synchronization in a two-member cluster can be done using a cross-cable between the two members. A cluster with more than two members requires a switch/hub for synchronization.
Configuration
Cluster member clocks must be synchronized. Use an NTP server or manually synchronize the clocks. Connectra clients access Connectra via two IP address/port combinations: one for the Connectra portal and another for SSL Network Extender. If you wish to use the same IP address for both, configure the portal to listen on port 443 and SSL Network Extender to listen on port 444.
Administration
Cluster members become active after the Security Policy is installed.
To configure a Connectra cluster with a single cluster interface, proceed as follows:
1. Define a new Connectra cluster object. Go to the SmartDashboard Connectra tab, and in the Connectra Gateways page select New > Connectra Cluster.
Figure 9-4
Fill in the fields on the page:
IP address of the Connectra cluster. Use the main cluster virtual IP address, such as the portal virtual IP address used in the Portal page.
Version of Connectra. The same version must be installed on all the cluster members.
OS is the Operating System. All cluster members must have the same OS.
Figure 9-5
2. Click Add... to add cluster members to the cluster. Cluster members exist solely inside the Gateway Cluster object. For each cluster member:
In the Cluster Members Properties window define a Name and IP Address. Choose an IP address that is routable from the SmartCenter server so that the Security Policy installation will be successful. This can be an interface used in the cluster, or a dedicated management interface.
Click Communication, and Initialize Secure Internal Communication (SIC). Enter the same Activation Key used when performing initial configuration of the newly installed Connectra gateway (in the Establish trust with a SmartCenter server section of the First Time Configuration Wizard).
Figure 9-6
Cluster Mode
High Availability allows organizations to maintain a connection when there is a failure in a cluster member, without Load Sharing between cluster members. Only one machine is active (Active/Standby operation).

Load Sharing distributes traffic within a cluster of gateways so that the total throughput of multiple machines is increased. All functioning machines in the cluster are active, and handle network traffic (Active/Active operation). If any cluster member becomes unreachable, transparent failover occurs to the remaining operational cluster members, thus providing High Availability. All connections are shared between the remaining cluster members without interruption.
3. In the cluster member interfaces columns (with the symbol), define the topology for each cluster member interface. To automatically read the interface settings for a member, click Get Topology at the top of a column. To automatically read the interface settings for all members, click Get all members topology.
4. In the cluster interfaces column (with the symbol), define the topology for each virtual cluster interface. To automatically define the cluster interfaces, click Copy topology to cluster interfaces. Alternatively, in a virtual cluster interface cell, right-click and select Edit Interface. The Interface Properties window opens. Name the virtual interface, and define an IP Address (in Figure 9-3 on page 295, 192.168.10.50). In the Member Networks tab, define the member network and its netmask if necessary.
5. In the Network Objective column, define the purpose of the network by choosing one of the options from the drop-down list.
6. To define a new network, click Add Network.
Chapter 9 Connectra Gateway Clusters
The Network Objectives are explained in the following table:

Network Objective: Single Cluster Interface
Meaning: This network contains IP addresses of the:
Cluster interface (virtual interfaces that represent the cluster as a whole, rather than the individual cluster members).
Cluster member machine interfaces in the same direction as the cluster interface.

Network Objective: Dual Cluster Interface
Meaning: A cluster interface with two IP addresses. (A cluster interface represents the cluster as a whole, rather than the individual cluster members). A Dual Cluster Interface is required where the Connectra user portal and SSL Network Extender have different IP addresses (in which case they must be in the same subnet and use the same port). Having separate IPs for the portal and for SSL Network Extender is useful to allow access to clients that are in locations which prevent client access to port 444, and only allow access to port 443. This network also contains the cluster member machine interfaces in the same direction as the Dual Cluster Interface. To add a Dual Cluster Interface, click Edit and enter a name and IP for each IP address.

Network Objective: Sync
Meaning: This is a synchronization network. It is recommended that a secure and dedicated network is used for synchronization. VLANs cannot be used in the synchronization network.

Network Objective: Non-Monitored Private
Meaning: (description not present in the extracted text)
Figure 9-9
To configure a Connectra cluster with a Dual Cluster Interface, follow the procedure described in SmartDashboard Configuration of a Single Cluster Interface Cluster on page 295, with the differences illustrated in the following figures.
Figure 9-10 General Properties and Cluster Members Pages - Dual Cluster Interface
Figure 9-12 Listening For Traffic - SSL Clients and Portal Pages - Dual Cluster Interface
IP Address Migration
If you wish to provide High Availability or Load Sharing to an existing standalone Connectra gateway configuration, it is recommended to take the existing IP addresses from the current gateway, and make these the cluster virtual addresses, when feasible. It is possible to define a one member Connectra cluster as part of the migration to clustering.
Using SmartDashboard
Edit the Connectra object or the Connectra cluster object, and update the IP address in the following pages:
General Properties
Cluster Members (Connectra cluster only)
Topology
Setting Up the Default Gateway if the Virtual IP is on a Different Subnet than the Physical IPs
When Connectra is set up as a cluster, the Cluster Interface (virtual) IP address may have to be defined on a subnet that is different from the ones on which the cluster member physical IPs are defined. If the default gateway resides on the subnet of the virtual IP address, its subnet is also different from the subnets of the physical IPs, and it must be defined as follows.
Perform the following on each cluster member in turn:
1. Log in to the Connectra local Web interface.
2. In the Device > Network > Routing page, define a new network routing rule (New > Route) to the desired subnet. Define the fields as follows:
Destination IP address is the IP address of the desired subnet.
Destination Netmask is the netmask of the desired subnet.
Interface is the interface that should be used to access the default gateway.
Gateway should be left empty.
Important! Metric should be kept as the default value.
3. Click Apply.
4. Define the new default gateway (New > Default Route).
5. Click Apply.
If you have problems with Outlook Web Access (OWA) after deploying Connectra:
1. Read the relevant sections in the Connectra administration guide. See Web Applications on page 48.
2. Check the Connectra release notes for additional information.
3. Go over the Troubleshooting Checklist.
4. Look for a description that matches your issues in Common OWA problems on page 312.
Troubleshooting Checklist
Verification
Reproduce the scenario without Connectra and ensure the problem does not occur.
Connectivity
Make sure that:
1. The Connectra machine has a network route to all relevant Microsoft Exchange servers and relevant server ports are accessible. Usually port 80 or 443. HTTP and/or HTTPS protocols must be traversable towards Microsoft Exchange servers.
2. Connectra users have a network route to the Connectra machine.
Configuration
Make sure that:
1. The Outlook Web Access version is supported by Connectra. See Unsupported Feature List on page 312.
2. Client-side browsers are supported by OWA and by Connectra. See Unsupported Feature List on page 312.
Chapter 10
3. OWA Services are configured to use protocols acceptable by the servers in question. For example, if an Exchange server is configured to accept HTTPS traffic only, the corresponding OWA Web application on Connectra must utilize HTTPS.
4. SSL Network Extender is turned off.
5. Security restrictions are disabled. See 3. Security Restrictions on page 318.
6. Users are authorized to access all necessary resources.
7. OWA services are configured with correct paths.
(*) These products and platforms have not been tested with Connectra. However, Connectra has been successfully integrated in such environments. Tip - According to Microsoft, only the following OWA configuration supports non-IE browsers: OWA 2000 / 2003 running on Microsoft Exchange 2003 using Outlook Web Access Basic scheme.
If you must utilize one of these features, use SSL Network Extender.
Tip - Check your traffic logs for errors. The logs may help you to pinpoint the problem.
1. Authentication
After users log in to Connectra, and attempt to access an OWA application, they are required by OWA to provide authentication credentials. Outlook Web Access has two authentication schemes: the regular HTTP-based authentication (HBA), which is the default, and Form-Based authentication (FBA). In addition, Connectra supports single sign-on (SSO) through HBA. Hence, there are three possible authentication schemes when accessing OWA through Connectra.
In This Section
HBA problems, page 313
FBA Problems, page 314
Single Sign On Problems, page 315
HBA problems
If an internal Web Server requests Integrated Windows Authentication (NTLM) or any other HTTP-based authentication, Connectra either displays a dialog box requesting login credentials, or tries to use the user's portal credentials, depending on the configuration of the Connectra Web application. HBA-related problems may result from:
Client-side popup-blocker software
The use of IIS web-based password management services
FBA Problems
Some authentication issues that occur in older versions of Connectra are rectified in later versions. See Authorization Use Case on page 316 for a similar problematic scenario.
2. Authorization
The authorization mechanisms of Connectra allow administrators to grant access to various resources on a per-path, per-host and per-port basis. Connectra views Outlook Web Access as a Web application with special properties, connecting to a special web server. Authorization-related problems may result from:
1. Discrepancies in the configuration of the OWA Web Application versus the setup in the Microsoft Exchange server.
2. Alternative references to OWA.
3. Insufficient user permissions or failure to apply pertinent user permissions.
User experiences may vary widely. However, most authorization failures will result in the following error page:
Cause:
The Microsoft Exchange server side component (IIS or other) is configured to accept both HTTP and HTTPS traffic, whereas the Connectra OWA Web application is configured to authorize HTTP traffic only.
Explanation:
The Form Based Authentication setting on the Microsoft Exchange server requires clients to use SSL, which means that some server-side component (be it IIS or other) must also accept SSL traffic. The following message is displayed to the Microsoft Exchange administrator upon FBA configuration:
This means that IIS is likely to be configured to work over SSL. However, in complex cases such as SSL encryption being off-loaded to another source, and the IIS server itself allowing HTTP traffic, the Connectra administrator may not be aware of the need to authorize HTTPS traffic. As a result, discrepancies may occur.
Tip - When FBA is in use, always set the OWA Web application to allow HTTPS traffic.
Solution:
Match the OWA Web application configuration defined on Connectra with actual deployment.
User experiences may vary. In some cases the problem may result in a run-time JavaScript error or even apparent halting of OWA (see Insufficient User permissions for more information):
3. Security Restrictions
Connectra utilizes many built-in security features that screen inner networks from external threats. In addition, the Connectra endpoint security features protect the endpoint devices. Occasionally, protection mechanisms may hamper legitimate user activities. To eliminate this possibility, switch off all security features during troubleshooting. Install the Security Policy from the SmartDashboard after making these changes. User experiences may vary widely so they are not detailed here.
STEP #1:
To reduce the number of false-positives:
In SmartDashboard, in the SmartDefense tab, go to Web Intelligence and turn all Application Layer Protection Level settings to Low.
In the ASCII Only Request protection, uncheck Block non ASCII characters in form fields.
Install the Security Policy from SmartDashboard.
STEP #2:
If Step #1 did not solve the problem, try the following:
Modify the Endpoint Compliance page of the Connectra Web Application to Allow caching of all content.
In SmartDashboard, in the SmartDefense tab, go to Web Intelligence and in the HTTP Protocol Inspection > HTTP Methods protection, uncheck Block standard Unsafe HTTP methods.
In the Malicious Code > General HTTP Worm Catcher protection, disable the htr worm pattern.
See IIS web-based password management services on page 314 for more details.
STEP #3:
If Step #2 did not cure the problem, try the following steps in order:
1. Switch off all Web Intelligence protections.
2. Switch off all SmartDefense protections.
3. Switch off all Endpoint Security features (in the Connectra tab, under Endpoint Security On Demand > Endpoint Compliance).
4. Install the Security Policy from SmartDashboard.
4. Performance Issues
Performance issues may occur with OWA for the following reasons:
1. Connectra Logging Issues.
2. OWA over SSL or OWA with Form Based Authentication Enabled.
3. Slow Network Problems.
4. Latency Overhead Problems.
5. Authorization Problems.
6. SSL Time-out Problems.
Solution:
1. Turn off Debug logs and Trace logs.
2. Purge existing Debug logs and Trace logs.
To turn off Debug logs and Trace logs:
1. Modify $CVPNDIR/conf/httpd.conf.
2. Set the LogLevel parameter to emerg.
3. Make sure the following lines are commented. Commented lines are preceded by #:
To purge existing Debug logs and Trace logs:
1. Empty or delete all httpd*.log files located in the $CVPNDIR/log directory.
2. Empty or delete the mod_ws.log file located in the $CVPNDIR/log directory.
3. Empty or delete the mod_ws_boa.log file located in the $CVPNDIR/log directory.
4. Delete all files located under the $CVPNDIR/log/trace_log directory.
5. Repeat for each Connectra cluster member (if any).
This option is normally used if the Microsoft Exchange server is configured to accept SSL-encrypted traffic (HTTPS). This is the case if OWA is configured to use Form Based Authentication (FBA). Upon enabling FBA, the Exchange administrator is prompted by the IIS to change the Web application to work over SSL. Configuring OWA to use SSL inside secure networks may cause degradation in performance and browsing experience.
With Connectra in such a topology, the amount of SSL negotiations grows considerably. SSL negotiations are very CPU-intensive, hence the performance degradation.
Solution:
Change the topology to use HTTP instead of HTTPS inside secure networks.
Use a machine with a faster CPU.
Solution:
Minimize the latency overhead by increasing the performance of Connectra. You can do this by using a machine with a faster CPU.
Authorization Problems
Problems may occur due to failure to apply proper user permissions. For more details, see the Insufficient User permissions section.
Solution:
Do one of the following:
1. If feasible, upgrade Internet Explorer by following the instructions in the relevant Microsoft articles below.
2. Alternatively, configure Connectra so that it does not use keep-alive packets when communicating with those hosts or paths.
See the following Microsoft articles for more information:
http://telanis.cns.ualberta.ca/
http://support.microsoft.com/kb/183110/
http://support.microsoft.com/?kbid=831167
http://support.microsoft.com/?scid=kb;EN-US;Q305217
To configure Connectra to work without keep-alive packets to specific locations: 1. Supply additional LocationMatch directives for each host used by the Web Application in question. All directives go in the $CVPNDIR/conf/includes/Main.virtualhost.conf file, in the VirtualHost section. For more information, see: http://httpd.apache.org/docs/2.0/mod/core.html#locationmatch
<LocationMatch "CVPNHost=<IP or DNS name delimited by dots>">
SetEnv nokeepalive
</LocationMatch>
For example:
<LocationMatch "CVPNHost=208\.77\.188\.166">
SetEnv nokeepalive
</LocationMatch>
........
<LocationMatch "CVPNHost=myhost\.example\.com|CVPNHost=myhost">
SetEnv nokeepalive
</LocationMatch>
2. Run the cvpnrestart command.
3. Repeat for each Connectra cluster member (if any).
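The LocationMatch procedure above, as an added Python example (not Check Point's code): it generates the directive block for a list of back-end hosts with regex metacharacters escaped, and checks offline which CVPNHost URLs the pattern would match. Only the LocationMatch/SetEnv nokeepalive form and the CVPNHost= URL component come from the guide; the helper names and the sample URLs are constructed here.

```python
"""Generate and check Connectra keep-alive exceptions (added example)."""
import re


def keepalive_exception(hosts):
    """Return one <LocationMatch> block covering all given host names or IPs.
    A dot in a hostname is a regex metacharacter, so it is escaped; otherwise
    '208.77.188.166' would also match '208x77x188x166'."""
    alternatives = "|".join("CVPNHost=" + re.escape(h) for h in hosts)
    return (f'<LocationMatch "{alternatives}">\n'
            f'    SetEnv nokeepalive\n'
            f'</LocationMatch>')


def pattern_from_block(block):
    """Pull the quoted regex back out of a generated block."""
    match = re.search(r'<LocationMatch "([^"]*)">', block)
    if match is None:
        raise ValueError("not a LocationMatch block")
    return match.group(1)


def disables_keepalive(block, url):
    """True if the block applies to url: LocationMatch does an unanchored
    regex search against the request URL, which is what re.search does here."""
    return re.search(pattern_from_block(block), url) is not None


if __name__ == "__main__":
    block = keepalive_exception(["myhost.example.com", "myhost"])
    print(block)
    # Constructed URL in the translated form shown on this page.
    sample = "/Web/Bulletin1H.PDF,CVPNHost=myhost.example.com,CVPNProtocol=http"
    print(disables_keepalive(block, sample))
```

Alternatives match as substrings, so a short name such as myhost also matches a host named myhostile; list the FQDN where that ambiguity matters.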
Bulletin1H.PDF,CVPNHost=192.168.201.6,CVPNProtocol=http,CVPNOrg=full,CVPN Extension=.PDF
To solve this, configure the Web Application to use Hostname Translation. See Configuring Link Translation on page 242.
Troubleshooting Citrix
Note - This Citrix troubleshooting section pertains to Citrix-related issues occurring when working through Connectra without the use of SSL Network Extender.
If you have any problems with Citrix following the deployment of Connectra, take the following steps:
1. Read the relevant section on Citrix Services. See Understanding Citrix Services on page 66.
2. Read Connectra's release notes for additional information.
3. Go over the Troubleshooting Checklist on page 326.
4. Look for the problem description in Common Connectra Citrix problems on page 327.
Troubleshooting Checklist
Connectivity
Make sure that:
1. Connectra has a network route to all WI (NFuse) servers intended to be used and relevant server ports are accessible. Usually ports 80 or 443. HTTP and/or HTTPS protocols must be traversable towards WI (NFuse) servers.
2. Connectra has a network route to all MetaFrame servers intended to be used and relevant server ports are accessible. Usually ports 1494 or 2598. ICA protocol must be traversable towards MetaFrame servers.
3. Connectra machine has a network route to all STA servers intended to be used, if any, and port 80 on STA servers is accessible, and HTTP protocol is traversable.
4. Connectra users have a network route to the Connectra machine.
Configuration
Make sure that:
1. Citrix servers and clients are of those versions supported by Connectra.
2. All necessary STA servers are configured with corresponding Citrix Services on Connectra.
3. Connectra's server certificate is issued to Connectra's Fully Qualified Domain Name (such as www.example.com), is properly configured, and is trusted by the client-side.
Organizations may choose to act as their own CA. To do so, they must install and use their own certificate-generating service. Microsoft provides such a service with Microsoft Certificate Services, an optional Windows component. When using your own certificate server, the responsibility for distributing your CA root certificate to clients falls upon you.
Tip - Independent Citrix Architecture (ICA) allows automatic root-certificate distribution for Citrix Java clients 8.2 and earlier, deployed through the WI (NFuse) portal.
In such a case, root-certificate distribution becomes transparent for both Connectra administrators and users.
Cause: Your Connectra's server certificate is issued to an IP address instead of an FQDN.
Solution: Make sure Connectra's server certificate is issued to an FQDN that fully matches the FQDN of the Connectra server. Make sure the FQDN of the Connectra server is routable from the client side.
Cause: Your Connectra's server certificate is issued by a private Certification Authority (CA), which is not trusted by the client-side browser. This includes Connectra's self-signed certificate.
Solution: Set Connectra to use a server certificate signed by a publicly trusted CA. See Obtaining and Installing a Trusted Server Certificate on page 247.
Cause: In order of likelihood:
Connectra's server certificate is issued to an FQDN that is not routable from the client side.
Connectra's server certificate is issued to an FQDN that does not match the FQDN of Connectra.
There is more than one machine with the specified FQDN, either rightfully or due to DNS problems or asymmetric routing problems.
Solution: Make sure Connectra's server certificate is issued to an FQDN that fully matches the FQDN of the Connectra server. Make sure that the FQDN of the Connectra server is routable from the client side.
Cause: Connectra's server certificate is issued to a host-name (such as example) instead of an FQDN (such as www.example.com).
Solution: Make sure Connectra's server certificate is issued to an FQDN that fully matches the FQDN of the Connectra server. Make sure the FQDN of the Connectra server is routable from the client side.
Cause: In order of likelihood:
Connectra's server certificate has not yet become valid. This often happens when administrators issue the new server certificate and immediately afterwards try to test valid Citrix operation. Because of small time differences between server and client machines, the certificate may still be considered invalid.
Connectra's server certificate is out of date and needs to be renewed.
Solution: Make sure your client machines' time and date settings are in sync with Connectra's time and date settings. If necessary, replace Connectra's server certificate with a valid one.
Cause: In order of likelihood:
Connectra's server certificate is issued to a host-name (such as example) instead of an FQDN (such as www.example.com).
The client-side machine has an unclean environment. For example, ICA Web Client had previously been installed and you are trying to install the ICA Java Client, or vice versa.
Solution:
1. Make sure Connectra's server certificate is issued to an FQDN that fully matches the FQDN of the Connectra server. Make sure the FQDN of the Connectra server is routable from the client side.
2. Uninstall all Citrix (ICA) clients (from Add > Remove Programs).
3. Delete the browser cache and ActiveX objects (in Internet Explorer, Tools > Internet Options).
4. Remove the \Program Files\Citrix folder.
5. Re-deploy the ICA client from the Web Interface (NFuse) server.
2. Security Restrictions
Connectra utilizes many built-in security features that effectively screen the inner networks from external threats. In addition, Connectra's endpoint security features guard customers' privacy on each particular client device.
Note - Occasionally, protection mechanisms may hamper legitimate user activities. In order to eliminate this possibility, Check Point recommends switching off all security features during troubleshooting. User experiences may vary widely so they are not detailed here.
Try the following steps in order:
1. Modify the Endpoint Compliance page of the Connectra Web Application to Allow caching of all content. This could be especially helpful in the following cases:
when working with non-standard ICA clients.
when working with non-standard client versions.
when using the MetaFrame Presentation Server Client Packager.
2. Switch off Web Intelligence protections.
3. Switch off SmartDefense protections.
4. Switch off Endpoint Security protections.
Cause: In order of likelihood:
Connectra's configuration of the Citrix Service lacks STA server configuration, or the STA configuration is invalid.
Connectra encountered a problem while connecting to an STA server.
The STA protocol version is not supported by Connectra.
Solution: Make sure Connectra's configuration of the Citrix Service includes STA servers' configuration, exactly matching the configuration of the WI (NFuse) server in question. Make sure all relevant STA servers are up and functioning. Make sure all relevant STA servers are routable from Connectra.
Cause: In order of likelihood:
Connectra encountered a problem while connecting to an STA server.
Connectra's configuration of the Citrix Service has an invalid STA server configuration.
The STA protocol version is not supported by Connectra.
Solution: Make sure Connectra's configuration of the Citrix Service includes STA servers' configuration, exactly matching the configuration of the WI (NFuse) server in question. Make sure all relevant STA servers are up and functioning. Make sure all relevant STA servers are routable from Connectra.
4. Java Packages
When using Java clients, it is possible to specify what packages will be used by the Java client. Java packages are modules capable of supporting various added functionalities of the client, for example SSL/TLS, ICA Encryption, or Seamless Windows.
Note - Connectra enforces some of the added functionalities of the Java client, for example, SSL/TLS encryption and ICA encryption. Connectra is capable of adding the enforced packages automatically; however, in various non-standard cases (for example, custom-designed applets), this might not be sufficient.
Cause: The WI (NFuse) server is configured to deploy ICA Java clients without [some] package. In this example, the Java client is lacking the ICA Encryption package.
Solution: Configure the WI (NFuse) server to deploy ICA Java clients together with the required package.
Cause: Causes may vary. In one particular case, the WI (NFuse) server was configured to deploy ICA Java clients without the SSL package.
Solution: Make sure that the WI (NFuse) server is configured to deploy ICA Java clients together with the SSL and ICA Encryption packages. Try selecting all possible packages and then one by one determine which one is lacking.
5. JVM Environments
When using Java clients, a Java Virtual Machine (JVM) is required to run on the endpoint. Each particular version of Citrix Java client has a certain matrix of JVMs it supports and JVMs it does not support. Each particular JVM may also need to be configured in a certain way, in order for the ICA Java client to function properly.

When introducing Connectra into a Citrix topology, all traffic between the ICA clients and Connectra becomes SSL-encrypted. This changes the way the ICA Java client interacts with a JVM. It might be that particular versions of ICA Java clients must work with a different JVM when utilizing SSL/TLS. Connectra and Citrix administrators should be mindful of this fact and make sure Java clients are able to utilize SSL/TLS before introducing Connectra into the Citrix topology. If at any point during Connectra's introduction into the Citrix deployment, the ICA Java client malfunctions or fails to deploy, make sure the JVM requirements are up to Citrix specifications.

Tip - According to Check Point findings:
1. Citrix Java clients 8.2 and earlier, utilizing SSL in IE - function only using Microsoft JVM - this is a Citrix restriction, not Connectra's. 2. Citrix Java clients 9.0 and later, utilizing SSL in IE - function only using SUN JVM - this is a Citrix restriction, not Connectra's. 3. Please note that ICA clients 9.x or later are supported only through the use of the SSL Network Extender Network mode client. This is because Citrix changed the underlying communication protocol and canceled backward compatibility.
After clicking the aaa icon, the user gets the following window:
Cause: The URL under the aaa icon has not been configured as a Web application in Connectra; therefore, access to this URL has been blocked by Connectra.
Solution: Make sure that such URLs are accessible via Connectra by configuring the corresponding Web applications in the SmartDashboard Connectra tab.
4. When trying to launch the Lotus Notes 6.0 and 6.5 client with SSL Network Extender Application Mode without having the Lotus server configured on the DNS server, a connection will not be established. The server must be configured on the organization's DNS server or in the hosts file on the user's machine.
5. For some applications (Rational ClearQuest is one), connections stay idle for a time, and when communication is resumed after a connection timeout, reset (RST) packets are sent to the client and server. Without this RST, they may hang or behave unexpectedly. Connectra records all TCP connections with a certain timeout; the default timeout is one hour. When this timeout is reached, the connection is deleted from Connectra. By default, Connectra does not send a RST packet upon TCP connection expiration. As a workaround, either change this setting so that a RST is sent upon expiration of a connection, or change the timeout for the specific service. To change the setting, follow the instructions in SecureKnowledge solution sk31904.
Table 10-1 Automatically Disabled Web Intelligence protections Per Application (continued)
Detected Connectra Application: File Shares via the Web-based file viewer
Disabled Protection(s): SQL Injection
Detected Connectra Application: Outlook Web Access
Disabled Protection(s): SQL Injection; Command Injection; Block WebDAV HTTP methods; Block Unsafe HTTP methods (only the OPTIONS, PUT, and DELETE methods are disabled)
Detected Connectra Application: Web Mail
Disabled Protection(s): SQL Injection; Command Injection
Note - The HTTP method TRACE is always blocked by Connectra, irrespective of the protections configured in Web Intelligence.
Managing SecurePlatform
This section provides information on how to manage your Connectra system, using the SecurePlatform Command Shell. The Command Shell provides a set of commands required for configuration, administration and diagnostics of various system aspects. SecurePlatform Command Shell uses standard shell command line editing conventions. SecurePlatform Shell includes two permission levels (Modes): Standard and Expert.
Standard Mode
Standard Mode is the default mode when logging in to a SecurePlatform system. In Standard Mode the SecurePlatform Shell provides a set of commands required for easy configuration and routine administration of a SecurePlatform system. Standard Mode displays this prompt: [hostname]#, where hostname is the host name of the machine.
Expert Mode
Expert Mode provides the user with full system root permissions and a full system shell. Switching from Standard Mode to Expert Mode requires a password. The first time you switch to Expert Mode, you are asked to select a password; until then, the password is the same as the one you set for Standard Mode. To exit Expert Mode, run the command exit. Expert Mode displays this prompt: [Expert@hostname]#, where hostname is the host name of the machine.
Note - Expert Mode should be used with caution. The flexibility of an open shell with root permission exposes the system to the possibility of administrative errors.
Secure Shell
Connectra enables SSH access, allowing secured, authenticated and encrypted access to the SecurePlatform system. SSH (Secure Shell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine. SSH provides the following safeguards:
After an initial connection, the client can verify that it is connecting to the same server during subsequent sessions.
The client can transmit its authentication information to the server, such as a username and password, in an encrypted format.
All data sent and received during the connection is transferred using strong encryption, making it extremely difficult to decrypt and read.
The SSH service runs by default. Granular control of permitted IP addresses that are allowed access to the SecurePlatform system using SSH can be set using the Connectra administration portal. SSH login is allowed using the Standard Mode account user name and password only.
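The first safeguard above (the client recognising the same server on later sessions) rests on the client pinning the server's host key on first contact and refusing a different key afterwards. The following is an added illustration of that trust-on-first-use check, not Check Point or OpenSSH code; the host name and key bytes are constructed, and the fingerprint format follows the SHA-256 display form that OpenSSH clients print.

```python
"""Trust-on-first-use (TOFU) host key pinning, a model of the SSH safeguard
"the client can verify that it is connecting to the same server during
subsequent sessions". Added example; not Check Point or OpenSSH code.
Keys and host names below are constructed for illustration."""
import base64
import hashlib


class HostKeyMismatch(Exception):
    """A pinned host presented a different key: possible interception or a
    legitimately re-keyed gateway. Either way the session must not proceed
    silently; an administrator has to confirm which case it is."""


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint in the display form used by OpenSSH clients
    (base64 without padding, prefixed by the hash name)."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """In-memory stand-in for a known_hosts file (constructed)."""

    def __init__(self) -> None:
        self._pins: dict = {}

    def verify(self, host: str, public_key: bytes) -> str:
        """Check the key a server presents for `host`.

        Returns "first-use" when no pin exists yet (the fingerprint must then
        be confirmed out of band, e.g. against the value shown on the gateway
        console), "match" when it equals the pinned fingerprint, and raises
        HostKeyMismatch otherwise.
        """
        presented = fingerprint(public_key)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = presented
            return "first-use"
        if pinned != presented:
            raise HostKeyMismatch(
                f"{host}: pinned {pinned} but server presented {presented}"
            )
        return "match"

    def forget(self, host: str) -> None:
        """Drop a pin only after an administrator has confirmed a planned re-key
        (for example after the gateway was reinstalled from a snapshot)."""
        self._pins.pop(host, None)
```

The "first-use" result is the weak point of the scheme: nothing in the protocol can vouch for the very first key, so the fingerprint of the gateway should be compared against a value obtained through a trusted channel before the session is used for administration.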
This section describes commonly used SecurePlatform shell commands. These commands are required for configuration, administration and diagnostics of various system aspects.
Note - All commands are case sensitive.
format (.tgz). Backup files saved locally are kept in /var/CPbackup/backups. The restore command line utility is used for restoring SecurePlatform settings and/or product configuration from backup files. Note - Only administrators with Expert permission can directly access directories of a Connectra system.
backup
Backup the system configuration. The backup command, run by itself, without any additional flags, will use default backup settings and will perform a local backup. Syntax:
backup [-h] [-d] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off] [[--tftp <ServerIP> [<Filename>]] | [--scp <ServerIP> <Username> <Password> [<Filename>]] | [--file <Filename>]]
restore
Restore the system configuration. Syntax:
restore [-h] [-d][[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
snapshot
This command creates a snapshot file. The snapshot command, run by itself, without any additional flags, will use default backup settings and will create a local snapshot.
Syntax:
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
revert
Reboot the system from a snapshot file. The revert command, run by itself, without any additional flags, will use default backup settings and will reboot the system from a local snapshot. Syntax:
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
cpadminip
In SecurePlatform Expert Mode, you may limit access of administrators to specific IPs or networks.
Note - In SecurePlatform machines, SSH access to the Connectra gateway is also governed by this setting.
Syntax:
Parameters: Table 11-1 cpadminip Parameters (parameter and meaning)
Adds an IP or network to the list of allowed addresses.
Removes an IP or a network from the list of allowed addresses.
If True, allows connections from any address. If False, allows only addresses specified in the list of allowed addresses.
Shows the allowed IPs (all, or a list).
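The four operations in Table 11-1 (add, remove, allow-any switch, show) amount to an address allow list consulted for every administrative connection, SSH included. The following added example models that list with the standard `ipaddress` module so the matching semantics can be seen and tested; it is not the cpadminip implementation, the class and method names are assumptions, and the addresses are constructed. It also adds the one check worth running before tightening the list: whether the session you are configuring from would still be admitted.

```python
"""Model of an administrator-access allow list such as the one cpadminip
maintains: a list of IPs/networks plus an "allow from any address" switch.
Added example, not the cpadminip implementation; addresses are constructed."""
import ipaddress


class AdminAccessList:
    def __init__(self, allow_any: bool = False) -> None:
        # When True the list is ignored and every source address is admitted.
        self.allow_any = allow_any
        self._entries = []  # ip_network objects, hosts stored as /32 or /128

    def add(self, spec: str) -> None:
        """Add a host ("192.0.2.10") or a network ("10.0.0.0/24")."""
        net = ipaddress.ip_network(spec, strict=False)  # host bits tolerated
        if net not in self._entries:
            self._entries.append(net)

    def remove(self, spec: str) -> bool:
        """Remove an entry; returns False if it was not present."""
        net = ipaddress.ip_network(spec, strict=False)
        if net in self._entries:
            self._entries.remove(net)
            return True
        return False

    def show(self):
        """"all" when any address is allowed, else the list as strings."""
        if self.allow_any:
            return "all"
        return [str(n) for n in self._entries]

    def is_allowed(self, address: str) -> bool:
        """Decision for one source address. An empty list with allow_any
        False admits nobody, which is how lock-outs happen."""
        if self.allow_any:
            return True
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in self._entries)

    def would_lock_out(self, my_address: str) -> bool:
        """Check before applying a change: does the list still admit the
        address you are administering from? Since SSH is governed by the
        same list, a wrong entry made over SSH ends the session you need
        to fix it."""
        return not self.is_allowed(my_address)
```

IPv4 and IPv6 entries can be mixed; an address of one family never matches a network of the other, so an IPv6 administrator needs an IPv6 entry even if the IPv4 range is already listed.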
cpstart
cpstart starts all the Check Point applications running on a machine (other than cprid, which is invoked upon boot and keeps on running independently). cpstart implicitly invokes fwstart (or any other installed Check Point product, such as etmstart and uagstart).
When this command is invoked from an SSH shell prompt, the connection to Connectra is reset, because the resulting policy installation resets all connections to the machine. Syntax: cpstart
cpstop
cpstop stops all the Check Point applications running on a machine (other than cprid, which is invoked upon boot and keeps on running independently). cpstop implicitly invokes fwstop (or any other installed Check Point product, such as etmstop and uagstop).
Syntax: cpstop
cplic
Show, add or remove Check Point licenses. Syntax: cplic { put | del | print | check }
ping [-dfnqrvR] [-c count] [-i wait] [-l preload] [-p pattern] [-s packetsize]
Note - If the gateway is a Connectra NGX R66, SecureClient Mobile cannot connect at all unless the gateway is configured for SecureClient Mobile support (see Setting Up SecureClient Mobile Support for Connectra Gateways on page 366), and is not affected by the Endpoint Security On Demand and Secure Workspace settings. In this case, if the gateway is licensed for SecureClient Mobile, enforcement mode is available. If the gateway is not licensed for SecureClient Mobile, enforcement mode is not available, but SecureClient Mobile will be allowed to connect to the gateway.
All configuration instructions in this book are for Central Enforcement. For information on configuring SSL Network Extender on a VPN-1 gateway, see the VPN Administration Guide. For information on configuring SSL Network Extender on a Connectra gateway, see the Connectra Web Security Gateway Administration Guide.
In a Centrally Managed deployment, the enforcement policy is defined centrally on the SmartCenter or Provider-1 CMA, using SmartDashboard, and is installed from there onto the gateways.
Seamless Connectivity: If SecureClient Mobile's VPN connection drops, such as when entering an elevator, or the user moves Internet connectivity between interfaces, the client seamlessly reconnects the VPN tunnel.
Automatic Connectivity: SecureClient Mobile can be configured to automatically connect to the last-connected gateway, to initiate a dialup connection in the absence of another Internet connection, or to connect to a gateway upon application request.
Usability: SecureClient Mobile menus and visual elements are designed for user friendliness, minimal user intervention, and seamless connectivity.
API: SecureClient Mobile can respond to third-party applications through a programmable and extensible interface.
This chapter describes how to install SecureClient Mobile in a Check Point VPN-1 and a Connectra environment.
Gateway Setup
In This Section
Overview: page 364
Requirements for Central Management: page 365
Setting Up SecureClient Mobile Support for VPN-1 Gateways: page 367
Overview
Gateway support for Central Enforcement for the current version of SecureClient Mobile is built-in on the Connectra NGX R66 gateway, and may be included in future HFAs for other versions of Connectra and for VPN-1 NGX R65 gateways as well. In these deployments, no further gateway setup is required. SecureClient Mobile support can be added to gateways of the following versions:
VPN-1 NGX R60 HFA_04 or later
VPN-1 NGX R61 HFA_01 or later
VPN-1 NGX R62 or later
Connectra NGX R62 or later
Install SecureClient Mobile support on these gateways as follows:
1. Obtain a SecureClient Mobile installation zip file.
2. Extract the zip file, and locate the three .ttm files.
3. Copy the three .ttm files to the gateway, into:
$FWDIR/conf
If the filenames already exist on the gateway, replace them with the new ones.
4. Overwrite the .ttm files' default values with the values you configured, by logging into SmartDashboard and initiating Install Policy on the gateway.
Earlier versions of VPN-1 or Connectra do not support Enforcement Mode. However, SecureClient Mobile can connect to these gateways in SSL Network Extender mode. See SecureClient Mobile Overview on page 358 for details.
To change a policy, find the policy's property name in the list of properties in Advanced Configuration on page 397. Open the required .ttm file and change the default value of the required property. Save the file and install the policy on the gateway. For example, to give neo_replace_http_proxy (in vpn_client_1.ttm) the value 192.164.111.1, change:
:neo_replace_http_proxy ( :gateway ( :default ("") ) )
to:
:neo_replace_http_proxy ( :gateway ( :default ("192.164.111.1") ) )
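Editing the :default value by hand works for one property, but when several gateways are maintained without central management it is easy to change the wrong block or unbalance the parentheses. The following added example reads and rewrites the :default value of a named property in the nested ":name ( ... )" form shown above; it is not a Check Point tool, the helper names are assumptions, the sample file content is constructed, and the two property names in it are the ones this chapter mentions.

```python
"""Read or change the :default value of a SecureClient Mobile property in a
gateway .ttm file, following the layout shown in the text. Added example,
not a Check Point tool; SAMPLE_TTM is constructed."""
import re


def _pattern(prop: str):
    # Matches   :prop ( :gateway ( :default (<value>) )   with any whitespace.
    # <value> is either a quoted string or one bare token such as 5 or true.
    return re.compile(
        r'(:' + re.escape(prop) + r'\s*\(\s*:gateway\s*\(\s*:default\s*\()'
        r'("[^"]*"|[^()"\s]+)'
        r'(\s*\))'
    )


def get_default(ttm_text: str, prop: str) -> str:
    """Return the current :default value of `prop`, unquoted."""
    m = _pattern(prop).search(ttm_text)
    if m is None:
        raise KeyError(prop)
    return m.group(2).strip('"')


def set_default(ttm_text: str, prop: str, value: str) -> str:
    """Return a copy of the file with `prop`'s :default set to the quoted
    string `value`. Only the first match is rewritten; an unknown property
    raises rather than silently leaving the file unchanged."""
    if '"' in value or "(" in value or ")" in value:
        raise ValueError("value must not contain quotes or parentheses")
    new_text, count = _pattern(prop).subn(
        lambda m: f'{m.group(1)}"{value}"{m.group(3)}', ttm_text, count=1
    )
    if count == 0:
        raise KeyError(prop)
    return new_text


# Constructed excerpt in the shape of vpn_client_1.ttm (not the real file).
SAMPLE_TTM = """\
:neo_replace_http_proxy (
        :gateway (
                :default ("")
        )
)
:neo_disconnect_when_idle_timeout (
        :gateway (
                :default (5)
        )
)
"""


def example() -> str:
    """Apply the change from the text to the constructed sample."""
    return set_default(SAMPLE_TTM, "neo_replace_http_proxy", "192.164.111.1")
```

The value is always written as a quoted string, matching the example in the text; numeric properties such as the idle timeout keep their bare form when read with get_default, so a caller changing one of those should write the bare token instead. Keep a copy of the original file and diff the result before running Install Policy.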
If you have lower-version management (SmartCenter or Provider-1), that is capable of managing SecureClient Mobile NGX R65, you will be able to centrally manage only legacy SecureClient Mobile features. Features new to the current version of SecureClient Mobile will not be centrally manageable. With management that does not conform to SecureClient Mobile NGX R65 requirements, you cannot use SmartDashboard to centrally manage SecureClient Mobile at all. Central Enforcement of SecureClient Mobile without appropriate management, or of features that cannot be centrally managed, can be locally configured at the gateway by directly editing gateway TTM files. For details, see Managing Central Enforcement on a Non-Centrally Managed Gateway on page 398. All setup and configuration instructions in this guide assume Central Management capability for the features under discussion, except where specified otherwise.
2. In the navigation tree, select Remote Access. In the Remote Access page, select Support Visitor Mode.
Configuring Visitor Mode does not interfere with regular SecureClient user functionality, but permits SecureClient users to enable visitor mode.
3. In the navigation tree, under Remote Access, select SSL Clients. In the SSL Clients page, select SecureClient Mobile.
4. In the navigation tree, select VPN. Click Add, and add the gateway to a Remote Access community.
5. In the navigation tree, select Topology. Configure the VPN Domain in the same way as for SecureClient. For details, see the VPN Administration Guide.
Note - To create a different encryption domain for remote access clients that connect to the gateway, click Set domain for Remote Access Community.
6. In the navigation tree, under Remote Access, select Office Mode. Configure Office Mode as described in the Office Mode chapter of the VPN Administration Guide.
Note - If the gateway is in a Load Sharing Cluster, only the Manual (IP pool) method is supported.
7. If the gateway is in a Load Sharing Cluster, enable the Sticky Decision Function as follows:
a. In the navigation tree, select ClusterXL.
b. In the ClusterXL page, click Advanced.
c. Select Use Sticky Decision Function.
d. Click OK.
For more information on the Sticky Decision Function, see the ClusterXL Administration Guide.
8. Click OK.
9. Install Policy.
10. Configure users in the same manner as SecureClient users are configured. For more information on configuring users, see the VPN Administration Guide.
11. If the gateway is configured for SecureClient, and you have SCV (Secure Configuration Verification) enforcement configured for SecureClient users, it is necessary to exempt VPN Clients from SCV, as follows:
a. In SmartDashboard, from the Policy menu, select Global Properties.
b. In the navigation tree, under Remote Access, select Secure Configuration Verification (SCV).
c. Click Exceptions. The Secure Configuration Verification Exceptions window opens.
d. Select Do not apply Secure Configuration Verification on SSL clients connections.
e. Click OK.
12. SecureClient Mobile uses TCP port 443 (SSL) to establish a secure connection with the VPN, and for remote administration purposes. This may conflict with SecurePlatform's or Nokia's web user interfaces. Another port may be assigned to SecureClient Mobile; however, this is not recommended because most proxies do not allow ports other than 80 and 443. Instead, it is recommended that you assign SecurePlatform's or Nokia's web user interface to a port other than 443 as follows:
On SecurePlatform, do one of the following: To change the WebUI port, run:
webui disable
On a Nokia platform, to change a Voyager port run:
Client Installation
In This Section
Client Deployment Overview: page 372
Supported Platforms: page 372
Installation Prerequisites: page 373
Installing SecureClient Mobile: page 373
Importing Personal Certificate: page 375
Uninstalling SecureClient Mobile: page 375
Supported Platforms
An updated list of supported devices and operating systems can be found in the Release Notes for the current version of SecureClient Mobile.
Installation Prerequisites
This prerequisite applies to all previous versions of SecureClient Mobile. Before installing SecureClient Mobile on a Windows Mobile device, you have to install Check Point certificates into the device's Trusted Certificates and SCP Store. This allows the client installer and executables, which are signed by Check Point certificates, to be installed and run. The Check Point certificates are packaged in a small CAB installer that needs to be installed once on the target device before any Check Point product is installed. Install the certificates as follows:
1. Find cpcert.cab in the SecureClient Mobile installation zip file, in the unlock_smartphone directory.
2. Copy cpcert.cab to the device while in ActiveSync.
3. On the device, in File Explorer, tap cpcert.cab. When the installation is complete, a message appears: cpcert.cab was successfully installed on your device.
Continue to Installing SecureClient Mobile, below.
To install the SecureClient CAB package:
1. On the mobile device, in File Explorer, navigate to the folder where the SecureClient .cab file was placed and tap it.
2. If there is an existing installation of SecureClient Mobile, a message appears that the previous version will be removed. Tap OK to install the new version. Existing configuration settings will be kept for the new version.
3. If prompted to select an installation location, select Device (installing on storage cards is not supported).
If there is an existing installation, a message appears that the previous version will be removed. Click OK to install the new version. Existing configuration settings will be kept for the new version.
Most configuration procedures in this chapter assume Central Management capabilities. For details, see Requirements for Central Management on page 365.
Introduction
For all Gateways that support Central Management, the settings of SecureClient Mobile can be configured from the SecureClient Mobile page of the SmartDashboard.
In SmartDashboard, the SecureClient Mobile page can be found by going to Global Properties > Remote Access > SecureClient Mobile. When using a SmartDashboard with the Connectra plug-in, the SecureClient Mobile page can also be found by going to the Connectra tab > Additional Settings > VPN Clients and clicking on the SecureClient Mobile Edit... button.
Authentication Settings
In This Section
Supported Authentication Schemes: page 379
Configuring the Authentication Method: page 380
Password Caching: page 381
Authentication Timeout: page 382
A connectivity policy downloaded to the device enables the administrator to define the amount of user interaction required to carry out the authentication process. Some of these schemes can be configured to achieve seamless authentication (no user prompt for credentials):
Certificates (through CAPI).
User/Pass with credential caching: As long as the password is cached, the user is not prompted to re-enter it when the client authenticates.
OTP with SoftID and credential caching: The client reads the token code from the SoftID application transparently, and the PIN can be cached.
Warning - When credential caching is enabled, the password/PIN is stored locally on the device. This poses a security threat because the password can be retrieved if the device is lost, stolen or hacked.
Some of these schemes can be configured to provide two-factor authentication: Certificates with device login (the user first authenticates to the device login, then CAPI-installed certificates authenticate the device to the CA), and OTP tokens including SoftID.
Note - The Certificate with enrollment feature is currently not implemented by the client. It has the same effect as selecting the Certificate option.
2. Click OK and Install Policy.
Note - When a gateway is configured for both SecureClient Mobile support and for SSL Network Extender, the SSL Network Extender setting overrides the SecureClient Mobile setting for that gateway.
SecureClient supports a secure authentication (SAA) OPSEC interface that allows third-party extensions to the standard authentication schemes. For this scheme to work, the Legacy scheme must be selected here. The neo_saa_guilibs property must also be updated with the SAA DLL name, using the GuiDBEdit tool. For additional information, refer to Client-Gateway Authentication Schemes in the VPN User Guide.
Note - RSA SoftID is an authentication method that generates a unique, one time passcode every 60 seconds used for secure access over the Internet. The passcode is generated using the PIN and obtained automatically. SecureClient Mobile gets the passcode from SoftID by communicating directly with the SoftID application. The SoftID application must be installed on the device but does not have to be running. When the user has no PIN, either because the tokencard is new or the administrator reset the PIN, the PIN field is left blank. Once logged in, the user is directed to a page that requires a PIN to be created. This PIN is used for subsequent logins. Prior to logging in, the token file (containing the shared token) must be imported into the SoftID application. This file is required for the authentication between the Authentication server (ACE/Server) and the SoftID application. The token file is protected by the pass_phrase. The pass_phrase may be obtained from the system administrator.
Password Caching
You can centrally configure password caching on SecureClient Mobile devices. With password caching enabled, authentication information is stored on the device, so that a user does not need to manually authenticate each time he or she connects. However, a different user using the device will be automatically authenticated. With password caching, passwords are stored for a configurable duration. Past this time limit, the user is required to re-authenticate upon connection or authentication timeout.
To configure password caching:
1. In the SecureClient Mobile page, configure Enable password caching. The following options are available:
No: Password caching is disabled.
Yes: Password caching is enabled.
Configured on endpoint client: The device configuration determines whether password caching is enabled or disabled.
2. If you selected Yes or Configured on endpoint client, configure the caching duration by setting Cache password for in minutes.
3. Click OK and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Authentication Timeout
User authentication credentials are only valid for a configurable time duration. Upon timeout, the user is disconnected from the server. SecureClient Mobile checks for authentication credentials (cached or by prompt) five minutes before the session times out. Once these credentials are accepted, the timeout interval is restarted.
To configure the timeout duration:
1. In the SecureClient Mobile page, configure a value for Re-authenticate user every ... minutes.
2. Click OK and Install Policy.
Note - When a gateway is configured for both SecureClient Mobile support and for SSL Network Extender, the re-authentication settings behave according to the following:
VPN-1: If SSL Network Extender is enabled, the SSL Network Extender setting overrides the SecureClient Mobile re-authentication period. Otherwise, the SecureClient Mobile re-authentication period is applied.
Connectra pre-NGX R66: The portal session timeout setting determines the SecureClient Mobile re-authentication period.
Connectra NGX R66: The SecureClient Mobile re-authentication period is applied.
The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Connectivity Settings
The following sections describe connectivity features that can be centrally configured and enforced.
In This Section
Connect Mode: page 383
Automatic Dialup Initiation: page 385
Automatic Disconnect: page 386
Encryption Methods: page 387
Connect Mode
SecureClient Mobile can be configured to automatically establish the VPN tunnel with the last gateway to which it was connected when one of the following conditions is met:
The device has a valid IP address, for example when turning WLAN/WiFi on.
The device exits standby mode or loads after a soft reset/shutdown.
A condition that caused the device to automatically disconnect ceases to exist, for example when the client has automatically disconnected as a result of putting the device in ActiveSync and has then been released from ActiveSync.
This mode of operation is recommended, as it relieves the end user from the need to manually establish the VPN tunnel. Combining this mode with automatic dialup initiation keeps the client connected at all times, which allows push protocols such as VoIP.
To configure the SecureClient Mobile connect mode:
1. In the SecureClient Mobile page, configure Connect mode. The following options are available:
Manual: Automatic SecureClient Mobile connectivity is disabled.
Always Connected: Automatic SecureClient Mobile connectivity is enabled.
On application request: When an application opens a connection with a destination in the encryption domain, SecureClient Mobile automatically connects to the gateway. For more information, see Application Request Mode on page 383.
Configured on endpoint client: The device configuration determines which mode is used.
2. Click OK and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
add:
HKLM,Software\CheckPoint\Neo\Hook,[executable],0x00010001,0x1001
The registry change can also be included in the _setup.xml file in the SecureClient Mobile cab file as follows:
<characteristic type="HKLM\Software\CheckPoint\Neo\Hook">
    <parm name="iexplore.exe" value="1" datatype="integer" />
    <parm name="opera.exe" value="1" datatype="integer" />
add:
    <parm name="[executable]" value="1" datatype="integer" />
Note - Some applications will require other registry values. If after following the above procedures your application does not trigger SecureClient Mobile to initiate a connection to the gateway, contact Check Point Support. Some applications may not be compatible with Application Request Mode.
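Both forms above describe the same hook entry for one executable: the AddReg-style registry line and the parm element under the Hook characteristic in _setup.xml. The following added example produces the registry line and merges a parm into an existing _setup.xml without duplicating entries; it is not Check Point's installer code. The wap-provisioningdoc root element, the helper names and the sample executable name are assumptions, and the sample document is constructed from the two entries shown in the text.

```python
"""Add an application to the Application Request Mode hook list in both forms
the text shows: the registry line and the <characteristic> block of
_setup.xml. Added example, not Check Point's installer code. The
<wap-provisioningdoc> root and the sample executable are assumptions."""
import xml.etree.ElementTree as ET

HOOK_KEY = r"HKLM\Software\CheckPoint\Neo\Hook"

# Constructed _setup.xml excerpt with the two entries from the text.
SAMPLE_SETUP_XML = r"""<wap-provisioningdoc>
  <characteristic type="HKLM\Software\CheckPoint\Neo\Hook">
    <parm name="iexplore.exe" value="1" datatype="integer" />
    <parm name="opera.exe" value="1" datatype="integer" />
  </characteristic>
</wap-provisioningdoc>
"""


def _validate_exe(name: str) -> str:
    """The hook is keyed by bare executable name, not a path."""
    if not name.lower().endswith(".exe") or "\\" in name or "/" in name:
        raise ValueError("expected a bare executable name such as app.exe")
    return name


def registry_line(executable: str) -> str:
    """The AddReg-style line from the text, for one executable."""
    exe = _validate_exe(executable)
    return f"HKLM,Software\\CheckPoint\\Neo\\Hook,{exe},0x00010001,0x1001"


def _hook_characteristic(root):
    for char in root.iter("characteristic"):
        if char.get("type") == HOOK_KEY:
            return char
    return None


def hooked_executables(setup_xml: str) -> list:
    """Names currently listed under the Hook characteristic."""
    char = _hook_characteristic(ET.fromstring(setup_xml))
    if char is None:
        return []
    return [p.get("name") for p in char.findall("parm")]


def add_hook(setup_xml: str, executable: str):
    """Return (new_xml, added). Idempotent: an existing entry is left alone,
    and the characteristic is created if the file lacks it."""
    exe = _validate_exe(executable)
    root = ET.fromstring(setup_xml)
    char = _hook_characteristic(root)
    if char is None:
        char = ET.SubElement(root, "characteristic", {"type": HOOK_KEY})
    if any(p.get("name") == exe for p in char.findall("parm")):
        return ET.tostring(root, encoding="unicode"), False
    ET.SubElement(char, "parm", {"name": exe, "value": "1", "datatype": "integer"})
    return ET.tostring(root, encoding="unicode"), True
```

Because the edited file is repackaged into the signed CAB, check the result with hooked_executables before rebuilding rather than after deploying; an entry with a path instead of a bare name is rejected by the helper for the same reason.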
When the user attempts to establish a SecureClient VPN tunnel. When an established dialup connection fails, in which case SecureClient Mobile waits for a configurable time period and, if the problem has not yet been resolved, initiates dialup. The default time period is 10 seconds. To change the time period, see and configure the variable.
When a dialup connection is attempted and fails, SecureClient Mobile makes successive additional attempts, each time after waiting for a configurable time period (see below). Before each subsequent retry, the waiting time is doubled, to a maximum of 60 seconds.
To configure automatic dialup initiation:
1. In the SecureClient Mobile page, configure Automatically initiate dialup. The following options are available:
No: Automatic dialup initiation is disabled.
Yes: Automatic dialup initiation is enabled.
Configured on endpoint client: The device configuration determines whether automatic dialup initiation is enabled or disabled.
2. Click OK, OK, and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Automatic Disconnect
SecureClient Mobile can also be configured to automatically disconnect when the connection has been idle for a defined duration. The default value is 5 minutes and can be changed by modifying the neo_disconnect_when_idle_timeout property. For more information, see Advanced Configuration on page 397.
To configure Automatic Disconnect:
1. In the SecureClient Mobile page, configure Disconnect when device is idle. The following options are available:
No: Automatic disconnect is disabled.
Yes: Automatic disconnect is enabled.
Configured on endpoint client: The device configuration determines whether automatic disconnect is enabled or disabled.
2. Click OK and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Encryption Methods
There are two encryption methods available:
3DES
RC4
You can configure SecureClient Mobile to support 3DES only or to support both methods.
Note - When a gateway is configured for both SecureClient Mobile support and for SSL Network Extender, the SSL Network Extender setting overrides the SecureClient Mobile setting for that gateway.
To configure the encryption method:
1. In the SecureClient Mobile page, configure Supported encryption methods. The following options are available:
3DES only (default)
3DES or RC4
2. Click OK, OK, and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
5. Click OK, OK, and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Note - For more information, see SecureKnowledge solutions sk31873 and sk31367.
Firewall Policy
SecureClient Mobile includes a built-in firewall, which enforces a downloaded or locally configured security policy. The firewall can separately block or enable different types of traffic: incoming or outgoing, VPN-domain (encrypted) or non-encrypted. The firewall can also block device interfaces, such as PC synchronization, Firewire, and Bluetooth.
To configure the Firewall Policy:
1. In the SecureClient Mobile page, under Security Settings, configure Enable Firewall Policy. The following options are available:
No: The firewall is disabled.
Yes: The firewall is enabled.
Configured on endpoint client: The device configuration determines whether the firewall is enabled or disabled.
3. In the Firewall Settings section, select a Firewall Policy setting. The following options are available:
Allow All: All traffic is allowed. The client is still protected by implicit, non-configurable firewall rules.
Outgoing Only: All outbound connections are permitted and all inbound connections are blocked. This policy prevents incoming connections from being established from both non-VPN hosts and VPN hosts.
Outgoing and Encrypted: Permits incoming and outgoing encrypted traffic to and from the VPN domain. Also permits outgoing non-VPN connections that are initiated from the handheld. This policy is the recommended setting.
Allow Encrypted Only: Only VPN traffic originating from or destined to the encryption domain is permitted (and only when the client is connected).
Block All: All inbound and outbound connections are blocked. The device is only permitted to connect to the Gateway for the purpose of updating the client configuration.
Configured on Endpoint Client: The device configuration determines the configuration of the Firewall Policy.
4. Configure Allow sync with PC. The following options are available:
No: Connections to a PC with ActiveSync are disabled.
Yes: Connections to a PC with ActiveSync are enabled.
Configured on endpoint client: The device configuration determines whether PC synchronization is enabled or disabled.
5. Configure Allow VPN connections via PC Sync. The following options are available:
No: VPN connections set up through ActiveSync are enabled.
Yes: VPN connections set up through ActiveSync are disabled.
Configured on endpoint client: The device configuration determines whether VPN connections set up through ActiveSync are enabled or disabled.
6. (Available when using version NGX R66 of SmartCenter and SmartDashboard) To change Interface Blocking settings, select an interface, and click Edit. In the resulting Interface Details window, configure the Interface State.
For interfaces other than Bluetooth, the following options are available:
Disable: The interface is disabled.
Enable: The interface is enabled.
Configured on endpoint client: The device configuration determines whether the interface is enabled or disabled.
For Bluetooth, the following options are available:
Off: The Bluetooth interface is disabled.
Discoverable: The device user can initiate a Bluetooth connection, and other Bluetooth devices can discover this device.
Connectable: The device user can initiate a Bluetooth connection, but other Bluetooth devices cannot discover this device.
Configured on endpoint client: The device configuration determines whether the Bluetooth interface is enabled or disabled.
7. Click OK, OK, and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Chapter 14
2. (Available when using version NGX R66 of SmartCenter and SmartDashboard) Configure Enable over the air (OMA DM) client. The following options are available:
   No: Use of over-the-air methods to update client configurations is disabled.
   Yes: Use of over-the-air methods to update client configurations is enabled.
3. (Available when using version NGX R66 of SmartDashboard) Configure Enable export of client configuration. GUIdbEdit can be used to configure this setting on previous versions of the VPN-1 gateway. The following options are available:
   No: VPN connections set up through ActiveSync are disabled.
   Yes: VPN connections set up through ActiveSync are enabled.
   Configured on endpoint client: The device configuration determines whether the export of client configurations is enabled or disabled.
4. Configure Client upgrade mode. The following options are available:
   Do not upgrade: Do not upgrade SecureClient Mobile to the latest available version upon establishing a VPN connection.
   Ask user: Prompt the user to choose whether to upgrade SecureClient Mobile to the latest available version upon establishing a VPN connection.
   Always upgrade: Upgrade SecureClient Mobile to the latest available version upon establishing a VPN connection.
5. In the Upgrade clients to version field, enter the version number of the client configuration that will be distributed to clients.
6. In the Client download URL field, enter the link where clients can download the file needed for the upgrade.
7. Click OK, OK, OK, and Install Policy. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Certificates
The SmartCenter server uses the same certificate for both SSL Network Extender and SecureClient Mobile clients when SSL Network Extender is enabled. In SmartDashboard, open the gateway object and select Remote Access > SSL Clients. Select the appropriate certificate from the "The gateway authenticates with this certificate" drop-down menu.
Certificate Nickname
To view the certificate nickname:
1. In SmartDashboard, open the VPN tab of the relevant network object.
2. In the Certificates List section, the nickname is listed next to each certificate.
2. Browse to the ICA Management Tool site, https://<mngmt IP>:18265, and select Create Certificates.
3. Enter the username, and click Initiate to send a registration key to the user.
When the user connects using SecureClient Mobile without a certificate, the Enrollment window opens, and the user can create a certificate by entering the registration key they received from the system administrator.
Note - The system administrator can direct the user to the URL http://<IP>/registration.html to receive a registration key and create a certificate even if they do not wish to use the SSL Network Extender at that time.
Topology Update
When SecureClient Mobile clients connect to a VPN-1 gateway, topology updates are downloaded to the client automatically each time a user connects to a gateway, and when a user reconnects after an authentication timeout occurs. The topology is also updated on a regular basis, as defined by the administrator.
To define the frequency with which updated site details are downloaded to the client:
1. In SmartDashboard, select Policy > Global Properties > Remote Access.
2. In Topology Update, select Update topology every ... hours.
3. Enter the frequency (in hours) with which the policy should be updated.
Advanced Configuration
In This Section
Configuring a Non-Centrally Managed Gateway    page 397
SecureClient Mobile Database Properties    page 399
There are three TTM files on each gateway. The configurable variables in each file are listed in a separate table, located in the previous section.
To configure the security policy using TTM files:
1. Open a TTM file using any text editor.
2. Set the default value for the property you are changing. For example:
   :neo_request_policy_update (
       :gateway (
           :default (true)
       )
   )
   or
   :neo_request_policy_update (
       :gateway (
           :map (
               :false (false)
               :true (true)
               :client_decide (client_decide)
           )
           :default (true)
       )
   )
3. Change the default setting, true, to create a new default setting for the security policy.
4. Save the file and select Install Policy.
5. The following property is used to set the policy expiration timeout for all policies except the firewall policy:
   :expiry ( :gateway ( :default (100)))
   The following property is used to set the firewall policy expiration timeout:
   :expiry ( :gateway (neo_policy_expire :default (100)))
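A hand-edited TTM file is easy to get subtly wrong: a :default that is not one of the values listed in the sibling :map is a silent misconfiguration that only shows up when the policy is installed. The following Python script is an added example, not part of Check Point's tooling; it parses the nested ':name (value)' layout shown in the steps above, reports any :default that falls outside its :map (and any expiry value that is not a positive integer, an assumption of this example), rewrites a default safely, and serialises the tree back out. The sample file content is constructed for the example and only covers the constructs shown on this page.

```python
"""Parse, check and rewrite SecureClient Mobile TTM-style property files.

Added example, not Check Point code. Assumes the layout shown on the page:
each property has a ':gateway' group holding ':default' and, optionally,
a ':map' group whose keys are the legal default values.
"""
import re
from typing import Dict, List, Union

Node = Union[str, Dict[str, "Node"]]

# Tokens are '(', ')' and runs of anything else that is not whitespace.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

# Constructed sample: the mapped form from the page plus an expiry entry.
SAMPLE_TTM = """
:neo_request_policy_update (
    :gateway (
        :map (
            :false (false)
            :true (true)
            :client_decide (client_decide)
        )
        :default (true)
    )
)
:expiry (
    :gateway (
        :default (100)
    )
)
"""


def parse_ttm(text: str) -> Dict[str, Node]:
    """Turn ':name (...)' entries into nested dicts; leaf values are strings."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def parse_group() -> Dict[str, Node]:
        nonlocal pos
        group: Dict[str, Node] = {}
        while pos < len(tokens) and tokens[pos] != ")":
            key = tokens[pos]
            if not key.startswith(":"):
                raise ValueError(f"expected ':name', got {key!r}")
            pos += 1
            if pos >= len(tokens) or tokens[pos] != "(":
                raise ValueError(f"expected '(' after {key}")
            pos += 1
            if pos < len(tokens) and tokens[pos].startswith(":"):
                value: Node = parse_group()            # nested group
            else:
                parts: List[str] = []                  # scalar, up to ')'
                while pos < len(tokens) and tokens[pos] != ")":
                    parts.append(tokens[pos])
                    pos += 1
                value = " ".join(parts)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' for {key}")
            pos += 1
            group[key[1:]] = value
        return group

    tree = parse_group()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses")
    return tree


def dump_ttm(tree: Dict[str, Node], indent: int = 0) -> str:
    """Serialise a tree back into the ':name (value)' layout."""
    pad = "\t" * indent
    lines: List[str] = []
    for key, value in tree.items():
        if isinstance(value, dict):
            lines += [f"{pad}:{key} (", dump_ttm(value, indent + 1), f"{pad})"]
        else:
            lines.append(f"{pad}:{key} ({value})")
    return "\n".join(lines)


def check_defaults(tree: Dict[str, Node]) -> List[str]:
    """List properties whose :default is missing, outside its :map, or
    (for expiry) not a positive integer."""
    problems: List[str] = []
    for prop, body in tree.items():
        gateway = body.get("gateway") if isinstance(body, dict) else None
        if not isinstance(gateway, dict) or "default" not in gateway:
            problems.append(f"{prop}: no :gateway/:default group")
            continue
        default = gateway["default"]
        if not isinstance(default, str):
            problems.append(f"{prop}: :default must be a scalar")
            continue
        mapping = gateway.get("map")
        if isinstance(mapping, dict) and default not in mapping:
            problems.append(f"{prop}: default {default!r} not in map {sorted(mapping)}")
        # Assumption of this example: expiry timeouts are positive integers.
        if prop == "expiry" and not (default.isdigit() and int(default) > 0):
            problems.append(f"{prop}: {default!r} is not a positive integer")
    return problems


def set_default(tree: Dict[str, Node], prop: str, new_default: str) -> Dict[str, Node]:
    """Change a property's gateway default, refusing values outside its :map."""
    gateway = tree[prop]["gateway"]
    mapping = gateway.get("map")
    if isinstance(mapping, dict) and new_default not in mapping:
        raise ValueError(f"{new_default!r} is not legal for {prop}: {sorted(mapping)}")
    gateway["default"] = new_default
    return tree
```

Run check_defaults on the parsed file before installing the policy; set_default then dump_ttm is the safe way to carry out step 3 above, because it refuses a default the :map does not list.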
The tables include both variables that are configurable from SmartDashboard and variables that are not. The values that appear in the table in bold are the gateway default values, so if these are desired there is no need to change them. The client_decide value means the device user can configure the setting. The device default value appears in the table in italics.
Database Tool configuration depends on Central Management capabilities. For details, see Requirements for Central Management on page 365. For more information on the Database Tool, see SecureKnowledge solution SK13009.
To configure client attributes with the Check Point Database Tool:
1. On a host with SmartConsole installed, run the Database executable, by default located at: C:\Program Files\CheckPoint\SmartConsole\<version>\PROGRAM\GuiDBedit.exe
2. In the Database Tool's navigation tree, under Global Properties, select properties.
3. Select the firewall_properties object.
4. In the Field Name column, find mobile_remote_access_preferences. The SecureClient Mobile properties appear below this field.
5. Double-click a field and edit its Value. Click OK.
6. To save the changes to the management database, from the File menu, select Save All. To have the changes installed on the gateway, Install Policy from SmartDashboard. The next time each user connects to the gateway, SecureClient Mobile will download and enforce the policy changes.
Note - There are properties which exist in the database but are not listed in the tables below. These properties will be implemented in later releases.
Table 14-1 VPN Properties (Valid Values: gateway default value in italics; device default value in bold)
neo_remember_user_password
   Description: Remembers the user password/PIN (password caching). As long as the password is cached, the user is not prompted to enter a password when the client connects, reconnects or re-authenticates.
   Valid values: false, true, client_decide
neo_remember_user_password_timeout
   Description: The password/PIN caching timeout (in minutes) since the user entered their credentials. An authentication attempt after this timeout expires requires the user to re-enter their credentials.
neo_clear_in_activesync
   Description: Enables clear traffic during ActiveSync. When set to true, if the device is cradled (for example, when ActiveSync is activated to a PC using Bluetooth), the client automatically disconnects and the firewall settings permit clear traffic to exit the device to the encryption domain. This is required when the connected PC is located inside the encryption domain and encryption of the data is not necessary. A message appears when the client disconnects.
   Valid values: false, true, client_decide
neo_always_connected
   Description: Always connected. The client automatically connects to the last connected gateway: when the device has a valid IP address; when the device "wakes up" after low power and after a soft reset; and, when the value is application_request, when an application initiates a connection to the encryption domain.
neo_always_connected_retry
   Description: The always connected retry timeout (in minutes). If an automatic connection fails, the client tries to reconnect repeatedly at the interval set by this value. The client also tries to reconnect after the IP address of the client changes, or if the user manually requests a connection.
   Valid values: 1 - MAX_INT
neo_initiate_dialup
   Description: Instructs the client to automatically initiate an existing dialup connection (for example, GPRS) when the always connected flag is set to true, the user requests a connection, and there is no valid IP address on the machine.
(property name not shown in the extracted table)
   Description: Timeout for successful dialup completion (seconds).
(property name not shown in the extracted table)
   Description: Disconnect when idle. Automatically disconnects the tunnel when the user does not interact with the device over a defined time period. A message appears when the client disconnects.
neo_disconnect_when_idle_timeout
   Description: Disconnect when idle timeout (in minutes).
   Valid values: 1 (default) - MAX_INT; 15
neo_user_approve_server_fp
   Description: Requests user approval of the server fingerprint (FP) before the client enters its credentials. The server FP is part of the gateway certificate provided in the SSL interaction with the client. The following options are available: Once: prompts if the FP is seen for the first time by the client and is not stored in the client database. Always: prompts the user to approve the FP for every connection. Never: always accepts the FP.
   Valid values: once, always, never, client_decide
neo_allow_site_creation
   Description: Enables the client to connect to a new gateway. When this flag is set to false, the client can only connect using the list of gateways configured in the client setup package.
neo_block_conns_on_erase_passwords
   Description: Blocks a connection upon the removal of passwords. If set to true, when the user clears the Remember Password option in the Options dialog, or selects the Erase Passwords menu option, the tunnel is automatically disconnected. A message appears when the client disconnects.
neo_disconnect_when_in_enc_domain
   Description: If the client is connected to a site and an interface has an IP address located within one of the VPN encryption domains, the client disconnects. A message appears when the client disconnects.
   Valid values: false, true, client_decide
neo_replace_http_proxy
   Description: Changes the HTTP/HTTPS proxy settings returned to applications that request access to resources inside the encryption domain while the client is connected. The value should be a URL of the format http://host:port. If the proxy requires a username and password, use the format ftp://user:pass@host:port (the scheme must be ftp:// even though it is an HTTP proxy).
neo_keep_alive_max_timeout
   Description: A heartbeat is sent to the server after this interval even if data was sent. The value should not be more than 600 (10 minutes) if SCV traversal is used.
   Valid values: 10-MAX_INT; 600
neo_script_wm_connect
   Description: Windows Mobile post-connect script URL (starting with http://). The file should be a Windows Mobile XML provisioning file (starting with <wap-provisioningdoc>). Note: the flag must be part of a policy downloaded to the client from a server to be executed. The client does not "run" a locally defined flag (global configuration).
(property name not shown in the extracted table)
   Description: Windows Mobile post-connect script - show window while running the script.
   Valid values: false, true
(property name not shown in the extracted table)
   Description: Windows Mobile post-connect script - MD5 of the script. If the MD5 differs from the MD5 of the script file, a security warning is displayed to the user.
neo_script_wm_disconnect
   Description: Windows Mobile post-disconnect script URL (starting with http://). The file should be a Nokia XML provisioning file (starting with <wap-provisioningdoc>). Note: the flag must be part of a policy downloaded to the client from a server to be executed. The client does not "run" a locally defined flag (global configuration).
neo_script_wm_disconnect_show
   Description: Windows Mobile post-disconnect script - show window while running the script.
   Valid values: false, true
neo_script_wm_disconnect_md5
   Description: Windows Mobile post-disconnect script - MD5 of the script. If the MD5 differs from the MD5 of the script file, a security warning is displayed to the user.
neo_script_wm_runonce
   Description: Windows Mobile run-once script URL (starting with http://). The file should be a Windows Mobile XML provisioning file (starting with <wap-provisioningdoc>). Note: the flag must be part of a policy downloaded to the client from a server to be executed. The client does not "run" a locally defined flag (global configuration).
(property name not shown in the extracted table)
   Description: Windows Mobile run-once script - show window while running the script.
   Valid values: false, true
(property name not shown in the extracted table)
   Description: Windows Mobile run-once script - MD5 of the script. If the MD5 differs from the MD5 of the script file, a security warning is displayed to the user.
neo_implicit_disconnect_timeout
   Description: Retry to establish the tunnel until this timeout elapses (in minutes).
   Valid values: 1 - MAX_INT; 2
Table 14-2 Gateway Properties (Valid Values: gateway default value in italics; device default value in bold)
neo_enable
   Valid values: false, true
neo_user_auth_methods
   Valid values: certificate, certificate_with_enrollment, legacy, mixed
neo_encryption_methods
   Description: Client encryption methods.
   Valid values: 3des_only, 3des_or_rc4
neo_upgrade_mode
   Description: Client upgrade mode.
   Valid values: no upgrade, ask user, force upgrade
neo_upgrade_version
   Description: The client required version.
   Valid values: a number in hexadecimal format
neo_upgrade_url
   Description: Client download absolute URL.
neo_keep_alive_timeout
   Description: Client to server heartbeat interval (in seconds). A heartbeat is sent if no other data was sent to the server.
   Valid values: 10-MAX_INT; 20
neo_package_id
   Description: The gateway allows only clients with these package IDs to connect (comma-separated list).
(property name not shown in the extracted table)
   Description: The session validity timeout (in minutes).
   Valid values: 10~1440; 480
(property name not shown in the extracted table)
   Description: The DLL name or full path that is loaded for authentication with the server.
neo_saa_url
   Description: The relative URL for SAA authentication.
Table 14-3 Firewall Properties (Valid Values: gateway default value in italics; device default value in bold)
(property name not shown in the extracted table)
   Description: Enables the firewall policy.
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: The supported firewall policies: Apply client's setting; Allow all; Outgoing only; Outgoing and encrypted; Encrypted only; Block all (never disabled).
   Valid values: client_decide, allow_all, outgoing_only, outgoing_and_encrypted, encrypted_only, block_all
(property name not shown in the extracted table)
   Description: Enables ActiveSync to PC (disabled if the firewall is not installed).
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: Enables IP forwarding (when the firewall is enabled).
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: The policy expiration timeout (in minutes).
   Valid values: -1 (infinite); 10-MAX_INT; 525600
neo_route_all_traffic_through_gateway
   Description: Routes all traffic through a gateway (in hub mode). This flag sets the routing in the IP routing table to send all traffic to the connected gateway, so that all traffic leaving the machine (except for specific routes) is encrypted and possibly re-routed from the gateway to the outside Internet. It allows all client data received by the connected gateway to be inspected. This only works if the gateway also supports routing all traffic. To configure the gateway, see Routing All Traffic To the Gateway (Hub Mode) on page 388.
   Valid values: false, true, client_decide
neo_allow_clear_while_disconnected
   Description: Enables clear traffic to the encryption domain when the client is disconnected. The client prevents clear traffic to the encryption domain from exiting the machine at all times unless this flag is set to true. Note: In an IPSec client, this functionality is achieved using the VPN chain in the firewall. In SecureClient Mobile, it is achieved using the firewall rule setting.
neo_interface_blocking_list
   Description: List of supported interfaces and their status and details (where available). Status can be false, true or client_decide. For Bluetooth it can also be connectable. When the list is empty, all interfaces are allowed.
   Valid values: {neo_basic_interface, neo_ip_with_allowed_apn_list_interface, neo_bt_interface, NULL}
   Basic class for interface blocking: Name of the interface (= name of the object). Type of the interface (currently only P2P and IP). State of the interface: true = allowed, false = blocked. Valid state values: false, true, client_decide.
   Class for Bluetooth blocking with profiles specified: State of the interface: true = discoverable, false = blocked, connectable = allowed but not discoverable. Valid state values: false, true, client_decide, connectable.
Table 14-4 General Properties (Valid Values: gateway default value in italics; device default value in bold)
(property name not shown in the extracted table)
   Description: Runs the client on device startup.
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: Specifies whether the user can stop the client. If this option is set to false, the quit option does not appear in the client menu.
   Valid values: false, true, client_decide
neo_allow_client_debug_logs
   Description: Enables the client troubleshooting window.
neo_allow_client_db_export
   Description: Enables the client to export its local database to a clear text file, which is used to create a customized installation package.
   Valid values: false, true, client_decide
neo_allow_provisioning_via_registry
   Description: Allows provisioning of the client through the Registry Configuration Service Provider (OMA DM and XML Provisioning). Available options: update the configuration with a startup.C file; turn debug logging on/off; run CLI commands through scm.exe.
   Valid values: false, true
(property name not shown in the extracted table)
   Description: Displays the today item.
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: Displays the taskbar icon.
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: Displays the flash icon, which monitors VPN tunnel activity (traffic).
   Valid values: false, true, client_decide
(property name not shown in the extracted table)
   Description: Displays the flash icon, which monitors firewall packet dropping activity.
   Valid values: false, true, client_decide
VPN Connections
In This Section
Status Page    page 414
Initiating a VPN Connection    page 414
Closing SecureClient Mobile    page 415
Status Page
SecureClient Mobile can be opened either from the Start menu or by tapping the SecureClient Mobile icon in the bottom-right corner of the screen. The Status page is displayed in the Basic Details view. The Basic Details view contains:
   Server: Displays the VPN server's name or IP address.
   VPN: Displays whether the client is connected to a VPN server.
   Firewall policy: Displays whether the firewall policy is enabled or disabled.
The More Details view contains:
   Office mode IP: Displays the Virtual Network Adapter IP address that was assigned by the server.
   Duration: Displays the duration of the current session.
   Sync to PC: Displays whether the PC Sync Policy is allowed or disallowed.
4. When prompted, enter your credentials.
Note - If you connected to a gateway previously, tap Connect on the toolbar to connect to the most recently connected gateway.
The user may be prompted for authentication credentials five minutes before the session times out. Once these credentials are accepted, the time-out interval is re-initialized. If the user does not provide valid credentials in time, the client is disconnected from the server, and the user must reconnect and re-authenticate the client manually. The user can also end the session manually by disconnecting the client.
Chapter 15
Client Configuration
In This Section
Connectivity Options    page 416
Configuring Display Settings    page 417
Firewall Policy    page 418
Controlling Device Connections    page 418
Connectivity Options
Tap Menu > Manage... > VPN Client and scroll down to the Connectivity section. The options are:
Connect Mode: Determines when SecureClient Mobile will initiate a VPN connection. The options are:
   Manual: VPN connections will not be initiated automatically.
   App. Request: Applications requiring access to resources through the VPN will be able to initiate a VPN connection. To configure App. Request behavior for email accounts or the Opera web browser, tap the Configure App. Request button.
   Always Connected: SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) the device "wakes up" from a low-power state or a soft reset, or (c) a condition that caused the device to disconnect automatically ceases to exist (i.e. the device is out of PC Sync or is no longer idle).
Don't connect in PC Sync (cradle): Forces the VPN connection to terminate when the device is connected to a PC using ActiveSync (USB, Bluetooth). This setting is unrelated to performing ActiveSync with an Exchange Server.
Initiate dialup: When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through any network interface, the GPRS dialup is not initiated.
Route all traffic to gateway: Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing. If this is set, the firewall policy should also be set to 'Allow Encrypted Only'.
Disconnect when device is idle: When the device is idle (screen or keys untouched), disconnect the VPN connection and allow the device to go into stand-by mode, if necessary.
To prevent SecureClient Mobile from running automatically at device startup, uncheck Run client on device startup, found at the bottom of the VPN Client configuration page.
Note - The administrator has the ability to prevent the user from changing these settings.
Play sound effects: Selecting this option enables the SecureClient Mobile sound effects, including Connect and Disconnect notifications.
Show Today Item: Select this option to display SecureClient Mobile in the Today Item menu.
Show Taskbar icon: Select this option to display the SecureClient Mobile icon on the taskbar when the client is running.
Rotate icon on VPN activity: By selecting this option, the key in the icon displayed on the taskbar rotates when information is being sent or received.
Flash icon on firewall packet drop: Select this option to display the lock in the icon on the taskbar, which flashes when packets are dropped.
Firewall Policy
Tap Menu > Manage... > Network Control. In the Firewall section, click the Enable firewall policy checkbox to enforce the Firewall settings listed. The options for Allowed traffic enforcement are:
   Allow all: All traffic is allowed. The client will still be protected by implicit firewall rules.
   Outgoing only: All outbound connections are permitted and all inbound connections are blocked. This policy prevents incoming connections from being established from both non-VPN hosts and VPN hosts.
   Outgoing and encrypted: Permits incoming and outgoing encrypted traffic to and from the VPN domain. Also permits outgoing non-VPN connections that are initiated from the handheld. This policy is the recommended setting.
   Encrypted only: Only VPN traffic originating from or destined to the encryption domain is permitted.
   Block all: All network traffic is blocked. The device will only be permitted to connect to the Gateway for the purpose of updating the client configuration.
Note - The administrator has the ability to prevent the user from changing these settings.
To enable the device to connect to unknown types of interfaces, tap the Allow Unknown type of interfaces checkbox.
To configure which Bluetooth functions SecureClient Mobile will allow, select one of the modes listed in the Bluetooth policy dropdown box. The options listed are:
   Off: SecureClient Mobile will block all Bluetooth functionality.
   Connectable: SecureClient Mobile will allow Bluetooth connections but will not allow the device to advertise its presence.
   Discoverable: SecureClient Mobile will allow the device to advertise its presence and connect to other Bluetooth devices.
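The five policies listed here (and the matching gateway-side list in the Firewall Settings step of the SmartDashboard procedure earlier in this chapter) differ only in which direction and which kind of traffic they pass, and two further settings from this guide interact with them: the neo_allow_clear_while_disconnected flag, which is the only way clear traffic to the encryption domain ever leaves the device, and Route all traffic to gateway, which should be paired with Encrypted only. The following Python script is an added example, not Check Point code; it encodes those descriptions as one decision function and tabulates it over constructed sample connections. The Connection fields and the order of the checks are this example's reading of the text, and the product's implicit, non-configurable rules are not modelled.

```python
"""Decision model for the SecureClient Mobile firewall policy options.

Added example, not Check Point code. Encodes the policy descriptions on
this page; the Connection fields and check order are this example's own.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Policy(Enum):
    ALLOW_ALL = "allow_all"
    OUTGOING_ONLY = "outgoing_only"
    OUTGOING_AND_ENCRYPTED = "outgoing_and_encrypted"
    ENCRYPTED_ONLY = "encrypted_only"
    BLOCK_ALL = "block_all"


@dataclass(frozen=True)
class Connection:
    outbound: bool            # initiated from the handheld (True) or inbound (False)
    in_enc_domain: bool       # peer address lies inside the VPN encryption domain
    encrypted: bool           # carried inside the VPN tunnel
    to_gateway: bool = False  # client configuration update with the VPN gateway itself


# Constructed sample connections.
INBOUND_CLEAR = Connection(outbound=False, in_enc_domain=False, encrypted=False)
OUTBOUND_CLEAR = Connection(outbound=True, in_enc_domain=False, encrypted=False)
INBOUND_TUNNEL = Connection(outbound=False, in_enc_domain=True, encrypted=True)
OUTBOUND_CLEAR_TO_ENC = Connection(outbound=True, in_enc_domain=True, encrypted=False)
CONFIG_UPDATE = Connection(outbound=True, in_enc_domain=True, encrypted=False, to_gateway=True)


def is_allowed(policy: Policy, conn: Connection, vpn_connected: bool = True,
               allow_clear_while_disconnected: bool = False) -> bool:
    """Return True if the connection passes the client firewall under `policy`."""
    # Configuration updates from the gateway are permitted under every policy,
    # Block all included (the one exception the page lists for that policy).
    if conn.to_gateway:
        return True
    # Tunnel traffic only exists while the VPN is up ("only when the client is connected").
    if conn.encrypted and not vpn_connected:
        return False
    # Clear traffic to the encryption domain is blocked at all times unless
    # neo_allow_clear_while_disconnected is true and the client is disconnected.
    if conn.in_enc_domain and not conn.encrypted:
        if vpn_connected or not allow_clear_while_disconnected:
            return False
    if policy is Policy.ALLOW_ALL:
        return True
    if policy is Policy.BLOCK_ALL:
        return False
    if policy is Policy.OUTGOING_ONLY:           # inbound blocked from VPN and non-VPN hosts alike
        return conn.outbound
    if policy is Policy.OUTGOING_AND_ENCRYPTED:  # outgoing, plus encrypted in both directions
        return conn.outbound or conn.encrypted
    if policy is Policy.ENCRYPTED_ONLY:
        return conn.encrypted
    raise ValueError(f"unknown policy {policy!r}")


def policy_matrix(vpn_connected: bool = True) -> Dict[str, Dict[str, bool]]:
    """Tabulate every policy against the sample connections."""
    samples = {
        "inbound clear": INBOUND_CLEAR,
        "outbound clear": OUTBOUND_CLEAR,
        "inbound tunnel": INBOUND_TUNNEL,
        "config update": CONFIG_UPDATE,
    }
    return {p.value: {name: is_allowed(p, c, vpn_connected) for name, c in samples.items()}
            for p in Policy}


def hub_mode_warnings(policy: Policy, route_all_traffic: bool) -> List[str]:
    """Flag the combination the page advises against: Route all traffic to
    gateway with a firewall policy other than Encrypted only."""
    if route_all_traffic and policy is not Policy.ENCRYPTED_ONLY:
        return [f"Route all traffic to gateway is set; firewall policy should be "
                f"{Policy.ENCRYPTED_ONLY.value}, not {policy.value}"]
    return []


if __name__ == "__main__":
    for name, row in policy_matrix().items():
        print(f"{name:24s}", {k: ("allow" if v else "block") for k, v in row.items()})
    print(hub_mode_warnings(Policy.OUTGOING_ONLY, route_all_traffic=True))
```

Reading the matrix row by row shows why Outgoing and encrypted is the recommended setting: it is the only policy that blocks unsolicited inbound clear connections while still letting the encryption domain reach the device through the tunnel.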
Troubleshooting
In This Section
Enabling Log Files    page 420
Viewing Network Configuration    page 420
Error Messages    page 421
Error Messages
Table 15-1 provides a list of error messages, their possible causes and suggested solutions.
Table 15-1 Error Messages Troubleshooting
Error message: Cannot find the server (server name). Please check the server name and try again.
   Possible cause: There is an error resolving the server name.
   Solution: Check the server name and verify that the IP address is valid.
Error message: Error while negotiating with the server (server name). Please try again.
   Possible cause: Error in client-server negotiation.
   Solution: Try to connect again.
Error message: You are not permitted to access the server.
   Possible cause: The user is not authorized.
   Solution: Check that the user certificate is installed and is valid.
Error message: Your device is not connected to any network.
   Possible cause: The network is not available for connection.
   Solution: Connect the device to a network.
Error message: Your device is not connected to any network. Dialup connection is not available.
   Possible cause: The network is not available for connection and dialup cannot be initiated. The settings may not be configured properly.
   Solution: Check that your dialup settings are configured properly.
Error message: (not shown in the extracted table)
   Possible cause: Wrong credentials supplied.
   Solution: Ensure that the credentials are current and retry. If the credentials are cached, use the clear passwords button.
Error message: User is not permitted to have an office mode IP address.
   Possible cause: The user attempting to connect is not configured to have an office mode IP address and therefore the connection failed.
   Solution: Ensure that the user is configured to receive an office mode IP address.
Error message: Invalid certificate provided. Please provide the username and password.
   Possible cause: The certificate provided is invalid.
   Solution: Either install a new user certificate or connect with a username and password.
Error message: (not shown in the extracted table)
   Possible cause: There is no connection to the server, and the client disconnected.
   Solution: Try to reconnect.
Error message: Security warning! Server fingerprint has changed during connection. Contact your administrator. Possible identity theft.
   Possible cause: Server validation failed and therefore the connection failed.
Error message: User credentials used from another client. Client Disconnected.
   Possible cause: Another client has connected to the gateway with the same credentials.
Error message: Client firewall policy is set to Block all. Client has disconnected.
   Possible cause: The client's Firewall policy is configured to block all network traffic.
Additional Resources
For additional resources on setting up SecureClient Mobile, refer to:
   How to add your own root certificate via CAB file.
   How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone.
   Windows Mobile 5.0 Security Model FAQ.
   ActiveSync 4.x Troubleshooting Guide.
Package Customization
The administrator obtains the SecureClient Mobile distribution package from the Check Point Download Center. The distribution package is a .zip file, which contains the following folders and files:
   client_api: SecureClient Mobile API plus sample code.
   client_pkg: SecureClient Mobile components for package customization.
   tools: SecureClient Mobile tools (for instance the MSI package and the MSI packaging tool).
   unlock_smartphone: This folder contains the Check Point certificate. Installing cpcert.cab enables the device to trust Check Point software and successfully deploy SecureClient Mobile on locked Windows Mobile devices.
   (file name not shown in the extracted table): Readme file.
   (file name not shown in the extracted table): Sample provisioning scripts.
   (file name not shown in the extracted table): Latest version of the TTM files for the client, in case you want to update the TTM files on the gateway.
The unpacked client files are the same as those in the CAB package. The administrator can customize and package these files into a new CAB or MSI package before distributing it to users. The customized package can include predefined topology and credentials, a default firewall policy and other settings. During version upgrades, the installer retains the existing client policies and credentials that were not predefined in the upgrade package. The administrator can control the client upgrade using the neo_upgrade_mode, neo_upgrade_version and neo_upgrade_url flags.
When the client is installed on a PocketPC 2003 or Windows Mobile 5.0 device, another applet, called Certificate Import Wizard, is also installed. This applet enables you to import PKCS#12 certificates to the device.
The CAB and MSI packages can be edited by the administrator to customize the settings for SecureClient Mobile. The administrator can edit the package by:
   Adding a file to the CAB package, for example, a user certificate file or a Secure Authentication (SAA) plug-in. For additional information, refer to Adding a File to a CAB Package on page 428.
Chapter 16
   Deleting a file from the CAB package; for example, the Cert_import utility may not be needed for some configurations. For additional information, refer to Deleting a File from a CAB Package on page 429.
   Preconfiguring the client database parameters. For additional information, refer to Exporting the Client Configuration on page 429.
   Defining the client installation version. For additional information, refer to Defining the Client Installation Version on page 430.
   e. Click OK, OK, and Install Policy.
2. When using a previous version of SmartDashboard, allow exporting of the configuration by using GUIdbEdit to change the neo_allow_client_db_export value to true.
3. Connect SecureClient Mobile on a device to the gateway in order to download the policy.
4. Configure SecureClient Mobile on the device with the required configuration to be exported. For example, configure the client's firewall options and connections to the gateways.
5. Copy the database.C file to the client folder.
6. Restart the client.
7. In SecureClient Mobile, select Menu > Help & Tools > Export db. This exports the current settings to the startup.C file, which contains the non-confidential data in the database.
8. Replace the startup.C file that is located in the conf folder of the preconfigured package. This file may be edited manually using a text editor in order to add or remove flags.
Note - Exporting startup.C will also export the global property neo_allow_client_db_export with the value set to true. To restrict users from exporting the client configuration, edit startup.C and remove the property or set it to false.
2. Edit the package by exporting the client configuration and removing and/or adding files (for additional information, refer to Adding a File to a CAB Package on page 428, Deleting a File from a CAB Package on page 429 and Exporting the Client Configuration on page 429).
3. Copy the Cabwiz.exe and Cabwiz.ddf files to the SCM folder created when extracting the SecureClient_Mobile_Setup_<build number>.zip file (this file was originally extracted from the SecureClient Mobile distribution .zip file).
4. Copy makecab.exe from the Windows system directory (by default: C:\WINDOWS\system32) to the SCM folder.
5. Run Cabwiz on the SecureClient_Mobile_Setup_<build number>.inf file. The created CAB package has a .cab extension.
2. Save the distribution .zip file to your local machine and extract its contents. One of the files is the SecureClient Mobile MSI file.
3. Run /tools/neo_msi_tool.exe SecureClient_Mobile.MSI SecureClient_Mobile.CAB Neo \Program Files\CheckPoint\SecureClient_Mobile
2. Connect to the gateway. During the connection process, the defined SAA plug-in popup opens. If you receive the error message "Configuration Error: Failed to load SAA plug-in," use the client login page (username-password) to connect. Once connected, quit and relaunch the client.
Chapter 16
Introduction
This appendix describes the API functions exported by the neo_api.dll file. The function prototypes are defined in the neo_api.h file. To use the client API, download the client zip file, which contains neo_api.dll, the header file neo_api.h, and the API usage sample neo_test.cpp. Note - The client API is C based. Exported functions have C-style declarations. To access these API functions from C++, wrap the declarations in extern "C".
NEOERR_SUCCESS
NEOERR_CLIENT_NOT_RUNNING
NEOERR_CLIENT_NOT_RESPONSDING
NEOERR_INVALID_ARGS
NEOERR_BUFFER_TOO_SMALL
NEOERR_INVALID_STATE
NEOERR_ACCESS_DENIED
NEOERR_GENERAL_FAIL
NEOERR_OUT_OF_RESOURCE
NEOERR_INTERNAL_ERROR
Appendix 17
Functions
neo_api_version
This function retrieves the API version.
neo_client_version
This function retrieves the client version and version string.
Prototype
NEOERR neo_client_version( ulong* ver, char* version, ulong cbversion )
Arguments
ver        OUT  Contains the client version.
version    OUT  Buffer that holds the client version string.
cbversion  IN   Version buffer length.
neo_set_log_file
This function turns on/off the logging and determines the log file name, maximum file size, file cycling, and logging level.
Prototype NEOERR neo_set_log_file( const char* filename, ulong size_kb, ulong cycle, ulong lvl )
Arguments
filename  IN  Gives a name to the log file.
size_kb   IN  Determines the maximum size of the log file in KB.
cycle     IN  The number of files that are created before starting again at logfile0. The upper limit for the number of possible files is 20.
lvl       IN  Severity level of logs required (1-5, 1 = critical and 5 = low).
neo_log_outln
Writes the given line to the log file. A severity level is also assigned to the logged line.
neo_api_init
This function initializes a connection with the client for command processing.
Arguments
api_version       IN  The API version in use.
application_name  IN  The application used to communicate with the client.
neo_api_fini
This function terminates the connection with the client for command processing. This should be called before exiting the application.
neo_set_user_passwd
This function is called to set the username and password to be used the next time the client attempts to authenticate to the active gateway. Note - For this function to work, the neo_remember_user_password property must be set to true and the neo_remember_user_password_timeout property must be set to >0.
Arguments
user    IN  The username used by the client.
passwd  IN  The password used by the client.
neo_set_cert_passwd
This function is called to set the password for the certificate used for connecting to the gateway. This functionality is not implemented in this client version. Note - For this function to work, the neo_remember_user_password property must be set to true and the neo_remember_user_password_timeout property must be set to >0.
Prototype
NEOERR neo_set_cert_passwd( const char *cert_cn, const char *passwd )
Arguments
cert_cn  IN  The certificate identifier name.
passwd   IN  The password used for the certificate.
neo_get_state
This function is called to retrieve the state of the client.
Arguments
state  OUT  An object that defines the state of the client.
neo_get_last_message
This function is called to retrieve the last client message (for example, error, failure).
Arguments
message    OUT  Buffer that receives the last client message.
messagecb  IN   Message buffer length.
neo_clear_passwds
This function is called to clear all saved credentials.
neo_get_gateway_list
This function is called to retrieve a list of gateways known and available to the client.
Arguments
gateways  OUT  Pointer to a list of gateways available to the client.
num       OUT  The number of gateways in the list.
neo_free_gateway_list
This function is called to delete the list of available gateways for the client.
Arguments
gateways  IN  The list of gateways returned by neo_get_gateway_list.
The following functions are called to set the Read/Write configuration parameters.
neo_get_property_int
This function retrieves the value of the integer property called name.
Arguments
name   IN   The name of the property.
value  OUT  The value of the property.
neo_get_property_str
This function retrieves the value of the string property called name.
Prototype
NEOERR neo_get_property_str( const char* name, char* value, ulong valuecb )
Arguments
name     IN   The name of the property.
value    OUT  The value of the property.
valuecb  IN   The size, in bytes, of the value buffer.
neo_set_property_int
This function assigns a value to the integer property called name.
Arguments
name   IN  The name of the property.
value  IN  The value of the property.
neo_set_property_str
This function assigns a value to the string property called name.
Arguments
name   IN  The name of the property.
value  IN  The value of the property.
neo_connect_gw
This function is called to connect to a gateway using the DNS name. If the port is not 443, use name:port. If the gateway is NULL, connect to the last active gateway.
Arguments
gw  IN  The DNS name of the gateway (name:port if the port is not 443), or NULL for the last active gateway.
neo_disconnect_gw
This function is called to disconnect from the gateway.
neo_register_state_change_callback
This function is called to register for notification on tunnel state changes. Each pair <func, opaque> can be registered only once.
Arguments
func    IN  Called when the tunnel state changes.
opaque  IN  An opaque object that is passed to func.
neo_unregister_state_change_callback
This function is called to unregister for notification on tunnel state changes.
Arguments
func    IN  The callback that was registered.
opaque  IN  The opaque object that was registered with func.
Chapter 18 Endpoint Connect
This chapter explains how to configure the Connectra gateway to work with Endpoint Connect.
Introduction
Endpoint Connect is Check Point's new lightweight remote access client. Providing seamless, secure (IPSec) VPN connectivity to corporate resources, the client works transparently with Connectra, the Check Point remote access gateway solution.
Capabilities
Resident on the user's desktop or laptop, Endpoint Connect provides various capabilities for connectivity, security, installation and administration.
Connectivity
Network Layer Connectivity
An IPSec VPN connection to the Connectra gateway for secure encrypted communication. If the network connection is lost, the client seamlessly reconnects without user intervention.
Intelligent Auto-detect and connect
Whenever the Connectra gateway or the client's location changes, Endpoint Connect auto-detects the best method to establish a connection, using either NAT-T or Visitor Mode, intelligently auto-switching between the two modes as necessary.
Smart location awareness
Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required.
Proxy detection
Proxy servers between the client and the Connectra gateway are automatically detected, authenticated to, and replaced when no longer valid.
Transparent Network and Interface Roaming
If the IP address of the client changes, for example if the client is using a wireless connection and then physically connects to a LAN that is not part of the VPN domain, interface roaming maintains the logical connection.
Multiple Sites
Endpoint Connect connects to any one of a number of user-defined gateways.
Dead Gateway Detection
If the client fails to receive an encrypted packet within a specified time interval, it sends a special tunnel test packet to the Connectra gateway. If the tunnel test packet is acknowledged, the gateway is active. If a number of tunnel test packets remain unacknowledged, the gateway is considered inactive or dead.
Security
Endpoint Security on Demand
Provides a full, effective endpoint compliance check (for required software updates, anti-virus signatures, presence of malware) when connecting, and repeat scans at specified time intervals. Clients that fail the initial scan when connecting gain access to remediation sources.
Full IPSec VPN
Internet Key Exchange (IKE) version 1 support for secure authentication.
Support for strong authentication schemes such as:
a. Username and password (including cached passwords)
b. SecurID
c. Challenge-Response
d. CAPI software and hardware tokens
Hub Mode
Increases security by routing all traffic, such as traffic to and from the Internet, through the Connectra gateway, where the traffic can be inspected for malicious content before being passed to the client.
Visitor Mode
When the client needs to connect through a gateway that limits connections to port 80 or 443, encrypted (IPSec) traffic between the client and the gateway is tunneled inside a regular TCP connection.
VPN components. The client's intelligent auto-detect and disconnect features make it ideal for remote unmanned devices that need multiple High Availability options, such as embedded Windows ATMs. For such scenarios, Endpoint Connect offers a native Command Line Interface and OPSEC API for configuration and monitoring, as well as the ability to be installed and run as a service.
Administration
Unified Central Management
Advanced User Management
Unified updates
Regulatory Compliance with Advanced Monitoring, Logging and Reporting
DLL version numbers collected in a special file for troubleshooting purposes.
2. Select Endpoint Connect.
3. In the VPN Client Traffic section, select which services and interfaces handle client traffic.
4. In the Advanced section, click Edit.... The Advanced window opens.
In this window, advanced settings for all VPN clients are configured, for example the Office Mode settings. Enable Office Mode when the remote client may be working with an IP address that clashes with an IP address on the network behind the Connectra gateway. When working with Office Mode, Endpoint Connect takes an Office IP address from the same reserved pool of IP addresses as SecureClient Mobile or SSL Network Extender. For an explanation of all options, click Help.
5. Select Public IP address that VPN Clients Connect to if the IP address of the Connectra gateway is hidden behind a NAT address or resolved using DNS.
6. On the Connectra tab > Additional Settings > VPN Clients page > Advanced Settings for Endpoint Connect Client page, click Edit.... The Endpoint Connect Advanced Settings window opens:
The window is divided into four sections:
Authentication Settings
Connectivity Settings
Security Settings
Configuration and Version Settings
Authentication Settings
Use the settings in this section to configure password caching, and how often the user needs to re-authenticate. If you do not open this window and configure options, then the client's default value takes effect:
Table 18-1 Default Authentication values
Option                     SmartDashboard default value   Endpoint Connect default value
Enable password caching    No                             No
Cache password for         1440 (minutes)                 1440
Reauthenticate user every  480 (minutes)                  480
Connectivity Settings
Use the settings in this section to determine connect and disconnect options. Connect mode covers whether the user should manually connect each time, whether the user is always connected, or whether the decision can be made on the client side. If the decision is left to the client, the user can select the Enable Always Connect option on the Settings tab of the site properties window. If you do not open this window, then default values apply:
Table 18-2 Default Connectivity values
Option                                      SmartDashboard default value   Endpoint Connect default value
Connect mode                                Client decide                  Yes
Location Aware Connectivity                 Client decide                  Yes
Disconnect when no connectivity to network  Client decide                  No
Disconnect when device is idle              Client decide                  No
2. Select the criteria by which the client determines whether it is within the internal network:
Client can access its defined domain controller
Client connection arrives from within the following network
If necessary, click Manage to define a new Simple Group, Group With Exclusion, or Network.
3. Click Advanced....
Use these options to identify external networks. For example, create a list of wireless networks or DNS suffixes that are known to be external. Or cache (on the client side) names of networks that were previously determined to be external. Selecting one or more of these options enhances the performance of location awareness.
Security Settings
Use the settings in this section to determine whether or not traffic to and from Endpoint Connect is routed through the Connectra gateway, and therefore subject to content inspection. If the system administrator decides to Route all traffic through gateway, all outbound traffic on the client is encrypted and sent to the Connectra gateway but only traffic directed at site resources is passed through; all other traffic is dropped. If this option is not selected, only traffic directed at site resources is encrypted and sent to the gateway. All other outbound client traffic passes in the clear.
For the Connectra gateway to act as a hub for content inspection of all inbound and outbound client traffic, regardless of destination, the administrator needs to define a network application that includes the range 0.0.0.1 - 255.255.255.254. If you do not open this window, then default values apply:
Table 18-3 Default Security Settings
Option                             SmartDashboard default value   Endpoint Connect default value
Route all traffic through gateway  No                             No
Note - All of the above settings for Endpoint Connect are also available through Global Properties > Remote Access > Endpoint Connect.
For remote users to successfully use RSA SoftID:
1. Create a remote users group on the ACE/Server.
2. Distribute the SDTID token file (or several tokens) to the remote users out of band.
3. Instruct remote users on how to import the tokens.
If an email address is not defined in trac.client_1.ttm, clicking Collect Logs in the Options > Advanced window collects all the client logs into a single CAB file, which the user can save and then send to the network administrator as an attachment.
However, in a deployment consisting of multiple Connectra gateways, for example in a cluster (load sharing) or primary-backup (high availability) configuration, it is important that the client performs DNS resolution each time it connects to the site. Based on geographical proximity or the load-sharing requirements of the gateway, the DNS server might return to the client a different IP address each time: the IP address of the nearest available gateway. This IP address may not be the same as the IP address cached during the first connect operation. Resolving DNS names each time:
Enables DNS to be used for High Availability (the IP address of the backup gateway is returned when the primary fails to respond)
Adds to the client a functionality similar to MEP (Multiple Entry Points)
Note - This is not a regular cluster environment, as the two or more Connectra gateways are not synchronized.
NAT Traversal
When a remote user initiates a VPN (IPSec encrypted) session with the Connectra gateway, during the initial negotiation both gateway and remote client attempt to detect whether the traffic between them passed through a NAT device. For a number of reasons NAT is incompatible with IPSec:
IPSec assures the authenticity of the sender and the integrity of the data by checking that the data payload has not been changed in transit. A NAT device alters the IP address of the remote client. The Internet Key Exchange (IKE) protocol used by IPSec embeds the client's IP address in its payload, and this embedded address, when it reaches the Connectra gateway, fails to match the source address of the packet, which is now that of the NAT device. When the addresses don't match, the Connectra gateway drops the packet.
TCP and UDP checksums are sometimes used to verify the packet's integrity. The checksum covers the IP addresses of the remote client and gateway, and the port numbers used for the communication. IPSec encrypts the headers with the Encapsulating Security Payload (ESP) protocol. Since the header is encrypted, the NAT device cannot alter it. This results in an invalid checksum. The Connectra gateway again rejects the packet.
The Endpoint Connect client resolves these and other NAT-related issues by using NAT Traversal (NAT-T) as a way of passing IPSec packets through the NAT device. On the Connectra gateway, the default ports are:
Internet Key Exchange (IKE) - User Datagram Protocol (UDP) on port 500. Note - only IKEv1 is supported.
IPsec NAT-T - UDP on port 4500.
Encapsulating Security Payload (ESP) - IP protocol 50.
If a NAT device is detected during the initial negotiation, communication between gateway and client switches to UDP port 4500. Port 4500 is used for the entire VPN session.
Note - NAT-T packets (or the packets of any other protocol) need to return to the client through the same interface they came in on. While the recommended deployment is to place the Connectra gateway in a public DMZ with a single interface for all traffic, it is also possible to deploy Connectra with inbound and outbound interfaces, the default route being the outbound route towards the Internet. Endpoint Connect only connects to the Connectra gateway's default outbound interface.
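Once the session has floated to UDP 4500, everything on that port is IKE, ESP, or a NAT keepalive, and telling them apart is what a firewall log or a packet capture filter needs to do. The following C program is an added example, not Check Point code, and does not use any Check Point API: it classifies a UDP/4500 payload using the RFC 3948 framing (a one-byte 0xFF keepalive; a four-byte zero Non-ESP marker followed by an IKE header; otherwise ESP with a non-zero SPI), rejecting truncated or inconsistent IKE headers. The sample payloads are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* UDP/4500 framing per RFC 3948 (UDP encapsulation of IPsec) and RFC 4303 (ESP):
 * 0xFF alone is a NAT keepalive, four zero bytes (Non-ESP marker) precede an IKE
 * header, and anything else starts with a non-zero ESP SPI (SPI 0 is reserved). */
typedef enum { NATT_INVALID, NATT_KEEPALIVE, NATT_IKE, NATT_ESP } natt_kind;

typedef struct {
    natt_kind kind;
    uint32_t  spi;          /* ESP only */
    uint32_t  seq;          /* ESP only */
    uint64_t  ike_ispi;     /* IKE only: initiator SPI (cookie) */
    uint8_t   ike_version;  /* IKE only: major<<4 | minor, 0x10 for IKEv1 */
    uint8_t   ike_exchange; /* IKE only: IKEv1 2 = Identity Protection (Main Mode), 32 = Quick Mode */
} natt_info;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* IKE header: ISPI 8, RSPI 8, next payload 1, version 1, exchange 1, flags 1, msg id 4, length 4 */
#define IKE_HDR_LEN 28

/* Classify a UDP/4500 payload. Returns 1 and fills *out, or 0 for malformed input. */
int natt_classify(const uint8_t *payload, size_t len, natt_info *out)
{
    memset(out, 0, sizeof *out);
    if (len == 1 && payload[0] == 0xFF) {
        out->kind = NATT_KEEPALIVE;
        return 1;
    }
    if (len >= 4 && be32(payload) == 0) {
        /* Non-ESP marker: a complete IKE header with a consistent length must follow */
        const uint8_t *ike = payload + 4;
        size_t avail = len - 4;
        if (avail < IKE_HDR_LEN)
            return 0;
        uint32_t declared = be32(ike + 24);
        if (declared < IKE_HDR_LEN || declared > avail)
            return 0;
        out->kind = NATT_IKE;
        out->ike_ispi = be64(ike);
        out->ike_version = ike[17];
        out->ike_exchange = ike[18];
        return 1;
    }
    if (len >= 8) {
        /* ESP: SPI then sequence number, then the encrypted body */
        out->kind = NATT_ESP;
        out->spi = be32(payload);
        out->seq = be32(payload + 4);
        return 1;
    }
    return 0;
}

const char *natt_kind_name(natt_kind k)
{
    switch (k) {
    case NATT_KEEPALIVE: return "NAT-keepalive";
    case NATT_IKE:       return "IKE (non-ESP marker)";
    case NATT_ESP:       return "ESP-in-UDP";
    default:             return "invalid";
    }
}

/* Constructed sample payloads, not captured traffic. */
const uint8_t SAMPLE_KEEPALIVE[] = { 0xFF };
const uint8_t SAMPLE_IKE_MAIN_MODE[] = {
    0x00, 0x00, 0x00, 0x00,                          /* Non-ESP marker */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,  /* initiator SPI */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* responder SPI not yet assigned */
    0x01, 0x10, 0x02, 0x00,                          /* next payload SA, IKEv1, Identity Protection, flags */
    0x00, 0x00, 0x00, 0x00,                          /* message ID */
    0x00, 0x00, 0x00, 0x1C                           /* length = 28 (header only) */
};
const uint8_t SAMPLE_ESP[] = {
    0xC0, 0xFF, 0xEE, 0x01, 0x00, 0x00, 0x00, 0x01,  /* SPI, sequence number 1 */
    0xDE, 0xAD, 0xBE, 0xEF, 0x11, 0x22, 0x33, 0x44   /* arbitrary ciphertext bytes */
};
const uint8_t SAMPLE_TRUNCATED_IKE[] = { 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03 };

int main(void)
{
    natt_info info;
    const uint8_t *samples[] = { SAMPLE_KEEPALIVE, SAMPLE_IKE_MAIN_MODE, SAMPLE_ESP, SAMPLE_TRUNCATED_IKE };
    size_t lens[] = { sizeof SAMPLE_KEEPALIVE, sizeof SAMPLE_IKE_MAIN_MODE, sizeof SAMPLE_ESP,
                      sizeof SAMPLE_TRUNCATED_IKE };
    for (size_t i = 0; i < 4; i++) {
        int ok = natt_classify(samples[i], lens[i], &info);
        printf("%zu bytes -> %s%s\n", lens[i], natt_kind_name(info.kind), ok ? "" : " (rejected)");
    }
    return 0;
}
```

The IKE branch applies only on port 4500; on UDP 500 the IKE header starts at the first byte with no marker, so a capture filter for the pre-NAT-detection exchange must not look for the four zero bytes there.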
2. Right-click the client icon in the system tray, and select VPN Options. The VPN Options window opens showing the administration tab:
3. Using the options on the Site and Advanced tabs, configure:
Site definitions
Authentication method
Logging
Proxy server settings
Always-connect mode
VPN tunneling
4. On the Administration tab:
a. Select a folder for the new package.
b. Decide whether to override the previous configuration when upgrading.
c. Click Generate to create the .msi package in the designated folder.
5. Distribute this package to Endpoint Connect users. For a direct link to the .msi package to appear on the Native Applications page of the Connectra portal, place the .msi file in the $CVPNDIR/htdocs/SNX/ folder.
Chapter 19
This section covers the OPSEC API for embedded custom client integrations. The API contains the functions exported by the TrAPI.dll library, an API infrastructure employed to transfer messages between the client and the tracsrvwrapper service. The API exposes functions that perform synchronous actions, for example retrieving the status of a specific connection. The API also contains functions that enable the client to register to receive various notifications from the service. Because the notifications can arrive at any time, these functions are considered asynchronous. API calls block the client until the function completes: when the client calls any API function, the API infrastructure sends the corresponding message to the service and waits for the service's response. Function prototypes are defined in the TrAPITypes.h header file. To use the client API, first download the client zip file from the Check Point Support Center. The zip file contains the library file TrAPI.dll, and the header files TrAPITypes.h and TrAPI.h.
Use these functions to print the stack when a process terminates unexpectedly.
TrRegisterErrorCallback
Meaning...
Function failed because the user failed the endpoint compliance test.
Function failed because proxy authentication failed.
Function failed because proxy authentication credentials were not presented.
TrAPIInit
The first function called after loading TrAPI.dll. Call it only once, before calling any other function. If the service goes down, TrAPIInit must be called again.
TrAPIInitDebug
This function creates logs.
Prototype
TRAPI_CPAPI TrStatus TrAPIInitDebug(TrString filename, int max_size, int max_files, int TopicLevel);
Arguments
filename    in  The name of the log file.
max_size    in  Maximum size of the log in bytes.
max_files   in  Maximum number of files.
TopicLevel  in  The number of topics the logs should contain.
TrAPIDebug
This function writes a text message to the log file.
Prototype
TRAPI_CPAPI void TrAPIDebug(const char *TopicNames, int TopicLevel, int err, const char *fmt, ...);
Arguments
TopicNames  in  The names of the topics used in the logs.
TopicLevel  in  The number of topics.
err         in  Error level number, for example fatal error = 1, informative message = 5.
fmt         in  The text message to be inserted in the log file (a format string, followed by its arguments).
TrStart
Starts the service.
TrStop
Stops the service.
TrIsTracActive
Checks whether the trac service is active.
TrConnEnum
Enumerates all configured sites. Returns the connection handle for the given index, starting from zero. When there are no more sites in the list, a NULL value is returned.
Arguments
connIndex  in  The index (starting from zero) of the site whose connection handle is returned.
TrConnGetInfo
According to a given connection handle, this function retrieves information from the connection STRUCT.
Arguments
connHandle    in   The handle for the connection.
TrConnStruct  out  The connection information, as contained in the STRUCT:
    char mDisplayName[PARAM_MAX_LEN];  the name of the site, as given by the user.
    char mGwIP[PARAM_MAX_LEN];         the IP address of the site's gateway.
    char mGwHostname[PARAM_MAX_LEN];   the FQDN of the site.
    int mConnStatus;                   the status of the connection: connecting, connected, reconnecting, or terminated (when the service is down). Idle = 0.
    bool mIsActiveSite;                TRUE if this connection is the active site, meaning the last site to which the user successfully connected.
    TrAuthInformation mAuthInfo;       the authentication scheme for the given site.
    TrConn mConnHandle;                the connection handle.
TrConnConnect
Connects to the site according to the given connection handle. Also checks to see whether the user cancels the action at any point.
Arguments
connStruct  in  The connection STRUCT. Only the connection handle and the authentication information inside the STRUCT are required.
TrConnCancelConnect
Cancels the connection to the given site.
Prototype
TrConnCancelConnect(TrConn connHandle);
Arguments
connHandle  in  The handle of the site whose connection is cancelled.
TrConnCreate
Creates a new site according to the data given in connStruct, and returns a connection handle.
Arguments
connStruct  in  The data of the new site.
TrConnDelete
Deletes a site according to the given connection handle.
Arguments
connHandle  in  The handle of the site to be deleted.
TrGetInformation
This function returns a list of all Distinguished Names (DNs). The service obtains the list of DNs from the certificates in the certificate store.
Arguments
paramType    in   The kind of information requested.
pParamValue  out  The requested value (the list of DNs).
TrGetConfiguration
Retrieves information related to site variables. The function expects an argument list. The first argument must be the IP address of the gateway if referring to a specific gateway, otherwise an empty string. Each argument must be a string that holds the name of the requested configuration variable.
Arguments
pParams         in   Message that contains the attributes to retrieve, such as the default timeout.
pConfiguration  out  Returns the requested attributes.
TrSetConfiguration
This function saves the user's configuration as attribute/value pairs, for example:
Attribute              Value
IP Address             192.168.x.x
Authentication scheme
The function expects an argument list. The first argument must be the IP address of the gateway if referring to a specific gateway, otherwise an empty string. Each subsequent argument must be a string that holds the name of the attribute.
Arguments
pConfiguration  in  The attribute/value pairs to save.
TrAPIGetVersion
Returns the client version.
Arguments
version  out  Returns the major version, minor version, and build number.
TrSendNotification
Sends a notification from the client to the service. All notifications are described in TrAPITypes.h. The client can register with the service to receive only specific notifications. By default, the client receives all notifications.
Arguments
pClientNotification  in  The notification to send.
TrRegisterErrorCallback
Registers a callback that TrAPI.dll calls when communication with the service is lost.
Arguments
cb            in  The registered callback (ErrorCbFunctor).
clientOpaque  in  The client's opaque value, passed to the callback.
Notification Identifiers
TrNotificationID
Identifiers for each notification.
NotificationID                            Meaning and Format...
TR_NOTIFICATION_NETWORK_OUT               The client is located outside of the VPN domain.
TR_NOTIFICATION_NETWORK_IN                The client is located within the VPN domain.
TR_NOTIFICATION_NETWORK_NO_NETWORK        No network available.
TR_NOTIFICATION_CONNECTION_DISCONNECTED   Connection disconnected. Argument, the disconnect reason:
                                            type - eTrArgTypeStr
                                            val - a string representing the disconnect reason
                                            default_text - NULL
TR_NOTIFICATION_CONNECTION_RECONNECTING   Reconnecting. Argument, the reconnecting reason:
                                            type - eTrArgTypeStr
                                            val - a string representing the reconnecting reason
                                            default_text - NULL
TR_NOTIFICATION_TRAC_STOP                 Service is stopped.
TR_NOTIFICATION_LOG                       Log message. Argument, the log string:
                                            type - eTrArgTypeStr
                                            val - the log's string
                                            default_text - NULL
TR_NOTIFICATION_UPGRADE                   Client upgrade is required. Argument, the upgrade string:
                                            type - eTrArgTypeStr
                                            val - the upgrade's string
                                            default_text - NULL
TR_NOTIFICATION_CLIENT_UPGRADE            Upgrade notification sent by the client to the service. Argument, perform upgrade:
                                            type - eTrArgTypeInt32
                                            val - an integer representing whether the user wishes to upgrade: 1 for upgrade, 0 for no_upgrade
                                            default_text - NULL
TR_NOTIFICATION_ICS_NO_COMPLIANCE         The endpoint failed the endpoint compliance test.
TR_NOTIFICATION_AUTH_SUPPLY_CREDS         Supply authentication credentials. The number of arguments depends on the authentication scheme:
                                            1. GW:
                                               type - eTrArgTypeStr
                                               val - a string representing the gateway's name
                                               default_text - NULL
                                            2. Authentication type (TrAuthType):
                                               type - eTrArgTypeInt32
                                               val - an integer representing the authentication type
                                               default_text - NULL
                                            3. Number of parameters:
                                               type - eTrArgTypeInt32
                                               val - an integer representing the number of parameters (e.g. 2 for username+password, 1 for certificate DN, 3 for username+PIN+passcode)
                                               default_text - NULL
                                            #) Parameter number #:
                                               type - eTrArgTypeStr
                                               val - a string representing the parameter (e.g. "username" or "passcode")
                                               default_text - NULL
TR_NOTIFICATION_CLIENT_CREDENTIALS        Authentication credentials sent from the client to the service. The number of arguments depends on the authentication scheme:
                                            1. Gateway:
                                               type - eTrArgTypeStr
                                               val - a string representing the gateway's IP address
                                               default_text - NULL
                                            2. Authentication type (TrAuthType):
                                               type - eTrArgTypeInt32
                                               val - an integer representing the authentication type
                                               default_text - NULL
                                            3. Number of values:
                                               type - eTrArgTypeInt32
                                               val - an integer representing the number of values (e.g. 2 for username+password, 1 for certificate DN, 3 for username+PIN+passcode)
                                               default_text - NULL
                                            #) Value number #:
                                               type - eTrArgTypeStr
                                               val - a string representing the value (e.g. the username value, the PIN code value)
                                               default_text - NULL
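The two notifications above form one exchange: the service asks for credentials with TR_NOTIFICATION_AUTH_SUPPLY_CREDS and the client answers with TR_NOTIFICATION_CLIENT_CREDENTIALS in the same argument order. The C program below is an added example, not Check Point code: it parses a request in the layout the table gives, refuses requests whose announced parameter count does not match the arguments actually present, and builds the reply from a caller-supplied lookup so that no secret is embedded in the code. The struct types are stand-ins for TrArg and TrNotification (the real ones are in TrAPITypes.h), the numeric values of eTrArgTypeInt32/eTrArgTypeStr and the TrAuthType value are assumed, and the request, gateway address and credential table are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the TrAPI types (the real TrArg/TrNotification live in TrAPITypes.h).
 * The enumerator names are from the page; their numeric values are assumed. */
typedef enum { eTrArgTypeInt32 = 0, eTrArgTypeStr = 1 } ArgTypeMock;
typedef struct { ArgTypeMock type; int ival; const char *sval; } ArgMock;
#define MAX_ARGS 8
typedef struct { const char *id; int nargs; ArgMock args[MAX_ARGS]; } NoteMock;

/* Decoded TR_NOTIFICATION_AUTH_SUPPLY_CREDS: gateway name, TrAuthType, parameter names. */
typedef struct { const char *gw; int auth_type; int nparams; const char *params[MAX_ARGS]; } CredRequest;

/* Parse the request in the layout the table gives: str, int32, int32, then nparams strings.
 * Returns 1 on success, 0 if the notification is malformed. */
int parse_supply_creds(const NoteMock *n, CredRequest *req)
{
    if (strcmp(n->id, "TR_NOTIFICATION_AUTH_SUPPLY_CREDS") != 0 || n->nargs < 3)
        return 0;
    if (n->args[0].type != eTrArgTypeStr || n->args[1].type != eTrArgTypeInt32
        || n->args[2].type != eTrArgTypeInt32)
        return 0;
    req->gw = n->args[0].sval;
    req->auth_type = n->args[1].ival;
    req->nparams = n->args[2].ival;
    /* The announced count must match what was actually sent; never index on it blindly. */
    if (req->nparams < 0 || req->nparams > MAX_ARGS - 3 || n->nargs != 3 + req->nparams)
        return 0;
    for (int i = 0; i < req->nparams; i++) {
        if (n->args[3 + i].type != eTrArgTypeStr || n->args[3 + i].sval == NULL)
            return 0;
        req->params[i] = n->args[3 + i].sval;
    }
    return 1;
}

/* Credential source supplied by the caller, so no secret is embedded in this code. */
typedef const char *(*cred_lookup_fn)(const char *gw, const char *param, void *ctx);

/* Build the TR_NOTIFICATION_CLIENT_CREDENTIALS reply: gateway IP (str), auth type (int32),
 * number of values (int32), then one string per requested parameter, in request order.
 * Returns 1, or 0 if any value is missing: a partial credential set is never sent. */
int build_client_credentials(const CredRequest *req, const char *gw_ip,
                             cred_lookup_fn lookup, void *ctx, NoteMock *out)
{
    memset(out, 0, sizeof *out);
    out->id = "TR_NOTIFICATION_CLIENT_CREDENTIALS";
    out->args[0].type = eTrArgTypeStr;   out->args[0].sval = gw_ip;
    out->args[1].type = eTrArgTypeInt32; out->args[1].ival = req->auth_type;
    out->args[2].type = eTrArgTypeInt32; out->args[2].ival = req->nparams;
    for (int i = 0; i < req->nparams; i++) {
        const char *v = lookup(req->gw, req->params[i], ctx);
        if (v == NULL)
            return 0;
        out->args[3 + i].type = eTrArgTypeStr;
        out->args[3 + i].sval = v;
    }
    out->nargs = 3 + req->nparams;
    return 1;
}

/* Constructed demo credential table; a real client would read a protected store. */
static const struct { const char *param, *value; } DEMO_CREDS[] = {
    { "username", "alice" }, { "password", "correct-horse" } };

const char *demo_lookup(const char *gw, const char *param, void *ctx)
{
    (void)gw; (void)ctx;
    for (size_t i = 0; i < sizeof DEMO_CREDS / sizeof DEMO_CREDS[0]; i++)
        if (strcmp(DEMO_CREDS[i].param, param) == 0)
            return DEMO_CREDS[i].value;
    return NULL;
}

#define ASSUMED_AUTH_USERNAME_PASSWORD 1   /* the TrAuthType value is not given on the page */

/* Constructed request: the service asks for username + password (2 parameters). */
const NoteMock SAMPLE_SUPPLY_CREDS = { "TR_NOTIFICATION_AUTH_SUPPLY_CREDS", 5, {
    { eTrArgTypeStr, 0, "vpn.example.com" }, { eTrArgTypeInt32, ASSUMED_AUTH_USERNAME_PASSWORD, NULL },
    { eTrArgTypeInt32, 2, NULL }, { eTrArgTypeStr, 0, "username" }, { eTrArgTypeStr, 0, "password" } } };

/* Constructed malformed request: announces 3 parameters but carries only 2. */
const NoteMock SAMPLE_BAD_COUNT = { "TR_NOTIFICATION_AUTH_SUPPLY_CREDS", 5, {
    { eTrArgTypeStr, 0, "vpn.example.com" }, { eTrArgTypeInt32, ASSUMED_AUTH_USERNAME_PASSWORD, NULL },
    { eTrArgTypeInt32, 3, NULL }, { eTrArgTypeStr, 0, "username" }, { eTrArgTypeStr, 0, "password" } } };

int main(void)
{
    CredRequest req;
    NoteMock reply;
    if (parse_supply_creds(&SAMPLE_SUPPLY_CREDS, &req)
        && build_client_credentials(&req, "203.0.113.10", demo_lookup, NULL, &reply))
        printf("%s: %d args for %s\n", reply.id, reply.nargs, req.gw);
    printf("malformed request accepted: %d\n", parse_supply_creds(&SAMPLE_BAD_COUNT, &req));
    return 0;
}
```

In a real integration the reply would be handed to TrSendNotification, and the lookup callback would prompt the user or read a protected store rather than a table in memory.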
TR_NOTIFICATION_CONNECTION_PROGRESS       Progress of the connection operation. Takes six arguments:
                                            1. Flow type:
                                               type - eTrArgTypeInt32
                                               val - an integer indicating the flow type: PRIMARY_CONN_FLOW = 0, RECONNECT_FLOW = 1, DISCONNECT_FLOW = 2, DOWNLOAD_CL_SETTINGS_FLOW = 3
                                               default_text - NULL
                                            2. Step's status:
                                               val - an integer indicating the TrStatus of the step
                                               default_text - NULL
                                            3. Step's name:
                                               type - eTrArgTypeStr
                                               val - a string representing the step's name
                                               default_text - NULL
                                            4. Step's reason for error:
                                               type - eTrArgTypeStr
                                               val - a string representing the reason for the step's failure. This value is only relevant when the step fails; if the step's status is success, this value is the empty string.
                                               default_text - NULL
                                            5. Total progress:
                                               type - eTrArgTypeInt32
                                               val - an integer indicating the connect progress as a percentage
                                               default_text - NULL
                                            6. Next step's name:
                                               type - eTrArgTypeStr
                                               val - a string representing the next step's name (empty string if this is the last step)
                                               default_text - NULL
TrRegisterNotificationCallback
This function registers with the service which notifications are to be sent to the client.
Arguments
cb                 in  The registered callback.
clientOpaque       in  The client's opaque value.
eNotificationType  in  The notification type, a bitmask of:
                         TR_NOTIFICATION_NETWORK_TYPE = (1<<16)
                         TR_NOTIFICATION_CONNECTION_TYPE = (1<<17)
                         TR_NOTIFICATION_SUGGEST_CONNECT_TYPE = (1<<18)
                         TR_NOTIFICATION_TRAC_STOP_TYPE = (1<<19)
                         TR_NOTIFICATION_LOG_TYPE = (1<<20)
                         TR_NOTIFICATION_AUTH_TYPE = (1<<21)
                         TR_NOTIFICATION_DOWNLOAD_TYPE = (1<<22)
                         TR_NOTIFICATION_CLIENT_TYPE = (1<<23)
                         TR_NOTIFICATION_ICS_TYPE = (1<<24)
                         TR_NOTIFICATION_ALL = 32767 << 16
For example, to receive only network, connection and stop notifications, eNotificationType should be equal to:
TR_NOTIFICATION_NETWORK_TYPE | TR_NOTIFICATION_CONNECTION_TYPE | TR_NOTIFICATION_TRAC_STOP_TYPE
TrUnregisterNotificationCallback
Unregisters the notification callback.
TrMsgCreate
This function creates an array of parameters included in the message.
Prototype
TRAPI_CPAPI TrMsg* TrMsgCreate(int version, char *ID, char *def_msg, unsigned int arguments_num, ...);
Arguments
version        in  Version number of the message.
ID             in  ID of the message.
def_msg        in  The message text.
arguments_num  in  Number of parameters (followed by the parameters themselves).
TrMsgConstruct
This function creates a message without arguments.
Prototype
TRAPI_CPAPI TrMsg *TrMsgConstruct(int version, char *ID, char *def_msg, unsigned int arguments_num);
Arguments
version        in  Version number of the message.
ID             in  ID of the message.
def_msg        in  The message text.
arguments_num  in  Number of parameters.
TrMsgDestroy
This function destroys a given message.
Prototype
TrMsgDestroy(TrMsg *message);
Arguments
message  in  The message to destroy.
TrMsgGetVersion
This function gets the version of a given message.
Arguments
message  in   The given message.
version  out  The version of the message.
TrMsgGetID
This function gets the ID of the message.
Arguments
message  in   The given message.
ID       out  The ID of the message.
TrMsgGetDefaultMsg
This function fills def_msg with the default text of the given message, and returns the status of the operation.
Arguments
message  in   The given message.
def_msg  out  The default text of the message.
TrMsgArgIterCreate
This function creates an iterator for a given message, returns NULL for failure.
Arguments
message  in  The given message.
TrMsgArgIterDestroy
This function destroys an iterator.
Arguments
iter  in  The iterator to destroy.
TrMsgArgIterGetArgNum
This function fills the argument number, and returns the status of the operation.
Arguments
iter     in   The iterator.
arg_num  out  The number of arguments.
TrMsgArgIterGetNextArg
This function fills arg with the next TrArg in the TrMsg. If there are no more TrArgs, arg is set to NULL and the return code is TrOK. If the function fails, the appropriate TrStatus error code is returned and arg is NULL.
Arguments
iter  in   The iterator.
arg   out  The next argument, or NULL.
TrMsgSetIntArg
This function sets the argument in the given position to int argument, and overrides the current argument that exists in the given position.
Prototype
TRAPI_CPAPI TrStatus TrMsgSetIntArg(TrMsg *message, int pos, int val, char *default_txt);
Arguments
message      in  The message.
pos          in  The position of the argument within the message.
val          in  The integer value of the argument.
default_txt  in  The default text for the argument.
TrMsgSetStrArg
This function sets the argument in the given position to a string argument, overriding the argument that currently exists in that position.
Prototype
TRAPI_CPAPI TrStatus TrMsgSetStrArg(TrMsg *message, int pos, char *val, char *default_txt);
Arguments
message (in): The message
pos (in): Position of the argument within the message
val (in): Value to store in the argument
default_txt (in): The default text of the argument
TrNotificationConstruct
This function creates a new TrNotification, and returns NULL upon error.
Arguments
ID
arguments_num
TrNotificationGetID
This function fills the notification ID, and returns the status of the operation.
Arguments
notification (in): The given notification
ID (out): The ID of the notification
TrNotificationClone
This function clones a given TrNotification.
Prototype
TrNotificationClone(TrNotification
Arguments
notification
TrNotificationDestroy
This function destroys a given TrNotification.
Arguments
notification
TrNotificationArgIterCreate
This function creates a TrNotificationArgIter for a given notification, and returns NULL on failure.
Arguments
notification
TrNotificationArgIterDestroy
This function destroys a given TrNotificationArgIter.
Arguments
iter
TrNotificationArgIterGetArgNum
This function fills the argument number, and returns the status of the operation.
Arguments
iter (in): The iterator
arg_num (in): The number of arguments
TrNotificationArgIterGetNextArg
This function fills arg with the next TrArg in the TrNotification. When there are no more TrArgs, arg is filled with NULL and the return code is TrOK. When a failure occurs, the function returns the appropriate TrStatus error code, and arg is NULL.
Arguments
iter
arg
TrNotificationSetIntArg
This function sets the argument in the given position to an int argument, overriding the argument that currently exists in that position.
Prototype
TRAPI_CPAPI TrStatus TrNotificationSetIntArg(TrNotification *notification, int pos, int val, char *default_txt);
Arguments
notification (in): The given notification
pos (in): Position of the argument within the notification
val (in): Value to store in the argument
default_txt (in): The default text of the argument
TrNotificationSetStrArg
This function sets the argument in the given position to a string argument, overriding the argument that currently exists in that position.
Prototype
TRAPI_CPAPI TrStatus TrNotificationSetStrArg(TrNotification *notification, int pos, const char *val, char *default_txt);
Arguments
notification (in): The given notification
pos (in): Position of the argument within the notification
val (in): Value to store in the argument
default_txt (in): The default text of the argument
TrNotificationSetDoubleArg
This function sets the argument in the given position to a double argument, overriding the argument that currently exists in that position.
Prototype
TRAPI_CPAPI TrStatus TrNotificationSetDoubleArg(TrNotification *notification, int pos, double val, char *default_txt);
Arguments
notification (in): The given notification
pos (in): Position of the argument within the notification
val (in): Value to store in the argument
default_txt (in): The default text of the argument
TrArgGetType
This function fills the TrArg type, and returns the status of the operation.
Arguments
arg
type
TrArgGetIntVal
This function fills the int value, and returns the status of the operation. If the TrArg is not an int, an error is returned.
Arguments
arg (in): The argument
val (out): Value of the argument
TrArgGetDoubleVal
This function fills the double value, and returns the status of the operation. If the TrArg is not a double, an error is returned.
Arguments
arg
val
TrArgGetStrVal
This function fills the string value, and returns the status of the operation. If the TrArg is not a string, an error is returned.
Arguments
arg
str
TrArgGetDefText
This function fills the TrArg default text, and returns the status of the operation.
Arguments
arg
def_text
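The TrMsg/TrArg functions in this chapter share a few rules worth seeing in running code: a setter overrides the argument at a position and must refuse positions outside the message; a typed getter such as TrArgGetIntVal fills its output only when the stored type matches and otherwise returns an error; and the iterator signals the end of the arguments with a NULL arg while the status is still TrOK, so a loop has to stop on the pointer rather than on the status. The following is an added, self-contained model of those semantics, written for this page; it is not Check Point code and does not call the TRAPI library. All names (ExMsg, ExArg, ExArgIter, ex_msg_construct, ex_msg_set_int, ex_arg_get_int, ex_iter_next, ex_selftest) are hypothetical stand-ins, the bounds are arbitrary constants, and the message "LOGIN_FAILED" is a constructed sample.

```c
/* Added example (not Check Point code): a small runnable model of the
 * TrMsg/TrArg argument handling documented above. Every name here (ExMsg,
 * ExArg, ex_*) is a hypothetical stand-in for a TRAPI function; the code only
 * mirrors the documented semantics so that they can be checked offline. */
#include <stdio.h>
#include <stdlib.h>

typedef enum { EX_OK = 0, EX_ERR_NULL, EX_ERR_RANGE, EX_ERR_TYPE } ExStatus;
typedef enum { EX_ARG_UNSET = 0, EX_ARG_INT } ExArgType;
#define EX_MAX_ARGS 8
#define EX_TXT_LEN 64

typedef struct {                 /* a TrArg-like slot: tagged value + default text */
    ExArgType type;
    int i;
    char def_text[EX_TXT_LEN];
} ExArg;

typedef struct {                 /* a TrMsg-like message with a fixed number of slots */
    int version;
    char id[EX_TXT_LEN], def_msg[EX_TXT_LEN];
    unsigned int arguments_num;
    ExArg args[EX_MAX_ARGS];
} ExMsg;

typedef struct { const ExMsg *msg; unsigned int next; } ExArgIter;

/* bounded copy that always NUL-terminates (plain strncpy does not) */
static void ex_copy(char *dst, const char *src) {
    snprintf(dst, EX_TXT_LEN, "%s", src ? src : "");
}

/* like TrMsgConstruct: arguments_num empty slots, NULL on bad input or OOM */
ExMsg *ex_msg_construct(int version, const char *id, const char *def_msg,
                        unsigned int arguments_num) {
    if (!id || !def_msg || arguments_num > EX_MAX_ARGS) return NULL;
    ExMsg *m = calloc(1, sizeof *m);       /* zeroed, so every slot starts UNSET */
    if (!m) return NULL;
    m->version = version;
    m->arguments_num = arguments_num;
    ex_copy(m->id, id);
    ex_copy(m->def_msg, def_msg);
    return m;
}
void ex_msg_destroy(ExMsg *m) { free(m); }

/* like TrMsgSetIntArg: the slot at pos is overridden in place, and a position
 * outside 0..arguments_num-1 is refused rather than written */
ExStatus ex_msg_set_int(ExMsg *m, int pos, int val, const char *def) {
    if (!m || pos < 0 || (unsigned int)pos >= m->arguments_num) return EX_ERR_RANGE;
    ExArg *a = &m->args[pos];
    a->type = EX_ARG_INT; a->i = val; ex_copy(a->def_text, def);
    return EX_OK;
}

/* like TrArgGetIntVal: the value is filled only when the stored type is int;
 * otherwise an error comes back and *out is left untouched */
ExStatus ex_arg_get_int(const ExArg *a, int *out) {
    if (!a || !out) return EX_ERR_NULL;
    if (a->type != EX_ARG_INT) return EX_ERR_TYPE;
    *out = a->i;
    return EX_OK;
}

/* like TrMsgArgIterGetNextArg: past the last slot *arg becomes NULL while the
 * status stays EX_OK, so a loop must stop on the pointer, not on the status */
ExStatus ex_iter_next(ExArgIter *it, const ExArg **arg) {
    if (!it || !it->msg || !arg) return EX_ERR_NULL;
    if (it->next >= it->msg->arguments_num) { *arg = NULL; return EX_OK; }
    *arg = &it->msg->args[it->next++];
    return EX_OK;
}

/* Builds a constructed three-slot message and exercises the rules above.
 * Returns 0 when every check holds, else the number of the first failed check. */
int ex_selftest(void) {
    ExMsg *m = ex_msg_construct(1, "LOGIN_FAILED", "Login failed", 3);
    if (!m) return 1;
    int rc = 0, ival = -1, seen = 0;
    const ExArg *a;
    ExArgIter it = { m, 0 };
    if (ex_msg_set_int(m, 1, 3, "<attempts>") != EX_OK) rc = 2;
    else if (ex_msg_set_int(m, 3, 0, "<oob>") != EX_ERR_RANGE) rc = 3;  /* pos 3 is out of range */
    while (rc == 0 && ex_iter_next(&it, &a) == EX_OK && a != NULL) seen++;
    if (rc == 0 && seen != 3) rc = 4;                      /* unset slots 0 and 2 are still visited */
    if (rc == 0 && (ex_arg_get_int(&m->args[0], &ival) != EX_ERR_TYPE || ival != -1)) rc = 5;
    if (rc == 0 && (ex_arg_get_int(&m->args[1], &ival) != EX_OK || ival != 3)) rc = 6;
    ex_msg_destroy(m);
    return rc;
}

int main(void) { int rc = ex_selftest(); printf("selftest rc=%d\n", rc); return rc; }
```

The two checks that matter for callers of the real API are the ones the model makes explicit: an out-of-range position is rejected before anything is written, and a getter on an argument of the wrong type leaves the caller's variable untouched, so code that ignores the returned TrStatus would silently keep whatever value it started with.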
Index
Numerics
3DES 387, 407
A
Accessing Applications 40
accounting synchronization 273
ActiveSync 373, 374, 408
Add-on embedded applications 124
Application Request Mode 383
Applications 43, 89, 107
    accessing 40
Associating
    Citrix Applications with User Groups 76
    File Shares with User Groups 64
    Mail Services with User Groups 60
    mail services with user groups 83
    Web Applications with User Groups 58
Authentication 33
Authentication & Authorization 157, 173
Authorization 33, 175
Automatic Connect 383
B
Basic authentication 91
C
CAB file 426
CAB Package 373, 431
    Uninstall 375
cable failure 285
Certificates 394
Certified embedded applications 124
Citrix
    Configuring 71
    Services 66
    Troubleshooting 326
Client Installation 372
Client Side Security 180
Client Side Security Highlights 37
Cluster
    configuration in SmartDashboard 295
    preparing the machines 293
ClusterXL for Connectra 265
command
    expert 350
Command Line Interface 345
Compression
    concept 262
    configuration 263
Configuring
    Authentication 177
    Authentication and Authorization 177
Connectra
    what is it? 28
D
Data compression
    concept 262
    configuration 263
Digest authentication
    limitation 92
    support 91
E
Email Services 78
Embedded applications 123
    add-on 124
    certified 124
    configuring 138
Endpoint Compliance
    Internet Explorer settings 209
Endpoint Compliance Scanner 33
end-user Experience 208
Enforcement Mode 358
Error Messages 421
Expert Mode 350
F
failover
    definition 266
    when does it occur 285
File shares
    configuration of 60
File shares in Connectra 60
Firewall Policy 389
FTP 125
FTP embedded application 144
G
Gateway History 358
H
Hub Mode 409
I
Initial Setup 40
interface failure 285
Internal CA Certificates 394
IP
    change of a standalone gateway 260, 306
J
Jabber 125
Jabber embedded application 143
M
Mail services
    configuration of 80
    definition 78
MSI Package 373, 374
N
Native Applications
    associating with User Groups 129
    configuring 127
    explained 108
Network drives
    automatically mapping 135, 136
NTLM authentication
    support 91
O
Office mode 116
Outlook Web Access
    configuring 50
    features 50
    troubleshooting 311
P
Protection Level 34
    editing 46
Protection-levels
    configuring 45
PuTTY 125
    embedded application 143
R
RC4 387, 407
Re-authenticate Users 382
Remote Access Community 369
Remote Desktop 125
S
Scanning the Client Machine 213
Scripts
    running automatically 135
Secure Workspace
    Client-side security 37
    Concept 34
    Configuration 216
SecureClient Mobile and SSL Network Extender 112
SecurID 380
Security Features 36
Server Side Security Highlights 36
Session 35
Signing In 38
SSH 124
SSH embedded application 140
SSL Network Extender 32
SSL Network Extender Mode 358
Sticky Decision Function 369
Synchronization
    restrictions 273
T
Telnet 124
Telnet embedded application 139
Terminal (Putty) 125
TN3270 124
    embedded application 140
TN5250 124
    embedded application 141
Topology Update 396
Transform Template Files (TTM) 398
Troubleshooting 309
    Citrix 326
U
User Workflow 38
V
Visitor Mode 368
W
Web Applications 49
Web applications
    configuration 50
    explained 48
Web Intelligence
    automatically disabled protections 343
Webmail
    definition 78
Workflow 38
January 2009