Remote Access Advanced Configuration

In This Section:

Domain Controller Name Resolution

Authentication Timeout and Password Caching

Secure Domain Logon (SDL)

How to Work with non-Check Point Firewalls

Resolving Internal Names with an Internal DNS Server

Split DNS

Domain Controller Name Resolution

If clients are configured in Connect Mode and Office Mode, clients automatically resolve the NT domain name using dynamic WINS.

Otherwise, clients resolve the NT domain name using either LMHOSTS or WINS.

LMHOSTS

Enter the relevant information (see below) in the $FWDIR/conf/dnsinfo.C file on the Security Gateway, and install the policy.

    (
      :LMdata (
        :(
          :ipaddr (<IP address>)
          :name (<host name>)
          :domain (<domain name>)
        )
        :(
          :ipaddr (<IP address>)
          :name (<host name>)
          :domain (<domain name>)
        )
      )
    )

When the topology is updated, the name resolution data is transferred automatically to the dnsinfo entry of the client's userc.C file, and from there to the client's LMHOSTS file.
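As an added example (not code from the page or from Check Point), the following Python parses the ":key (value)" layout of dnsinfo.C shown above and renders each LMdata entry as an LMHOSTS line; the sample file content is constructed, the LMHOSTS line form ("<ip> <host> #PRE #DOM:<domain>") is the standard one, and the client's own conversion routine is assumed, not reproduced.

```python
import ipaddress
import re

# Constructed sample in the $FWDIR/conf/dnsinfo.C layout shown above (addresses and names are made up).
DNSINFO_C = """(
  :LMdata (
    :( :ipaddr (10.0.0.5) :name (DC1) :domain (CORP) )
    :( :ipaddr (10.0.0.6) :name (DC2) :domain (CORP) )
  )
)"""

def _group(tokens, i):
    """Parse the group opened by tokens[i] == '('; return (node, index after the closing ')').
    Named children become a dict, unnamed ':(' children a list, and a lone bare token a string."""
    i += 1
    named, items = {}, []
    while tokens[i] != ')':
        if tokens[i].startswith(':'):
            child, j = _group(tokens, i + 1)
            if tokens[i] == ':':
                items.append(child)           # anonymous list entry, written as ':('
            else:
                named[tokens[i][1:]] = child  # ':key (...)'
            i = j
        else:
            items.append(tokens[i])           # bare value such as 10.0.0.5
            i += 1
    if named:
        return named, i + 1
    return (items[0] if len(items) == 1 and isinstance(items[0], str) else items), i + 1

def parse_c(text):
    """Tokenise the .C text into ':key', '(', ')' and bare values, then parse the outer group."""
    tokens = re.findall(r':[A-Za-z_]*|\(|\)|[^\s():]+', text)
    return _group(tokens, 0)[0]

def lmhosts_lines(text):
    """Render each LMdata entry as an LMHOSTS line: <ip> <host> #PRE #DOM:<domain>.
    An entry whose ipaddr is not a valid IPv4 address raises ValueError instead of being
    written, so a malformed gateway entry cannot end up in the client's hosts file."""
    lines = []
    for entry in parse_c(text)["LMdata"]:
        ipaddress.IPv4Address(entry["ipaddr"])
        lines.append(f'{entry["ipaddr"]} {entry["name"]} #PRE #DOM:{entry["domain"]}')
    return lines

if __name__ == "__main__":
    print("\n".join(lmhosts_lines(DNSINFO_C)))
```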

Authentication Timeout and Password Caching

The Problem

Users consider multiple authentications during the course of a single session to be a nuisance. At the same time, these multiple authentications are an effective means of ensuring that the session has not been hijacked (for example, if the user steps away from the client for a period of time). The problem is finding the correct balance between convenience and security.

The Solution

The number of authentications during a session can be reduced by configuring the following:

Re-Authentication Interval

For Connect Mode, the countdown to the timeout begins from the time that the Client is connected.

To set the length of time between re-authentications:

  1. From Menu, select Global Properties.
  2. From the navigation tree, click Remote Access > Endpoint Security VPN.
  3. In Re-authenticate user every, select a number of minutes between re-authentications.
  4. Click OK.
  5. Install Policy.

Password Caching

When the timeout expires, the user will be asked to authenticate again. If password-caching is enabled, clients will supply the cached password automatically and the authentication will take place transparently to the user. In other words, the user will not be aware that re-authentication has taken place.

Password caching is possible only for multiple-use passwords. If the user's authentication scheme implements one-time passwords (for example, SecurID), then passwords cannot be cached, and the user will be asked to re-authenticate when the authentication timeout expires. For these schemes, this feature should not be enabled.

To configure password caching:

  1. From Menu, select Global Properties.
  2. From the navigation tree, click Remote Access > Endpoint Security VPN.
  3. In Enable password caching, select an option.
  4. If Password caching is enabled, in Cache password for, select the number of minutes for which the password is cached.

Secure Domain Logon (SDL)

The Problem

When a Remote Access client user logs on to a domain controller, the user has not yet entered credentials and so the connection to the domain controller is not encrypted.

The Solution

When the Secure Domain Logon (SDL) feature is enabled, then after the user enters the OS user name and password (but before the connection to the domain controller is started), the User Authentication window is displayed. When the user enters the client credentials, the connection to the domain controller takes place over an encrypted tunnel.

Cached Information

When the Remote Access client computer successfully logs on to a domain controller, the user's profile is saved in cache. This cached information will be used if subsequent logons to the domain controller fail, for whatever reason.

To configure this option in the client registry, proceed as follows:

  1. Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
  2. Create a new value named CachedLogonsCount with a valid range of 0 to 50. The value is the number of previous logons that the computer caches.

    A value of 0 disables logon caching, and any value above 50 will only cache 50 logons.

Configuring Secure Domain Logon

  1. Configure the SecuRemote client to use LMHOSTS (all platforms) or WINS (all platforms except Win 9x).
  2. For Win NT and Win 2000, configure the SDL timeout.
  3. Define the site where the domain controller resides and download/update the topology.
  4. If the client is not already a domain member, configure the machine as a domain member.
  5. For Win NT and 2000:
    • Enable Auto Local Logon (optional)
    • Enable Secure Domain Logon
  6. Reboot the computer and log on.

Using Secure Domain Logon

After you have rebooted the computer:

  1. When the Windows Logon window is displayed, enter the operating system credentials.
  2. Click OK.

    The Logon window is displayed.

  3. Enter the client credentials in the defined time (see Configuring SDL Timeout).

If you fail to log on and no cached information is used, wait one minute and try again.

If SDL is already configured on the client, the administrator can customize the client installation packages with SDL enabled by default.

Create a self-extracting client package using the VPN Configuration Utility and select Enable Secure Domain Logon. See the Remote Access Clients for Windows Administration Guide for your release:

  1. Go to the Endpoint Security home page.
  2. Go to Detailed Information per Release > Detailed Client Releases Information.
  3. In the row for your client release, go to the Additional Information column.
  4. Click Documentation.

How to Work with non-Check Point Firewalls

If a remote access client is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow VPN traffic to pass:

    Port                  Description
    UDP port 500          Always, even if using IKE over TCP
    TCP port 500          Only if using IKE over TCP
    IP protocol 50 (ESP)  Unless always using UDP encapsulation
    UDP port 2746         Only if using MEP, interface resolving or interface High Availability
    UDP port 259          Only if using MEP, interface resolving or interface High Availability

Resolving Internal Names with an Internal DNS Server

The Problem

Remote Access Clients need an internal DNS server to resolve the names of internal hosts (behind the Security Gateway) that have non-unique IP addresses.

The Solution

The best practice is to use Split DNS, described below.

Split DNS

Split DNS uses a SecuRemote DNS Server, an object that represents an internal DNS server that you can configure to resolve internal names with private IP addresses (RFC 1918). It is best to encrypt the DNS resolution of these internal names.

After you configure a SecuRemote DNS server to resolve traffic from a specified domain and install policy, it takes effect. If users try to access that domain while connected to the VPN, the request is resolved by the SecuRemote DNS server. The internal DNS server can only work when users are connected to the VPN.

You can configure multiple SecuRemote DNS servers for different domains.

Configuring Split DNS

To configure a SecuRemote DNS server for Split DNS:

  1. In SmartConsole, in the Objects tree, select New > More > Server > More > SecuRemote DNS.

    The New SecuRemote DNS window opens.

  2. In the General tab, enter a name for the server and select the host on which it runs.
  3. In the Domains tab, click Add to add the domains that will be resolved by the server.

    The Domain window opens.

  4. Enter the Domain Suffix for the domain that the SecuRemote DNS server will resolve, for example, checkpoint.com.
  5. In the Domain Match Case section, select the maximum number of labels that can be in the URL before the suffix. URLs with more labels than the maximum will not be sent to that DNS server.
    • Match only *.suffix - Only requests with 1 label are sent to the SecuRemote DNS. For example, "www.checkpoint.com" and "whatever.checkpoint.com", but not "www.internal.checkpoint.com".
    • Match up to x labels preceding the suffix - Select the maximum number of labels. For example, if you select 3, then the SecuRemote DNS Server will be used to resolve "www.checkpoint.com" and "www.internal.checkpoint.com", but not "www.internal.inside.checkpoint.com".
  6. Click OK.
  7. Click OK.
  8. Install the policy.

Enabling or Disabling Split DNS

Split DNS is automatically enabled. On Endpoint Security VPN and Check Point Mobile for Windows, you can edit a parameter in the trac_client_1.ttm configuration file to set if Split DNS is enabled, disabled, or depends on the client settings.

To change the setting for Split DNS on the gateway:

  1. On the gateway, open the $FWDIR/conf/trac_client_1.ttm file with a text editor.
  2. Add the split_dns_enabled property to the file:

    :split_dns_enabled (
      :gateway (
        :map (
          :true (true)
          :false (false)
          :client_decide (client_decide)
        )
        :default (client_decide)
      )
    )

  3. Set the value in the :default attribute:
    • true - enabled
    • false (default) - disabled
    • client_decide - Takes the value from a file on the client machine
  4. Save the file and install the policy.