
Configuring SecurID ACE/Server

These are the options to enable connectivity between Virtual Systems and a SecurID ACE/Server:

The SecurID ACE/Server sends a shared key (called a "node secret") to its peer ACE/Clients. This key is unique per client IP address, and the server sends it when that client connects to the ACE/Server for the first time.

Included Topics

Configuring Shared Authentication

Configuring Private Authentication

Configuring Shared Authentication

Configure shared authentication so that all the Virtual Systems on the VSX Gateway use the same encryption key to authenticate to the remote SecurID/ACE server. Each cluster member uses a different encryption key and node secret file.

The SecurID encryption key is stored in the sdconf.rec file. When you generate the sdconf.rec file, use the MIP (Member IP address) of a VSX Gateway interface that connects to the ACE/Server.

The first time that a Virtual System connects and attempts to authenticate to the ACE/Server, the server sends the node secret file (securid) to that Virtual System. Copy the node secret file to all the other Virtual Systems.

To generate an sdconf.rec file:

  1. From the ACE/Server, generate the sdconf.rec file with the VSX Gateway MIP.
  2. Repeat the previous step for each cluster member, using that member's VSX Gateway MIP.

    For example, in a cluster of three VSX Gateways where each member has five Virtual Systems, generate three sdconf.rec files, one for each cluster member.

To configure shared authentication:

  1. Configure shared authentication on the Virtual Systems.
    1. Open SmartDashboard.
    2. From the Network Objects tree, double-click the Virtual System.

      The Virtual Systems General Properties window opens.

    3. From the navigation tree, select Other > Legacy Authentication.
    4. Make sure that SecurID and Shared are selected.
    5. Click OK.

      Do all of the previous steps for each Virtual System.

    6. Install the policy on the Virtual Systems.
  2. From the VSX Gateway CLI, for each Virtual System create the sdopts.rec file that contains the MIP.
    1. Enter Expert mode and change the context to the Virtual System. Run

      # vsenv <vsid>

    2. Create the file, $VAR_ACE/sdopts.rec

      For VS0, create the file /var/ace/sdopts.rec

    3. From a text editor, add this parameter to the sdopts.rec file.

      CLIENT_IP=<MIP>
      <MIP> is the Member IP address of the VSX Gateway.

  3. For each Virtual System, copy the same encryption key file, sdconf.rec, to $VAR_ACE.

    For VS0, copy the file to /var/ace.

    On 61000/41000 Security Systems, copy the same encryption key file sdconf.rec to $FWDIR/conf in the context of that Virtual System.

  4. For cluster configurations, do all of the previous steps for each cluster member.
  5. For cluster configurations, on the Security Management Server that manages the VSX Gateway, make sure that Hide NAT is disabled for UDP 5500.
    1. Open the table.def file.
      • Gaia, SecurePlatform, IPSO - $FWDIR/lib/table.def
      • Windows - %FWDIR%\lib\table.def
    2. Make sure that the no_hide_services_ports parameter contains UDP 5500.

      Sample parameter with Hide NAT disabled:

      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500, 17> };

    3. Save the file.
    4. From SmartDashboard, install the policy on the VSX Gateway.

To distribute the node secret to the Virtual Systems:

  1. Authenticate to the gateway with a SecurID ACE/Server user account.

    The ACE/Server sends the node secret file to the gateway.

  2. Search each Virtual System to locate the node secret file, securid.
    • For VS0, search in /var/ace.
    • For other Virtual Systems, search in $VAR_ACE.
    • On 61000/41000 Security Systems, search in $FWDIR/conf in the context of each Virtual System.
  3. Copy the securid file to $VAR_ACE.

    For VS0, copy the file to /var/ace.

    On 61000/41000 Security Systems, copy the securid file to $FWDIR/conf in the context of each Virtual System.

  4. For cluster configurations, for each cluster member:
    • Locate a Virtual System that is active on that member and do all the previous steps.
    • If there are no active Virtual Systems on that member, fail over to that cluster member and then do all the previous steps.

Configuring Private Authentication

Configure private authentication so that the active and standby Virtual Systems use the same encryption key and node secret file to authenticate to the remote SecurID ACE/Server.

The SecurID encryption key is stored in the sdconf.rec file. When you generate the sdconf.rec file, use the VIP (Virtual IP address) of the Virtual System interface that connects to the ACE/Server.

The first time that a VSX Gateway connects to the ACE/Server, the server sends the node secret file (securid) to that VSX Gateway. Copy the node secret file to all the other VSX Gateways.

To generate an sdconf.rec file:

  1. From the ACE/Server, generate the sdconf.rec file with the Virtual System VIP.
  2. Repeat the previous step for each Virtual System on the VSX Gateway, using that Virtual System's VIP.

    For example, in a cluster of three VSX Gateways where each member has five Virtual Systems, generate five sdconf.rec files, one for each Virtual System.

To configure private authentication:

  1. Configure private authentication on the VSX Gateway and the Virtual Systems.
    1. Open SmartDashboard.
    2. From the Network Objects tree, double-click the VSX Gateway.

      The VSX Gateway General Properties window opens.

    3. From the navigation tree, select Other > Authentication.
    4. Make sure that SecurID and Private are selected.
    5. Click OK.

      Do all of the previous steps for each Virtual System.

    6. Install the policy on the Virtual Systems.
  2. From the VSX Gateway CLI, for each Virtual System create the sdopts.rec file that contains the VIP of that Virtual System.
    1. Enter Expert mode and change the context to the Virtual System. Run

      # vsenv <vsid>

    2. Create the file, $VAR_ACE/sdopts.rec

      For VS0, create the file /var/ace/sdopts.rec

      On 61000/41000 Security Systems, create the file $FWDIR/conf/sdopts.rec in the context of each Virtual System.

    3. From a text editor, add this parameter to the sdopts.rec file.

      CLIENT_IP=<VIP>
      <VIP> is the Virtual IP address of the Virtual System.

  3. For each Virtual System, copy the encryption key file, sdconf.rec, to $VAR_ACE.

    Each Virtual System on the VSX Gateway uses a different sdopts.rec file.

    For VS0, copy the file to /var/ace.

    On 61000/41000 Security Systems, copy the file to $FWDIR/conf/ in the context of each Virtual System.

  4. For cluster configurations, do all of the previous steps for each cluster member.
  5. For cluster configurations, on the Security Management Server make sure that Hide NAT is enabled.

    For Multi-Domain Server, use the Domain Management Server that manages the Virtual System.

    1. Open the table.def file.
      • Gaia, SecurePlatform, IPSO - $FWDIR/lib/table.def
      • Windows - %FWDIR%\lib\table.def
    2. Make sure that the no_hide_services_ports parameter DOES NOT contain UDP 5500.

      Sample parameter with Hide NAT enabled:

      no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };

    3. Save the file.
    4. From SmartDashboard, install the policy on the Virtual Systems.
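As an added example (not from the Check Point documentation or product), the following POSIX shell helper covers the sdopts.rec and table.def steps of both the shared and private procedures above: it resolves the /var/ace versus $VAR_ACE directory by VSID, writes CLIENT_IP into sdopts.rec, and checks whether no_hide_services_ports contains <5500, 17> as the chosen mode requires. The function names, sample table.def lines and IP addresses are constructed; it assumes it runs in Expert mode after vsenv has set $VAR_ACE for non-VS0 contexts.

```shell
# Added helper script (not Check Point's own tooling) for the sdopts.rec and
# table.def steps above. Assumes it runs in Expert mode after "vsenv <vsid>",
# so $VAR_ACE is set for Virtual Systems other than VS0; paths are passed in.

# Directory for sdopts.rec, sdconf.rec and securid: /var/ace for VS0,
# $VAR_ACE (set by vsenv) for any other VSID.
ace_dir() {
    if [ "$1" -eq 0 ]; then echo /var/ace; else echo "${VAR_ACE:?run vsenv first}"; fi
}

# Write sdopts.rec with CLIENT_IP: the member IP (MIP) for shared
# authentication, the Virtual IP (VIP) for private authentication.
write_sdopts() {
    mkdir -p "$1"
    printf 'CLIENT_IP=%s\n' "$2" > "$1/sdopts.rec"
}

# Succeed when the no_hide_services_ports line in table.def lists <5500, 17>
# (UDP 5500 exempt from Hide NAT), which shared authentication requires.
table_def_exempts_udp5500() {
    grep -E '^[[:space:]]*no_hide_services_ports' "$1" \
        | grep -Eq '<[[:space:]]*5500[[:space:]]*,[[:space:]]*17[[:space:]]*>'
}

# Check table.def against the mode: shared needs the UDP 5500 entry, private
# must not have it. Returns 0 when consistent, 1 when not, 2 on an unknown mode.
check_hide_nat_for_mode() {
    if table_def_exempts_udp5500 "$2"; then present=1; else present=0; fi
    case "$1" in
        shared)  [ "$present" -eq 1 ] ;;
        private) [ "$present" -eq 0 ] ;;
        *)       return 2 ;;
    esac
}

# Constructed sample table.def files (not from a real system) mirroring the two
# sample parameters in the procedures above, so the checks run offline.
SAMPLE_DIR="${TMPDIR:-/tmp}/ace_example.$$"
mkdir -p "$SAMPLE_DIR"
printf '%s\n' 'no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500, 17> };' \
    > "$SAMPLE_DIR/table_shared.def"
printf '%s\n' 'no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };' \
    > "$SAMPLE_DIR/table_private.def"

# Stand-alone run: an sdopts.rec for a constructed MIP, then both mode checks.
write_sdopts "$SAMPLE_DIR/vs0" 192.0.2.10
check_hide_nat_for_mode shared "$SAMPLE_DIR/table_shared.def" && echo "shared table.def OK"
check_hide_nat_for_mode private "$SAMPLE_DIR/table_private.def" && echo "private table.def OK"
```

On a real gateway, pass `$(ace_dir <vsid>)` (or `$FWDIR/conf` on 61000/41000 Security Systems) as the directory argument and the live `$FWDIR/lib/table.def` as the file to check.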

To distribute the node secret to Virtual Systems in a VSX cluster:

  1. Authenticate to the Virtual System on the gateway with a SecurID ACE/Server user account.

    The ACE/Server sends the node secret file to the gateway.

  2. Locate the cluster member of the active Virtual System.
  3. From that cluster member, copy the securid file to the same Virtual System on the other members.
    • For VS0, copy the file to /var/ace.
    • For other Virtual Systems, copy the file to $VAR_ACE.
    • On 61000/41000 Security Systems, copy the file to $FWDIR/conf/ in the context of each Virtual System.
  4. Do all of the previous steps for each Virtual System.