How To Connect Checkpoint To Gemalto Sa Server With A Checkpoint Vpn And Connect To A Check Point Wifi With A Cell Phone Or Ipvvv On A Pc Or Ipa (For A Pbv) On A Micro

Transcription

1 Application Note: Integrate Check Point IPSec or SSL VPN with Gemalto SA Server January

2 All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto s information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and noninfringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. GEMALTO, B.P. 100, GEMENOS CEDEX, FRANCE. Tel: +33 (0) Fax: +33 (0)

3 Table of contents Use case... 4 Overview... 5 Architecture... 7 Configure Check Point FW... 8 Configure Check Point IPSec VPN Configure Check Point SSL VPN Configure RADIUS connection Declare RADIUS resource Configure RADIUS resource Create users Create a security rule Open the connection to the Intranet using SA Server IPSec VPN Client SSL VPN Client Appendix 1: Configure an IAS RADIUS Server with SA Server IAS RADIUS prerequisites Add a RADIUS Client Install and configure SA Server agent for IAS Restart IAS Appendix 2: Configure Juniper Steel-Belted RADIUS Server SBR pre-requisites Add RADIUS Client Install and configure SA Server agent for SBR Restart SBR Appendix 3: Configure Free RADIUS Server on Linux Free RADIUS pre-requisites Add RADIUS Client Install and configure SA Server agent for Free RADIUS Restart Free RADIUS Appendix 4: Active Directory configuration

4 Use case To provide Mobile Users an access to their Corporate Network, it is usual to install a VPN Gateway. As only recognized users should be entitled to access to the Intranet, the gateway should be able to authenticate a Mobile Users. This is the main feature provided by the Gemalto SA Server. The link between the VPN Gateway and the SA Server is usually realized through the standard RADIUS protocol implemented by an AAA server. Mobile Users Corporate Network Internet VPN Gateway Authentication Authentication Radius Server Gemalto SA Server 4

5 Overview This document provides a deployment scenario to show you how it is possible to configure a Check Point IPSec VPN or a Check Point SSL VPN to use Gemalto SA Server to authenticate Mobile Users. The deployment scenario describes an example that has been tested by Gemalto. It is possible that other configurations will work equally well but you should bear in mind that these have not been tested. Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system. To provide SA Server authentication for Check Point IPSec VPN or Check Point SSL VPN, your system requires the following pre-requisites: A Check Point FW appliance, We used the Check Point NGX R65 software version with this firewall. The appliance hosts two physical interfaces and is able to act as a gateway from the Internal Network to the External Network. o <IP Check Point FW Internal Address> represents the IP address of the physical interface visible from the Internal Network. This network is seen as a trusted network. In our laboratory <IP Check Point FW Internal Address> was o /24 <IP Check Point FW External Address> represents the IP address of the physical interface visible from the External Network The External Network is seen as an unsecured network. In our laboratory <IP Check Point FW External Address> was /24 An AD Domain machine hosting an Active Directory LDAP and acting as domain controller. In our laboratory the domain hosted by AD Domain was gemalto.fr We will use the term Mobile Users to refer to users who have an account in AD Domain and who will access from the External Network to the Internal Network through the Check Point FW. Their accounts must be configured to allow remote access control. A Gemalto SA Server, The server must be installed in mixed mode and connected to the AD Domain. It is supposed to be provisioned for devices and users. <Base URL SA Server> will be used to refer to the URL that should be used to access SA Server. In our laboratory <Base URL SA Server> was A RADIUS Server, This server is the link between Check Point FW and Gemalto SA Server. We have validated three configurations using o o IAS RADIUS for which <IP IAS address> will be used to refer to IAS RADIUS server IP address. In our laboratory, <IP IAS address> was Juniper Steel-Belted RADIUS for which <IP SBR address> will be used to refer to Juniper Steel-Belted RADIUS server IP address. In our laboratory, <IP SBR address> was o Free RADIUS for which <IP FreeR address> will be used to refer to Free RADIUS server IP address. In our laboratory, <IP FreeR address> was Each RADIUS configuration is described in the appendices of this document. 5

6 In order to demonstrate a successful authentication, we also need: A client, We used a standard XP SP2 machine. 6

7 Architecture The following figure shows the architecture associated with the deployment scenarios described in this document. 7

