In This Section: |
If your organization uses Microsoft Active Directory (AD) to manage users, you can use these password settings allow continuous remote access for your users.
Note - Mobile Access does not support Microsoft Active Directory 2000. |
Administrators can configure SmartDashboard to tell users to change their passwords before they expire. This is an efficient way to ensure that users have continuous access to resources. See sk33404.
Passwords expire in these cases:
When the password expires, a message tells the user that the login failed. The administrator can configure a setting in SmartDashboard to give users the option to enter a new password after the old one expired. Users whose passwords expired then receive a message: Your password has expired. Enter a new password. They must then enter and confirm a new password to enter the Mobile Access or VPN client portal.
To enable password change after expiration:
The LDAP Account Unit Properties window opens.
The LDAP Server Properties window opens
SupportOldSchema
and change its value to 1
For more about LDAP and user management, see the R80.10 Security Management Administration Guide.
When the Session Visibility and Management Utility is enabled, each time a user connects remotely to an R77.30 or higher gateway, the data is recorded in an SQL database.
You can run queries on this database with the Session Visibility and Management Utility.
You can use the Utility to:
The main commands are described below. You can also edit the configuration XML file to create custom commands. See sk104644 for advanced configuration.
These Check Point clients are fully supported with the Session Visibility and Management Utility:
These clients are supported but sessions on them cannot be terminated:
By default the Session Visibility and Management Utility is disabled.
To enable or disable the Session Visibility and Management Utility:
$CVPNDIR/bin/cvpnd_settings $FWDIR/conf/sessionIS.C set "database_conf:dataDir" "/var${FWDIR}/datadir/postgres/sessions" nobackup ; chown cp_postgres /var$FWDIR/datadir/postgres/sessions/postgresql.conf
RAsession_util on
To disable:
On the gateway, run:
RAsession_util off
cpstop
cpstart
To see the number of sessions open at a given time:
RAsession_util show sessions_num
To disconnect a user:
RAsession_util terminate {all|byuser <user>|bysession_id <id>|custom <sql constraint>}
Parameter |
Description |
---|---|
|
Disconnect all Remote Access users |
|
Disconnect a user by user name |
|
Disconnect the session with the given session ID |
|
Disconnect users that match an SQL constraint |
Examples:
# RAsession_util terminate all
# RAsession_util terminate byuser james_wilson
# RAsession_util terminate bysession_id 521bd4788
# RAsession_util terminate custom "src_ip='1.1.1.1'"
To see data of connected users:
RAsession_util show users {all | byname <user_name> | where <where_clause>}
Parameter |
Description |
---|---|
|
Show all users |
|
Show data of the given user name |
|
Show users by constraint |
|
Show user certificates by constraints |
Examples:
# RAsession_util show users all
# RAsession_util show users byuser "james_wilson"
# RAsession_util show users where "client_name=’Mobile Access Portal’"
(This command shows all the users connected from the Mobile Access Portal.)
To disconnect or see data of users that match a non-default definition, use constraints. First, become familiar with the Check Point scheme for Remote Access sessions. Then, use the field names or types to run a
or terminate
command on matching users.show users
To see valid constraint fields:
RAsession_util show scheme
Examples:
This command shows the given fields where the client is the Mobile Access Portal, and the results are ordered according to the creation time:
RAsession_util show custom –FIELDS “session_id,user_name,client_name,browser_name,machine_name,os_name” –WHERE “client_name=’Mobile Access Portal’” –ORDERBY “creation_time”
This command shows the given fields where the client type is Capsule Workspace:
RAsession_util show custom –FIELDS “user_name,sessionid,client_ver,client_build_number,os_name,os_ver,device_type” –WHERE “client_name=’Capsule Workspace’”
SCHEME
Description: Shows the table scheme of the database.
Usage: SCHEME
Parameters: None
SESSION_OP
Description: Performs an operation on a session or session based on the defined constraints.
Usage: SESSION_OP <Operation_type> <Sql_constraint [list_of_parameters]>
Parameters:
Parameter |
Description |
---|---|
Operation_type |
Type of operation to perform on sessions. Only |
Sql_constraint |
Criteria to select the sessions on which to perform the operation. For example, "username=’aa’”. It can also be a parametric sql WHERE clause that includes $ signs instead of values, for example, |
List_of_parameters |
Can be empty or list of parameters to be placed instead of the $ signs in the WHERE clause. |
Examples:
SESSION_OP terminate “username='James Wilson’”
SESSION_OP terminate “username=$1 and srcip=$2” “James Wilson,192.0.2.10”
SELECT
Description: Run a query on the sessions table.
Usage: SELECT <-FIELDS <fields>> [-WHERE <where_clause> [list_of_parameters]] [-GROUPBY <group_by_fields>] [-ORDERBY <order_by_fields>] [-LIMIT <limit_size> [-OFFSET <offset_number>]]
Parameters:
Parameter |
Description |
---|---|
FIELDS <fields> |
FIELDS flag with list of fields to select delimited by “,”. |
WHERE <where_clause> |
WHERE flag with the SQL WHERE clause. <where_clause> can also include $ signs instead of values, for example, “username=$1 and srcip=$2”. This where_clause means that the first parameter in the List_of_parameters will be placed instead of $1, and the second will be as $2 . |
List_of_parameters |
Can be empty or list of parameters to be placed instead of the $ signs in the WHERE clause. |
GROUPBY <group_by_fields> |
GROUPBY flag with list of fields to group by delimited by “,”. |
ORDERBY <order_by_fields> |
ORDERBY flag with list of fields to order the result by delimited by “,”. |
LIMIT <limit_size> |
LIMIT flag with the limit size. |
OFFSET <offset_number> |
OFFSET flag with the result offset. |
Example:
SELECT –FIELDS “login name,clientname,sessionid” –WHERE “loginname=’aa’” –ORDERBY “clientname”