Download - Checkpoint NGX User Authority
-
7/31/2019 Checkpoint NGX User Authority
1/310
Check Point UserAuthorityGuide
NGX (R60)
For additional technical information about Check Point products, consult Check Points SecureKnowledge at
http://support.checkpoint.com/kb/
See the latest version of this document in the User Center at
http://www.checkpoint.com/support/technical/documents/docs_r60.html
Part No.: 700358
April 13, 2005
Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]
Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
© 2003-2005 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
© 2003-2005 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright © 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial
applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,
2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, . All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please [email protected].
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP, freely available from ".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].
For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .
This product includes software written by Tim Hudson ([email protected]).
Copyright (c) 2003, Itai Tzur
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.
U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.
Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
Table of Contents 3
Table Of Contents
Chapter 1 Introduction
The Need for UserAuthority 11
Web Access Management (WebAccess) 11
Identity-based Access Control for Outbound Connections via VPN-1 Pro Gateway 13
Underlying Concept and Advantage 13
Typical Deployments 14
UserAuthority for Enterprise Web Applications Deployment 14
Business to Consumer (B2C) Deployment 18
UserAuthority SSO for VPN-1 Pro Deployment 20
OPSEC Protocols 21
UserAuthority Management Model 21
How to Use this Guide 22
Chapter 2 UserAuthority Deployments and Installation
Overview 23
Deployments 25
UserAuthority for Enterprise Web Applications 25
UserAuthority WebAccess Deployment 27
Terms in UserAuthority WebAccess Configuration 29
Workflow 31
Test Your Deployment 32
B2C 32
Workflow 36
Test Your Deployment 37
Outbound Access Control 38
Workflow 39
Test Your Deployment 39
Adding an SSO Rule 39
Citrix MetaFrame or Windows Terminal Services 42
Workflow 43
Test Your Deployment 43
Adding an SSO Rule for Citrix MetaFrame or Windows Terminal Services 44
Combining the Deployments 45
Workflow 47
Test Your Deployment 48
Installation and Configuration 49
Installing and Configuring UAS on VPN-1 Pro 49
Installing the UserAuthority License 49
Installing UAS on the VPN-1 Pro Gateway 50
Configuring the UAS 55
Installing and Configuring the UAS on the Windows DC 61
Installing the UAS 61
Configuring UAS Properties 65
Configuring SecureAgent Automatic Installation 68
Installing and Configuring UserAuthority WAPS 70
Installing UserAuthority WAPS 71
Configuring UserAuthority WAPS 72
Configuring UserAuthority WAPS in SmartDashboard 75
Installing and Configuring the UserAuthority WAPI 80
Configuring UserAuthority WAPI in SmartDashboard 83
Configuring Common Suffix Domains 83
Configuring Virtual Hosts 84
Configuring a Basic Web SSO Rule 85
Configuring UserAuthority WebAccess Application Settings 87
Configuring the Single Sign-On Effect 89
Configuring the Insert Header Effect 90
Defining Authentication Domains 92
Setting Up SSL Terminating Certificates on your UserAuthority WAPS Installation 94
Chapter 3 Web SSO
The Challenge 97
The UserAuthority Solution 98
SSO Types for Web Applications 100
Achieving User Identity 101
Internal Users 101
Identification using the NTLM Authentication Protocol 102
Identification of Users on a Citrix or Terminal Services 103
Remote Users with a VPN Client 104
Remote Users without a VPN Client 105
Mapping User Identity to Application Information by UserAuthority 106
Using a Header for Authentication 108
Special Scenarios 108
Web SSO with an Internal Proxy 108
For security reasons, WAPS does not accept forward connections from all proxies. 109
Workflow 110
Test Your Deployment 110
Web SSO with Citrix 110
Workflow 110
Web SSO with more than one Web site 110
Workflow 111
Test Your Deployment 111
Web SSO with Manual Identity Sharing 111
Workflow 112
Test Your Deployment 112
Configuration 112
UserAuthority WebAccess SSO for Web Application Authentication 113
SSO for HTTP Basic Authentication 113
SSO for HTML Form Authentication 113
Providing User Identity Web Applications with no Authentication Requirements 114
Configuring Manual UserAuthority Settings 114
Manually Updating User Credentials 115
Disabling UserAuthority WebAccess for Specific IP Addresses 115
Configuring Integrated Windows Authentication 116
Troubleshooting the Establish a Trust Procedure 119
Troubleshooting the NTLM Procedure 120
