Check Point Next Generation

Integrating Microsoft’s Windows 2000 and

.NET Server Active Directory with Check
Point NG and SecureClient.

Author:
Joe Green
jgreen@us.checkpoint.com
Revision for .NET Server:
Oren Green
ogreen@checkpoint.com

Last updated: June 1, 2003

Check Point Software Technologies 1

6/3/2003
 Check Point Next Generation

This document assumes the following.

1. You have an understanding of installing and configuring Check Point NG in a

distributed environment (Management and Module installed separately). Note:
Active Directory Integration CAN work in a Stand Alone deployment.
2. You have a basic understanding of Active Directory and Windows 2000 and
Windows .NET Servers.

Internal LAN External LAN Remote Users LAN

172.16.1.x /24 10.1.1.x /24 192.168.10.x /24
.254 .254 .253 SBox .1 SecureClient
FW-1 Management
.200 Server
Active Directory Server

In the above configuration, the Check Point Management server is also the Active
Directory Server. In a real world deployment, these two applications probably would not
be running together. However, it provides an easy way to learn this set-up with the
minimum amount of computers in a lab.

The DNS domain used in the above configuration is laxlab.com

The Management Servers FQDN is msad.laxlab.com

The following steps provide an outline of what this document covers.

1. Installation/Configuration of Active Directory

2. Installation/Configuration of Microsoft’s DNS Server
3. Installation/Configuration of Microsoft’s Certificate Authority Server
4. Check Point configuration for LDAP
5. Setting up a template and managing users.

Before starting, the following should be verified:

1. Check Point NG FP3 HF2 should be installed and you should be able to push
policies without any problems. (e.g. SIC is functioning, name resolution is
working, etc.)
2. All machines have IP connectivity to each other.
3. The Microsoft High Encryption Pack is installed. This can be obtained at;
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp

Licensing:
To integrate Check Point and LDAP together, you must have the Account Management
Module license. This license is applied to the Management Server (or CMA in Provider-
1). The AMM license is also included in the Smart Center Pro bundle.

Check Point Software Technologies 2

6/3/2003
 Check Point Next Generation

Known issues and limitations:

1. SSL works only with the following configuration:

Max = Strong, Min = Strong.
2. Using 'fwm dbexport/import' to import FW-1 users into the Active Directory
will not import the users passwords.
3. SSL is forced by default so it is not possible to edit user's passwords and groups
on the Active directory in clear mode (port 389).

Installing Microsoft’s Active Directory:

1. From within Windows, go to the StartÆRun prompt, enter the command

dcpromo. The Active Directory Wizard will start and you need to provide the
following input at the prompts. (See pictures below)
a. Domain Controller for a new domain
b. Create a new domain tree
c. Create a new forest of domain trees
d. Type the full DNS name for the new domain **Note** This is the DNS
Domain that your computer belongs to. E.g. laxlab.com
e. Type in the domain netbios name (this is for earlier versions of Windows.
E.g. laxlab
f. Specify the Database and Log locations (take the defaults)
g. Enter the location for the System Volume Folder (again, take the defaults)
h. At this point in the Active Directory installation, it will warn you that it
cannot contact a DNS server for your domain (unless you have already
configured DNS). Either use the existing DNS installation or have the
wizard install it for you (having the Wizard install it is very easy).
i. Set the permissions to be compatible with your environment.
j. Set the password for the Directory Services restore and click next at the
summary screen to complete installation of Active Directory and DNS.

Note: When Active Directory finishes installing, it will ask you to reboot the
computer, don’t reboot yet. If you just installed DNS for your domain, the
computer will take a long time present you with the logon screen after reboot.
The computer is trying to contact a DNS to resolve the domain that was just
created. To avoid this, make the Primary DNS server of your computer, the
local computer itself. Now, reboot.

DCPROMO:

Check Point Software Technologies 3

6/3/2003
 Check Point Next Generation

Check Point Software Technologies 4

6/3/2003
 Check Point Next Generation

DNS Install:

2. Upon reboot, you need to install Microsoft’s Certificate Server. This is required
for SSL communication between the Active Directory Server and the Check Point
Management console.
a. This is installed through the Windows Control PanelÆAdd/Remove
ComponentsÆAdd/Remove Windows Components.
b. Select the Certificate Services option and click next. Then choose the
following options.
i. Select Enterprise Root CA

Check Point Software Technologies 5

6/3/2003
 Check Point Next Generation

ii. Fill in the CA Identifying Information fields. Note: This is the

information that will be part of your certificate.
iii. Take the Data Storage Location defaults.
iv. Certificate Server is now installed (no reboot necessary).

Certificate Server:

3. Next, you need to allow the schema to be viewed and modified by the Microsoft
Management console (MMC). This is easily done through the GUI in Windows
2000 and .NET Server.

a. Register the schema DLL. Go to StartÆRun, and type regsvr32

schmmgmt.dll (you should see a message stating that the operation was
successful).
b. Go to StartÆRunÆand type mmc.
c. From within the MMC, click on the Console menu, then click
Add/Remove Snap-In…
d. Click add and select Active Directory Schema, click add, click close and
click ok to return to the MMC.
e. Expand the Active Directory Schema (click on the + symbol).

