msft active dir ckp ng fp3
TRANSCRIPT
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
1/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
How to configure Microsofts Active
Directory to work with Check Point NG FP-3
and SecureClient.
Author:Joe GreenSecurity Engineer
Check Point Software Technologies, Inc.5757 W. Century Blvd.
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
2/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
Los Angeles, CA [email protected]
This document assumes the following.
1. You have an understanding of installing and configuring Check Point NG in adistributed environment (Management and Module installed separately).Note:
Active Directory Integration CAN work in a Stand Alone deployment.2. You have a basic understanding of Active Directory and Windows 2000.
Management ServerActive Directory Server
SBoxSBoxSecureClient
Internal LAN172.16.1.x /24
External LAN10.1.1.x /24
Remote Users LAN192.168.10.x /24
.200
.254 .254 .253 .1
In the above configuration, the Check Point Management server is also the ActiveDirectory Server. In a real world deployment, these two applications probably would notbe running together. However, it provides an easy way to learn this set-up with the
minimum amount of computers in a lab.Note: This document can be followed even ifyour Active Directory Server is on a separate computer. It will mention the different steps
needed and how to perform those actions.
The DNS domain used in the above configuration is laxlab.com
The Management Servers FQDN is msad.laxlab.com
The following steps provide an outline of what this document covers.
1. Installation/Configuration of Active Directory
2. Installation/Configuration of Microsofts DNS Server3. Installation/Configuration of Microsofts Certificate Server
4. Check Point configuration for LDAP5. Setting up a template and managing users.
Before starting, the following should be verified:1. Check Point NG FP3 should be installed and you should be able to push policies
without any problems. (e.g. SIC is functioning, name resolution is working, etc.)2. All machines have IP connectivity to each other.3. The Microsoft High Encryption Pack is installed. This can be obtained at;http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
Licensing:
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
3/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
To integrate Check Point and LDAP together, you must have the Account ManagementModule license. This license is applied to the Management Server (or CMA in Provider-
1). The AMM license is also included in the Smart Center Pro bundle.
Installing Microsofts Active Directory:
If you didnt install Microsofts Windows 2000 Advanced Server, you need to add Active
Directory to you Windows 2000 Server installation. Heres how.
1. From within Windows, go to the StartRun prompt, enter the commanddcpromo. The Active Directory Wizard will start and you need to provide thefollowing input at the prompts. (See pictures below)
a. Domain Controller for a new domainb. Create a new domain tree
c. Create a new forest of domain treesd. Type the full DNS name for the new domain **Note** This is the DNS
Domain that your computer belongs to. E.g. laxlab.com
e. Type in the domain netbios name (this is for earlier versions of Windows.E.g. laxlab
f. Specify the Database and Log locations (take the defaults)g. Enter the location for the System Volume Folder (again, take the defaults)h. At this point in the Active Directory installation, it will warn you that it
cannot contact a DNS server for your domain (unless you have alreadyconfigured DNS). Either use the existing DNS installation or have thewizard install it for you (having the Wizard install it is very easy).
i. Set the permissions to be compatible with your environment.j. Set the password for the Directory Services restore and click next at the
summary screen to complete installation of Active Directory and DNS.
Note: When Active Directory finishes installing, it will ask you to reboot the
computer, don t reboot yet. If you just installed DNS for your domain, thecomputer will take a long time present you with the logon screen after reboot.
The computer is trying to contact a DNS to resolve the domain that was justcreated. To avoid this, make the Primary DNS server of your computer, thelocal computer itself. Now, reboot.
DCPROMO:
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
4/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
5/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
DNS Install:
2. Upon reboot, you need to install Microsofts Certificate Server. This is requiredfor SSL communication between the Active Directory Server and the Check Point
Management console.a. This is installed through the Windows Control PanelAdd/Remove
ComponentsAdd/Remove Windows Components.
b. Select the Certificate Services option and click next. Then choose thefollowing options.
i. Select Enterprise Root CA
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
6/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
ii. Fill in the CA Identifying Information fields. Note: This is theinformation that will be part of your certificate.
iii. Take the Data Storage Location defaults.iv. Certificate Server is now installed (no reboot necessary).
Certificate Server:
3. Next, you need to allow the schema to be viewed and modified by the Microsoft
Management console (MMC). This is easily done through the GUI in Windows2000.
a. Register the schema DLL. Go to StartRun, and type regsvr32schmmgmt.dll (you should see a message stating that the operation was
successful).b. Go to StartRunand type mmc.
c. From within the MMC, click on the Console menu, then clickAdd/Remove Snap-In
d. Clickadd and select Active Directory Schema, clickadd, clickclose and
clickokto return to the MMC.e. Expand the Active Directory Schema (click on the + symbol).
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
7/16
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
8/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
Check Point VPN-1 Configuration:1. Log into the Check Point Policy Editor.2. Go to the Policy MenuGlobal Properties.
a. From the LDAP Account Managementbranch, select Use LDAPAccount Management and clickok.
b. Next, go to the Manage MenuServers . Create a LDAP Account Unit
Object. Use the following parameters: (Screen shots below)(General Tab)
i. Name=a descriptive name.
ii. Check the boxes User Management and CRL Retrievaliii. Set the LDAP Profile type to Microsoft_AD .
