Check Point Next Generation Feature Pack 3

How to configure Microsofts Active Directory to work with Check Point NG FP-3 and SecureClient.

Author: Joe Green Security Engineer Check Point Software Technologies, Inc. 5757 W. Century Blvd. Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 Los Angeles, CA 90045 jgreen@us.checkpoint.com This document assumes the following. 1. You have an understanding of installing and configuring Check Point NG in a distributed environment (Management and Module installed separately). Note: Active Directory Integration CAN work in a Stand Alone deployment. 2. You have a basic understanding of Active Directory and Windows 2000.

Internal LAN 172.16.1.x /24 .200 .254 Management Server Active Directory Server .254

External LAN 10.1.1.x /24 .253

SBox

Remote Users LAN 192.168.10.x /24 .1

SecureClient

In the above configuration, the Check Point Management server is also the Active Directory Server. In a real world deployment, these two applications probably would not be running together. However, it provides an easy way to learn this set-up with the minimum amount of computers in a lab. Note: This document can be followed even if your Active Directory Server is on a separate computer. It will mention the different steps needed and how to perform those actions. The DNS domain used in the above configuration is laxlab.com The Management Servers FQDN is msad.laxlab.com The following steps provide an outline of what this document covers. 1. 2. 3. 4. 5. Installation/Configuration of Active Directory Installation/Configuration of Microsofts DNS Server Installation/Configuration of Microsofts Certificate Server Check Point configuration for LDAP Setting up a template and managing users.

Before starting, the following should be verified: 1. Check Point NG FP3 should be installed and you should be able to push policies without any problems. (e.g. SIC is functioning, name resolution is working, etc.) 2. All machines have IP connectivity to each other. 3. The Microsoft High Encryption Pack is installed. This can be obtained at;
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp

Licensing:

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 To integrate Check Point and LDAP together, you must have the Account Management Module license. This license is applied to the Management Server (or CMA in Provider1). The AMM license is also included in the Smart Center Pro bundle. Installing Microsofts Active Directory: If you didnt install Microsofts Windows 2000 Advanced Server, you need to add Active Directory to you Windows 2000 Server installation. Heres how. 1. From within Windows, go to the Start Run prompt, enter the command dcpromo . The Active Directory Wizard will start and you need to provide the following input at the prompts. (See pictures below) a. Domain Controller for a new domain b. Create a new domain tree c. Create a new forest of domain trees d. Type the full DNS name for the new domain **Note** This is the DNS Domain that your computer belongs to. E.g. laxlab.com e. Type in the domain netbios name (this is for earlier versions of Windows. E.g. laxlab f. Specify the Database and Log locations (take the defaults) g. Enter the location for the System Volume Folder (again, take the defaults) h. At this point in the Active Directory installation, it will warn you that it cannot contact a DNS server for your domain (unless you have already configured DNS). Either use the existing DNS installation or have the wizard install it for you (having the Wizard install it is very easy). i. Set the permissions to be compatible with your environment. j. Set the password for the Directory Services restore and click next at the summary screen to complete installation of Active Directory and DNS. Note: When Active Directory finishes installing, it will ask you to reboot the computer, dont reboot yet . If you just installed DNS for your domain, the computer will take a long time present you with the logon screen after reboot. The computer is trying to contact a DNS to resolve the domain that was just created. To avoid this, make the Primary DNS server of your computer, the local computer itself. Now, reboot. DCPROMO:

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

DNS Install:

2. Upon reboot, you need to install Microsofts Certificate Server. This is required for SSL communication between the Active Directory Server and the Check Point Management console. a. This is installed through the Windows Control Panel Add/Remove ComponentsAdd/Remove Windows Components . b. Select the Certificate Services option and click next. Then choose the following options. i. Select Enterprise Root CA Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 ii. Fill in the CA Identifying Information fields. Note: This is the information that will be part of your certificate. iii. Take the Data Storage Location defaults. iv. Certificate Server is now installed (no reboot necessary).