Check Point Software Technologies 6

6/3/2003
 Check Point Next Generation

f. Right click on the A.D. Schema in the MMC and select Operations Masters.
g. Place a check in the box titled “The schema may be modified on this
domain controller.”
h. Exit the MMC and reboot.

***Note***
To Enable Schema Updates by Means of the Registry:
It is not recommended to enable schema updates by directly editing the "Schema Update
Allowed" registry key. Schema updates should be enabled through the console method,
whenever possible. If for some reason the console method cannot be used, the following
registry key may be edited directly:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

To directly edit this registry key, perform the following steps:

Click Start, click Run, and then in the Open box, type:

regedit

Then press ENTER.

Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

On the Edit menu, click New, and then click DWORD Value.
Enter the value data when the following registry value is displayed:
Value Name: Schema Update Allowed
Data Type: REG_DWORD
Base: Binary
Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.

Quit Registry Editor.

The schema may now be updated on the domain controller that holds the schema
operations master role.

More Information:
Clicking to select the Schema may be modified on this Domain Controller check box in
the console adds the "Schema Update Allowed" registry value if it is not present.

Clicking to clear the Schema may be modified on this Domain Controller check box sets
the "Schema Update Allowed" registry value to zero, but it does not delete the value.

Further information about the Active Directory schema may be found in Chapter 4 of the
Windows 2000 Server Distributed Systems Guide, which is part of the Windows 2000
Server Resource Kit.

Check Point Software Technologies 7

6/3/2003
 Check Point Next Generation

MMC:

4. Next, you need to delegate control of the directory so that the administrator can
make changes.
a. Go to StartÆProgramsÆAdministrative ToolsÆActive Directory
Users and Computers.
b. Right click on you city’s domain and choose delegate control.
c. Add the administrator account (or administrators group) and check both of
the boxes in the next screen. Click ok and then exit.
Delegation:

5. To enable SSL communication between FireWall-1 and Active Directory, the

following needs to be done:
a. Got to StartÆProgramsÆAdministrative ToolsÆDomain Security Policy.

Check Point Software Technologies 8

6/3/2003
 Check Point Next Generation

b. Go to Security SettingsÆPublic Key PoliciesÆAutomatic Certificate Request

Settings, right click and select New Automatic Certificate Request.
c. Select Domain Controller from the window, then select your CA.

SSL:

Check Point VPN-1/FireWall-1 Configuration:

1. Log into the Check Point SmartDashboard.
2. Go to the Policy MenuÆGlobal Properties.
a. From the LDAP Account Management branch, select Use LDAP
Account Management and click ok.
b. Next, go to the Manage MenuÆServers. Create a LDAP Account Unit
Object. Use the following parameters: (Screen shots below)
(General Tab)
i. Name=a descriptive name.
ii. Check the boxes “User Management” and “CRL Retrieval”
iii. Set the LDAP Profile type to Microsoft_AD and fetch the branch.
Note: Active Directory only returns "cn=users,dc=x" where x is the AD domain.
When users are defined under separate organizational units those units should be
manually added as branches.

(Servers Tab)
c. On the servers tab, you need to add your server and set all the necessary
parameters. (See figures below)
i. Host=your LDAP server (we are using our Mgmt. server since
A.D. and the CP Mgmt. are on the same box).
ii. Login DN: cn=administrator,cn=users,dc=laxlab,dc=com
(Note:substitute your DNS domain for laxlab)
iii. Enter the administrator’s password.

Check Point Software Technologies 9

6/3/2003
 Check Point Next Generation

iv. Permissions
(Encryption tab)
d. On the encryption tab, set the following parameters.
i. Use SSL.
ii. Click Fetch for Fingerprint.
iii. Set Encryption to strong and strong for Min and Max.
iv. Type in the IKE password (the same as the administrators
password) Click ok.
(Objects Management)
e. On the objects management tab, select your A.D. object and fetch the
branch.
(Authentication)
f. On the authentication tab, make sure and select what template you want
to use.

Check Point LDAP Configuration:

Check Point Software Technologies 10

6/3/2003
 Check Point Next Generation

Extending the Schema (Optional Configuration):

There are certain attributes that can be defined for users in Check Point VPN-1/FireWall-1
and not Active Directory. It is possible in a production environment that a customer will
not want to extend the Schema of the Active Directory server. This operation is not
necessary. By extending the schema you gain the benefit of having these Check Point
attributes:
1. Time and date the user can log in.
2. Source and destination of the user.
3. Ike Properties.
4. Account lockout
5. Password expiration
6. etc.

You still have the ability to control some of these things through the Active Directory
database. Regardless, if you do not extend the schema, you will still be able to use those
users.

