Remote Access Advanced Configuration
Domain Controller Name Resolution
If clients are configured in Connect Mode and Office Mode, clients automatically resolve the NT domain name using dynamic WINS.
Otherwise, clients resolve the NT domain name using either LMHOSTS or WINS.
LMHOSTS
Enter the relevant information (see below) the $FWDIR/conf/dnsinfo.C
file on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., and install the policy.
( :LMdata( :( :ipaddr (<IP address>) :name (<host name>) :domain (<domain name>) ) :( :ipaddr (<IP address>) :name (<host name>) :domain (<domain name>) ) ) ) |
When the topology is updated, the name resolution data will be automatically transferred to the dnsinfo
entry of the userc.C
file and then to its LMHOSTS
file.
Authentication Timeout and Password Caching
The Problem
Users consider multiple authentications during the course of a single session to be a nuisance. At the same time, these multiple authentications are an effective means of ensuring that the session has not been hijacked (for example, if the user steps away from the endpoint computer for a period of time). The problem is finding the correct balance between convenience and security.
The Solution
Multiple authentication can be reduced by:
-
Increasing the re-authentication interval
-
Caching the user's password
Re-Authentication Interval
For Connect Mode, the countdown to the timeout begins from the time that the Remote Access client is connected.
To set the length of time between re-authentications:
-
From Global Properties.
, select -
From the navigation tree, click Remote Access> Endpoint Security VPN.
-
In Re-authenticate user every, select a number of minutes between re-authentications.
-
Click OK.
-
Install Policy.
Password Caching
When the timeout expires, the user will be asked to authenticate again. If password-caching is enabled, clients will supply the cached password automatically and the authentication will take place transparently to the user. In other words, the user will not be aware that re-authentication has taken place.
Password caching is possible only for multiple-use passwords. If the user's authentication scheme implement one-time passwords (for example, SecurID), then passwords cannot be cached, and the user will be asked to re-authenticate when the authentication time-out expires. For these schemes, this feature should not be implemented.
To configure password caching:
-
From Global Properties.
, select -
From the navigation tree, click Remote Access> Endpoint Security VPN.
-
In Enable password caching, select an option.
-
If Password caching is enabled, in Cache password for, select the amount of minutes it is cached for.
Secure Domain Logon (SDL)
The Problem
When a Remote Access client user logs on to a domain controller, the user has not yet entered credentials, and so the connection to the domain controller is not encrypted.
The Solution
When the Secure Domain Logon (SDL) feature is enabled, after the user enters the OS user name and password (but before the connection to the domain controller is started), the User Authentication window appear. When the user enters the Remote Access client credentials, the connection to the domain controller takes place over an encrypted tunnel.
Configuring SDL Timeout
Because SDL depends on the synchronization of concurrent processes, flexibility in defining timeouts is important.
The SDL Timeout feature controls the period, during which a user must enter their domain controller credentials.
When the allocated time expires and no cached information is used (if applicable), the Secure Domain Logon fails.
The timeout is controlled by the global parameter sdl_netlogon_timeout
:
-
Publish the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. session.
-
Close all SmartConsole windows.
-
Connect with Database Tool (GuiDBEdit Tool) (sk13009) to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
-
In the top left pane, go to Table > Global Properties > firewall_properties.
-
In the top right pane, click global_properties.
-
Click the Search menu > Find (or press the CTRL+F keys).
-
In the Find window:
-
In the Find what field, paste:
sdl_netlogon_timeout
-
In the Search in section, selection only Fields
-
Click Find Next
-
-
In the lower pane:
-
Right-click
sdl_netlogon_timeout
> click Edit -
Enter the applicable integer value of seconds
-
Click OK.
-
-
Click the File menu > Save All.
-
Click the File menu > Exit.
-
Connect with SmartConsole to the Management Server.
-
Install the Access Control policy on the applicable VPN Gateway.
Cached Information
When the Remote Access client computer successfully logs on to a domain controller, the user's profile is saved in cache. This cached information will be used if subsequent logons to the domain controller fail, for whatever reason.
To configure this option in the Windows Registry:
-
Go to
HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon
. -
Create a new key "
CachedLogonCount
" with the valid range of values from 0 to 50.The value of the key is the number of previous logon attempts that a server will cache.