Certificate Server:

3. Next, you need to allow the schema to be viewed and modified by the Microsoft Management console (MMC). This is easily done through the GUI in Windows 2000. a. Register the schema DLL. Go to Start Run, and type regsvr32 schmmgmt.dll (you should see a message stating that the operation was successful). b. Go to Start Runand type mmc. c. From within the MMC, click on the Console menu, then click Add/Remove Snap-In d. Click add and select Active Directory Schema , click add, click close and click ok to return to the MMC. e. Expand the Active Directory Schema (click on the + symbol). Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 f. Right click on the A.D. Schema in the MMC and select Operations Masters. g. Place a check in the box titled The schema may be modified on this domain controller. h. Exit the MMC and reboot. MMC:

4. Next, you need to delegate control of the directory so that the administrator can make changes. a. Go to StartPrograms Administrative Tools Active Directory Users and Computers . b. Right click on you citys domain and choose delegate control. c. Add the administrator account (or administrators group) and check both of the boxes in the next screen. Click ok and then exit. Delegation:

5. To enable SSL communication between FireWall-1 and Active Directory, the following needs to be done: a. Got to StartProgramsAdministrative ToolsDomain Security Policy. b. Go to Security SettingsPublic Key PoliciesAutomatic Certificate Request Settings , right click and select New Automatic Certificate Request. c. Select Domain Controller from the window, then select your CA. SSL: Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

Check Point VPN-1 Configuration:

1. Log into the Check Point Policy Editor. 2. Go to the Policy Menu Global Properties. a. From the LDAP Account Management branch, select Use LDAP Account Management and click ok. b. Next, go to the Manage MenuServers . Create a LDAP Account Unit Object. Use the following parameters: (Screen shots below) (General Tab) i. Name=a descriptive name. ii. Check the boxes User Management and CRL Retrieval iii. Set the LDAP Profile type to Microsoft_AD . (Servers Tab) c. On the servers tab, you need to add your server and set all the necessary parameters. (See figures below) i. Host=your LDAP server (we are using our Mgmt. server since A.D. and the CP Mgmt. are on the same box). If you have a separate A.D. server, create an object for that and select that as the Host. ii. Login DN: cn=administrator,cn=users,dc=laxlab,dc=com (Note:substitute yo ur DNS domain for laxlab) iii. Enter the administrators password. iv. Permissions (R/W, or RO, your choice). v. Set the Early Version Compatibility (Back on the Servers tab). (Encryption tab) d. On the Encryption tab, set the following parameters. i. Use SSL. ii. Click Fetch for Fingerprint. iii. Set Encryption to strong and strong for Min and Max. iv. Click ok. (Objects Management) e. On the objects management tab, select your A.D. object and fetch the branch. (Authentication) Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 f. On the authentication tab, make sure and select what template you want to use. Check Point LDAP Configuration:

Optional Configuration: Extending the Schema: There are certain attributes that can be defined for users in Check Point VPN-1 and not Active Directory. It is possible in a production environment that a customer will not want

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 to extend the Schema of the Active Directory server. This operation is not necessary. By extending the schema you gain the benefit of having these Check Point attributes: 1. Time and date the user can log in. 2. Source and destination of the user. 3. Ike Properties. 4. Account lockout. 5. Password expiration. 6. LDAP Server templates. 7. etc. You still have the ability to control some of these things through the Active Directory database. Regardless, if you do not extend the schema, you will still be able to use those users. Schema Extension (Optional): Close the Policy Editor and extend the Active Directory schema. Note: This is done from the management console. g. Using Wordpad, open the file $FWDIR\lib\ldap\schema_microsoft_ad.ldif and replace all instances of DOMAINNAME with you domain name. e.g. dc=laxlab, dc=com. (Use Edit menuReplace) Save and Exit. h. *Important* Before you run the ldapmodify command, you must be able to resolve the hostname of the A.D. Server. This is crucial if the A.D. Server is on a separate computer! Modify your \Winnt \system32\drivers\etc\hosts file and add entries for the A.D. Server. E.g. 172.16.1.200 msad 172.16.1.200 msad.laxlab.com i. Next (from the DOS prompt), using the ldapmodify command (all on one line), run the command: E.g. ldapmodify c h msad.laxlab.com D cn=administrator,cn=users,dc=laxlab,dc=com w password f c:\winnt\fw1 \ng\lib\ldap\schema_microsoft_ad.ldif
Note: In the above syntax, substitute your hostname and DNS Domain Name for msad.laxlab.com. The output of the ldapmodify command should look like;
[Begin example] adding new entry CN=fw1auth-method,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1auth-server,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1pwdlastmod,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1skey-number,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1skey-seed,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1skey-passwd,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1skey-mdm,CN=Schema,CN=Configuration,dc=laxlab,dc=com

