Network Security Firewalls

Re: How to authenticate a user ?

Subject: Re: How to authenticate a user ?
Date: Tue, 21 Dec 2004 13:06:11 +0100
On Thu, 2004-12-16 at 22:38, Juan B wrote:
Hi,

We use FW 4.1 (soon we will upgrade). This is the
task: one external user needs to have terminal control
(TSclient) to a server in my DMZ. This user will be
switching IP addresses, so I can't authenticate based on
IP address. I want his session to be encrypted.
How can I do this with version 4.1? I need him to
create a VPN, right? How do I do that with 4.1?
Thanks!!


Hi

Well, there are some steps to be taken to accomplish that (it's been
awhile since I last laid my hands on a 4.1, so I can't tell you off the
top of my hat). I recommend you read the product documentation. Look for
your version at
https://www.checkpoint.com/support/technical/documents/docs_vpn_fw.html
Then you will need your remote user to use a VPN client (SecureClient or
SecuRemote - one is free, but doesn't have a firewall included, the
other one has, but isn't free). Docs are at
https://www.checkpoint.com/support/technical/documents/docs_srsc.html

You will be going along the lines: create user - define authentication
schemes - define encryption schemes - define VPN properties for gateway
(cluster) - define encryption domain (probably just your terminal
server) - add rule with Client Encryption (and probably some others
allowing IPsec et al.) - configure Client Encryption (right click on
Action field) ... I might be missing some details, though. Do read the
docs.

Then, just some thoughts:
- From what you write, it seems that your remote user will be using a
MSWindows machine that connects directly to the internet via various
providers. How do you make sure that machine is clean? AFAIR 4.1 does
not provide you with the tools for it.
- Depending on which client you use, you will need additional licenses
on the gateway. I don't believe CP is still shipping licenses for 4.1.
- Using the free client is risky since you can't ensure that the client
isn't forwarding any traffic from its local net through into your DMZ.
- If you use the non-free client with its personal firewall, you will
need a policy server on one of your gateways. (There was a bug that
forced you to install that policy server on a firewall that was not part
of the cluster if you had a gateway cluster, but I don't remember if it
was 4.1 or NGFP1)
- 4.1 has gone a considerable amount of time without bugfixing and
maintenance, so various security issues are likely to be unresolved and
remain so.
- You're not going to get any support out of CP for that.
- An alternative might be using other VPN software (open/free) behind
your CP gateway (if you have the know-how) or even Windows native IPsec
(I don't have any experience with it, but I've been told that it's
improved over previous versions).
- Do get that upgrade.

Good luck
/markus

-- 
***************************************************

 Markus Wernig

 UNIX/Network Security Engineer - CCSA
 GPG - http://markus.wernig.net/pubkey - CA558BF7
- -------------------------------------------------
 Linux User Group Bern - http://www.lugbe.ch
 Kampagne f. Freie Software: http://wilhelmtux.ch

***************************************************
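The rulebase Markus sketches (an encryption domain that is just the terminal server, a Client Encrypt rule whose source is "any" because the user keeps changing address, a rule letting the IPsec control traffic reach the gateway, and an implicit cleanup drop) can be modelled as a first-match evaluator. The following is an added example written for this archive page, not code from the thread, from Check Point, or from its product; all addresses, the user name and the authentication scheme are constructed placeholders, and the evaluation order is a plain reading of the steps in the reply rather than the product's actual matching engine. Its point is the one the question turns on: the decision keys on identity proven by the VPN client plus the tunnel, never on the source IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed, hypothetical addressing (RFC 5737 documentation ranges).
DMZ = ip_network("192.0.2.0/24")
TERMINAL_SERVER = ip_address("192.0.2.10")   # the only host in the encryption domain
GATEWAY = ip_address("198.51.100.1")         # the FW-1 gateway's external address
ENCRYPTION_DOMAIN = {TERMINAL_SERVER}

# Users defined on the gateway and their authentication scheme (hypothetical values).
VPN_USERS = {"juan": "vpn-1 & firewall-1 password"}

RDP_PORT = 3389   # Terminal Services client
IKE_PORT = 500    # ISAKMP; the tunnel cannot come up unless this reaches the gateway


@dataclass(frozen=True)
class Connection:
    """One connection as the gateway sees it after IPsec decapsulation."""
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "esp"
    dport: Optional[int]   # None for ESP
    encrypted: bool        # True only if it arrived inside the client's IPsec tunnel
    user: Optional[str]    # identity proven by the VPN client; None if unauthenticated


def evaluate(conn: Connection) -> Tuple[str, str]:
    """First-match rulebase; returns (action, reason)."""
    dst = ip_address(conn.dst)

    # Rule 1: IKE and ESP addressed to the gateway itself
    # (the "some others allowing IPsec et al." in the reply).
    if dst == GATEWAY and (
        (conn.proto == "udp" and conn.dport == IKE_PORT) or conn.proto == "esp"
    ):
        return "accept", "rule 1: IPsec control/data to gateway"

    # Rule 2: Client Encrypt to the encryption domain. Source is "any"
    # deliberately: the remote user's address changes, so the match is on
    # proven identity and on the packet having come through the tunnel.
    if dst in ENCRYPTION_DOMAIN and conn.proto == "tcp" and conn.dport == RDP_PORT:
        if conn.encrypted and conn.user in VPN_USERS:
            return "accept", f"rule 2: client encrypt, user={conn.user}"
        return "drop", "rule 2: client encrypt, cleartext or unauthenticated"

    # Rule 3: cleanup. Nothing else reaches the DMZ, including anything the
    # free client might forward from the user's local net.
    return "drop", "rule 3: cleanup"


def demo() -> dict:
    """Run a few constructed connections through the rulebase."""
    cases = {
        "authenticated, in tunnel, from ISP A": Connection("203.0.113.7", "192.0.2.10", "tcp", RDP_PORT, True, "juan"),
        "same user after changing ISP":         Connection("203.0.113.99", "192.0.2.10", "tcp", RDP_PORT, True, "juan"),
        "cleartext RDP, no auth":               Connection("203.0.113.7", "192.0.2.10", "tcp", RDP_PORT, False, None),
        "in tunnel but outside domain":         Connection("203.0.113.7", "192.0.2.20", "tcp", RDP_PORT, True, "juan"),
        "unknown user in tunnel":               Connection("203.0.113.7", "192.0.2.10", "tcp", RDP_PORT, True, "mallory"),
        "IKE to gateway":                       Connection("203.0.113.7", "198.51.100.1", "udp", IKE_PORT, False, None),
    }
    return {name: evaluate(c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{action:6}  {name:40}  ({reason})")
```

The two "juan" cases from different addresses both accept, which is exactly why Markus tells the original poster to key on a user with an authentication scheme rather than on an address; the cleartext and out-of-domain cases show that the encryption domain and the tunnel requirement together are what keep the DMZ closed.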
