Using SecuRemote Client Software


Once the client software is installed, you can start the SecuRemote GUI by double-clicking the envelope icon in your taskbar. Before you can use SecuRemote, you must create a new site by choosing Create New Site from the Sites menu (see Figure 10.21). Enter the IP address or hostname of your SecuRemote server (the gateway through which you will be connecting) and click OK. The site's key information and topology are downloaded automatically and stored in a file named userc.C in the database directory of the SecuRemote installation on the client.

Figure 10.21: Creating a New Site

Once you have successfully created a site, you can attempt a connection to a host in your VPN domain. An authentication dialog box should pop up (see Figure 10.22); this is where you enter one of the previously defined usernames and passwords, after which you are allowed access. This is Transparent mode in action.

Figure 10.22: SecuRemote Authentication Window

If you want a login that functions more like Microsoft's Dial-Up Networking, double-click the envelope in your taskbar and select Tools | Configure Client Mode. Select Connect and click OK. You will be notified that SecuRemote must be restarted for the change to take effect. Select File | Stop VPN-1 SecuRemote to stop the client, and then select Start | Programs | Check Point VPN-1 SecuRemote | SecuRemote. Once SecuRemote has initialized and its icon appears in your taskbar, left-click it and you will see the connect dialog box shown in Figure 10.23.

Click Connect, and the rest of the login process proceeds as in Transparent mode. This mode is easier for many users to understand and is probably the most common deployment today. To get back to the window shown in Figure 10.21, right-click the envelope in the taskbar and select Configure.

Figure 10.23: SecuRemote Connection Window

After a topology change, you need to update the SecuRemote clients so that their topology is in sync with the SecuRemote server. The site can be updated manually by right-clicking the site icon and choosing Update Site. This works for a small number of clients, but if you have many remote users you can enable automatic update (in SecuRemote version 4.1 or NG) in one of three ways:

  • Prompt the client to update its topology whenever SecuRemote is started, by changing :desktop_update_at_start (false) to (true) in the :props section of the objects_5_0.C file on the management station. The client can refuse this prompt.

  • Prompt for an update of all defined site topologies whenever SecuRemote is started, by changing :update_topo_at_start (false) to (true) in the :props section of the userc.C file on the desktop.

  • Force an update of the site topology every n seconds, by adding :desktop_update_frequency (n) to the :props section of the objects_5_0.C file on the management station.

start sidebar
Configuring & Implementing
Making Changes to Objects_5_0.C Stick

Editing the objects_5_0.C file can be tricky; if it's not done correctly, your changes will be lost. Follow these recommendations when making changes to the objects_5_0.C file on your management server. Note that this file is called objects.C on the firewall module, as it was in past versions of Check Point FireWall-1. Editing the file on the firewall module has no effect, since it is overwritten by the objects_5_0.C from the management station during policy installs. See Chapter 8, Managing Policies and Logs, for a discussion of the dbedit tool, which can be used to make changes to objects defined in objects_5_0.C. dbedit should be used for all changes to this file, but if you must edit the file directly, follow these steps:

  1. Close all GUI clients.

  2. Perform cpstop on the management console.

  3. Delete or rename the files objects_5_0.C.sav and objects_5_0.C.bak.

  4. Back up the original objects_5_0.C.

  5. Make the necessary changes to the objects_5_0.C file and save them.

  6. Perform cpstart on the management console.

  7. Install the security policy to all modules.
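The following script carries out the seven steps above on the management station and, as the edit in step 5, sets the two management-side topology-update attributes described earlier in this section (desktop_update_at_start and desktop_update_frequency). It is an added example, not code from the book or from Check Point. It assumes a POSIX shell with FWDIR set and cpstop, cpstart and fwm on the PATH, that the attributes sit on their own lines in the :props section (so a missing desktop_update_frequency can be added directly after desktop_update_at_start), and that the policy package and gateway object names are passed on the command line; the usage example's package name Standard is an assumption. dbedit remains the preferred tool; this is the direct-edit fallback the sidebar describes, with the rename and backup steps done before the file is touched.

```sh
#!/bin/sh
# Added example (not from the book): apply a :props change to objects_5_0.C
# on the management station following the sidebar's seven steps.
# Usage: ./objects_edit.sh apply Standard fw-gw1 [fw-gw2 ...]
# Assumptions: POSIX sh; FWDIR set and cpstop/cpstart/fwm on PATH;
# each attribute lives on its own line inside the :props section.
set -eu

# get_cprop FILE NAME: print the value inside ":NAME (value)", or nothing.
get_cprop() {
    sed -n "s/^[[:space:]]*:$2 (\([^)]*\)).*/\1/p" "$1"
}

# set_cprop FILE NAME VALUE: rewrite ":NAME (old)" to ":NAME (VALUE)".
# If NAME is absent, the line is added right after :desktop_update_at_start,
# which the text places in the same :props section (layout assumption).
# The indentation of the neighbouring line is preserved either way.
set_cprop() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*:$name (" "$file"; then
        sed "s/^\([[:space:]]*\):$name ([^)]*)/\1:$name ($value)/" "$file" > "$tmp"
    else
        awk -v n="$name" -v v="$value" '
            { print }
            /^[ \t]*:desktop_update_at_start \(/ {
                match($0, /^[ \t]*/)
                printf "%s:%s (%s)\n", substr($0, 1, RLENGTH), n, v
            }' "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
}

if [ "${1:-}" = apply ]; then
    [ $# -ge 3 ] || { echo "usage: $0 apply <policy> <gateway>..." >&2; exit 2; }
    policy=$2; shift 2
    conf="${FWDIR:?FWDIR is not set}/conf"
    obj="$conf/objects_5_0.C"
    stamp=$(date +%Y%m%d%H%M%S)

    # Step 1 is manual: disconnect every GUI client before running this.
    cpstop                                              # step 2
    for f in "$obj.sav" "$obj.bak"; do                  # step 3: rename rather than delete
        if [ -f "$f" ]; then mv "$f" "$f.$stamp"; fi
    done
    cp -p "$obj" "$obj.$stamp"                          # step 4: copy to fall back to
    set_cprop "$obj" desktop_update_at_start true       # step 5: prompt clients at start-up
    set_cprop "$obj" desktop_update_frequency 3600      #         and force a refresh hourly
    echo "desktop_update_at_start is now $(get_cprop "$obj" desktop_update_at_start)"
    cpstart                                             # step 6
    fwm load "$policy" "$@"                             # step 7: install to each named module
fi
```

The value-editing work is kept in get_cprop and set_cprop so they can be exercised against a copy of the file before anything is stopped; the renamed .sav and .bak files and the timestamped copy from step 4 are what you restore from if the management station refuses the edited file on cpstart.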

end sidebar
 

Secure Domain Login

Secure Domain Login (SDL) enables users to encrypt traffic to a Windows NT domain controller behind a FireWall-1 firewall. Normally, SecuRemote is activated after domain login, meaning that the domain login itself is not encrypted. To enable SDL after installation, choose Enable Secure Domain Logon from the Passwords menu; this takes effect only after a reboot. Note that SDL over a dialup connection is supported only by the Windows 2000 and NT clients; the 98 and ME clients support SDL only over an Ethernet adapter configured as part of a domain.

To log in to an NT domain successfully, make sure your client has the following settings:

  • Client for Microsoft Networks has Log on to Windows NT Domain checked.

  • Either your dialup profile is configured with your internal WINS server address, or you have an LMHOSTS entry that points to your primary or backup domain controller.

start sidebar
Designing & Planning
VPN Management

Easy VPN management is directly related to network topology choices. In general, one VPN endpoint with multiple small VPN domains behind it is easier to manage than multiple distinct gateways, each with its own VPN domain. The need for backend security is best met by placing gateways as needed behind the sole VPN endpoint; each of these inner gateways must then be configured to pass encrypted traffic and key-exchange traffic through untouched. Table 10.2 lists the ports and protocols involved.

end sidebar
 
Table 10.2: VPN Ports and Protocols

Encryption scheme: IKE

Ports/protocols used:

  • IKE (UDP port 500)
  • ESP (IP protocol 50)
  • AH (IP protocol 51)
  • IKE over TCP (TCP port 500)*
  • UDP encapsulation (UDP port 2476)*
  • FW1_topo (TCP port 254)
  • tunnel_test (UDP port 18234)*

* Not always necessary




Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149