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

adding new entry CN=fw1expiration-date,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1hour-range-from,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1hour-range-to,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1day,CN=Schema,CN=Configuration,dc=laxlab,dc=com adding new entry CN=fw1allowed-src,CN=Schema,CN=Configuration,dc=laxlab,dc=com [End example]

3. Log back into the Check Point Policy Editor and make sure you have the Object List window pane open. Go to the users tab in the Objects Tree and double click on the Active Directory Server. 4. You should now see all of your users. GUI:

You are now done incorporating Microsofts Active Directory with NG FP-3. The next section will explain how to incorporate that with SecureClient. Integrating SecureClient with Active Directory: The theory behind utilizing Active Directory for the user database is that you do not have to recreate any users and their passwords. Users that already exist in the directory can now use that username and password for authentication. This dramatically reduces the overhead associated with managing a separate user database.

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 Note: Before proceeding, you should have SecureClient configured, tested, and working with standard user authentication. That way, you wont be troubleshooting two different issues if there is a problem. If you do not understand how to configure FP-3 and SecureClient, please see the white paper How to configure SecureClient in NG FP-3 located on the configuration Documents page of the Check Point public web site. To utilize Active Directory for authenticating your remote users, you must first start by creating an External Group. To do this, follow the instructions below. 1. Launch the SmartDashboard GUI and click on the Users Icon (See Figure above). To see the users, make sure you have the Objects Tree and Objects List open (these can be opened by clicking on the View Menu and selecting the corresponding options). 2. You should see a branch on the left entitled LDAP Groups . You need to right click on that and select New LDAP Group. Set the properties as follows: a. Enter a descriptive name (ours is VPN-Users ). b. Select the account unit you wish to use (this should be the Account Unit you already created). c. Select the groups scope.

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3 Notice that in the screen shot above, we have selected All Account -Units Users . This means that a user that exists anywhere in the Active Directory database can authenticate. If you would like to control this at a more granular level, you can create a new group in Active Directory that contains only certain users you want to have remote access. Example: In this scenario, we create a new group on the AD Server and call it Secure -Client Users . In this group, we place all the A.D. users who we want to give remote access to. We then create a new LDAP Group in SmartDashboard and give it the following properties.

Notice that we specify the group by using the syntax cn=Secure -Client-Users (without the quotes). Also note that the LDAP Group name is VPN-Users . This will be the group we use in the source of the Remote Access rule(s). Click ok to save all of your changes and open up your VPN-1 Gateway object. You need to click on the Authentication branch and set the appropriate user group for association with the Policy Server.

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

Next, you need to make sure that the properties for your users template are set correctly. This template will hold the properties for things like encryption, password method, etc. In our example, we are using the template default (you can have multiple templates). Here are some of the properties of that template and also the properties of a user linked to that template. Remember, the template was tied to the LDAP Account Unit.

(Template)

(User)

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

(User) When integrating with MS AD, you specify the password on the template as VPN-1 Firewall-1 password. When you open up a user and click on their auth tab, you see that it is picking up the properties from the template. Now, you need to create the rule that allows Remote Access and set up your SecureClient Policy. Below is a screen shot of how the rule base would appear.

Check Point Software Technologies 12/16/2002

Check Point Next Generation Feature Pack 3

The rule we are concentrating on is rule #1. This rule shows our LDAP-Group as the source (remember, this is the group created in the Check Point GUI , not in A.D.). Our LDAP group references our A.D. group and also references the Account Unit (which references the user template, etc.). Make sense? Next, you would configure your Remote Access Community, the SecureClient rule base, push the Policy, etc. All of those steps are outlined in the How to Configure SecureClient in NG FP-3 guide. Please make sure and review the Check Point SmartView Tracker (formerly the Log Viewer). It contains a lot of useful information especially when testing out a new configuration. Please send any comments, or corrections to jgreen@us.checkpoint.com. Please contact your local reseller for additional help. Dont have a reseller? Contact your local Check Point representative. Dont have a local Check Point representative? Find one at www.checkpoint.com or by calling a Check Point regional office in your area. Contact information for Check Point offices and Resellers is available on our web site. Thank you.

Check Point Software Technologies 12/16/2002