Remote Access Advanced Configuration

Domain Controller Name Resolution

If clients are configured in Connect Mode and Office Mode, clients automatically resolve the NT domain name using dynamic WINS.

Otherwise, clients resolve the NT domain name using either LMHOSTS or WINS.

LMHOSTS

Enter the relevant information (see below) the $FWDIR/conf/dnsinfo.C file on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., and install the policy.

(
    :LMdata(
        :(
            :ipaddr (<IP address>)
            :name (<host name>)
            :domain (<domain name>)
        )
        :(
            :ipaddr (<IP address>)
            :name (<host name>)
            :domain (<domain name>)
        )
    )
)

When the topology is updated, the name resolution data will be automatically transferred to the dnsinfo entry of the userc.C file and then to its LMHOSTS file.

Authentication Timeout and Password Caching

The Problem

Users consider multiple authentications during the course of a single session to be a nuisance. At the same time, these multiple authentications are an effective means of ensuring that the session has not been hijacked (for example, if the user steps away from the endpoint computer for a period of time). The problem is finding the correct balance between convenience and security.

The Solution

Multiple authentication can be reduced by:

  • Increasing the re-authentication interval

  • Caching the user's password

Re-Authentication Interval

For Connect Mode, the countdown to the timeout begins from the time that the Remote Access client is connected.

To set the length of time between re-authentications:

  1. From Menu, select Global Properties.

  2. From the navigation tree, click Remote Access> Endpoint Security VPN.

  3. In Re-authenticate user every, select a number of minutes between re-authentications.

  4. Click OK.

  5. Install Policy.

Password Caching

When the timeout expires, the user will be asked to authenticate again. If password-caching is enabled, clients will supply the cached password automatically and the authentication will take place transparently to the user. In other words, the user will not be aware that re-authentication has taken place.

Password caching is possible only for multiple-use passwords. If the user's authentication scheme implement one-time passwords (for example, SecurID), then passwords cannot be cached, and the user will be asked to re-authenticate when the authentication time-out expires. For these schemes, this feature should not be implemented.

To configure password caching:

  1. From Menu, select Global Properties.

  2. From the navigation tree, click Remote Access> Endpoint Security VPN.

  3. In Enable password caching, select an option.

  4. If Password caching is enabled, in Cache password for, select the amount of minutes it is cached for.

Secure Domain Logon (SDL)

The Problem

When a Remote Access client user logs on to a domain controller, the user has not yet entered credentials, and so the connection to the domain controller is not encrypted.

The Solution

When the Secure Domain Logon (SDL) feature is enabled, after the user enters the OS user name and password (but before the connection to the domain controller is started), the User Authentication window appear. When the user enters the Remote Access client credentials, the connection to the domain controller takes place over an encrypted tunnel.

Configuring SDL Timeout

Because SDL depends on the synchronization of concurrent processes, flexibility in defining timeouts is important.

The SDL Timeout feature controls the period, during which a user must enter their domain controller credentials.

When the allocated time expires and no cached information is used (if applicable), the Secure Domain Logon fails.

The timeout is controlled by the global parameter sdl_netlogon_timeout:

Cached Information

When the Remote Access client computer successfully logs on to a domain controller, the user's profile is saved in cache. This cached information will be used if subsequent logons to the domain controller fail, for whatever reason.

To configure this option in the Windows Registry:

  1. Go to HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon.

  2. Create a new key "CachedLogonCount" with the valid range of values from 0 to 50.

    The value of the key is the number of previous logon attempts that a server will cache.

    A value of 0 disables logon caching.

    A value greater than 50 keeps only 50 logon attempts in the cache.

