Advanced Password Management Settings
If your organization uses Microsoft Active Directory (AD) to manage users, you can use these password settings allow continuous remote access for your users.
|
Note - Mobile Access does not support Microsoft Active Directory 2000.
|
Password Expiration Warning
Administrators can configure SmartDashboard to tell users to change their passwords before they expire. This is an efficient way to ensure that users have continuous access to resources. See sk33404.
Managing Expired Passwords
Passwords expire in these cases:
- The password exceeds the maximum number of days set in the Active Directory Group Policy.
- The User must change password at next logon option in the Active Directory configuration is enabled.
When the password expires, a message tells the user that the login failed. The administrator can configure a setting in SmartDashboard to give users the option to enter a new password after the old one expired. Users whose passwords expired then receive a message: Your password has expired. Enter a new password. They must then enter and confirm a new password to enter the Mobile Access or VPN client portal.
Configuring Password Change After Expiration
You can configure password change after expiration on gateways of version R71 or higher. Make sure that the LDAP server is configured to work with LDAP over SSL.
To enable password change after expiration:
- In SmartDashboard, select Global Properties > User Directory (LDAP).
- Under User Directory (LDAP) Properties, select Enable Password change when a user's Active Directory password expires.
- In the LDAP Account Unit Properties window, make sure the assigned Profile is Microsoft_AD.
- Make sure that the Login DN for the LDAP server, as configured in SmartDashboard, has sufficient permissions to modify the passwords of Active Directory users.
- In the LDAP Server Properties window in the Encryption tab, select Use Encryption (SSL)
- If the LDAP schema of the Active Directory is not extended with Check Point's LDAP schema, use GuiDBedit, the Check Point Database Tool to make these changes:
- Select Managed Objects > LDAP > Microsoft_AD > Common
- Find
SupportOldSchema and change its value to 1
For more about LDAP and user management, see the R77 Security Management Administration Guide.
Session Visibility and Management Utility
When the Session Visibility and Management Utility is enabled, each time a user connects remotely to an R77.30 or higher gateway, the data is recorded in an SQL database.
You can run queries on this database with the Session Visibility and Management Utility.
You can use the Utility to:
- Show session information based on constraints
- Terminate user sessions based on constraints
The main commands are described below. You can also edit the configuration XML file to create custom commands. See sk104644 for advanced configuration.
These Check Point clients are fully supported with the Session Visibility and Management Utility:
- Capsule Workspace for iOS and Android
- Mobile Access Portal with SSL Network Extender (Application and Network modes)
- Remote Access VPN as part of the Endpoint Security Suite
- Remote Access Clients: Endpoint Security VPN, Check Point Mobile for Windows, SecuRemote
These clients are supported but sessions on them cannot be terminated:
- Capsule Connect
- Capsule VPN
- Windows 8.1 Check Point VPN Plugin
Enabing the Utility
By default the Session Visibility and Management Utility is disabled.
To enable or disable the Session Visibility and Management Utility:
- For SecurePlatform only, run on the gateway:
$CVPNDIR/bin/cvpnd_settings $FWDIR/conf/sessionIS.C set "database_conf:dataDir" "/var${FWDIR}/datadir/postgres/sessions" nobackup ; chown cp_postgres /var$FWDIR/datadir/postgres/sessions/postgresql.conf
- To enable: On the gateway, run:
RAsession_util on To disable: On the gateway, run: RAsession_util off
- Run:
cpstop - Run:
cpstart - In a cluster environment, make the change on all cluster members.
Seeing the Number of Open Sessions
To see the number of sessions open at a given time:
RAsession_util show sessions_num
Disconnecting Remote Access Users
To disconnect a user:
RAsession_util terminate {all|byuser <user>|bysession_id <id>|custom <sql constraint>}
Parameter
|
Description
|
all
|
Disconnect all Remote Access users
|
byuser
|
Disconnect a user by user name
|
bysession_id
|
Disconnect the session with the given session ID
|
custom
|
Disconnect users that match an SQL constraint
|
Examples:
# RAsession_util terminate all
# RAsession_util terminate byuser james_wilson
# RAsession_util terminate bysession_id 521bd4788
# RAsession_util terminate custom "src_ip='1.1.1.1'"
Seeing User Data
To see data of connected users:
RAsession_util show users {all | byname <user_name> | where <where_clause>}
Parameter
|
Description
|
all
|
Show all users
|
byuser
|
Show data of the given user name
|
where
|
Show users by constraint
|
certs
|
Show user certificates by constraints
|
Examples:
# RAsession_util show users all
# RAsession_util show users byuser "james_wilson"
# RAsession_util show users where "client_name=’Mobile Access Portal’"
(This command shows all the users connected from the Mobile Access Portal.)
Using Constraints
To disconnect or see data of users that match a non-default definition, use constraints. First, become familiar with the Check Point scheme for Remote Access sessions. Then, use the field names or types to run a terminate or show users command on matching users.
To see valid constraint fields:
RAsession_util show scheme
Examples:
This command shows the given fields where the client is the P, and the results are ordered according to the :
RAsession_util show custom –FIELDS “session_id,user_name,client_name,browser_name,machine_name,os_name” –WHERE “client_name=’Mobile Access Portal’” –ORDERBY “creation_time”
This command shows the given fields where the client type is :
RAsession_util show custom –FIELDS “user_name,sessionid,client_ver,client_build_number,os_name,os_ver,device_type” –WHERE “client_name=’Capsule Workspace’”
|