Configuring a SecuRemote VPN


In this section you will see how to configure your gateway for client encryption with SecuRemote, Check Point's client-to-site VPN tool. First, you will configure your gateway to act as a SecuRemote "Server," and then define the SecuRemote users, including their authentication methods. Finally, you will add the appropriate rules to your rule base to allow the encrypted communication.

Local Gateway Object

SecuRemote clients support both FWZ and IKE encryption schemes. From the Workstation Properties window on your local gateway (the gateway through which SecuRemote connections will pass), you need to make sure that the encryption scheme you are using is supported by checking it in the VPN tab. When using FWZ with SecuRemote, you have the option of encapsulating the packets prior to transmission—this option is available in the FWZ Properties dialog, which you saw earlier in the chapter (see Figure 16.1). This will enable SecuRemote clients to access nonroutable networks behind the SecuRemote server (gateway) once they are authenticated and a VPN tunnel is established.

Next, you must define your VPN domain, which in this case defines which networks your SecuRemote clients will have access to once they have been authenticated. Set this as usual in the Topology tab of the Workstation Properties window on your local gateway. For SecuRemote, you need to check Exportable for SecuRemote on the same tab (see Figure 16.2). This enables clients to download the networks that they will have access to after being authenticated.

Finally, you must choose which authentication methods your gateway will support; for these exercises, you will choose VPN-1 & FireWall-1 Password on the Authentication tab of the Workstation Properties window on your local gateway. If you neglect to check the appropriate authentication scheme here, your users will all get "Authentication not supported" errors when they attempt to log in.

Note that if you are using FWZ encryption, you must check off Respond to Unauthenticated Topology Requests in the Desktop Security page of the Global Properties window (see Figure 16.12).

Figure 16.12: Desktop Security Window from Policy | Global Properties

User Encryption Properties

Assume for this section that you have a preexisting set of users that you want to configure for client encryption.

Start by opening the Users window by choosing Users from the Manage menu in the Policy Editor. Select an existing user and click Edit. The User Properties window appears. Here, you have two choices. If you are using IKE, the user's authentication parameters are defined on the Encryption tab. If you are using FWZ, the user's authentication properties are defined on the Authentication tab.

FWZ

For FWZ, once you click on the Authentication tab, you can choose an authentication method from the drop-down list. Choosing VPN-1 & FireWall-1 Password will enable you to enter a password in the text box. On the user's Encryption tab, select FWZ and click Edit. This will present you with a dialog box, from which you can select encryption and data integrity methods (see Figure 16.13).

Figure 16.13: FWZ Properties

IKE

With IKE, you do all of your setup from the Encryption tab of the User Properties window. Choosing IKE and clicking Edit here brings up the IKE Properties window. On the Authentication tab, select Password, and enter the user's password. On the Encryption tab, select the encryption and data integrity methods you will use for the client VPN (see Figure 16.14).

Figure 16.14: IKE Properties

Client Encryption Rules

Your client encryption rule will look as follows (see Figure 16.15):

Figure 16.15: SecuRemote Client Encrypt Rule

  • Source AllUsers@Any

  • Destination Local_Net

  • Service Any

  • Action Client Encrypt

  • Track Log

In this case, the Source column must specify a group of users and a location; the location can be "Any" or a specific allowable source network. Destination must be the VPN domain defined for those users on the local gateway object.

Once the rule is in place, you can edit the Client Encrypt properties by double-clicking the Client Encrypt icon (see Figure 16.16). If the Source column of your rule conflicts with the allowed sources defined in the user properties, the Client Encrypt properties specify how to resolve the conflict. You can specify either that the intersection of the user's allowed sources and the rule's source determines whether access is allowed, or that the user database is ignored altogether.

Figure 16.16: Client Encrypt Properties
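To make the access decision in this section concrete, here is an added illustration (not Check Point code, and not part of the book) that models the checks described above: the gateway's enabled authentication schemes (the source of the "Authentication not supported" error), the Client Encrypt rule's user group, source location and VPN-domain destination, and the two Client Encrypt conflict-resolution modes for user-level allowed sources. The gateway name, user names, group name and all addresses are constructed for the example.

```python
"""Model of the SecuRemote Client Encrypt access decision.

Added illustration only: it is not Check Point's implementation. It models
(1) the gateway authentication-scheme check, (2) the Client Encrypt rule
match (user group, source location, VPN domain) and (3) the two Client
Encrypt conflict-resolution modes for user-defined allowed sources.
All object names and addresses are constructed.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network


@dataclass
class Gateway:
    name: str
    auth_schemes: set          # schemes checked on the Authentication tab
    encryption_schemes: set    # schemes checked on the VPN tab (FWZ, IKE)
    vpn_domain: list           # networks exported to clients (Topology tab)


@dataclass
class User:
    name: str
    groups: set
    auth_scheme: str           # e.g. "VPN-1 & FireWall-1 Password"
    encryption_scheme: str     # "FWZ" or "IKE"
    # user-level location restrictions; an empty list means "Any"
    allowed_sources: list = field(default_factory=list)


@dataclass
class ClientEncryptRule:
    user_group: str
    location: list             # rule Source location; empty list = "Any"
    destination: list          # must be the gateway's VPN domain
    # Client Encrypt property: intersect with user DB (True) or ignore it (False)
    resolve_by_intersection: bool = True


def _in_any(addr, networks):
    """True if addr falls inside any listed network; an empty list means 'Any'."""
    if not networks:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in networks)


def decide(gw, user, rule, client_ip, dest_ip):
    """Return (allowed, reason) for one SecuRemote connection attempt."""
    if user.encryption_scheme not in gw.encryption_schemes:
        return False, "encryption scheme not enabled on gateway VPN tab"
    if user.auth_scheme not in gw.auth_schemes:
        # what the client sees when the scheme is not checked on the gateway
        return False, "Authentication not supported"
    if rule.user_group not in user.groups:
        return False, "user not in rule's source group"
    if not _in_any(client_ip, rule.location):
        return False, "client source outside rule location"
    if rule.resolve_by_intersection and not _in_any(client_ip, user.allowed_sources):
        return False, "client source outside user's allowed sources"
    # the destination must lie in the exported VPN domain; an empty domain allows nothing
    d = ip_address(dest_ip)
    if not any(d in ip_network(n) for n in rule.destination):
        return False, "destination not in VPN domain"
    return True, "Client Encrypt: allowed"


# Constructed sample objects (hypothetical gateway, users and networks).
GATEWAY = Gateway(
    name="fw-gw",
    auth_schemes={"VPN-1 & FireWall-1 Password"},
    encryption_schemes={"IKE", "FWZ"},
    vpn_domain=["10.1.0.0/16"],
)
USERS = {
    # alice may only connect from 192.0.2.0/24 according to her user properties
    "alice": User("alice", {"AllUsers"}, "VPN-1 & FireWall-1 Password", "IKE",
                  allowed_sources=["192.0.2.0/24"]),
    # bob is set up for RADIUS, which the gateway does not have enabled
    "bob": User("bob", {"AllUsers"}, "RADIUS", "IKE"),
}
# Source AllUsers@Any, Destination Local_Net (the VPN domain), Action Client Encrypt
RULE = ClientEncryptRule("AllUsers", location=[], destination=GATEWAY.vpn_domain)
# Same rule with the Client Encrypt property set to ignore the user database
RULE_IGNORE_USER_DB = replace(RULE, resolve_by_intersection=False)


if __name__ == "__main__":
    for user, rule, src, dst in [
        ("alice", RULE, "192.0.2.5", "10.1.4.7"),
        ("alice", RULE, "198.51.100.9", "10.1.4.7"),
        ("alice", RULE_IGNORE_USER_DB, "198.51.100.9", "10.1.4.7"),
        ("bob", RULE, "192.0.2.5", "10.1.4.7"),
        ("alice", RULE, "192.0.2.5", "172.16.0.1"),
    ]:
        print(user, src, "->", dst, decide(GATEWAY, USERS[user], rule, src, dst))
```

The second and third scenarios show the conflict-resolution difference: with intersection enabled, alice connecting from outside her user-level allowed sources is refused even though the rule's location is "Any"; with the user database ignored, the same connection is accepted on the strength of the rule alone, which is why the more permissive mode deserves a logged rule (Track Log) so such connections remain visible.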


The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240