Advanced Password Management Settings

If your organization uses Microsoft Active Directory (AD) to manage users, you can use these password settings allow continuous remote access for your users.

Password Expiration Warning

Administrators can configure SmartDashboard to tell users to change their passwords before they expire. This is an efficient way to ensure that users have continuous access to resources. See sk33404.

Managing Expired Passwords

Passwords expire in these cases:

• The password exceeds the maximum number of days set in the Active Directory Group Policy.
• The User must change password at next logon option in the Active Directory configuration is enabled.

When the password expires, a message tells the user that the login failed. The administrator can configure a setting in SmartDashboard to give users the option to enter a new password after the old one expired. Users whose passwords expired then receive a message: Your password has expired. Enter a new password. They must then enter and confirm a new password to enter the Mobile Access or VPN client portal.

Configuring Password Change After Expiration

You can configure password change after expiration on gateways of version R71 or higher. Make sure that the LDAP server is configured to work with LDAP over SSL.

To enable password change after expiration:

1. In SmartDashboard, select Global Properties > User Directory (LDAP).
2. Under User Directory (LDAP) Properties, select Enable Password change when a user's Active Directory password expires.
3. In the LDAP Account Unit Properties window, make sure the assigned Profile is Microsoft_AD.
4. Make sure that the Login DN for the LDAP server, as configured in SmartDashboard, has sufficient permissions to modify the passwords of Active Directory users.
5. In the LDAP Server Properties window in the Encryption tab, select Use Encryption (SSL)
6. If the LDAP schema of the Active Directory is not extended with Check Point's LDAP schema, use GuiDBedit, the Check Point Database Tool to make these changes:
   • Select Managed Objects > LDAP > Microsoft_AD > Common
   • Find SupportOldSchema and change its value to 1

For more about LDAP and user management, see the R77 Security Management Administration Guide.

Session Visibility and Management Utility

When the Session Visibility and Management Utility is enabled, each time a user connects remotely to an R77.30 or higher gateway, the data is recorded in an SQL database.

You can run queries on this database with the Session Visibility and Management Utility.

You can use the Utility to:

• Show session information based on constraints
• Terminate user sessions based on constraints

The main commands are described below. You can also edit the configuration XML file to create custom commands. See sk104644 for advanced configuration.

These Check Point clients are fully supported with the Session Visibility and Management Utility:

• Capsule Workspace for iOS and Android
• Mobile Access Portal with SSL Network Extender (Application and Network modes)
• Remote Access VPN as part of the Endpoint Security Suite
• Remote Access Clients: Endpoint Security VPN, Check Point Mobile for Windows, SecuRemote

These clients are supported but sessions on them cannot be terminated:

• Capsule Connect
• Capsule VPN
• Windows 8.1 Check Point VPN Plugin

Enabing the Utility

By default the Session Visibility and Management Utility is disabled.

To enable or disable the Session Visibility and Management Utility:

1. For SecurePlatform only, run on the gateway:

   $CVPNDIR/bin/cvpnd_settings $FWDIR/conf/sessionIS.C set "database_conf:dataDir" "/var${FWDIR}/datadir/postgres/sessions" nobackup ; chown cp_postgres /var$FWDIR/datadir/postgres/sessions/postgresql.conf

2. To enable: On the gateway, run: RAsession_util on

   To disable: On the gateway, run: RAsession_util off

3. Run: cpstop
4. Run: cpstart
5. In a cluster environment, make the change on all cluster members.

Seeing the Number of Open Sessions

To see the number of sessions open at a given time:

RAsession_util show sessions_num

Disconnecting Remote Access Users

To disconnect a user:

RAsession_util terminate {all|byuser <user>|bysession_id <id>|custom <sql constraint>}

Examples:

# RAsession_util terminate all

# RAsession_util terminate byuser james_wilson

# RAsession_util terminate bysession_id 521bd4788

# RAsession_util terminate custom "src_ip='1.1.1.1'"

Seeing User Data

To see data of connected users:

RAsession_util show users {all | byname <user_name> | where <where_clause>}

Examples:

# RAsession_util show users all

# RAsession_util show users byuser "james_wilson"

# RAsession_util show users where "client_name=’Mobile Access Portal’" 

(This command shows all the users connected from the Mobile Access Portal.)

Using Constraints

To disconnect or see data of users that match a non-default definition, use constraints. First, become familiar with the Check Point scheme for Remote Access sessions. Then, use the field names or types to run a terminate or show users command on matching users.

To see valid constraint fields:

RAsession_util show scheme

Examples:

This command shows the given fields where the client is the Mobile Access Portal, and the results are ordered according to the creation time:

RAsession_util show custom –FIELDS “session_id,user_name,client_name,browser_name,machine_name,os_name” –WHERE “client_name=’Mobile Access Portal’” –ORDERBY “creation_time”

This command shows the given fields where the client type is Capsule Workspace:

RAsession_util show custom –FIELDS “user_name,sessionid,client_ver,client_build_number,os_name,os_ver,device_type” –WHERE “client_name=’Capsule Workspace’”