A value of 0 disables logon caching.
A value greater than 50 keeps only 50 logon attempts in the cache.
Configuring Secure Domain Logon
-
Configure the Remote Access client to use LMHOSTS (all platforms) or WINS (all platforms except Windows 9x).
-
For Win NT and Win 2000, configure the SDL timeout.
-
Define the site where the domain controller resides and download/update the topology.
-
If the endpoint computer is not already a domain member, configure it to be a domain member.
-
For Win NT and 2000:
-
Enable Auto Local Logon (optional)
-
Enable Secure Domain Logon
-
-
Reboot the computer.
-
Log in to the computer.
Using Secure Domain Logon
-
When the Windows Logon window appears, enter the operating system credentials.
-
Click OK.
The Logon window appears.
-
Enter the Remote Access client credentials during the defined time (see Configuring SDL Timeout).
If you fail to logon and no cached information is used, wait one minute and try again.
If SDL is already configured on the endpoint computer, the administrator can customize the Remote Access client installation packages with SDL enabled by default.
Create a self-extracting Remote Access client package using the VPN Configuration Utility and select Enable Secure Domain Logon. See the Remote Access Clients for Windows Administration Guide for your release on the Endpoint Security home page.
Post-Connect Script
The Post-Connect feature runs a script on an endpoint computer after the Remote Access client establishes a VPN connection.
The Post-Connect script runs with user-level permissions.
For security reasons, it is not supported to run the Post-Connect script, if a Secure Domain Login occurs before a Windows login.
Simultaneous Login and Aggressive Simultaneous Login Prevention (SLP)
You can use Simultaneous Login Prevention (SLP) to restrict the ability of a user to log in to Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. more than once.
SLP is supported only if you configure the same authentication method for the user from all devices (see User and Client Authentication for Remote Access).
To configure simultaneous login settings:
-
From the left navigation panel, click Gateways & Servers.
-
Double-click the Security Gateway / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object.
-
From the navigation tree, click Remote Access.
-
Below Simultaneous Login, select one of these:
-
User is allowed several simultaneous login - a user can log in to Remote Access VPN from more than one device at the same time
-
User is allowed only single login - a user can log in to Remote Access VPN from only one device
-
-
Click OK.
-
Install the policy on the VPN Gateway.
Aggressive SLP enables a VPN Gateway to automatically disconnect a remote user with more than one simultaneous login. When Aggressive SLP is enabled, inactive VPN tunnels are disconnected.
To enable Aggressive SLP:
-
On the VPN Gateway command line, run this command in the Expert mode:
ckp_regedit -a \\SOFTWARE\\CheckPoint\\VPN1 aggresive_slp_sc_disconnect -n 1
-
In SmartConsole, install policy on this VPN Gateway.
To disable Aggressive SLP:
-
On the VPN Gateway command line, run this command in the Expert mode:
ckp_regedit -a SOFTWARE\\CheckPoint\\VPN1 aggresive_slp_sc_disconnect -n 0
-
In SmartConsole, install policy on this VPN Gateway.
To check the configuration status of Aggressive SLP:
On the VPN Gateway command line, run this command in the Expert mode
|
One of these outputs appears:
-
aggresive_slp_sc_disconnect ("[4]1")
- shows that Aggressive SLP is enabled. -
aggresive_slp_sc_disconnect ("[4]0")
- shows that Aggressive SLP is disabled.
Perfect Forward Secrecy (PFS)
In cryptography, Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys. Security Gateways meet this requirement with a PFS mode. When PFS is enabled, a new Diffie-Helman (DH)key is generated during IKE phase II, and renewed for each key exchange. .
To enable VPN Gateway to enforce PFS for Remote Access clients:
-
On the VPN Gateway command line, run this command in the Expert mode:
ckp_regedit -a \\SOFTWARE\\CheckPoint\\VPN1 force_ra_pfs -n 1
-
In SmartConsole, install policy on this VPN Gateway.
-
Optional: To change the DH group, in SmartConsole, go to > Global properties > Remote Access > VPN – Authentication and Encryption > Encryption algorithms > Edit > Phase 1 > Use Diffie-Hellman group.
