Check Point Next Generation Feature Pack 3

How to configure SecureClient, Office Mode, Certificates, and Remote Access Communities in NG FP-3.

Author: Joe Green, Security Engineer
Check Point Software Technologies, Inc.
5757 W. Century Blvd.
Los Angeles, CA 90045
jgreen@us.checkpoint.com

Check Point Software Technologies, 12/13/2002

Introduction:

The purpose of this document is to provide an understanding of how to configure Check Point NG FP3 to work with SecuRemote/SecureClient. Although this document focuses on SecureClient, some of the concepts also apply to SecuRemote.

Background:

In the past few years, an increasing number of users have switched from dial-up to broadband services. Whether they are on the road or at home, users are staying connected to the Internet for longer periods of time. Using a VPN client without firewall technology does not make sense in today's environment, and depending on users to keep their own personal firewalls up to date and configured properly is neither realistic nor secure. These policies must be managed centrally. This guide explains how that is done.

Differences:

Even though SecuRemote and SecureClient share the same installation code, the two products have very different capabilities. SecuRemote provides authentication and encryption only for the remote user. SecureClient provides all of that plus a personal firewall that can be centrally managed via SmartCenter or SmartCenter Pro. SecureClient also includes several other features, including Office Mode, Secure Configuration Verification, a Packaging Tool, etc.

Overview:

This document focuses on how to set up SecureClient to work with VPN Communities and NG FP3. The Gateway that SecureClient connects to is an NG FP3 Gateway managed by a separate physical Management Server. Note: the gateway CAN be a cluster object.
Gateway Clusters can be Policy Servers.

Lab set up:

The map below represents the test bed for this document. Note: the S-Box introduces an additional hop in the network. There can be problems when using Office Mode and SecureClient on the same subnet as the Gateway.

Components Installed:

On the VPN-1 Pro Gateway, the Policy Server code was selected as an additional component during installation. The Management Server does not need the Policy Server code in this configuration.

Licensing:

In this scenario, the following licenses are required: one SecureClient license for the total number of users that will be using the client (not concurrent). This SecureClient license is applied to the Management Station, and the Policy Server licenses are applied to the Gateways. These licenses are tied to the Management Station's IP address and pushed out through SecureUpdate. Starting in NG FP3, a SecuRemote license is included with the Policy Server license. Lastly, FP3 has a built-in 15 day trial license for all of the products.

Configuration:

(The steps below assume you have already deployed NG FP-3 in a distributed configuration like the diagram above.) This document also assumes that you have established SIC, are able to push a policy, etc. Using the Check Point SmartDashboard (formerly known as the Policy Editor), you need to configure the following things:

1. Configure your remote users and their group.
2. Configure your Office Mode network.
3. Configure your VPN-1/FireWall-1 object (Gateway).
4. Set up the Remote Access Community (RAC).
5. Configure your Rulebase for the Firewall and for the SecureClient users.
6. Test your set up.

Configuring your user and their group:

This is more of a convenience to do up front. When you configure your VPN-1 Gateway object and check the box for Policy Server, it requires you to specify your user group under the Authentication branch.
So, start by configuring the user and their group. In our example, we are using the user "jgreen" and the group "Remote-Users" (don't forget to set your user's parameters, e.g. password, encryption, etc.). To create a user and their group, start by clicking on the Users tab in the "Objects Tree". Then right click on Users and select "New User", "default". Give the user their name, authentication scheme, password, etc. We are using VPN-1 password in our example. After the user is configured, create the group by right clicking on the "Groups" branch and selecting "New Group". See figures 1.1 and 1.2.

Fig. 1.1

Fig. 1.2 (This image shows the Authentication scheme and the Policy Server user group, which will be referenced later.)

Configuring your Office Mode Network:

Now you need to configure the network address range that will be used for Office Mode IP addresses. This network object is simply an address space that the VPN-1 Gateway will issue IP addresses from. Note: do not make this network part of your encryption domain. For this document, our Office Mode network is called "Office-Mode-Network". To create it, click on the Network Objects tab in the Objects Tree and go to the "Networks" branch. Then right click and select "New Network". See figure 2.1.

Fig. 2.1

Configuring your VPN-1/FireWall-1 Object:

Launch the SmartDashboard GUI and locate your VPN-1 Gateway object. (Ours is called SPLAT.) See Figure 3.1.

Fig. 3.1

Double click on your gateway, or right click and select Edit. The screen in figure 3.2 should appear.

Fig. 3.2

Notice that the IP address on the General tab is the external IP of the gateway; this is important for Office Mode.
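Before the Office-Mode-Network object is created, it is worth checking the chosen range against the rest of the design. The Python below is an added example, not Check Point code and not part of the original document; the network names and ranges in it are constructed for illustration. It flags an Office Mode pool that overlaps the encryption domain (the note above), and adds two checks of the editor's own that the page does not state: a pool that collides with a subnet directly connected to the gateway, and a pool too small for the expected number of simultaneously connected clients.

```python
import ipaddress
from typing import Iterable, List


def check_office_mode_pool(office_mode_net: str,
                           encryption_domain: Iterable[str],
                           gateway_interfaces: Iterable[str],
                           expected_clients: int) -> List[str]:
    """Return a list of findings for the proposed Office Mode pool.

    An empty list means the pool passed every check.  The inputs are plain
    strings so the check can be run from a change ticket before the network
    object is created in SmartDashboard.
    """
    pool = ipaddress.ip_network(office_mode_net)  # raises on bad syntax or host bits set
    findings: List[str] = []

    # 1. The document's rule: the pool must not be part of the encryption domain.
    for net in map(ipaddress.ip_network, encryption_domain):
        if pool.overlaps(net):
            findings.append(f"{pool} overlaps encryption domain network {net}")

    # 2. Editor's check (not from the document): Office Mode addresses are reached by
    #    routing them to the gateway, so the pool must not collide with a subnet the
    #    gateway is directly connected to.
    for iface in map(ipaddress.ip_interface, gateway_interfaces):
        if pool.overlaps(iface.network):
            findings.append(f"{pool} collides with gateway interface subnet {iface.network}")

    # 3. Editor's check: one address per connected client, minus the network and
    #    broadcast addresses for prefixes shorter than /31.
    usable = pool.num_addresses - (2 if pool.prefixlen < 31 else 0)
    if usable < expected_clients:
        findings.append(f"{pool} has {usable} usable addresses for {expected_clients} concurrent clients")

    return findings


if __name__ == "__main__":
    # Constructed lab values: internal LAN 192.168.1.0/24 is the encryption domain,
    # the gateway has one external and one internal interface.
    good = check_office_mode_pool("10.20.30.0/24", ["192.168.1.0/24"],
                                  ["203.0.113.5/24", "192.168.1.1/24"], 100)
    bad = check_office_mode_pool("192.168.1.128/25", ["192.168.1.0/24"],
                                 ["203.0.113.5/24", "192.168.1.1/24"], 200)
    print("good pool findings:", good)
    for finding in bad:
        print("bad pool finding:", finding)
```

The second call shows the classic mistake of carving the Office Mode pool out of the internal LAN: it trips all three checks at once.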
Note too that VPN-1 Pro and SecureClient Policy Server are checked under "Check Point Products". Make sure that you go through all of the screens and completely configure your gateway. For SecureClient to work, you need to assign a user group to the Policy Server. This is done under the Authentication branch (see Figure 1.2 above). You can configure your user group directly from the Authentication screen if you wish. Note: make sure the authentication scheme you are using for your users is checked on the Authentication tab of the Gateway object.

While you have your Gateway object open, click on the Remote Access branch. The following screen should appear. See Figure 3.3.

Fig. 3.3

Click on the radio button "Allow Office Mode to all users" and select "Manual", then select your Office Mode network. Next, click on the "Optional Parameters" button and enter any DNS/WINS information you would like to push out to the client. You have to select pre-defined hosts here, so if needed, create objects that represent the physical DNS/WINS servers beforehand. See Fig. 3.4.

Note: if you want to incorporate an existing DHCP server, please refer to the "DesktopSecurity.pdf" included with the FP-3 documentation.

Fig. 3.4

Before closing your Gateway object, make sure you have defined all of the IKE parameters (if needed). The default certificate for IKE is generated automatically for you.

Configuring your Remote Access Community (RAC):

Next, you need to make your Gateway object a member of the RAC. To do this, click on the VPN Manager tab in the SmartDashboard. See figure 4.1. (You don't see the VPN Manager tab? That's because you are in "Traditional Mode". Create a new Policy via File → New and choose a "Simplified Mode" policy.)
There is a converter available to convert policies from Traditional to Simplified Mode if needed.

Fig. 4.1

Here, double click to open the RAC and set its properties. You need to add your gateway object and set the user group. See figures 4.2 and 4.3.

Fig. 4.2

Fig. 4.3

Now we need to configure our Security Rulebase and our SecureClient Rulebase (the personal firewall).

Configuring the Rulebases:

When using "Simplified Mode" policies, there is no Client Encrypt in the Action column. There is no "Encrypt" action either. The encryption properties are taken care of via the community or under Global Properties. So, here is how our remote access rule looks in NG FP-3. See figure 5.1.

Fig. 5.1

Notice that our first rule is our Remote-Users accessing the internal network via the Remote Access Community, and the action is Accept. That's all there is to the remote access rule.

Next, we need to configure the SecureClient Rulebase (the remote user's firewall policy). Here is what ours looks like. See figure 5.2.

Fig. 5.2

This is a simple Rulebase, but easy to explain. The inbound rules control traffic going inbound to the client. The outbound rules control traffic originating from the client. So, we allow our internal network to communicate with the users with encrypted traffic, and everyone else gets dropped. We also allow our remote users to communicate with the internal network with encrypted traffic, and we allow them to go anywhere else without encryption.

NOTE: when you specify specific user groups in the rules, those rules apply only while you are logged on to the Policy Server. When you specify the group "All Users", those rules still apply when you log off of the Policy Server.
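To make the logged-on versus logged-off behaviour of the desktop rulebase concrete, here is an added example that is not from the original document or from Check Point. It models the four rules of Fig. 5.2 as data and evaluates sample packets against them. The internal network range 10.0.0.0/8, the sample addresses and the packets are constructed for illustration; the model follows the semantics described above (first matching rule wins, rules scoped to a user group are active only while the user is logged on to the Policy Server, Encrypt accepts inbound traffic only if it arrived through the tunnel) and, as an assumption of the model, drops anything no rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Set

ALL_USERS = "All Users"
# Constructed for this example: the internal network behind the gateway and the
# Policy Server user group used in the document.
INTERNAL_NET = "10.0.0.0/8"
REMOTE_USERS = "Remote-Users"


@dataclass(frozen=True)
class DesktopRule:
    direction: str   # "inbound" (to the client) or "outbound" (from the client)
    peer: str        # network the other end must belong to, or "Any"
    service: str     # "Any" or a service name such as "http"
    action: str      # "encrypt", "accept" (in the clear) or "drop"
    users: str       # user group the rule applies to, or ALL_USERS


@dataclass(frozen=True)
class Packet:
    direction: str
    peer_ip: str
    service: str
    encrypted: bool = False  # True if an inbound packet arrived inside the VPN tunnel


# Model of the desktop rulebase in Fig. 5.2: internal network <-> client only
# encrypted, everything else inbound dropped, everything else outbound in clear.
DESKTOP_POLICY: Sequence[DesktopRule] = (
    DesktopRule("inbound", INTERNAL_NET, "Any", "encrypt", REMOTE_USERS),
    DesktopRule("inbound", "Any", "Any", "drop", ALL_USERS),
    DesktopRule("outbound", INTERNAL_NET, "Any", "encrypt", REMOTE_USERS),
    DesktopRule("outbound", "Any", "Any", "accept", ALL_USERS),
)


def _peer_matches(rule_peer: str, ip: str) -> bool:
    if rule_peer == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_peer)


def evaluate(rules: Sequence[DesktopRule], pkt: Packet, logged_on_groups: Set[str]) -> str:
    """Return "encrypt", "accept" or "drop" for pkt.

    First matching rule wins.  A rule scoped to a user group is skipped unless the
    user is currently logged on to the Policy Server as a member of that group;
    ALL_USERS rules are always active.  Inbound "encrypt" accepts the packet only
    if it came through the tunnel, so a clear packet spoofing an internal source
    address is dropped.  Unmatched traffic is dropped (model assumption).
    """
    for rule in rules:
        if rule.users != ALL_USERS and rule.users not in logged_on_groups:
            continue
        if rule.direction != pkt.direction:
            continue
        if not _peer_matches(rule.peer, pkt.peer_ip):
            continue
        if rule.service != "Any" and rule.service != pkt.service:
            continue
        if rule.action == "encrypt":
            if pkt.direction == "inbound":
                return "accept" if pkt.encrypted else "drop"
            return "encrypt"
        return rule.action
    return "drop"


def split_tunnel_report(rules: Sequence[DesktopRule]) -> dict:
    """How the same two outbound packets are treated logged on vs logged off."""
    to_internal = Packet("outbound", "10.1.2.3", "http")
    to_internet = Packet("outbound", "203.0.113.10", "http")
    return {
        "logged_on": (evaluate(rules, to_internal, {REMOTE_USERS}),
                      evaluate(rules, to_internet, {REMOTE_USERS})),
        "logged_off": (evaluate(rules, to_internal, set()),
                       evaluate(rules, to_internet, set())),
    }


if __name__ == "__main__":
    for state, (internal, internet) in split_tunnel_report(DESKTOP_POLICY).items():
        print(f"{state}: to internal -> {internal}, to Internet -> {internet}")
```

The logged_off row is the point of the NOTE above: once the Remote-Users rules go inactive, traffic to the internal range is no longer forced into the tunnel and falls through to the All Users rule, so any behaviour that must hold while the user is disconnected has to be written against All Users.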
This is how you can control things like Split Tunneling, etc.

Remote Access Properties:

Last, you need to configure the encryption properties for all your remote access users. This can be left at the default or you can customize it. This is done under the Policy → Global Properties → Remote Access menu in the SmartDashboard. See figures 6.1 and 6.2.

Fig. 6.1

Fig. 6.2

Before proceeding, install your Policy and save all of the changes. Now it's time to configure the client and test everything out.

Client side configuration:

For this, you need to either manually install the client or use the SecureClient Packaging Tool for an automated installation. Once you have the client installed, you need to set up your site. From within the SecureClient window, click on the Site menu → Make New and enter your site information (this is the external IP of your Gateway, not your Management Server, unless they are on the same box). After the site is set up, the following options need to be changed for Office Mode to function correctly. Open up SecureClient and click on "Configure Client Mode". See Figure 7.1.

Fig. 7.1

Select Connect Mode. See Fig. 7.2.

Fig. 7.2

You will need to restart SecureClient for this to take effect. Note: you are making this change because Office Mode is only supported in Connect Mode. After you restart SecureClient, click on the SecureClient icon in the Windows system tray. This will bring up the connect dialog box of SecureClient FP-3. See Figure 7.3.

Fig. 7.3

Before you connect, click on the "Properties" button in the screen above. This will take you to the Profile screen, and there will be an "Advanced" button in the middle. When you click on the Advanced button, you will see the screen in Figure 7.4.

Fig. 7.4

It is here that you select Support Office Mode and also configure the options for NAT traversal. Note: if you are sitting behind a NAT device, or a device that does not perform Hide NAT correctly, you will probably need to check both of these boxes. Also, in SmartDashboard, under Policy → Global Properties → Remote Access → Basic, there is a "Support IKE over TCP" option. Make sure it is checked.

Once you hit Connect in the screen above (Fig. 7.3), it will prompt you for your username and password. This is the user you initially created and the password that was set for them. Test the connection with ICMP and non-ICMP protocols (e.g. HTTP); a successful ping alone does not prove that TCP traffic is passing the desktop and gateway rulebases. In our example, I am testing with HTTP and connecting to an internal web server. See Figure 7.5.

Fig. 7.5

If you want to use certificates, proceed to the next section.

Using Certificates with SecureClient users:

This is much easier than it might sound, thanks to the Internal Certificate Authority (ICA) that is built into the Management Server. To use "2 factor" authentication and generate a certificate, do the following:

1. Open up your user in the SmartDashboard and go to the Certificates tab. Click on the "Generate and Save" button. See figure 8.1. It will now prompt you for a password and a file location to save the certificate on your local computer. Note: on the Authentication tab for the user, you can now set the scheme to "Undefined", since the certificate becomes the user's credential. Make sure to install the Policy after generating the Certificate.

Fig. 8.1

Once you have saved your file locally, you need to transfer it to the computer running SecureClient. You can copy the certificate to any directory you want and browse for it when you go to connect. (On the client computer) Since we are using Connect Mode, when we click "Connect" we are presented with the following screen.

Fig. 8.2

Take note that we have checked the box for "Use Certificate" and selected our certificate file. We then type in the password that was entered when the certificate was created. Bear in mind that this password only protects the private key inside the .p12 file on the client; the gateway authenticates the certificate itself, so the file has to be transferred and stored with the same care as any other credential.

If you don't want to have to browse for the certificate, you can import your certificate into the Microsoft CAPI (the Crypto API). You can do this by simply double clicking on the .p12 file (the cert) and following the Microsoft Certificate Import Wizard (leave the private key marked non-exportable unless you have a reason to move it again). Once that's done, you can click on the drop down box in the above screen shot and it should show the name of the cert or say "certified" (depending on how you configured it).

Miscellaneous notes and Troubleshooting:

If you are experiencing trouble, make sure to use the SecureClient Diagnostics Tool that is installed by default with SecureClient. This shows a lot of information regarding connectivity, policy, etc. Also, in SecureClient FP3, there is a built-in sniffer for examining the communication from SecureClient to the remote Gateway. It is located in the $SRDIR/bin directory and is called "srfw monitor": the actual executable is srfw.exe and the argument is monitor. This tool is extremely useful for troubleshooting. There are several other tools available from the command line, so it is worth browsing that directory. One example is the mtuadjust.exe utility, which can lower your MTU if necessary.

When all else fails, reboot all the systems to clear out any bad ARP entries, etc. Also, make sure you have basic connectivity, e.g. ping. You can always run fw unloadlocal to unload the Policy and ping the Firewall; be aware that this leaves the gateway running without a rulebase, so use it only briefly during troubleshooting and reinstall the Policy as soon as the test is done.

Please send any comments or corrections to jgreen@us.checkpoint.com.

Please contact your local reseller for additional help. Don't have a reseller? Contact your local Check Point representative.
Don't have a local Check Point representative? Find one at www.checkpoint.com or by calling a Check Point regional office in your area. Contact information for Check Point offices and Resellers is available on our web site. Thank you.