Management of Internal Certificate Authority (ICA) Certificates

If the administrator configured Certificate with enrollment as the user authentication method (Menu > Global properties > Remote Access > SSL Network Extender), users can create a certificate for their use, by using a registration key, provided by the system administrator.

To create a user certificate for enrollment:

  1. Follow the procedure in the Quantum Security Management Administration Guide for your version > Section "The Internal Certificate Authority (ICA; the component on the Check Point Management Server that issues certificates for authentication) and the ICA Management Tool".

    Note - This version does not support enrollment to an External CA.

  2. Browse to the ICA Management Tool site and select Create Certificates:

    https://<IP address of Management Server>:18265

  3. Enter the user's name, and click Initiate to receive a Registration Key, and send it to the user.

    When the user attempts to connect to the SSL Network Extender, without having a certificate, the Enrollment window appears, and the user can create a certificate by entering the Registration Key, received from the system administrator.

    For a description of the user login experience, see Management of Internal Certificate Authority (ICA) Certificates.

    Note - The system administrator can direct the user to the URL below to allow the user to receive a Registration Key and create a certificate, even if they do not wish to use the SSL Network Extender, at this time.

    http://<IP Address of Security Gateway>/registration.html

  4. You can determine whether the SSL Network Extender is upgraded automatically, or not.

    Select the client upgrade mode from the drop-down list:

    • Do not upgrade - Users of older versions are not prompted to upgrade.

    • Ask user - (Default) Ask user whether or not to upgrade, when the user connects.

    • Force upgrade - Every user, whether a user of an older version or a new user, downloads and installs the newest SSL Network Extender version.

      Note - Use the Force upgrade option only when the system administrator is sure that all the users have administrator privileges. Otherwise, the user cannot connect with SSL Network Extender.

    For a description of the user upgrade experience, see Management of Internal Certificate Authority (ICA) Certificates.

  5. Select the supported encryption method from the drop-down list:

    • 3DES only - (Default) The SSL Network Extender client supports only 3DES.

    • 3DES or RC4 - The SSL Network Extender client supports the RC4 encryption method, as well as 3DES.
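A way to confirm which of the two modes above a gateway actually behaves like, written as an added example for this guide rather than Check Point code: it assumes the encryption method setting governs the TLS cipher suites the gateway's SSL Network Extender port offers, that the port is 443, and that the gateway address is supplied on the command line (all assumptions).

```python
import socket
import ssl

# OpenSSL cipher strings for the two families the setting names.
# @SECLEVEL=0 lets a modern OpenSSL offer these legacy suites at all.
FAMILIES = {"3DES": "@SECLEVEL=0:DES-CBC3-SHA", "RC4": "@SECLEVEL=0:RC4-SHA:RC4-MD5"}


def classify_cipher(cipher_name: str) -> str:
    """Map a negotiated cipher name (SSLSocket.cipher()[0]) to the guide's families."""
    name = cipher_name.upper()
    if "3DES" in name or "DES-CBC3" in name:
        return "3DES"
    if "RC4" in name:
        return "RC4"
    return "other"


def probe_family(host: str, family: str, port: int = 443, timeout: float = 5.0) -> str:
    """Offer only `family` ciphers (TLS 1.2 and below, since 1.3 ignores this list).
    Returns 'accepted', 'rejected' (gateway refused the family), or
    'unsupported-locally' (this OpenSSL build lacks the suite, common for RC4).
    A plain connection failure raises OSError so the operator sees it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only cipher negotiation matters for this check
    try:
        ctx.set_ciphers(FAMILIES[family])
    except ssl.SSLError:
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if classify_cipher(tls.cipher()[0]) == family else "rejected"
    except ssl.SSLError:
        return "rejected"


def infer_mode(results: dict) -> str:
    """Translate probe results into the two options the guide lists."""
    if results.get("RC4") == "accepted":
        return "3DES or RC4"
    if results.get("3DES") == "accepted":
        return "3DES only"
    return "neither family negotiated"


if __name__ == "__main__":
    import sys
    gateway = sys.argv[1]  # placeholder: the Security Gateway's SSL Network Extender address
    results = {fam: probe_family(gateway, fam) for fam in FAMILIES}
    print(results, "->", infer_mode(results))
```

If the RC4 probe reports "unsupported-locally", the check only tells you whether 3DES is negotiated; run it from a host whose OpenSSL still includes RC4 to distinguish the two modes.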

  6. You can determine whether to uninstall SSL Network Extender automatically when the user disconnects.

    Select the applicable option from the drop-down list:

    • Keep installed - (Default) Do not uninstall. If users wish to uninstall the SSL Network Extender, they can do so manually.

    • Ask user whether to uninstall - Ask user whether or not to uninstall, when the user disconnects.

    • Force uninstall - Always uninstall automatically, when the user disconnects.

    For a description of the user disconnect experience, see Management of Internal Certificate Authority (ICA) Certificates.

    Note - The Uninstall-on-Disconnect feature does not ask the user whether or not to uninstall, and does not uninstall the SSL Network Extender, if a user has entered a suspend/hibernate state, while the user was connected.

  7. You can determine how to activate Endpoint Security on Demand.

    When Endpoint Security on Demand (ESOD) is activated, users attempting to connect to the SSL Network Extender are required to successfully undergo an ESOD scan before being allowed to access the SSL Network Extender.

    Select the applicable option from the drop-down list:

    • None

    • Endpoint Security on Demand