Configuring Secure Domain Logon

  1. Configure the Remote Access client to use LMHOSTS (all platforms) or WINS (all platforms except Windows 9x).

  2. For Win NT and Win 2000, configure the SDL timeout.

  3. Define the site where the domain controller resides and download/update the topology.

  4. If the endpoint computer is not already a domain member, configure it to be a domain member.

  5. For Win NT and 2000:

    • Enable Auto Local Logon (optional)

    • Enable Secure Domain Logon

  6. Reboot the computer.

  7. Log in to the computer.

Using Secure Domain Logon

  1. When the Windows Logon window appears, enter the operating system credentials.

  2. Click OK.

    The Logon window appears.

  3. Enter the Remote Access client credentials during the defined time (see Configuring SDL Timeout).

If you fail to logon and no cached information is used, wait one minute and try again.

If SDL is already configured on the endpoint computer, the administrator can customize the Remote Access client installation packages with SDL enabled by default.

Create a self-extracting Remote Access client package using the VPN Configuration Utility and select Enable Secure Domain Logon. See the Remote Access Clients for Windows Administration Guide for your release on the Endpoint Security home page.

Post-Connect Script

The Post-Connect feature runs a script on an endpoint computer after the Remote Access client establishes a VPN connection.

The Post-Connect script runs with user-level permissions.

For security reasons, it is not supported to run the Post-Connect script, if a Secure Domain Login occurs before a Windows login.

Simultaneous Login and Aggressive Simultaneous Login Prevention (SLP)

You can use Simultaneous Login Prevention (SLP) to restrict the ability of a user to log in to Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. more than once.

SLP is supported only if you configure the same authentication method for the user from all devices (see User and Client Authentication for Remote Access).

To configure simultaneous login settings:

  1. From the left navigation panel, click Gateways & Servers.

  2. Double-click the Security Gateway / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.

  3. From the navigation tree, click Remote Access.

  4. Below Simultaneous Login, select one of these:

    • User is allowed several simultaneous login - a user can log in to Remote Access VPN from more than one device at the same time

    • User is allowed only single login - a user can log in to Remote Access VPN from only one device

  5. Click OK.

  6. Install the policy on the VPN Gateway.

Aggressive SLP enables a VPN Gateway to automatically disconnect a remote user with more than one simultaneous login. When Aggressive SLP is enabled, inactive VPN tunnels are disconnected.

To enable Aggressive SLP:

  1. On the VPN Gateway command line, run this command in the Expert mode:

    ckp_regedit -a \\SOFTWARE\\CheckPoint\\VPN1 aggresive_slp_sc_disconnect -n 1

  2. In SmartConsole, install policy on this VPN Gateway.

To disable Aggressive SLP:

  1. On the VPN Gateway command line, run this command in the Expert mode:

    ckp_regedit -a SOFTWARE\\CheckPoint\\VPN1 aggresive_slp_sc_disconnect -n 0

  2. In SmartConsole, install policy on this VPN Gateway.

To check the configuration status of Aggressive SLP:

On the VPN Gateway command line, run this command in the Expert mode

grep slp $CPDIR/registry/HKLM_registry.data

One of these outputs appears:

  • aggresive_slp_sc_disconnect ("[4]1") - shows that Aggressive SLP is enabled.

  • aggresive_slp_sc_disconnect ("[4]0") - shows that Aggressive SLP is disabled.

Perfect Forward Secrecy (PFS)

In cryptography, Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys. Security Gateways meet this requirement with a PFS mode. When PFS is enabled, a new Diffie-Helman (DH)key is generated during IKE phase II, and renewed for each key exchange. .

To enable VPN Gateway to enforce PFS for Remote Access clients:

  1. On the VPN Gateway command line, run this command in the Expert mode:

    ckp_regedit -a \\SOFTWARE\\CheckPoint\\VPN1 force_ra_pfs -n 1

  2. In SmartConsole, install policy on this VPN Gateway.

  3. Optional: To change the DH group, in SmartConsole, go to Menu > Global properties > Remote Access > VPN – Authentication and Encryption > Encryption algorithms > Edit > Phase 1 > Use Diffie-Hellman group.

