Check Point® VPN-1 SecuRemote/SecureClient NG with Application Intelligence (R56)
3/30/04
Supplemental Guide

In This Document

Introduction page 1
Gateway Considerations page 1
Sofaware Safe@Office considerations page 4
Configuring Office Mode page 4
Configuring the Gateway for Visitor Mode page 8

Introduction

SecuRemote/SecureClient (R56) deployment requires specific Gateway settings. These Gateway settings are outlined in this document.

IMPORTANT
Check Point recommends that customers stay up-to-date with the latest service packs and versions of security products, as they contain security enhancements and protection against new and changing attacks.

Gateway Considerations

Policy server

Every VPN Gateway defined as a site in SecureClient must also function as a policy server. Select the Policy Server check box when defining a new Check Point Gateway in SmartDashboard. Load a desktop policy on the VPN modules in addition to a security policy.

CompactView
If you wish to use CompactView, then the site’s gateway must be configured for:
Office mode
Visitor mode
UDP encapsulation
IKE over TCP

Office mode
To configure the gateway for office mode, see “Configuring Office Mode” on page 4.

Visitor mode
To configure the gateway for visitor mode, see “Configuring the Gateway for Visitor Mode” on page 8.

UDP Encapsulation
UDP encapsulation is configured per Gateway in the community. Open the Gateway’s Properties window > Remote Access. In the NAT traversal section, select Support NAT traversal mechanism (UDP encapsulation).
SecuRemote/SecureClient. 2
IKE Over TCP
IKE over TCP is enabled in Global Properties > Remote Access > VPN Basic. Select Gateways support IKE over TCP.

Port 443 usage
Port 443 on the Gateway must be available for CompactView Visitor Mode usage. If the Gateway platform is SecurePlatform or Nokia, you may need to change the Gateway configuration so that the platform’s own web interface (the SecurePlatform WebUI or Nokia Voyager) does not occupy port 443.

To configure the SecurePlatform WebUI to work with another port:
1. On SecurePlatform, enable the WebUI using the webui enable command, entering the new port.
2. In SmartDashboard, add a rule at the top of the Security Policy Rule Base that accepts https traffic to the SecurePlatform Gateway. In the properties of the https service, specify the port you entered via the webui enable command.
3. Modify the access control rule so that the Gateway allows access on the new port number.
To configure Nokia Voyager to work with another port:
1. In your browser, connect to Voyager.
2. Select Config and then select Voyager Web Access.
3. If Require encryption is selected, reconfigure the Voyager SSL port number to a port other than 443.
4. If IPSO-specific default filters are used, edit the default IPSO filter INSPECT code to allow connections on the new port number. Follow the customize default filters instructions.

Sofaware Safe@Office considerations

If SecuRemote/SecureClient is used to connect to a Safe@Office appliance, the following must be configured on the Safe@Office appliance:
1. Using SmartDashboard connected to a Check Point management server, obtain a p12 certificate.
2. Using the Safe@Office GUI, install the p12 certificate on the Safe@Office appliance:
   Open the Safe@Office GUI and log in.
   Select VPN > Certificate > Install Certificate.
   Select the .p12 file that was generated previously.

Configuring Office Mode

Before starting the Office Mode configuration, select an internal address space designated for remote users that employ Office Mode. This can be any IP address space, as long as the addresses in this space do not conflict with addresses used within the enterprise domain. It is possible to choose address spaces which are not routable on the Internet, such as 10.x.x.x.

Office Mode — IP Pool Configuration

To deploy the basic Office Mode (using IP pools):
1. Create a network object to represent the IP Pool, by selecting Manage > Network Objects > New > Network.
   In the Network Properties — General tab, set the IP pool range of addresses as follows:
   In Network Address specify the first address to be used (e.g. 10.130.56.0).
   In Net Mask enter the subnet mask according to the number of addresses you wish to use (entering 255.255.255.0, for example, designates all 254 IP addresses from 10.130.56.1 to 10.130.56.254 for SecureClient Office Mode addresses).
   Changes to the Broadcast Address section and the Network Properties — NAT tab are not necessary.
   Close the network object properties window.
2. Open the Gateway object through which the remote users will connect to the internal network and select the Remote Access > Office Mode page. Enable Office Mode for either all users or for a certain group.
   In Allocate IP from network, select the IP Pool network object you previously created.
   IP lease duration: specify the duration for which the IP is used by the SecureClient machine.
   Under Multiple Interfaces, specify whether you want routing to be done after the encapsulation of Office Mode packets, allowing traffic to be routed correctly when your gateway has multiple external interfaces.
   Select Anti-Spoofing if you wish the firewall to check that Office Mode packets are not spoofed.
   It is possible to specify which WINS and DNS servers Office Mode users should use. To specify WINS and/or DNS servers, continue to step 3. Otherwise skip to step 6.
   Note - WINS and DNS servers should be set on the SmartCenter machine only when IP pool is the selected method.
3. Create a DNS server object, by selecting Manage > Network objects > New > Node > Host, and specify the DNS machine’s name, IP address and subnet mask. Repeat this step if you have additional DNS servers.
4. Create a WINS server object, by selecting Manage > Network objects > New > Node > Host, and specify the WINS machine’s name, IP address and subnet mask. Repeat this step if you have additional WINS servers.
5. In the Check Point Gateway — Remote Access > Office Mode page, in the IP Pool section, click the “optional parameters” button.
   In the IP Pool Optional Parameters window, select the appropriate objects for the primary and backup DNS and WINS servers.
   In the Domain name field, specify the suffix of the domain where the internal names are defined. This tells the Client which suffix to add when it addresses the DNS server (e.g. example.com).
6. Install the Policy.
7. Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you reserved for Office Mode users through the VPN-1 Pro Gateway. For instance, in the example above it is required to add routes to the class C subnetwork 10.130.56.0 through the gateway’s IP address.
Office Mode via ipassignment.conf File

It is possible to override the Office Mode settings created on the SmartCenter Server by editing a plain text file called ipassignment.conf in the \FWDIR\conf directory of the Firewall module. The module uses these Office Mode settings and not those defined for the object in the SmartCenter Server.

ipassignment.conf can specify:
An IP per user/group, so that a particular user or user group always receives the same Office Mode address. This allows the administrator to assign specific addresses to users, or particular IP ranges/networks to groups, when they connect using Office Mode.
A different WINS server for a particular user or group.
A different DNS server.
Different DNS domain suffixes for each entry in the file.

Checking the Syntax

The syntax of the ipassignment file can be checked using the command ipafile_check. From a shell prompt, issue: vpn ipafile_check ipassignment.conf
The two parameters are:
warn - Display errors
detail - Show all details
For example:
Office Mode — DHCP Configuration

1. When DHCP is the selected mode, DNS and WINS parameters are downloaded from the DHCP server. If using Office Mode in DHCP mode and you wish to supply the user with DNS and/or WINS information, make sure that the DNS and/or WINS information on your DHCP server is set to the correct IP addresses.
2. On your DHCP server’s configuration, make sure that you have designated an IP address space for Office Mode users (e.g., 10.130.56.0).
3. Create a new node object representing the DHCP server by selecting Manage > Network objects > New > Node > Host, and specify the machine’s name, IP address and subnet mask.
4. Open the Gateway object through which the remote users will connect to the internal network and select the Remote Access > Office Mode page. Enable Office Mode for either all users or for a certain group.
   Check the Automatic (use DHCP) option.
   Select the DHCP object you have previously created.
   In Virtual IP address for DHCP server replies, specify an IP address from the subnetwork of the IP addresses designated for Office Mode usage (e.g. 10.130.56.254). Since Office Mode supports the DHCP Relay method for IP assignment, you can direct the DHCP server as to where to send its replies. The routing on the DHCP server and that of the internal routers must be adjusted so that packets from the DHCP server to this address are routed through the gateway.
   Under Multiple Interfaces, specify whether you want routing to be done after the encapsulation of Office Mode packets, to allow traffic to be routed correctly when your gateway has multiple external interfaces.
   If you wish to use the Anti-Spoofing feature, continue to step 5; otherwise skip to step 7.
5. Create a network object to represent the address space you’ve allocated for Office Mode on your DHCP server, by selecting Manage > Network Objects > New > Network.
   In the Network Properties — General tab, set the DHCP address range as follows:
   In Network Address specify the first address that is used (e.g. 10.130.56.0).
   In Net Mask enter the subnet mask according to the number of addresses used (entering 255.255.255.0, for example, designates that all 254 IP addresses from 10.130.56.1 to 10.130.56.254 are set aside for SecureClient Office Mode addresses on the DHCP server).
   Changes to the Broadcast Address section and the Network Properties — NAT tab are not necessary.
   Close the network object properties window.
6. Return to the Gateway object and open the Remote Access > Office Mode page. In Additional IP addresses for Anti-Spoofing, select the network object you created with the IP address range you set aside for Office Mode on the DHCP server.
7. Install the policy.
8. Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you reserved for Office Mode users through the VPN-1 Pro Gateway. For instance, in the example above it is required to add routes to the class C subnetwork 10.130.56.0 through the gateway’s IP address.
Note - Office mode is supported only in Connect Mode.
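The address-space planning that both the IP pool and the DHCP procedures above rely on (a pool that does not overlap enterprise address space, the usable range the Net Mask yields, the route internal routers need, and for DHCP a Virtual IP inside the designated space), as an added example that is not part of this guide or of Check Point's software. The pool values are the document's own; the gateway address 203.0.113.1 and the internal networks are constructed assumptions.

```python
"""Added planning check for a SecureClient Office Mode address space (example
code, not Check Point's).  It takes the Network Address and Net Mask as entered
in the Network Properties General tab, the address ranges already in use inside
the enterprise, and the gateway IP through which internal routers must route
the pool.  For the DHCP method it also checks that the Virtual IP address for
DHCP server replies lies inside the designated space."""
import ipaddress


def office_mode_pool(network_address, net_mask, internal_networks,
                     gateway_ip, virtual_ip=None):
    """Return a summary dict for the pool, or raise ValueError if the pool
    is malformed or overlaps an internal network."""
    try:
        # strict=True rejects a Network Address with host bits set,
        # e.g. 10.130.56.5 with mask 255.255.255.0.
        pool = ipaddress.ip_network(f"{network_address}/{net_mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid Office Mode pool: {exc}") from exc

    # Office Mode addresses must not collide with enterprise address space.
    conflicts = [str(net) for net in map(ipaddress.ip_network, internal_networks)
                 if pool.overlaps(net)]
    if conflicts:
        raise ValueError(f"pool {pool} overlaps internal networks: {conflicts}")

    hosts = list(pool.hosts())          # 255.255.255.0 -> 254 usable addresses
    summary = {
        "pool": str(pool),
        "usable_count": len(hosts),
        "first": str(hosts[0]),
        "last": str(hosts[-1]),
        "private": pool.is_private,     # e.g. 10.x.x.x, not routable on the Internet
        # Route every internal router needs so Office Mode traffic returns via the gateway.
        "route": f"{pool} via {gateway_ip}",
    }
    if virtual_ip is not None:
        # DHCP method: replies are relayed to a virtual IP that must sit inside the pool.
        summary["virtual_ip_in_pool"] = ipaddress.ip_address(virtual_ip) in pool
    return summary


if __name__ == "__main__":
    # Constructed sample: the document's 10.130.56.0/255.255.255.0 pool,
    # two hypothetical internal networks and a hypothetical gateway address.
    print(office_mode_pool("10.130.56.0", "255.255.255.0",
                           ["10.0.0.0/16", "192.168.1.0/24"],
                           "203.0.113.1", virtual_ip="10.130.56.254"))
```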
Configuring the Gateway for Visitor Mode

To enable Visitor Mode on the Gateway:
On the Gateway object running the Visitor Mode Server, in the Remote Access page > Visitor Mode section, select Support Visitor Mode.
If port 443 is the assigned port for the Visitor Mode server, do not change the tcp https default in the Allocated Port section.
If a customized port (other than the default port) is agreed upon, select from the drop-down menu the service that corresponds to this port. If the chosen port is not represented by a pre-defined service in SmartDashboard, create this service.
In Allocated IP Address the default is All IPs. To avoid port conflicts, select the appropriate routable valid IP for the Visitor Mode server. If the server has Dynamic Interface Resolving Configuration... enabled (on the VPN - Advanced page), it is recommended to allocate a specific address for Visitor Mode instead of All IPs.
Note - When Visitor Mode is activated on the Gateway, a Visitor Mode handshake is used to discover the interface, rather than RDP packets.

Visitor Mode and Gateway Clusters

Cluster support is limited. The High Availability and Load Sharing solutions must provide “stickiness”; that is, the Visitor Mode connection must always go through the same cluster member.
Failover from cluster member to cluster member in a High Availability scenario is not supported.