The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
1. Can I install the policy server on two firewalls for redundancy?
2. What licensing issues should I take into account when installing a policy server?
3. I want my salespeople to be able to log on and browse my NT domain from the field. I also want them to be notified at the same time that their NT passwords are about to expire.
4. I have a really large network with a lot of VPN traffic to and from multiple VPN domains, and I notice frequent connection interruptions.
5. I have a number of employees who connect from the site of another company. The other company's firewall does not let IPSec traffic through. Is there any way I can let them make a VPN connection?
6. I have a single firewall, but I want to create a number of ways for users to connect in Connect mode (for example, one with IKE over TCP and Force UDP Encapsulation enabled, another with Visitor mode, and a third with Route All Traffic enabled). When I download the topology, I am only allowed to select these options on a per-site basis. How can I provide this functionality to my users?
7. I want to use Visitor mode, but SecurePlatform is using port 443. How can I turn off the Web interface on SecurePlatform so that Visitor mode can function on port 443?
Answers
1. You can configure the policy server for high availability, but it is more complicated than simply installing the policy server on two separate firewalls. Consult the Check Point NG AI documentation for details.
2. In addition to your existing FireWall-1 licenses, the policy server requires a separate license on each firewall module on which it is installed. You also need to ensure that you have sufficient user licenses for the number of remote users that will be connecting. The user licenses are installed on the Management Module.
3. See the Secure Domain Logon section in Chapter 10.
4. Check that Key exchange for subnets is enabled on the firewall workstation object under the Advanced IKE Properties tab. Check the size of the connection table. Check gateway memory usage and processor load (fw tab -t connections -s and fw ctl pstat).
5. Yes, Visitor mode (also called TCP Tunneling) was designed specifically for this purpose. It takes the IPSec traffic, wraps it in Hypertext Transfer Protocol (HTTP), then Secure Sockets Layer (SSL) encrypts the entire thing and sends it over port 443. It will even function through proxy servers. It works amazingly well, but at a cost: all of the additional overhead of HTTP and SSL on top of IPSec means that the bandwidth through the tunnel will be lower and latency may be higher. In case you are wondering, Check Point's firewall can be configured to block Visitor Mode (TCP Tunneling) connections.
6. Look at Manage Remote Access Connection Profiles in SmartDashboard. You can create multiple profiles for a single site. These connection profiles will be downloaded with the topology the next time the client updates itself. Note that once you do this, the downloaded connection profiles are the only ones the user will be able to use, and all the connection profiles will be read-only. This read-only attribute removes the ability for the end user to mess it up and eases the helpdesk burden tremendously.
7. From the command line, execute webui disable to disable the Web interface completely, or webui enable <new port to run web server on> to move it to another port. Currently, there is no way to bind the Web server to specific IP addresses on the firewall.
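The connection-table check in answer 4 is easy to script on the gateway. The following shell function is an added example (not from the book or from Check Point) that reads the summary line printed by fw tab -t connections -s and compares the peak against the table limit configured on the gateway object; it assumes the command's columns are HOST NAME ID #VALS #PEAK #SLINKS, and the sample output below is constructed, not captured.

```shell
#!/bin/sh
# Added example: evaluate "fw tab -t connections -s" output against the
# connection table limit. The limit is configured on the gateway object and
# is not part of the command output, so it is passed in as an argument.
# Assumed output columns: HOST NAME ID #VALS #PEAK #SLINKS.

# usage: conn_table_usage "<fw tab -t connections -s output>" <limit> [warn_percent]
# Prints current/peak/limit and the peak as a percentage of the limit.
# Returns 0 when the peak is below warn_percent (default 80), 1 when it is
# at or above it, and 2 when no "connections" line was found.
conn_table_usage() {
    output=$1
    limit=$2
    warn=${3:-80}
    printf '%s\n' "$output" | awk -v limit="$limit" -v warn="$warn" '
        $2 == "connections" {
            found = 1
            current = $4; peak = $5
            pct = int(peak * 100 / limit)
            printf "current=%d peak=%d limit=%d peak_pct=%d\n", current, peak, limit, pct
            exit (pct >= warn) ? 1 : 0
        }
        END {
            if (!found) { print "no connections table line found" > "/dev/stderr"; exit 2 }
        }'
}

# Constructed sample of the summary output (not a real capture).
SAMPLE_OUTPUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                 8158  3452  5721   10356'

# Demonstration: a 25,000-entry table is only 22% used at peak.
conn_table_usage "$SAMPLE_OUTPUT" 25000 80
```

On a live gateway, replace the constructed sample with `"$(fw tab -t connections -s)"` and the limit you set under the gateway's capacity optimization settings.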