8 Configure Check Point FW This chapter describes the needed configuration for integration and configuration of Check Point IPSec VPN and Check Point SSL VPN with Gemalto SA Server. Caution: Check Point components have some restriction about the Password length: this length could not be more than 16 characters! As the OTP value is sent to SA Server through the Password field, this is the concatenation OTP + LDAP Password which is limited to 16 characters. Using 6 digits OTP token, the LDAP Password cannot be more than 10 characters! To configure the Check Point FW for Check Point IPSEC VPN or Check Point SSL VPN, you have to use the SmartDashboard tool. Installation is not part of this document; please refer to the Check Point one. Using SmartDashboard: Select Network Objects tab by clicking on 8

9 Expand Network Objects tree Expand Check Point sub-tree Select the VPN Gateway object In our laboratory, it was called CKP-IPSec-SSL Right Click on this object Select Edit 9

10 The Check point Gateway General Properties window is displayed. In Check Point Products tick VPN choice. Note: In our case, the Check Point object is defined with is external interface <IP Check Point External Address> but it is also possible to use the internal interface <IP Check Point FW Internal Address>. Then select VPN in the tree displayed on the left 10

11 The VPN window is displayed In This module participates in the following VPN communities: section, Click on [Add ] This adds the RemoteAccess community. Then expand Remote Access in the tree displayed on the left and Select Office Mode 11

12 This display the Office Mode window Select Allow Office Mode to all users choice and Select Manual (using IP pool) choice Note: Office Mode provides an IP address to the VPN virtual driver of client PC. Note: The CP_default_Office_Mode_addresses_pool is a network automatically created by Check Point. This pool will be used to attribute IP addresses. 12

13 Configure Check Point IPSec VPN This section should be addressed only after the Check Point FW has been configured! See Configure Check Point FW chapter. Using SmartDashboard: Select Network Objects tab by clicking on Expand Network Objects tree Expand Check Point sub-tree Select the VPN Gateway object In our laboratory, it was called CKP-IPSec-SSL Right Click on this object Select Edit Select Topology in the tree displayed on the left 13

14 The Topology window is displayed. In VPN Domain select Manually defined Click on [New ] Create the VPN_domain object This group is the set of networks and hosts that will be available to Mobile Users through the IPSec VPN. In our laboratory, this was the Internal Network so we created a Network type object called Internal-LAN using /24 definition and we added the VPN_domain embedding Internal-LAN object. 14

15 Configure Check Point SSL VPN This section should be addressed only after the Check Point FW has been configured! See Configure Check Point FW chapter. Using SmartDashboard: Select Network Objects tab by clicking on Expand Network Objects tree Expand Check Point sub-tree Select the VPN Gateway object In our laboratory, it was called CKP-IPSec-SSL Right Click on this object Select Edit Select Remote Access in the tree displayed on the left 15

16 The Remote Access window is displayed In Visitor Mode configuration tick Support Visitor Mode This activates the https daemon for SSL client connections. Note: If the https default port (tcp/443) is already used for administration, you have to deactivate this feature launching the command webui disable in expert mode. This operation doesn t trouble the configuration operations using SmartDashboard. Select SSL Clients sub-tree 16

17 The SSL Clients window is displayed. In SSL clients allowed to connect to this gateway tick SSL Network Extender choice Note: SSL Network Extender is an ActiveX component that is downloaded on the client PC during the first connection to VPN SSL gateway. It encapsulates all the traffic to the Internal Network in an SSL tunnel. 17

18 Configure RADIUS connection This chapter describes the creation of RADIUS resources that will be used to connect the Check Point FW to the Gemalto SA Server. In our laboratory, we used Microsoft IAS, Juniper Steel-Belted RADIUS and Free RADIUS. Declare RADIUS resource We started by creating a node for the each RADIUS Server we used. Using SmartDashboard: Select Network Objects tab by clicking on Right Click on Nodes sub-tree Select New Select Host In our laboratory, we created a node for server_ias, for server_sbr and for server_freeradius, one for each available RADIUS Server. 18

19 Configure RADIUS resource Then we have to configure the created nodes. Using SmartDashboard: Select Servers and OPSEC Applications tab by clicking on Right Click on Servers sub tree Select New Select RADIUS 19