To stop a Security Gateway from enforcing PFS for Remote Access clients:

  1. On the Security Gateway command line, run this command in the Expert mode

    ckp_regedit -d \\SOFTWARE\\CheckPoint\\VPN1 force_ra_pfs

  2. In SmartConsole, install policy on this Security Gateway.

To check the configuration status of PFS on the Security Gateway:

  1. On the Security Gateway command line, run this command in the Expert mode

    cat $CPDIR/registry/HKLM_registry.data | grep force_ra_pf

  2. If the force_ra_pfs parameter exists, then it is printed. This means that PFS is enforced.

How to Work with non-Check Point Firewalls

If a Remote Access client is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow VPN traffic to pass:

Port

Description

UDP port 500

Always, even if using IKE over TCP

TCP port 500

Only if using IKE over TCP

IP protocol 50 ESP

Unless always using UDP encapsulation

UDP port 2746

Only if using MEP, interface resolving or interface High Availability

UDP port 259

Only if using MEP, interface resolving or interface High Availability

Resolving Internal Names with an Internal DNS Server

Problem:

Remote Access Clients use an internal DNS server to resolve the names of internal hosts (behind the Security Gateway) with non-unique IP addresses.

Solution:

Best practice is:

  • For Endpoint Security VPN and Check Point Mobile for Windows, use Office mode.

  • For SecuRemote, use the Split DNS feature (see Split DNS).

Split DNS

Split DNS uses a SecuRemote DNS Server, an object that represents an internal DNS server that you can configure to resolve internal names with private IP addresses (RFC 1918). It is best to encrypt the DNS resolution of these internal names.

After you configure a SecuRemote DNS server to resolve traffic from a specified domain and install policy, it takes effect. If users try to access that domain while connected to the VPN, the request is resolved by the SecuRemote DNS server. The internal DNS server can only work when users are connected to the VPN.

You can configure multiple SecuRemote DNS servers for different domains.

Configuring Split DNS

To configure a Remote Access client DNS server for Split DNS:

  1. In SmartConsole, in the Objects tree, select New > More > Server> More> SecuRemote DNS.

    The New SecuRemote DNS window opens.

  2. In the General tab, enter a name for the server and select the host on which it runs.

  3. In the Domains tab, click Add to add the domains that will be resolved by the server.

    The Domain window opens,

  4. Enter the Domain Suffix for the domain that the Remote Access client's DNS server will resolve, for example, checkpoint.com.

  5. In the Domain Match Case section, select the maximum number of labels that can be in the URL before the suffix. URLs with more labels than the maximum will not be sent to that DNS.

    • Match only *.suffix - Only requests with 1 label are sent to the Remote Access client's DNS server. For example, "www.checkpoint.com" and "whatever.checkpoint.com" but not "www.internal.checkpoint.com".

    • Match up to x labels preceding the suffix - Select the maximum number of labels. For example, if you select 3, then the SecuRemote DNS Server will be used to resolve "www.checkpoint.com" and "www.internal.checkpoint.com" but not "www.internal.inside.checkpoint.com".

  6. Click OK.

  7. Install the policy.

Enabling or Disabling Split DNS

Split DNS is automatically enabled. On Endpoint Security VPN and Check Point Mobile for Windows, you can edit a parameter in the trac_client_1.ttm configuration file to set if Split DNS is enabled, disabled, or depends on the Remote Access client settings.

To change the setting for Split DNS on the Security Gateway:

  1. On the Security Gateway, edit the $FWDIR/conf/trac_client_1.ttm file with Vi editor.

    vi $FWDIR/conf/trac_client_1.ttm

  2. Add the "split_dns_enabled" property to the file:

    :split_dns_enabled (
        :gateway (
            :map (
                :true (true)
                :false (false)
                :client_decide (client_decide)
            )
            :default (client_decide)
        )
    )
  3. Set the value in the :default attribute:

    • true - enabled

    • false (default) - disabled

    • client_decide - Takes the value from a file on the endpoint computer

  4. Save the changes in the file and exit the editor.

  5. In SmartConsole, install policy on this Security Gateway.