Ensuring that all Local Web pages are Recognized as Intranet Sites 120
Configuring Multiple Web Sites in SmartDashboard 122
Advanced Configuration 124
Configuring UserAuthority WebAccess to Recognize Cache Proxy Users 124
Configuring Manual Identity Sharing Options 125
Creating UAS Groups 127
Chapter 4 Authorization for Web Applications
The Challenge 129
The UserAuthority Access Control Solution 130
Access Control Policy 131
Creating Security and Authorization Rules 131
Access Control Enforcement 132
Access Control Scenarios 134
User Groups with Different Authorization Levels 134
Enforcing SSL Encryption on Connections 136
Configuration 137
Defining Web Sites 138
Defining Advanced Web Site Options 141
Advanced Properties 141
Custom Rejection Policy 144
Access Control with SSO-Only Web Site 145
Defining URLs 145
Defining Security and Authorization Rules 146
Defining a Basic Access Control Policy 147
Security Rules 148
Authorization Rules 150
Advanced Configuration in SmartDashboard 152
UserAuthority WebAccess Advanced Configurations Window 153
Defining Operation Objects and Groups 154
Defining Trust Objects and Groups 159
Creating a Trust Object 159
Trust Object Parameters 160
Chapter 5 Outbound Access Control
The Challenge 167
The UserAuthority Solution 168
Identification using SecureAgent 170
Identity Sharing 170
Using Outbound Access Control with Web SSO 171
Workflow 171
Retrieving Windows Groups with UserAuthority 171
Outbound Access Control using Citrix Terminals as TIP 172
Scenario - An Organization using Multiple Windows DCs 172
Workflow 173
Test Your Deployment 174
Scenario - An Organization Using Multiple Domains 174
Workflow 175
Test Your Deployment 175
Configurations 176
Adding Additional Windows DCs 176
Workflow 176
Outbound Access Control on Citrix or Windows Terminals 176
Configuring UserAuthority Domain Equality 177
Chapter 6 User Management in UserAuthority
Overview 181
Managing Users and Groups 182
Users in UserAuthority 182
User Groups in UserAuthority 182
Using a Local Check Point Database 183
Using an External Database 183
Using the Windows User Identity 184
Users in the Windows Domain 184
Configuring UserAuthority to Recognize Windows User Groups 184
Chapter 7 Web Security Features
Overview 187
Broken Access Control 188
Broken Account and Session Management 189
Remote Administration Flaws 191
Web Server and Application Misconfiguration 193
Chapter 8 Auditing in UserAuthority
Overview 195
Using Logs for Auditing 196
Auditing Outbound Traffic Using UserAuthority Outbound Access Control 198
Displaying the Resource Name in the Information Field 200
Auditing Web Access Using UserAuthority WebAccess 201
Auditing User Requests 203
Auditing UserAuthority WebAccess Authorization Rejections 204
Other UserAuthority WebAccess Logs 205
Configuring UserAuthority for Auditing 206
Configuring Auditing of Requests for External Resources 206
Configuring Auditing for UserAuthority WebAccess 206
Configuring Rejection Policy Logs 207
Configuring Auditing of Requests for URLs Outside the Policy Scope 208
Configuring SSO Abuse Tracking 209
Customizing Logs 210
Disabling Specific Log Entries 211
Customizing Specific Log Entries 212
Eliminating Logging of Graphics Files 213
Chapter 9 High Availability and Load Balancing
Overview 215
High Availability 215
Load Balancing 216
High Availability and Load Balancing in UserAuthority 216
Using Multiple UserAuthority WebAccess Servers 216
Using UserAuthority WAPS Clusters 216
Configuring WebAccess Cluster 218
Workflow 218
Creating a New Server Group 218
Creating a Logical Server Object 219
Defining a Security Policy for the UserAuthority WAPS Cluster Server Group 221
Using Multiple Windows DCs 222
Using a VPN-1 Pro Cluster 222
Using VPN-1 Pro Clusters 222
Synchronizing the Credentials Manager 222
Automatic Synchronization 223
Using the db_sync Script 223
Chapter 10 UserAuthority CLIs
UAS 226
uas debug 226
uas drv 226
uas reconf 227
uas d 227
uas kill 227
uas ver 227
netsod 228
netsod debug 228
netsod drv 228
netsod d 229
netsod kill 229
netsod simple 229
netsod simple kill 229
netsod ver 230
uas 230
cpstop 230
cpstart 231
cprestart 231
uagstop 231
uagstart 232
wastop 232
wastart 232
service wa_proxy 232
sysconfig 233
remote_wa_admin 233
wac_ver 234
ver 234
uainfo 234
Chapter 11 UserAuthority OPSEC APIs
Overview 237
Programming Model 237
Defining a UAA Client 240
Client Server Configuration 240
OPSEC UserAuthority API Overview 241
UAA Client Application Structure 242
Event Handling 243
Requests 243
Key Assertions 244
Request Assertions 245
Replies 247
Connection-Based Vs. IP-Based Information in Queries 249
UAA Assertions Structure Functions 250
Processing Error Codes 250
Session Management 250
Function Calls 251
Session Management 251
uaa_new_session 251
uaa_end_session 252
Assertions Management 252
uaa_assert_t_create 252
uaa_assert_t_add 252