20 The RADIUS Server Properties window is displayed Select the General tab In Name: enter an arbitrary name for the RADIUS Server. This name will be used during the user configuration (See pages 24/28). In our laboratory, we used IAS, SBR and FreeRadius according to the used RADIUS Server. In Comment: enter an arbitrary comment if needed. In Host: select the previously defined node object object (See page 18) In Service: select NEW-RADIUS (udp/1812) rather than the default value RADIUS (udp/1645). This selection allows compatibility with the current RADIUS standard. Note: IAS and SBR RADIUS Servers can be used with both port 1645 (old standard) and 1812 (current standard). But Free RADIUS is only usable with the port 1812! In Shared Secret: enter a value that will secure the communication with the RADIUS Server. You will have to enter the same value during the configuration of the selected RADIUS Server (See Pages 44/56/61). In Priority: you can change the default value (1) to select the order used to call many RADIUS Servers implementing Mobile Users authentication. Note: all other parameters are options set to their default values. Click on [OK] 20

21 Create users We can use different ways to manage Check Point users. We can declare all users (i.e. define all login) in Check Point and associate each of them to a selected RADIUS server. With that way, when an authentication request is sent, Check Point validate the user (login) is present in the internal database and forward the request to the associated RADIUS. We can also forward all authentication requests to RADIUS servers when no user is define in Check Point. In our laboratory, we implemented both solutions taking advantage of the multiple RADIUS servers. Solution based on a user duplicated in Check Point internal base For this solution, we created the Grp_Users_IAS group, the Grp_Users_SBR group and the Grp_Users_FreeRadius group. Using SmartDashboard: Select Users and Administrators tab by clicking on 21

22 Expand Users and Administrators tree Right Click on User Groups sub tree Select New Group The Group Properties window is displayed Create a group by filling o Names: with an arbitrary name, o Comment: with an arbitrary comment, o Color: with a color associated to the group o View: with the default value All Click on [OK] Right Click on Users sub tree Select New User Select Standard_User 22

23 The User Properties window is displayed Select the General tab In Login Name: enter the name of an existing LDAP user. Select the Groups tab In Available Groups select the targeted group name Click on [Add >] 23

24 Select the Authentication tab In Authentication Scheme: select RADIUS In Select a RADIUS Server of Group of Servers: from Settings: section select the RADIUS server associated to this user. You can choose a name you created during in the RADIUS server properties configuration (See page 20). Note: all other parameters are options set to their default values as they don t take part to the authentication mechanism implemented by Gemalto SA Server. Click on [OK] 24

25 Solution based on a generic user The generic user has a reserved name: generic*. During its configuration, we can forward all authentication requests using a login name not declared in Check Point base to a specific RADIUS server. Using SmartDashboard: Select Users and Administrators tab by clicking on Expand Users and Administrators tree Right Click on External User Profiles sub tree Select New External User Profile Select Match all users 25

26 The External User Profile Properties window is displayed Select the General tab Nothing has to be modified in this first window 26

27 Select the Groups tab In Available Groups select the targeted group name Click on [Add >] 27

28 Select the Authentication tab In Authentication Scheme: select RADIUS In Select a RADIUS Server of Group of Servers: from Settings: section select the RADIUS server associated to this user. You can choose one name you created during in the RADIUS server properties (See page 20). Note: all other parameters are options set to their default values as they don t take part to the authentication mechanism implemented by Gemalto SA Server. Click on [OK] 28

29 Create a security rule We now have to create a rule to define the privileges gained by authenticated users. Using SmartDashboard: Select Rules in the menu Select Add sub-menu Right Click in Source column Select Add Users Access 29

30 The User Access window is displayed In User Group: select the user groups that are concerned by this rule In Location: select No restriction choice Note: The No restriction choice is used to avoid Check Point restrictions to the Client IP addresses. When selected, suffix is added to the User Group name. Click on [OK] Right Click in VPN column Select Edit Cell 30

31 The VPN Match Conditions window is displayed In Match conditions select Only connections encrypted in specific VPN Communities Click on [Add ] Select RemoteAccess Click on [OK] Right Click in VPN column Select Edit 31

32 The Remote Access Community Properties window is displayed Validate All Users is available in Remote Access User Groups: from Participant User Group entry in the tree presented on the left side. 32

33 Open the connection to the Intranet using SA Server Here is how a Mobile User accesses to the Internal Network using the Check Point FW and Gemalto SA Server. We previously described two configurations: VPN IPSec and VPN SSL. From the client side, we have also two different configurations. IPSec VPN Client To connect to IPSec VPN, you have to use the Check Point VPN Client version NGX R60 HFA02. Note: Client installation is not described in this document. Please, refer to the Check Point documentation. When installed, is available in the system tray. Double-Click on [ ] to launch the client First connection The first time you launch the client, the following message is displayed. Click on [Yes] The Site Wizard window is displayed In Server Address or Name: enter <IP Check Point FW External Address> This is the address that is visible from the client PC. 33

