Product Guide Addendum SafeWord Check Point User Management Console Version 2.1
Copyright 2005 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation.

Trademarks

Secure Computing, SafeWord, Sidewinder, Sidewinder G2, SmartFilter, Type Enforcement, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, On-Box, Application Defenses, RemoteAccess, Sentian, Securing connections between people, applications and networks are trademarks of Secure Computing Corporation. All other trademarks, tradenames, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Technical Support information

Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support needs. To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. If you prefer, send an e-mail to support@securecomputing.com. To inquire about obtaining a support contract, refer to our Contact Secure Web page for the latest information at www.securecomputing.com.

Customer Advocate information

To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a Customer Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com. If you have comments or suggestions you would like to make regarding this document or any other Secure Computing document, please send an e-mail to techpubs@securecomputing.com.
Printing history

Date        Part number     Software Release
July 2005   86-0945095-A    Product Guide Addendum, SafeWord Check Point User Management Console
Introduction

This addendum to the SafeWord 2.1 Product Guide describes the SafeWord Check Point User Management Console (UMC), which you selected as your preferred database tool during your SafeWord software installation. The UMC is the central management tool for managing users and tokens. This document describes the console and gives information on using the console to manage users and authenticators.

This document includes the following topics:

Introduction on page 1
Check Point User Management Console on page 2
Configuring SafeWord strong authentication on page 4
What next? on page 10

Product Guide Addendum for the SafeWord Check Point UMC 1
Check Point User Management Console

SafeWord's Check Point UMC is the user management tool for user data stored in a Check Point database. Aside from a few visual differences between the Check Point UMC and the Active Directory UI, and some additional steps in configuring authentication setup before deploying the system, the functions of the user management interface are the same whether user records are stored in Active Directory or the Check Point user database.

The Check Point UMC Console is divided into two management interfaces. The first interface allows you to list tokens, view and search for user and token associations, and import new token records into the system. It is also where backup and restore database functions are performed. Figure 1 shows the SafeWord Check Point Console in comparison with the Active Directory console.

Figure 1. Search Utility window: Check Point window and Active Directory window

The second interface allows you to associate users with SafeWord tokens, assign PINs, generate emergency passcodes, and test tokens after assigning them to individual users. Figure 2 shows the SafeWord Check Point Console User Properties window where these tasks are performed.
Figure 2. Check Point and Active Directory User Properties windows: Check Point window and Active Directory window

Launching the console

Launching the Check Point UMC is done via the Windows Start menu: Start -> Programs -> Secure Computing -> SafeWord -> SafeWord Check Point Console. In Active Directory environments, the management console is started using the Active Directory Users and Computers tool.
Configuring SafeWord strong authentication

Once SafeWord is installed, registered, activated, and you have customized it with your own administration passwords, you are ready to configure SafeWord strong authentication.

Configuring authentication for Check Point

To use SafeWord's Check Point Console to manage users, you will need to configure SafeWord RADIUS authentication. This will create a RADIUS Server object in the Check Point database. The Configure SafeWord RADIUS Authentication window shown in Figure 3 appears the first time you launch the management interface. You can also access this window by clicking on the Check Point Users node. When the Configure SafeWord RADIUS Authentication window appears, do the following:

Figure 3. Configure SafeWord RADIUS Authentication window

1. Enter the IP Address of the machine hosting the SafeWord IAS Agent.
2. Enter the Port number on which the machine hosting the SafeWord IAS Agent accepts RADIUS requests.
3. Click OK, and a success window appears. You will be prompted that the RADIUS Secret must be set. You set the RADIUS secret manually in the Check Point Management GUI, as follows:
4. Open the Check Point SmartDashboard.
5. When the Check Point Smart Update window appears, enter your administrative password.
6. Select the Servers tab on the left pane of the window.
7. Expand the RADIUS Server node.
8. Edit the SafeWordRADIUS_<IP>_<Port> object. The RADIUS Server Properties window appears.
Figure 4. New RADIUS Secret window

9. Enter your Shared Secret in the Shared Secret field, then click OK.

Configuring authentication for Active Directory

If you are using Active Directory to manage users, you can configure SafeWord for Check Point to work with existing Active Directory users without adding Check Point's Active Directory schema extensions. This is made possible by defining an object and associating it with the LDAP Account Unit defined for the Active Directory server. For example, if you want to enable all users with IKE+Hybrid, based on the Active Directory passwords, create a new template with the IKE properties enabled and VPN-1/FireWall-1 as the authentication method. In addition to defining a template, you will be manually creating a RADIUS server and creating an LDAP Account Unit for your Active Directory environment.

Enabling LDAP user management

Before you can configure authentication for Active Directory, you must enable LDAP user management. To enable LDAP user management, do the following:

1. Open the Check Point Management GUI.
2. Select Policy -> Global Properties. A window appears with the first item in the tree highlighted.
3. Select LDAP Account Management from the list in the tree.
4. Click Use LDAP Account Management.
Figure 5. RADIUS Server Properties window

Manually adding a RADIUS server

As part of the process for configuring SafeWord authentication, you will need to manually add a RADIUS server. To manually add a RADIUS server, do the following:

1. Open the RADIUS Server Properties window.
2. Choose a name for your RADIUS server and enter it in the Name field.
3. Choose or create an appropriate host object and enter that in the Host field.
4. From the Service field drop-down list, choose the UDP Service Object for the RADIUS port.
Note: By default, IAS listens on ports 1645 and 1812. Ensure that the UDP Service object you choose matches the port on which the SafeWord IAS Agent is actually listening.
5. Enter your Shared Secret. It must be identical to the secret configured on the SafeWord IAS Agent. RADIUS never sends the secret over the wire, so a mismatch is not reported as such: the agent cannot recover the user's passcode from the request, and Check Point discards replies whose Response Authenticator does not verify, so every authentication simply fails.
6. Click OK to complete the setup.
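The two places where a Shared Secret is entered (step 9 on the previous page and step 5 above) both end up in the same RFC 2865 exchange: Check Point, as the RADIUS client, hides the user's passcode with the secret and the Request Authenticator, and the SafeWord IAS Agent, as the RADIUS server, signs its reply with a Response Authenticator computed over the same secret. The following Python model is an added example and is not code from this guide, from SafeWord or from Check Point; it implements the RFC 2865 message formats offline so that you can see why a mismatched secret turns into a reject plus an unverifiable reply rather than a clear error. The usernames, passcodes, secrets and the NAS IP address are constructed for the example, and the server side is a stand-in for the IAS Agent, not its code.

```python
"""Offline model of the RADIUS Access-Request / Access-Accept exchange (RFC 2865)
between a Check Point RADIUS Server object and the SafeWord IAS Agent.
Added example with constructed values; not part of the product guide."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types


def _attr(atype, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: zero-pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of section 5.2: same keystream, chained on the received ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Client side (the Check Point gateway): Code, Identifier, Length, Request
    Authenticator (16 random bytes), then attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    """Walk the type/length/value attribute list into a dict keyed by type."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_respond(request, secret, users):
    """Stand-in for the IAS Agent: recover the passcode with its own copy of the
    secret, decide, and sign the reply. With the wrong secret the recovered
    passcode is garbage, so the decision is Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    passcode = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == passcode else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + auth + reply_attrs


def verify_response(reply, request, secret):
    """Client side: a reply counts only if its authenticator was computed with our
    secret over our Request Authenticator. RFC 2865 says to silently discard
    anything else; here that is reported as False."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return reply[4:20] == expected


def run_exchange(client_secret, server_secret, passcode=b"1234567890"):
    """Run one round trip; returns (reply code, reply verified by client)."""
    users = {b"jdoe": b"1234567890"}           # constructed user and token passcode
    req = build_access_request(7, b"jdoe", passcode, client_secret, "192.0.2.10")
    reply = server_respond(req, server_secret, users)
    return reply[0], verify_response(reply, req, client_secret)


if __name__ == "__main__":
    print("matching secrets:  ", run_exchange(b"s3cret", b"s3cret"))
    print("wrong passcode:    ", run_exchange(b"s3cret", b"s3cret", b"000000"))
    print("mismatched secrets:", run_exchange(b"s3cret", b"different"))
```

With matching secrets the model returns an Access-Accept that verifies; with a wrong passcode it returns an Access-Reject that still verifies, which is how a healthy RADIUS link reports a bad token code; with mismatched secrets the reject does not verify at all, which on a real gateway shows up only as a timeout or a generic failure. That last case is the symptom to suspect when every SafeWord user is refused immediately after the RADIUS Server object is created.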
Creating an LDAP Account Unit

The next part of the process for configuring SafeWord authentication for Active Directory users is to create an LDAP Account Unit. To create an LDAP Account Unit, do the following:

1. In the Check Point Management GUI, open the LDAP Account Unit Properties window.

Figure 6. LDAP Account Unit Properties window

2. Create an LDAP Account Unit for your Active Directory by doing the following:
a. Select the User management option under Account Unit Usage.
b. Select Microsoft_AD from the Profile drop-down list.
c. Click OK to complete the setup.

There are two options for how authentication from RADIUS will occur. You can either specify authentication attributes for all users from Active Directory by using a template, or specify the attributes for individual users by extending Check Point's Active Directory schema. Choose the method that is most appropriate for your users and refer to the following sections to set up your choice.
Figure 7. LDAP Account Management window

Using a template to specify authentication attributes globally for all users

To use a template to specify authentication, do the following:

1. Browse to the Templates node in your Check Point user interface.
2. Create a new template using the Check Point interface.
3. On the Template window's Authentication tab, ensure that the Authentication Scheme is defined as RADIUS.
4. Ensure that the RADIUS server you defined earlier in this process is selected from the list labeled Select a RADIUS Server or Group of Servers.
5. Reopen the LDAP Account Unit you created earlier, and go to the Authentication tab of the Properties window.
Figure 8. The Authentication tab of the LDAP Account Unit Properties window

6. Confirm the following settings:
a. RADIUS is selected as the Allowed Authentication Scheme.
b. Use User Template is selected as the User's default value.

Extending the Active Directory schema to specify authentication attributes individually for users

To extend Check Point's Active Directory schema to specify authentication attributes individually for users, consult your Check Point documentation. Such discussions are beyond the scope of this guide.

Additional Check Point security

If you are using Check Point User Management Support, and are using the User Center to enroll users and tokens, you must also assign the SafeWord authentication method to users in Check Point databases; the User Center will not extend the authentication to those users. To assign the method, right-click on the user, then choose Configure Authentication.
What next?

The following is a list of tasks that need to be done before you can start using your software. Each of these tasks is described in detail in your SafeWord 2.1 Product Guide.

Note: Specific chapter references within the Product Guide are called out.

1. Register and activate your software (Chapter 2).
a. Locate the software serial number and token group ID.
b. Register the software.
c. Verify the activation.
d. (If applicable) activate additional tokens.
e. Change your administrative password.
f. Secure user passwords with PINs.
2. Prepare and distribute tokens to users (Chapter 3).
a. Assign tokens with the SMC, or let users enroll their own tokens with the User Center.
b. Test the tokens.
Part Number: 86-0945095-A
Software Version: SafeWord Check Point User Management Console
Product names used within are trademarks of their respective owners.
Copyright 2005 Secure Computing Corporation. All rights reserved.