To stop a Security Gateway from enforcing PFS for Remote Access clients:
-
On the Security Gateway command line, run this command in the Expert mode
ckp_regedit -d \\SOFTWARE\\CheckPoint\\VPN1 force_ra_pfs
-
In SmartConsole, install policy on this Security Gateway.
To check the configuration status of PFS on the Security Gateway:
-
On the Security Gateway command line, run this command in the Expert mode
cat $CPDIR/registry/HKLM_registry.data | grep force_ra_pf
-
If the
force_ra_pfs
parameter exists, then it is printed. This means that PFS is enforced.
How to Work with non-Check Point Firewalls
If a Remote Access client is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow VPN traffic to pass:
Port |
Description |
---|---|
UDP port 500 |
Always, even if using IKE over TCP |
TCP port 500 |
Only if using IKE over TCP |
IP protocol 50 ESP |
Unless always using UDP encapsulation |
UDP port 2746 |
Only if using MEP, interface resolving or interface High Availability |
UDP port 259 |
Only if using MEP, interface resolving or interface High Availability |
Resolving Internal Names with an Internal DNS Server
Problem:
Remote Access Clients use an internal DNS server to resolve the names of internal hosts (behind the Security Gateway) with non-unique IP addresses.
Solution:
Best practice is:
-
For Endpoint Security VPN and Check Point Mobile for Windows, use Office mode.
-
For SecuRemote, use the Split DNS feature (see Split DNS).
Split DNS
Split DNS uses a SecuRemote DNS Server, an object that represents an internal DNS server that you can configure to resolve internal names with private IP addresses (RFC 1918). It is best to encrypt the DNS resolution of these internal names.
After you configure a SecuRemote DNS server to resolve traffic from a specified domain and install policy, it takes effect. If users try to access that domain while connected to the VPN, the request is resolved by the SecuRemote DNS server. The internal DNS server can only work when users are connected to the VPN.
You can configure multiple SecuRemote DNS servers for different domains.
Configuring Split DNS
To configure a Remote Access client DNS server for Split DNS:
-
In SmartConsole, in the Objects tree, select New > More > Server> More> SecuRemote DNS.
The New SecuRemote DNS window opens.
-
In the General tab, enter a name for the server and select the host on which it runs.
-
In the Domains tab, click Add to add the domains that will be resolved by the server.
The Domain window opens,
-
Enter the Domain Suffix for the domain that the Remote Access client's DNS server will resolve, for example,
checkpoint.com
. -
In the Domain Match Case section, select the maximum number of labels that can be in the URL before the suffix. URLs with more labels than the maximum will not be sent to that DNS.
-
Match only *.suffix - Only requests with 1 label are sent to the Remote Access client's DNS server. For example, "
www.checkpoint.com
" and "whatever.checkpoint.com
" but not "www.internal.checkpoint.com
". -
Match up to x labels preceding the suffix - Select the maximum number of labels. For example, if you select 3, then the SecuRemote DNS Server will be used to resolve "
www.checkpoint.com
" and "www.internal.checkpoint.com
" but not "www.internal.inside.checkpoint.com
".
-
-
Click OK.
-
Install the policy.
Enabling or Disabling Split DNS
Split DNS is automatically enabled. On Endpoint Security VPN and Check Point Mobile for Windows, you can edit a parameter in the trac_client_1.ttm
configuration file to set if Split DNS is enabled, disabled, or depends on the Remote Access client settings.
To change the setting for Split DNS on the Security Gateway:
-
On the Security Gateway, edit the
$FWDIR/conf/trac_client_1.ttm
file with Vi editor.vi $FWDIR/conf/trac_client_1.ttm
-
Add the "
split_dns_enabled
" property to the file::split_dns_enabled (
:gateway (
:map (
:true (true)
:false (false)
:client_decide (client_decide)
)
:default (client_decide)
)
)
-
Set the value in the
:default
attribute:-
true - enabled
-
false (default) - disabled
-
client_decide - Takes the value from a file on the endpoint computer
-
-
Save the changes in the file and exit the editor.
-
In SmartConsole, install policy on this Security Gateway.