CheckPoint Software Technologies LTD. How to Install and Configure SecureClient and SecureServer Event: Partner Exchange Conference Date: October 19, 1999 Revision 1.0 Author: Richard Devera, Southern Region Technical Consultant Credits: Joe Dipietro, Mark Elliot


Table of Contents

Equipment Needed
Configuration overview
Configuration Details
Install and Configure SecureServer
Install and Configure SecureClient
Appendix A - Troubleshooting Tips and New Features
Appendix – A cont.
Authenticated Topology Downloads
Appendix B – Tables


Configure a SecureClient and SecureServer network

This document explains how to set up and configure SecureClient and SecureServer with Check Point VPN-1 Version 4.1. Basic knowledge of the Check Point architecture is a prerequisite. For further information on how to install the product, please refer to the Getting Started for VPN-1/Firewall-1 guide.

Goal of the Demo:
• To show steps on how to deploy a VPN between a client and server using SecureClient and SecureServer.

Equipment Needed:
• Firewall-1 version 4.1 or greater (Unix or NT)
• x86 platform running NT 4.0 Server SP 4
• x86 platform running Windows 98
• Sun platform w/Solaris 2.6
• NT or Solaris based platform 128 MB RAM, 2GB disk space

Configure SecureClient and SecureServer

[Figure: network topology diagram. Labels from the diagram:]

INTERNAL NETWORK - IP Network: 192.32.42.0, Netmask: 255.255.255.0
Web/FTP Server, NT PDC - Domain “CS”, NT Server Software SP4
Meta IP - DHCP/DNS/UAM - IP: 192.32.42.44, Netmask: 255.255.255.0, DG: NONE
IP: 192.32.42.52, Netmask: 255.255.255.0, DG: NONE
Solaris - Secure Server - IP Network: 192.32.42.41, Netmask: 255.255.255.0, DG: NONE
SecuClient, NT Server SP4 - IP: 192.32.42.42, Netmask: 255.255.255.0, DG: NONE
Secure Client, Win 95/98 - IP: 192.32.42.43, Netmask: 255.255.255.0, DG: NONE
LDAP Server - IP Network: 192.32.42.51, Netmask: 255.255.255.0, DG: NONE

NOTE: All subnet masks are 255.255.255.0. All IP addresses are for subnet and host IP address, i.e. 42.41 = 192.32.42.41. DG = Default Gateway.


Configuration overview:
1. Interconnect systems and hubs as per topology diagram.
2. Install Windows 98 on one client, Windows NT Server for the Management console, Solaris 2.6 for the SecureServer.
3. Create user account bob (password abcd1234) on the SecureServer.
4. Configure Network interfaces and routing. Verify connectivity by using ping to each host.
5. Install SecureServer on a Solaris machine
6. Install the management console on a Windows NT server machine
7. Install SecureClient on the Windows 98 machine
8. Create a SecureClient VPN rule to the SecureServer
9. Define and install a policy for the services to be tested.
10. Initiate an FTP session
11. Verify an encrypted FTP connection using log viewer


Configuration Details

Install and Configure SecureServer
1. Install SecureServer
2. Insert the VPN Enterprise CD v4.1 into the disk drive.
3. Change directory to /cdrom/cpstrongsuite_41
4. Run ./InstallU
5. Install VPN-1 / FW-1 Product

+------------------------------------------------+
|                  PRODUCT MENU                  |
+------------------------------------------------+
| [*] 1. VPN-1 / FireWall-1                      |
| [ ] 2. FloodGate-1                             |
| [ ] 3. (Compression Module - not available)    |
| [ ] 4. Meta IP                                 |
+------------------------------------------------+


6. For Setup type, select Distributed Installation
7. For Distributed Installation, select Management Server/Enforcement Point Software
8. Enter N when asked for backward compatibility
9. When asked to install in base directory, answer Y.
10. If you will be using MetaIP UAM, select Y; you will have to supply the IP address of the UAM server. Otherwise, select ‘N’ for MetaIP configuration.

+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
|                               SETUP TYPE                                |
+-------------------------------------------------------------------------+
| [ ] 1. STAND ALONE INSTALLATION                                         |
|        This option installs all components of the products              |
|        you have selected on a single machine.                           |
| [*] 2. DISTRIBUTED INSTALLATION                                         |
|        This option allows you to assign specific product components     |
|        (management server software,enforcement points and management    |
|        clients) for each products that you are installing to different  |
|        machines.                                                        |
+-------------------------------------------------------------------------+

+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
|                        DISTRIBUTED INSTALLATION                         |
+-------------------------------------------------------------------------+
| [*] 1. Management Server/Enforcement Point Software                     |
|        The required components will be installed for this machine       |
|        to function as a management server and/or as an enforcement      |
|        point for the product(s) you have selected.                      |
| [ ] 2. User Interface                                                   |
|        The required components will be installed for this machine       |
|        to function as a client for the product(s) you have selected.    |
+-------------------------------------------------------------------------+

-----------------------------------------------------------------------
Would you like to configure your MetaIP products with VPN-1/FireWall-1?
If so - the installation will complete now the required setup.
-----------------------------------------------------------------------
Please enter [y]es or [n]o. y
Enter your UAM HOST IP ADDRESS 192.32.42.44


11. After accepting the license agreement, you will be asked to choose the type of installation and module you want to install.
• Choose VPN-1 & Firewall-1 Distributed Installation for the installation selection
• Choose VPN-1 & Firewall-1 Gateway/Server Module for the module selection
• Choose VPN-1 & Firewall-1 – SecureServer as the kernel module selection
12. Choose Y to automatically start the software from /etc/rc3.d.

Choosing Installation
------------------------
(1) VPN-1 & FireWall-1 Stand Alone Installation
(2) VPN-1 & FireWall-1 Distributed Installation

Option (1) will install VPN-1 & FireWall-1 Internet GateWay (Management Server and Enforcement Module) on a single machine.
Option (2) will allow you to install specific components of the VPN-1 & FireWall-1 Enterprise Products on different machines.

Enter your selection (1-2/a): 2
Installing VPN-1 & FireWall-1 Distributed Installation.

Which Module would you like to install ?
-------------------------------------------
(1) VPN-1 & FireWall-1 Enterprise Management and Gateway/Server Module
(2) VPN-1 & FireWall-1 Gateway/Server Module
(3) VPN-1 & FireWall-1 Enterprise Management

Enter your selection (1-3/a) [1]: 2

Which Module would you like to install ?
-------------------------------------------
(1) VPN-1 & FireWall-1 - Limited hosts (25, 50, 100 or 250)
(2) VPN-1 & FireWall-1 - Unlimited hosts
(3) VPN-1 & FireWall-1 - SecureServer

Enter your selection (1-3/a) [2]: 3

**************** VPN-1 & FireWall-1 kernel module installation ****************
installing VPN-1 & FireWall-1 kernel module...
Done.

Do you wish to start VPN-1 & FireWall-1 automatically from /etc/rc3.d (y/n) [y]? y
VPN-1 & FireWall-1 startup code installed in /etc/rc3.d


13. You will be asked to enter a license; enter ‘y’. You will need to register the certificate issued with this software at http://license.checkpoint.com. After you receive your registered license via email, you will need to enter the appropriate data at the prompts.
14. Next you will be asked to configure the masters (management stations); enter ‘y’ to add Management Stations.
• Enter an IP address 192.32.42.52
• Secret Key: abcd1234 (this key can be any random alphanumeric characters)
On the Management Station, remember to type in the following:
# cd $FWDIR/bin
# fw putkey -p abcd1234 192.32.42.41
15. Configure the SMTP server, select N for NO
16. Configure for SNMP extension, select N
17. Configure for Groups, select the default values (none, y)
18. Configure IP forwarding, select Y

Configuring Licenses...
=======================
The following licenses are installed on this host:
Do you want to add licenses (y/n) [n] ? y
Host: 192.32.42.41
Date: 13Oct1999
String: axEgJL3uE-78jpjSjfJ-mJFTnxKJC-LnmKusv8o
Features: CPFW-EVAL-1-3DES-v41 CPTC-ETF-U-v41 CK-FW-FG-4.1-BETA-USE-ONLY

Configuring Masters...
======================
Masters are trusted Management Stations which will control this Check Point Module.
Do you want to add Management Stations (y/n) [y] ? y
Please enter the list of hosts that will be Management Stations.
Enter hostname or IP address, one per line, terminating with CTRL-D or your EOF character.
192.32.42.52
Is this correct (y/n) [y] ? y
You will now be prompted to enter a secret key that will be used to authenticate the communication between this Module and the Management Stations that you have selected.
Enter secret key:
Again secret key:


19. When configuring the default filter, configure to allow only traffic necessary for boot.
20. After successful installation, the script will ask to reboot; select y.
21. On the management console, create a network object named secureserver. Configure it with IP address 192.32.42.41. Set the workstation type to host and check the box VPN-1 & Firewall enabled with version 4.1.

Configuring Default Filter...
=============================
Do you wish to modify your /etc/rcS.d boot scripts to allow a default filter to be automatically installed during boot (y/n) [y] ? y

Which default filter do you wish to use?
----------------------------------------
(1) Allow only traffic necessary for boot
(2) Drop all traffic

NOTE: If you are installing the VPN-1 & FireWall-1 module, and not reconfiguring, it is recommended you choose option (1) in order to allow communications with the VPN-1 & FireWall-1 management. After installing a policy on the module from the management, you can reconfigure the default filter to option (2)

Enter your selection (1-2) [1]:

Hints:
• If DNS or the host file is defined, Get Address will return the IP address defined for the server.
• The Get button in Modules Installed will get the version of the enforcement point.
• Gateway type does not have to be selected for SecureServer.


22. Select the Interfaces tab and select Get.


23. Select the Authentication tab, uncheck all boxes.
24. Click on the OK button to save.
25. Double click on the secureserver network object and select the VPN tab.
26. Check the box labeled Exportable for SecuRemote
27. Under Encryption schemes defined, check the IKE box and highlight IKE, select Edit

Note: In this configuration we are using IKE pre-shared secrets. An authentication scheme does not need to be defined, unless this server will be performing multiple authentication methods.


Note: If you check Public Key Signatures, you will have to create a certificate and configure a CA server. For this demo, we will only use Pre-Shared Secret.

28. Under Key Negotiation Encryption Methods, enable all methods.
29. Under Hash Method, enable both methods.
30. Under Authentication Method, check Pre-Shared secret
31. Check Supports Aggressive Mode. Since we are only supporting a host, we do not need to enable Supports Subnets.
32. Click on OK and save the changes.
33. Select Manage->Users from the menu bar on the Policy Editor
34. Create a user, bob.


35. In the authentication tab, select VPN-1 & Firewall-1 Password
36. Select the encryption tab and check Log Successful Authentication Track.
37. Select IKE in Client Encryption Methods and Edit.


38. Under the Authentication tab, check Password (for pre-shared secret) and type in a password.

(Remember this password for SecureClient use)

39. Select the Encryption tab. Check ESP, SHA1, and 3DES.


40. Create a user group, finance-dept, and add bob to this group.


41. Go to Manage->Servers and select New->Policy Server
42. Create a policy server called accounting-server.
43. Select secureserver as the host this policy server will be assigned to.
44. Select finance-dept as the user group assigned to the policy server.
45. Select OK and Close the Server object manager.


46. Go to Manage->Properties and select the Desktop Security tab.
47. Check the following:
• Respond to Unauthenticated Cleartext Topology Requests (See Appendix on Authenticated Topology Requests)
• Desktop is Enforcing Required Policy
• Policy is Installed on All Interfaces
• Generate Log
• Notify Desktop User
48. Allow Outgoing & Encrypted will be used as the Required Policy for All Desktops. (See Appendix B for information on all Required Policy for All Desktop options)


49. Create two rules like the following diagram:

Source            Dest  Service      Action          Track  InstallOn     Time
finance-dept@Any  Any   telnet, ftp  Client Encrypt  Long   secureserver  any
Any               Any   Any          drop            Long   secureserver  any

• The first rule allows users within the finance department telnet and ftp access to any node using the client VPN (SecureClient).
• The second rule drops all users who do not meet the first rule. (This is always the last rule; it is only shown as the last rule to track for logging.)

NOTE: On Rule #1, by clicking with the right mouse button on "Client Encrypt", you now have the option to ENFORCE the client's desktop parameters before allowing this connection. This means that if the client disables or reconfigures their desktop machine, the SecureServer module will not allow the desktop to get access to the server. That is what "Apply Rule Only if Desktop Configuration Options are Verified" means.
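The two rules from step 49 and the desktop-verification option from the note can be read as a first-match evaluation. The Python model below is an added example, not Check Point code and not part of the original document; the class names, the desktop_verified flag and the fall-through to the next rule when the desktop is not verified are assumptions made for illustration.

```python
"""First-match model of the two-rule policy from step 49 (illustration only).

Not Check Point code: the class names, the desktop_verified flag and the
fall-through behaviour for an unverified desktop are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed from the walkthrough: user bob is a member of finance-dept.
GROUPS = {"finance-dept": {"bob"}}


@dataclass(frozen=True)
class Connection:
    user: Optional[str]      # None = no authenticated SecureClient user
    service: str             # "ftp", "telnet", "http", ...
    encrypted: bool          # True if it arrived through the client VPN
    desktop_verified: bool   # desktop policy loaded and not disabled


@dataclass(frozen=True)
class Rule:
    number: int
    source_group: Optional[str]         # None = Any
    services: Optional[FrozenSet[str]]  # None = Any
    action: str                         # "Client Encrypt" or "drop"
    require_verified_desktop: bool = False

    def matches(self, conn: Connection) -> bool:
        if self.source_group is not None:
            if conn.user not in GROUPS.get(self.source_group, set()):
                return False
        if self.services is not None and conn.service not in self.services:
            return False
        if self.action == "Client Encrypt":
            if not conn.encrypted:
                return False
            # Assumption: with the option set, an unverified desktop means
            # the rule is not applied and evaluation continues.
            if self.require_verified_desktop and not conn.desktop_verified:
                return False
        return True


def build_rule_base(enforce_desktop: bool) -> List[Rule]:
    """The two rules from the table; enforce_desktop models the right-click option."""
    return [
        Rule(1, "finance-dept", frozenset({"telnet", "ftp"}),
             "Client Encrypt", enforce_desktop),
        Rule(2, None, None, "drop"),
    ]


def evaluate(rules: List[Rule], conn: Connection) -> Tuple[int, str]:
    """Return (rule number, action) for the first rule that matches."""
    for rule in rules:
        if rule.matches(conn):
            return rule.number, rule.action
    return 0, "drop"  # nothing matched: treated as dropped


if __name__ == "__main__":
    # Constructed sample connections.
    samples = [
        Connection("bob", "ftp", True, True),
        Connection("bob", "http", True, True),
        Connection("alice", "telnet", True, True),
        Connection("bob", "ftp", True, False),
    ]
    for enforce in (False, True):
        rules = build_rule_base(enforce)
        for conn in samples:
            print(enforce, conn, evaluate(rules, conn))
```

With the option off, bob's FTP session from a desktop whose policy has been disabled still matches rule 1; with it on, the same session falls through to the drop rule.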


50. Select Policy->Install to install the policy to secureserver

51. A successful policy install will produce an output similar to the following diagram.


Install and Configure SecureClient
1. Install SecureClient on a Windows 98 client. See demo architecture.
2. Insert the Enterprise CD into the Windows 98 client and follow these steps.
3. The installation will auto play the installation script. Select Next
4. Click on Yes if you agree with the terms of the license agreement.


5. Select Mobile Desktop Components

6. Select VPN-1 SecuRemote/SecureClient. Please note that the same code is used for both SecuRemote and SecureClient if you select "Install Desktop Security Support" during the installation. The only difference is the configuration on the SecureServer or Firewall Module that will push the policy into the SecureClient Desktop. This will be a great advantage in the future, because the customer will be able to add "SecureClient" functionality without having to reinstall new software!


7. Setup application will display the products you want to install. Select Next to continue.

8. Choose the default destination directory.

9. Choose Install Desktop Security Support. This is for the SecureClient support.


10. Install SecureClient on all network adapters

11. Reboot the computer when setup is complete

12. After rebooting the machine, move the mouse down to the task bar and double-click on the SecureClient envelope.


13. Create a site, 192.32.42.52, and press OK to save site data.

14. A dialog box will appear asking to download a security policy. Select OK; canceling this will defer loading a security policy.

Note: You can see that a policy has been loaded into your desktop by the "Envelope with a Lock" icon in your task bar.

15. At the User Authentication dialog box enter the username bob and password abcd1234


16. A dialog box will verify successful logon.
17. Open up a DOS command line and initiate an FTP session with the secureserver. Logon with a valid username and password. (This example uses bob as the username and abcd1234 as the password).
18. Go to the management console and start up the log viewer to verify session.


19. Start up a DOS command-line prompt on another workstation on the LAN and run a ping test against the SecureClient desktop. Verify blocked traffic to the desktop.
20. On the SecureClient desktop, double-click on the envelope. Go to Policy->Disable Policy.
21. Go back to the command-line prompt on the other workstation and run a ping test against the SecureClient desktop.
22. Verify successful ping test.
23. Configuration complete.


Figure 1. Rebinding Adapters

Figure 2. Disabling Sites

Appendix A - Troubleshooting Tips and New Features

1. Error messages to SecureClient and SecureServer can be found in the document titled Check Point Virtual Private Networks Version 4.1

2. Please note that SecuRemote/SecureClient can rebind to the adapters in version 4.1, so that you do not need to reinstall SecuRemote/SecureClient (see Figure 1).

3. Also note that in version 4.1 you have the ability to dynamically disable sites. This could be useful if two sites have the same encryption domains (step #28 - Encdomain), but use two different management stations. SecuRemote/SecureClient will then encrypt to site 192.32.42.31 and not 192.32.42.52 (see Figure 2).

4. Single-Sign-On (SSO) is a version 4.0 feature that can also be used in version 4.1; it is configured on an NT Workstation or NT Server. This will save the username/password for SecuRemote/SecureClient and the NT Domain username/password, so that you don't have to type these in. This will handle the automatic key negotiation to establish the VPN Tunnel.


Appendix – A cont.

Authenticated Topology Downloads

Starting in version 4.0, the site’s topology can be downloaded in encrypted format. In earlier releases, the topology was downloaded in clear text. The topology information includes which encryption schemes the gateway supports: FWZ, IKE or both. To set up authenticated topology downloads:
1. Disable/Uncheck Respond to Unauthenticated Cleartext Topology Requests
2. Go to the VPN host/gateway network object
3. Click on the VPN tab
4. Select FWZ
5. Edit to generate an RSA key.
6. Save the changes and download the policy.


7. After successfully downloading the policy to SecureServer, download a new topology from SecuRemote/SecureClient
8. You will be prompted to enter a username and password. On a successful download, configuration is complete.


Appendix B – Tables

The Desktop Policy options and Desktop Configurations options were taken directly from the Check Point Virtual Private Networks Version 4.1 document. These are the only policies for Phase I SecureClient in version 4.1. In a future version, the desktop security policy will be able to be configured in a very granular fashion.