Dreez's
PKI Single Sign-On Project
Configure FW VPN User
Revision Control
| Date     | Modifications |
| 2/1/2001 | Initial       |
Contact Dreez: mje@secev.com
Overview
This section describes the tasks associated with adding and configuring a VPN user so that the client can log in with an X.509 certificate. There are two options for registering this client: in the firewall's own user database through the Checkpoint Management Station, or in a centralized LDAP directory (Microsoft Active Directory).

Because this is a single sign-on project we naturally recommend you use AD. But for those who are not ready to use AD, we will describe how to register people in Checkpoint's Management Station.
Process
Checkpoint Management Station
The first step is determining what user name the user has been assigned in the certificate. This information is covered in the Specify User Name section.
Once the user name is determined, we create a new user in the firewall user database and enter that name into the user properties window.

We then assign the user to the group of VPN users (make sure you build the group ahead of time).

The authentication scheme does not matter.

Check the type of encryption you will be using, and make sure you log everything!

This part is important. Make sure you use an encryption algorithm that your Checkpoint license supports. Also make sure your clients can support the encryption strength.

The X.509 certificate replaces a password, so you can uncheck the password option. However, in testing mode you may wish to retain the password in order to test without PKI.

Microsoft Active Directory LDAP
If you decide to implement true single sign-on, then you need to store the username database on a centralized LDAP server instead of the firewall. In our case, this LDAP server is Microsoft Active Directory with LDAP extensions.
Before we go into details, we assume that you have been through the process of extending Active Directory to include Firewall-1 information. See our description here.
To access the LDAP username database on Active Directory, there is a tool called Account Management Client for Checkpoint. This is basically an LDAP viewer into the Active Directory domain controller.
The diagram below illustrates how to configure a connection to Active Directory. The Login DN is critical. The format is:
cn=administrator, cn=users,dc=domain,dc=com
The next thing you do is click Fetch, which will return all the branches you are authorized to manage. Delete all these branches except the CN=Users branch (assuming this is where all your users are stored).
Once the "Account Unit" is configured, enter the Microsoft administrator password and click OK to enter into the LDAP manager.

This brings you into the LDAP display window that displays all the user names (we have blanked out all our user accounts for obvious security reasons). From this window you can assign Checkpoint VPN information by double clicking the specific user.

When the user's property sheet opens, you will see a "Login" field that is empty. This is the field that must match the "cn=" of the user's certificate character by character. See the Specify User Name section for information about specifying user names.
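The character-by-character match between the certificate's "cn=" and the Login field (required both for the firewall user database above and for the Active Directory user here) is the usual cause of a failed certificate login. The following is an added example, not Checkpoint's or this page's own code: it parses a subject DN string as shown by a certificate viewer, pulls out the cn, and reports whether it matches the configured Login exactly and, if not, the likeliest reason. The function names and the sample DNs are the example's own.

```python
# Added example (not Checkpoint's or the page author's code).

def parse_dn(dn):
    """Split an RFC 4514 style DN ('cn=jdoe, cn=users,dc=domain,dc=com') into
    (attribute, value) pairs; escaped commas stay in the value, and unescaped
    whitespace around separators (as in the Login DN above) is dropped."""
    parts, buf, i = [], '', 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):  # keep the escaped char literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ',':
            parts.append(buf)
            buf = ''
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for rdn in parts:
        if '=' not in rdn:
            raise ValueError('malformed RDN: %r' % rdn)
        attr, value = rdn.split('=', 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def certificate_cn(subject_dn):
    """Value of the first cn= attribute in the certificate subject, or None."""
    for attr, value in parse_dn(subject_dn):
        if attr == 'cn':
            return value
    return None

def check_login(subject_dn, configured_login):
    """Return (ok, reason). Only a character-by-character match is ok; the
    reason names the likeliest cause of a mismatch so it can be corrected."""
    cn = certificate_cn(subject_dn)
    if cn is None:
        return False, 'certificate subject has no cn= attribute'
    if cn == configured_login:
        return True, 'exact match'
    if cn.strip() == configured_login.strip():
        return False, 'leading/trailing whitespace differs in the Login field'
    if cn.lower() == configured_login.lower():
        return False, 'case differs: certificate %r vs Login %r' % (cn, configured_login)
    return False, 'certificate cn %r does not match Login %r' % (cn, configured_login)
```

Run `check_login` with the subject string from the user's certificate and the value typed into the Login field; a case or trailing-space difference is reported explicitly so it can be fixed before testing the VPN login.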

The only other fields you have to specify are the encryption fields. Go to the Encryption tab, then the FWZ tab. Enable FWZ1 if you want to use FWZ1. The following diagram shows the options. Make sure your license key supports the form of encryption you are enabling.

And/or enable IKE. The following diagram specifies all the options associated with IKE. Once again, make sure your license key supports the encryption options.

Debugging

Copyright 2006, Security Evolution, Inc.