(Servers Tab)c. On the servers tab, you need to add your server and set all the necessary
parameters. (See figures below)
i. Host=your LDAP server (we are using our Mgmt. server sinceA.D. and the CP Mgmt. are on the same box). If you have a
separate A.D. server, create an object for that and select that as theHost.
ii. Login DN:cn=administrator,cn=users,dc=laxlab,dc=com
(Note:substitute your DNS domain for laxlab)iii. Enter the administrators password.
iv. Permissions (R/W, or RO, your choice).v. Set the Early Version Compatibility (Back on the Servers tab).
(Encryption tab)
d. On the Encryption tab, set the following parameters.
i. Use SSL.ii. ClickFetch for Fingerprint.iii. Set Encryption to strong and strong for Min and Max.iv. Clickok.
(Objects Management)e. On the objects management tab, select your A.D. object and fetch the
branch.(Authentication)
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
9/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
f. On the authentication tab, make sure and select what template you wantto use.
Check Point LDAP Configuration:
Optional Configuration: Extending the Schema:There are certain attributes that can be defined for users in Check Point VPN-1 and not
Active Directory. It is possible in a production environment that a customer will not want
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
10/16
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
11/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
adding new entry CN=fw1expiration-date,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1hour-range-from,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1hour-range-to,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1day,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1allowed-src,CN=Schema,CN=Configuration,dc=laxlab,dc=com
[End example]
3. Log back into the Check Point Policy Editor and make sure you have the ObjectList window pane open. Go to the users tab in the Objects Tree and double clickon the Active Directory Server.
4. You should now see all of your users.GUI:
You are now done incorporating Microsofts Active Directory with NG FP-3. The next
section will explain how to incorporate that with SecureClient.
Integrating SecureClient with Active Directory:
The theory behind utilizing Active Directory for the user database is that you do not haveto recreate any users and their passwords. Users that already exist in the directory cannow use that username and password for authentication. This dramatically reduces the
overhead associated with managing a separate user database.
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
12/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
Note: Before proceeding, you should have SecureClient configured, tested, and workingwith standard user authentication. That way, you wont be troubleshooting two different
issues if there is a problem. If you do not understand how to configure FP-3 andSecureClient, please see the white paper How to configure SecureClient in NG FP-3
located on the configuration Documents page of the Check Point public web site.
To utilize Active Directory for authenticating your remote users, you must first start by
creating an External Group. To do this, follow the instructions below.1. Launch the SmartDashboard GUI and click on the Users Icon (See Figure
above). To see the users, make sure you have the Objects Tree and ObjectsList open (these can be opened by clicking on the View Menu andselecting the corresponding options).
2. You should see a branch on the left entitled LDAP Groups . You needto right click on that and select New LDAP Group. Set the properties
as follows:a. Enter a descriptive name (ours is VPN-Users ).b. Select the account unit you wish to use (this should be the Account
Unit you already created).c. Select the groups scope.
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
13/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
Notice that in the screen shot above, we have selected All Account-Units Users. Thismeans that a user that exists anywherein the Active Directory database can authenticate.
If you would like to control this at a more granular level, you can create a new group inActive Directory that contains only certain users you want to have remote access.
Example:In this scenario, we create a new group on the AD Server and call it Secure-Client-
Users. In this group, we place all the A.D. users who we want to give remote access to.We then create a new LDAP Group in SmartDashboard and give it the following
properties.
Notice that we specify the group by using the syntax cn=Secure-Client-Users (withoutthe quotes). Also note that the LDAP Group name is VPN-Users . This will be the group
we use in the source of the Remote Access rule(s).
Click ok to save all of your changes and open up your VPN-1 Gateway object. You need
to click on the Authentication branch and set the appropriate user group for associationwith the Policy Server.
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
14/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
Next, you need to make sure that the properties for your users template are set correctly.This template will hold the properties for things like encryption, password method, etc. In
our example, we are using the template default (you can have multiple templates).Here are some of the properties of that template and also the properties of a user linked tothat template. Remember, the template was tied to the LDAP Account Unit.
(Template) (User)
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
15/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
(User)
When integrating with MS AD, you specify the password on the template as VPN-1
Firewall-1 password. When you open up a user and click on their auth tab, you see thatit is picking up the properties from the template.
Now, you need to create the rule that allows Remote Access and set up your SecureClientPolicy. Below is a screen shot of how the rule base would appear.
-
7/28/2019 Msft Active Dir Ckp Ng Fp3
16/16
Check Point Next Generation Feature Pack 3
Check Point Software Technologies
12/16/2002
The rule we are concentrating on is rule #1. This rule shows our LDAP-Group as thesource (remember, this is the group created in the Check Point GUI , not in A.D.). OurLDAP group references our A.D. group and also references the Account Unit (which
references the user template, etc.). Make sense?
Next, you would configure your Remote Access Community, the SecureClient rule base,
push the Policy, etc. All of those steps are outlined in the How to ConfigureSecureClient in NG FP-3 guide.
Please make sure and review the Check Point SmartView Tracker (formerly the LogViewer). It contains a lot of useful information especially when testing out a new
configuration.
Please send any comments, or corrections [email protected].
Please contact your local reseller for additional help. Dont have a reseller? Contact yourlocal Check Point representative. Dont have a local Check Point representative? Findone at www.checkpoint.comor by calling a Check Point regional office in your area.
Contact information for Check Point offices and Resellers is available on our web site.
Thank you.