Installing SecureClient Software


Each remote user who will be connecting to your firewall via VPN needs to install the SecureClient software. This software is available on your Check Point NG AI CD-ROM, and the latest version is also downloadable from the Check Point Web site at www.checkpoint.com/techsupport/downloads_sr.html. It is highly recommended that you read the release notes prior to installing or upgrading the SecuRemote/SecureClient software. You will notice that there are two versions on the Web site to download: a self-extracting .exe file for end users to run, and a compressed .tgz version similar to what is provided on the NG AI CD-ROM. The .tgz version contains all of the individual files an administrator needs to create a customized installation, which is discussed later in the SecureClient Packaging Tool section.

You may notice that the software package is called SecuRemote/SecureClient. The installation is for both VPN clients, with the important distinction being that SecuRemote does not contain the desktop security components that SecureClient does. This means that with SecuRemote, the user's desktop will not be protected from external attacks, nor will it receive policy updates from your policy server. To install the SecureClient software, perform the following steps:

  1. Run the SecuRemote/SecureClient installation program. If you have a previous version of SecuRemote or SecureClient on your workstation, you will be asked if you would like to upgrade or overwrite the old version, as shown in Figure 11.13. Upgrading your previous version of SecuRemote/SecureClient preserves your configuration data, so you would be wise to take this option. Overwriting may be necessary if there is something wrong with the previous version, and you want to start with a clean installation. Also, if you want to switch from SecuRemote to SecureClient or vice versa, choose overwrite, since upgrading will only upgrade the type of client you already have installed. Whichever option you choose, click Next to continue.

    Figure 11.13: Previous Version Screen

  2. Next, you will be asked if you want to install SecureClient or SecuRemote, as shown in Figure 11.14. Unless you have a particular reason not to provide personal firewall functionality for this client, it would be best to take advantage of these additional security features by installing SecureClient. Select the checkbox for Install VPN-1 SecureClient and click Next.

    Figure 11.14: SecureClient

  3. Next, you will be asked which network adapters you would like to bind SecuRemote/SecureClient to, as shown in Figure 11.15. The most secure method of running SecuRemote/SecureClient is to bind it to all adapters. Binding to all adapters means that traffic passing through any physical interface on the desktop will be secured and encrypted. Otherwise, an unbound interface remains a possible path for unauthorized access attempts against the desktop. This option also relates to the Desktop Configuration Verification setting where you specified whether or not the policy must be installed on all interfaces. If you selected that option and you do not choose to install on all adapters here, this client will be denied access. Select Install on all network adapters and click Next.

    Figure 11.15: Network Adapters

  4. Next, the installation wizard will install the SecuRemote/SecureClient kernel into the OS. This is a fairly intensive and delicate process that may take several minutes. By placing itself at the OS level, SecuRemote/SecureClient can ensure the highest level of security, since it inspects packets before they reach applications. Note that during this phase, all of your current network connections will be briefly interrupted.

  5. You will then be prompted to restart your system, which is required prior to using SecuRemote/SecureClient.

SecureClient Packaging Tool

To reduce the amount of configuration and customization each remote user must perform to their VPN client, Check Point provides the SecureClient Packaging Tool. This tool enables you to create a customized SecureClient package that you can distribute to your remote users. The end result is an easy-to-install, self-extracting SecureClient executable file that is designed to your specifications. The SecureClient Packaging Tool is installed from your Check Point NG AI CD-ROM. The installation of the SecureClient Packaging Tool is part of the Management Clients installation covered in Chapter 2.

  1. Once installed, the SC Packaging Tool is run from the Check Point Management Clients section of the Start menu. Upon loading the tool, you will see the log-in screen shown in Figure 11.16. You log in to the SC Packaging Tool with the same credentials you used to log in to SmartDashboard. Click OK to log in.


    Figure 11.16: Packaging Tool Login

  2. The first time you log in, you will see a blank window; Figure 11.17 shows this window after a list of profiles has been created. You will want to create a new profile. To do this, go to the Profile menu and choose New. Click Next on the welcome screen.

    Figure 11.17: List of Profiles

  3. You will now see the General configuration screen, as shown in Figure 11.18. For Profile name, enter a descriptive name for this profile. Note that this name can contain up to 256 alphanumeric characters and cannot contain any spaces. In this case, you will use StandardProfile. The Comment section can include a more detailed comment about this profile. Once you have entered these, click Next.

    Figure 11.18: General Properties

  4. Next, you will be presented with your first configuration options, as shown in Figure 11.19. These options affect how the end user will interact with the application. Transparent mode watches for packets leaving the desktop directed towards the VPN domain of any of the gateways and prompts for authentication only when it sees traffic destined for one. This can be annoying when a desktop system is continually polling a printer or print server and the client insists on connecting. Connect mode is similar to dial-up networking, and therefore end users seem to understand it better: clicking the envelope icon in the taskbar presents a screen with a button named Connect. Connect mode is probably the most widely deployed now.

    The other selection on this page is whether or not to allow the user to change between modes in the SecureClient GUI. For simplicity, most organizations elect to select one mode and not enable mode transition so that helpdesk employees have a single configuration to troubleshoot.

  5. You will next see the SecureClient configuration window, as shown in Figure 11.20. The options on this screen are defined below.

    • Allow clear connections for Encrypt action when inside the encryption domain: When selected, this option allows unencrypted connections whenever both the source and destination of the connection are within the VPN domain (for example, when a laptop returns to the corporate campus and attempts to connect to an internal server). When this is the case, clear connections are allowed even if Encrypt is specified in the Desktop Security rulebase.

      Figure 11.19: Client Mode Configuration

    • Accept DHCP response without explicit inbound rule: By default, SecureClient will accept Dynamic Host Configuration Protocol (DHCP) responses regardless of whether or not they are defined in the Desktop Security rulebase. If you do not select this option, these DHCP connections will only be allowed if they are defined explicitly in the rulebase.

    • Restrict SecureClient user intervention: As described in the window, selecting this option hides the Disable Policy item from the SecureClient menus. This removes the remote user's ability to disable the policy their SecureClient receives from the policy server.

    • Policy Server: When selected, the Logon to Policy Server at SecureClient Startup option results in the remote user being prompted to log on to the defined policy server as soon as SecureClient starts up. If you choose Enable Policy Server Load Sharing at SecureClient Startup, the logon request will be sent at random to one of multiple policy servers.

    Click Next when you have configured this screen.

    Figure 11.20: SecureClient Configuration

  6. You will now see the Additional Information options, as shown in Figure 11.21. Here, you can select the options you want to enable for connectivity enhancements. IKE over TCP enables the IKE negotiation to happen over TCP port 500 instead of UDP port 500 where necessary, since some devices do not correctly handle fragmented UDP packets. Force UDP encapsulation for IPSec Connections is useful when the SecureClient is connected behind a NAT gateway, as some NAT gateways are unable to route ESP/AH packets properly for an IP Security (IPSec) VPN. Some NAT devices do not allow you to set up NAT for these protocols at all; they can only handle TCP, UDP, and Internet Control Message Protocol (ICMP). ESP and AH use IP protocols 50 and 51; these are needed along with the IKE service on UDP 500 for IPSec communication. Table 11.1 shows you which TCP, UDP, and IP protocols each encryption scheme uses. If you have a policy server behind a firewall, these are the ports that you need to open.

    Figure 11.21: Additional Information

    Table 11.1: Encryption Protocols

    Encryption Scheme    Ports/Protocols Used
    -----------------    ------------------------------------
    IKE                  IKE (UDP port 500)
                         ESP (IP protocol 50)
                         AH (IP protocol 51)
                         IKE over TCP (TCP port 500)*
                         UDP encapsulation (UDP port 2476)*
                         FW1_topo (TCP port 264)
                         FW1_pslogon_NG (TCP port 18231)
                         FW1_sds_logon (TCP port 18232)
                         FW1_scv_keep_alive (UDP port 18233)

    * Not always necessary

    Here you are also allowed to define whether or not to give the user the option to stop SecuRemote/SecureClient. Note that even if the user stops SecureClient, the desktop will still be protected, because this only stops the service; it does not remove the driver that is doing the enforcement. This screen also asks you to decide how to handle already established connections if the user chooses to erase the passwords: you can choose to allow them or to block them (the default).

    The last option on this page is Use third party authentication DLL. This is used if you want to use a mechanism outside of what Check Point has provided for authenticating users. Examples of this include biometrics and token-based authentication systems. If you are using a system that has been OPSEC-certified to use the Secure Authentication API (SAA), configure this as appropriate per the vendor's documentation.

    Click Next to continue.

  7. You will now be brought to the Topology Information screen, as shown in Figure 11.22. The options in the Topology Information screen include the following:

    • Change default topology port: Topology information is transmitted by default on port 264. For port conflicts or security reasons, you can change this to an alternative port.

    • Obscure Topology on disk: The topology information that FireWall-1 stores in the userc.C file can be stored in an obscured (non-human-readable) format; select this option if you want it stored that way. For testing and debugging purposes, it is useful to be able to see the contents of the userc.C file. In production, however, there is little need for users to be able to see it.

      Figure 11.22: Topology Information

    • Accept unsigned topology: If selected, the firewall will accept topology requests even if there is no security signing in place. This is not recommended, since it introduces a possible security hole.

    • Perform automatic topology update only in Silent mode: If enabled, this option causes SecureClient to obtain an updated topology after every key exchange. This is a very useful option.

    If you choose to utilize the Partial Topology option, the only information stored in the package about your site will be the system users will have to connect to in order to receive the topology. The advantage is that after the end user has rebooted, they are prompted to authenticate to download the latest topology information. In addition, if this package falls into the hands of someone outside the organization, the only information compromised is the address of your VPN gateway.

    Click Next when you have made your selections.

  8. This brings up the Certificates Information configuration screen, as shown in Figure 11.23. Here, you can specify a Certificate Authority IP Address and Port, which give the location and port of your Entrust Certificate Authority server. You can also specify your LDAP server IP address and Port, which you should use if you are using a Lightweight Directory Access Protocol (LDAP) server as part of your configuration. Use Entrust Entelligence specifies whether SecureClient should use this proprietary feature of Entrust. When you have made your selections, click Next.

    Figure 11.23: Certificate Information

  9. Now you will see the Silent Installation configuration screen, as shown in Figure 11.24. The options here specify how many prompts the user will see when installing the SecureClient package. The Don't prompt user during installation option means that the user will see no prompts at all, which is what Check Point calls a silent installation. Alternatively, you can select Choose prompts that will be shown to users, and turn the various prompts on or off as per your requirements. Make your choices and click Next.

    Figure 11.24: Silent Installation

  10. You will now see the Installation Options Information screen, as shown in Figure 11.25. Here, you can specify the destination installation folder to use, which adapters you want SecureClient to bind to (see above for details), and whether you want the package to install SecureClient by default, as opposed to SecuRemote. You can also choose whether you want the user's system to be restarted by default after installation. Make your selections and click Next.

    Figure 11.25: Installation Options

  11. Next, you will see the Operating System Logon Information screen, as shown in Figure 11.26. Here, you can choose Enable Secure Domain Logon (SDL) and specify a timeout for SDL. This means that remote users will be able to log on to a Windows NT domain controller. Enable Roaming user profiles means users can use the Windows NT roaming profiles feature over their SecureClient connection. Finally, Enable third party GINA DLL enables you to use an external vendor's authentication DLL (for example, Novell's Client32 logon GINA). The VPN-1 User Guide also has information on changes you can make to the product.ini file and others to streamline the installation process. Make your selections and click Next.

    Figure 11.26: Operating System Logon

  12. You will now be brought to the Finish screen, as shown in Figure 11.27. Here, you can choose NO, Create profile only to have the Packaging Tool simply create a profile based on the parameters you have specified. Or, if you choose YES, Create profile and generate package, the Packaging Tool will generate a complete SecureClient package that you can then distribute to your remote clients.

    If you choose to generate the package, you will see the SecureClient Packaging Tool wizard, which will first ask you if you want to upload the package you are creating to an Automatic Software Distribution (ASD) server. If you have one defined, check the box and click Next to continue. You will be shown a screen with a prompt for a Package Source Folder, which is the location of the SecureClient package on your system. You can either use the package directory on the NG AI CD or you can place it (unzipped) in a directory on your PC. You will also be prompted for a destination folder, which is where the final package executable file will be placed. You will be required to create a package for each platform type (Windows 2000/XP, 98/ME, and NT). It is also useful to number the packages you create (similar to build numbers) so you can tell if someone is using the latest version of the installer and configuration you have defined. Click Finish once you have made your selection.

    Figure 11.27: Finish

    Note  

    If you have a working version of userc.C and wish to have all the site information (as well as all the other options) defined as part of the package, do not select partial topology; instead, place your pre-configured userc.C into the source directory, replacing the stock userc.C, and generate the package.
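As an added example that is not from the book or from Check Point, the following script checks a firewall rule set against the services in Table 11.1 for a policy server placed behind a firewall (step 6 above). The rule-line format ("allow <proto>/<port>" or "allow ip/<protocol number>") and the sample rule set are constructed for this example; the two starred services are only demanded when the matching package option is enabled.

```python
# Added example (not the book's or Check Point's code): compare a firewall
# rule set with the SecureClient services listed in Table 11.1.
# The "allow <proto>/<number>" rule format is constructed for this example;
# adapt parse_rule() to the syntax of a real rule base.

# (service name, (transport, port or IP protocol number), package option
#  that makes the service necessary, or None when it is always needed)
TABLE_11_1 = [
    ("IKE",                ("udp", 500),   None),
    ("ESP",                ("ip", 50),     None),
    ("AH",                 ("ip", 51),     None),
    ("IKE over TCP",       ("tcp", 500),   "ike_over_tcp"),       # starred
    ("UDP encapsulation",  ("udp", 2476),  "udp_encapsulation"),  # starred
    ("FW1_topo",           ("tcp", 264),   None),
    ("FW1_pslogon_NG",     ("tcp", 18231), None),
    ("FW1_sds_logon",      ("tcp", 18232), None),
    ("FW1_scv_keep_alive", ("udp", 18233), None),
]


def parse_rule(line):
    """Turn 'allow udp/500  # comment' into ('udp', 500).
    Returns None for blank lines, comments and non-'allow' rules."""
    parts = line.split("#", 1)[0].split()
    if len(parts) != 2 or parts[0] != "allow":
        return None
    proto, number = parts[1].lower().split("/", 1)
    return (proto, int(number))


def missing_services(rules, ike_over_tcp=False, udp_encapsulation=False):
    """Return the Table 11.1 service names the rule set does not permit,
    in table order. Starred services count only when their option is on."""
    enabled = {"ike_over_tcp": ike_over_tcp,
               "udp_encapsulation": udp_encapsulation}
    allowed = {r for r in map(parse_rule, rules) if r is not None}
    return [name for name, key, option in TABLE_11_1
            if (option is None or enabled[option]) and key not in allowed]


# Constructed rule set: IKE, ESP and two Check Point services are open,
# but AH and the remaining policy-server services were forgotten.
SAMPLE_RULES = [
    "allow udp/500   # IKE",
    "allow ip/50     # ESP",
    "allow tcp/264   # FW1_topo",
    "allow tcp/18231 # FW1_pslogon_NG",
    "deny  tcp/23    # unrelated rule, ignored",
]

if __name__ == "__main__":
    for service in missing_services(SAMPLE_RULES, udp_encapsulation=True):
        print("missing from rule set:", service)
```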




Check Point NG AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