34 Click on [Next >] Select User name and Password choice Click on [Next >] In User name: enter the name associated to a Mobile User as it is defined in the LDAP (Active Directory). In Password: enter a value made by the concatenation of the 6 OTP digits with the LDAP Password. 34

35 Click on [Next >] Select Standard choice Click on [Next >] If the following message is displayed Click on [No] Note: In our configuration we didn t implement this feature allowing downloading security rules in the firewall embedded in the VPN Client. 35

36 The validation site window is displayed If the network administrator has provided the Internal CA Certificate Fingerprint: then the user can validate it. This allows to validate the client is connected to the expected site. Click on [Next >] Click on [Finish] 36

37 The following message is displayed Click on [No]. The connection will be presented in the following section. After the first connection Here is described the connections when the first time launch has been realized. Double-Click on [ ] in the system tray to launch the client In User name: enter the name associated to a Mobile User as it is defined in the LDAP (Active Directory). In Password: enter a value made by the concatenation of the 6 OTP digits with the LDAP Password. 37

38 Click on [Connect ] Then, if the connection is successful Then the following icon is displayed in the system tray to recall the VPN is opened. To close the tunnel, Double-Click on in the system tray Click on [Disconnect] 38

39 SSL VPN Client To connect to SSL VPN, you just need a WEB browser. During the first connection, the SSL VPN gateway imposes the installation of Check Point SSL Extender (Active X component). This is a virtual interface that encapsulates all the communication inside an SSL tunnel. Note: We used a standard computer with XP SP2. We also used an account with administrator privileges as it was needed to install the Check Point SSL Extender. First connection The first time you connect to the SSL VPN, SSL Network Extender is installed. To connect to the Check Point FW Gateway: Launch your preferred WEB browser (IE, FireFox, etc.) In the address field, enter <IP Check Point FW External Address> In User Name: enter the name associated to a Mobile User as it is defined in the LDAP (Active Directory). In Password: enter a value made by the concatenation of the 6 OTP digits with the LDAP Password. Click on [OK] 39

40 The Check Point FW gateway tries to install the SSL Network Extender on the client PC. This installation can generate actions request like the following one: This installation can generate warnings like the following one: Those elements are dependent from the security parameters of the browser. You have to acknowledge them. When this component is installed, you can see the following window: If the network administrator has provided the Internal CA Certificate Fingerprint: then the user can validate it. This allows to validate the client is connected to the expected site! Click on [Yes] 40

41 After the first connection Here is described the connections when the first time launch has been realized. To connect to the Check Point FW Gateway: Launch your preferred WEB browser (IE, FireFox, etc.) In the address field, enter <IP Check Point FW External Address> In User Name: enter the name associated to a Mobile User as it is defined in the LDAP (Active Directory). In Password: enter a value made by the concatenation of the 6 OTP digits with the LDAP Password. Click on [OK] 41

42 If you are successfully authentication, the following window is displayed Then, it is possible to access to resources from Internal Network, according to the security policy. Note: The Office Mode IP: displayed in the previous figure is used internally by the gateway. Its value is arbitrary. To close the SSL tunnel Click on [Disconnect] 42

43 Appendix 1: Configure an IAS RADIUS Server with SA Server We used the IAS server version embedded in Windows Server 2003 SP1. IAS RADIUS prerequisites The IAS RADIUS installation is not described in this document. It is presumed to be already done. Check IAS RADIUS Server domain The IAS RADIUS server must be part of the AD Domain as IAS RADIUS has to check that each Mobile User has an account in the directory. You can check IAS RADIUS and AD Domain are part of the same domain using the following process: Right click on My Computer and Select Properties Check in Computer Name tab that the computer is in a domain. You can modify those parameters if needed. Access to IAS administration You have to: Click on Start and Select Administrative Tools Select Internet Authentication Service 43

44 Add a RADIUS Client You now have to add the Check Point FW as a RADIUS client: Right click on RADIUS Clients and Select New RADIUS Client In Friendly name enter a name for Check Point FW, In Client address (IP or DNS) enter <IP Check Point FW Internal Address>. Click on [Next >] Select RADIUS Standard for Client-Vendor: Enter the chosen shared secret in Shared secret: and in Confirm shared secret:. This must be the same value as the one you entered when you configured the Check Point FW (Shared Secret Page 20). Click on [Finish] to validate those parameters. 44