Schema Extension procedure:

Close the SmartDashboard and extend the Active Directory schema.
g. Using Wordpad, open the file $FWDIR\lib\ldap\schema_microsoft_ad.ldif
and replace all instances of DOMAINNAME with your domain name. e.g.
dc=laxlab,dc=com.
h. Next (from the command prompt), using the ldapmodify command (all on
one line), run the command:
E.g.
C:\ldapmodify –c –h msad.laxlab.com –D
“cn=administrator,cn=users,dc=laxlab,dc=com” –w password –f
c:\winnt\fw1\ng\lib\ldap\schema_microsoft_ad.ldif

Check Point Software Technologies 11

6/3/2003
 Check Point Next Generation

Note: In the above syntax, substitute your hostname and DNS Domain Name for
mickey.laxlab.com.

The output of the ldapmodify command should look like;

[Begin example]

adding new entry CN=fw1auth-method,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1auth-server,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1pwdlastmod,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1skey-number,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1skey-seed,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1skey-passwd,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1skey-mdm,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1expiration-date,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1hour-range-from,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1hour-range-to,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1day,CN=Schema,CN=Configuration,dc=laxlab,dc=com

adding new entry CN=fw1allowed-src,CN=Schema,CN=Configuration,dc=laxlab,dc=com

[End example]

3. Log back into the Check Point SmartDashboard and make sure you have the
Object List window pane open. Go to the users tab in the Objects Tree and
double click on the Active Directory Server.
4. You should now see all of your users.

GUI:

Check Point Software Technologies 12

6/3/2003
 Check Point Next Generation

You are now done incorporating Microsoft’s Active Directory with NG FP3 HF2. The
next section will explain how to incorporate that with SecureClient.

Integrating SecureClient with Active Directory:

The theory behind utilizing Active Directory for the user database is that you do not have
to recreate any users and their passwords. Users that already exist in the directory can
now use that username and password for authentication. This dramatically reduces the
overhead associated with managing a separate user database.

Note: Before proceeding, you should have SecureClient configured, tested, and working
with standard user authentication. That way, you won’t be troubleshooting two different
issues if there is a problem. If you do not understand how to configure FP-3 and
SecureClient, please see the white paper “How to configure SecureClient in NG FP-3”
located on the configuration Documents page of the Check Point public web site.

To utilize Active Directory for authenticating your remote users, you must first start by
creating an “External Group”. To do this, follow the instructions below.
1. Launch the SmartDashboard GUI and click on the Users Icon (See Figure
above). To see the users, make sure you have the Objects Tree and Objects
List open (these can be opened by clicking on the “View Menu” and
selecting the corresponding options).

Check Point Software Technologies 13

6/3/2003
 Check Point Next Generation

2. You should see a branch on the left entitled “LDAP Groups”. You need
to right click on that and select “New LDAP Group”. Set the properties
as follows:
a. Enter a descriptive name (ours is VPN-Users).
b. Select the account unit you wish to use (this should be the Account
Unit you already created).
c. Select the group’s scope.

Notice that in the screen shot above, we have selected “All Account-Unit’s Users”. This
means that a user that exists anywhere in the Active Directory database can authenticate.
If you would like to control this at a more granular level, you can create a new group in
Active Directory that contains only certain users you want to have remote access.

Example:
In this scenario, we create a new group on the AD Server and call it “Secure-Client-
Users”. In this group, we place all the A.D. users who we want to give remote access to.
We then create a new LDAP Group in SmartDashboard and give it the following
properties.

Check Point Software Technologies 14

6/3/2003
 Check Point Next Generation

Notice that we specify the group by using the syntax “cn=Secure-Client-Users” (without
the quotes). Also note that the LDAP Group name is VPN-Users. This will be the group
we use in the source of the Remote Access rule(s).

Click ok to save all of your changes and open up your VPN-1 Gateway object. You need
to click on the Authentication branch and set the appropriate user group for association
with the Policy Server.

Check Point Software Technologies 15

6/3/2003
 Check Point Next Generation

Next, you need to make sure that the properties for your user’s template are set correctly.
This template will hold the properties for things like encryption, password method, etc. In
our example, we are using the template “default” (you can have multiple templates).
Here are some of the properties of that template and also the properties of a user linked to
that template. Remember, the template was tied to the LDAP Account Unit.

Check Point Software Technologies 16

6/3/2003
 Check Point Next Generation

When integrating with MS AD, you specify the password on the template as “VPN-1
Firewall-1 password”. When you open up a user and click on their auth tab, you see that
it is picking up the properties from the template.

Now, you need to create the rule that allows Remote Access and set up your SecureClient
Policy. Below is a screen shot of how the rule base would appear.

Check Point Software Technologies 17

6/3/2003
 Check Point Next Generation

The rule we are concentrating on is rule #1. This rule shows our LDAP-Group as the
source (remember, this is the group created in the Check Point GUI , not in A.D.). Our
LDAP group references our A.D. group and also references the Account Unit (which
references the user template, etc.). Make sense?

Next, you would configure your Remote Access Community, the SecureClient rule base,
push the Policy, etc. All of those steps are outlined in the “How to Configure
SecureClient in NG FP3” guide.

Please make sure and review the Check Point SmartView Tracker (formerly the Log
Viewer). It contains a lot of useful information especially when testing out a new
configuration.

Check Point Software Technologies 18

6/3/2003