45 Configure Access Policies You have to add a new remote access policy: Right click on Remote Access Policies and Select New Remote Access Policy Click on [Next >] in the wizard windows Select Set up a custom policy choice in How do you want to set up this policy and add a friendly name in Policy name. Click on [Next >] Click on [Add ] in Policy Conditions window 45

46 Select Client-IP-Address in Attribute types: and click on [Add ] Enter <IP Check Point FW Internal Address> in Type a word or a wild card (for example, abc.*): and click on [OK] Click on [Next >] 46

47 Select Grant remote access permission in If a connection request matches the specified conditions: and click on [Next >]. Click on [Edit Profile ] in the profile window Select Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP) Select Encryption tab 47

48 Check only the No encryption box. Then click on [OK] In the Profile window, click on [Next >] In the New Remote Access Policy Wizard window, click on [Finish] The new policy is now available. 48

49 Configure Connection Request Policies You have to add a new connection request policy: In Connection Request Processing, Right click on Connection Request and Select New Connection Request Policy Click on [Next >] in the wizard window Select A custom policy, Enter a name in Policy name and Click on [Next >] In the Policy conditions windows, click on [Add ], Select Client-IP-Address, Click on [Add ], Enter <IP Check Point FW Internal Address>, Click on [OK] and Click on [Next >] In the Request Processing Method, click on [Edit Profile] In the Authentication tab, select Authenticate requests on this server and Click on [OK] In the Request Processing Method window, click on [Next >] In the New Connection Request Policy Wizard window, click on [Finish] 49

50 The new policy is now available. Install and configure SA Server agent for IAS You now have to install the SA Server IAS agent on the IAS RADIUS server. This component will forward all authentication requests received by IAS to SA Server. Double-click on IAS_AgentSetup.exe on the IAS RADIUS server, Click on [Next >] 50

51 Select I accept the terms in the license agreement and click on [Next >] You now have to enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL: Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don t forget to replace the proposed protiva path by saserver as it is now the default choice used during SA Server installation. Click on [Next >] 51

52 Click on [Install] Click on [Finish] 52

53 Restart IAS To launch the installed agent, you now have to re-start IAS. In Internet Authentication Service window, click on in the toolbar to stop IAS. Then, click on the green arrow in the same toolbar to restart the server and take the changes into account. 53

54 Appendix 2: Configure Juniper Steel-Belted RADIUS Server We used the Juniper Steel-Belted RADIUS V6.01 on a Windows Server 2003 SP1. SBR pre-requisites Juniper Steel-Belted RADIUS installation is not described in this document. Launch SBR admin portal To open Juniper Steel-Belted RADIUS admin portal: Start a browser on the following URL: <IP SBR address>:1812 Click on Launch link. A login window is displayed. You have to fill User Name and Password using an account with administrator privileges on the Juniper Steel-Belted RADIUS server. Port is automatically filled with the default 1813 value. Click on [Login] 54

55 Add RADIUS Client You now have to add the Check Point FW as a RADIUS client: Right click on RADIUS Clients 55

56 and Select Add: Complete the following fields: o In Name: enter a friendly name for Check Point FW, o In IP Address: enter <IP Check Point FW Internal Address>, o In Shared secret: enter the same value you entered when you configured the Check Point FW (Share Secret Page 20). o Make sure you select - Standard Radius in Make or model: Click on [OK] Install and configure SA Server agent for SBR You now have to install the SA Server SBR agent on the Juniper Steel-Belted RADIUS server. This component will forward all authentication requests received by the SBR to SA Server. 56

57 Double-click on SBR_AgentSetup.exe on Juniper Steel-Belted RADIUS server, Click on [Next >] Select I accept the terms in the license agreement and click on [Next >] 57

58 Select the Service folder in the SBR installation directory so that it appears in Folder name: Usually, this is under \Program Files\Juniper Networks\Steel-Belted Radius Click on [Next >] Enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL: Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don t forget to replace the proposed protiva path by saserver as it is now the default choice used during SA Server installation. 58

59 Click on [Next >] Click on [Install] Click on [Finish] Restart SBR To launch the installed agent, you now have to re-start SBR service. Select Start, Select Control Panel, Select Administrative Tools Select Services 59

60 Then, Right Click on Steel-Belted Radius And choose Restart Check agent integration To check the installed agent is running, Start the Steel-Belted Radius Administrator (as presented in the Launch SBR admin portal section) Select Authentication Policies then Order of Methods Check that Protiva SBR Agent is in Active Authentication Methods: Note: Other authentication methods can be present in both columns according to the SBR configuration. 60