uaa_assert_t_duplicate 253
uaa_assert_t_destroy 253
uaa_assert_t_compare 254
uaa_asser_t_n_elements 254
Managing Queries 254
uaa_send_query 254
uaa_abort_query 255
Managing Updates 256
uaa_send_update 256
Managing Authentication Requests 256
uaa_send_authenticate_request 256
Assertions Iteration 257
uaa_assert_t_iter_create 257
uaa_assert_t_iter_get_next 258
uaa_assert_t_iter_reset 259
uaa_assert_t_iter_destroy 259
Managing UAA Errors 259
uaa_error_str 259
Debugging 260
uaa_print_assert_t 260
Event Handlers 260
UAA_QUERY_REPLY Event Handler 261
UAA_UPDATE_REPLY Event Handler 262
UAA_AUTHENTICATE_REPLY Event Handler 263
Chapter 12 Monitoring the UserAuthority Environment
Overview 265
System Monitoring 266
Monitoring the System Status 266
UAS 267
UserAuthority WebAccess 268
Using UAS and UserAuthority WebAccess Logs for System Monitoring 269
Using UAS Logs 270
Monitoring Example: UAS is Offline 272
User Monitoring 273
Monitoring User Activities 273
Monitoring Example: Successful Access to a Web Application 275
Monitoring Example: SecureAgent Cannot Provide User Identity 276
Chapter 13 Troubleshooting UserAuthority
Overview 279
General Problems 280
Why is the service not available? 280
Symptom 280
Problem 280
Solutions 280
Why is there a proxy error? 281
Symptom 281
Problem 282
Solutions 282
Why are users not authorized to view the page? 282
Symptom 282
Problem 282
Solutions 282
Why is there no established SIC? 283
Symptom 283
Problem 283
Solutions 283
Why are users not authorized access when the policy is installed? 285
Symptom 285
Problem 285
Solutions 285
Why are there no logs in SmartView Tracker? 286
Symptom 286
Problem 286
Solutions 286
User-Related Problems 286
Why is the service not available to the user? 286
Symptom 286
Problem 286
Solutions 287
Why can't the user sign in with a specific user name? 287
Symptom 287
Problem 287
Solutions 288
Why does SecureAgent not identify the user? 288
Symptom 288
Problem 288
Solutions 288
Why do users receive a pop-up even when signed into the domain? 291
Symptom 291
Problem 291
Solutions 291
Appendix A Integrating UserAuthority with Meta IP
Overview 293
Required Components 293
Preliminary Steps 294
Windows DC Configuration 294
VPN-1 Pro Policy Configuration 294
DHCP Server Configuration 296
Appendix B Glossary
Acronyms and Abbreviations 301
CHAPTER 1
Introduction
In This Chapter
The Need for UserAuthority page 11
Underlying Concept and Advantage page 13
Typical Deployments page 14
OPSEC Protocols page 21
UserAuthority Management Model page 21
How to Use this Guide page 22
The Need for UserAuthority
In today's business environment, enterprises need to provide employees, partners and customers with the ability to access and work with many different applications and services. It is important that access to these applications be simple and convenient, and, at the same time, secure, reliable, and easy to manage. UserAuthority is able to leverage the security needs of your existing or new environment to higher levels.
UserAuthority can improve access control management in your enterprise in two major ways: Web Access Management and identity-based access control for outbound connections via the VPN-1 Pro gateway.
Web Access Management (WebAccess)
This solution provides the following functionalities and benefits:
Web Single Sign On (SSO): UserAuthority allows users to access all Web applications with a single identity. There is no need for users to remember and enter different credentials for each Web application accessed.
Authorization: UserAuthority provides authorization on the application level. Each user is assigned (through a User Group) specific access privileges for each application. Privileges can determine:
The types of access that a user is granted for a specific Web application (e.g., read only, read/write, or no access at all).
How a user can access an application (e.g., using a specific authentication method or using encryption).
From which locations a user can access a Web application (e.g., from the local network only, both remotely and locally, or via remote access only).
Strong authentication paradigm: UserAuthority can provide stronger authentication methods on the application level than the basic types of authentication implemented in Web applications (e.g., VPN-1 Pro authentication, SecurID, RADIUS, TACACS).
Auditing: UserAuthority can generate logs that show user activity. These logs can be used to track user activity, for system analysis, and for legal purposes.
Increased Security: The UserAuthority WebAccess Proxy Server (WAPS) allows all authentication and authorization activities to be moved from the system's Web servers to a different machine located in a safe DMZ. In that way, the Web application can be located in an internal segment and receive only authenticated requests.
Convenience:
On the administrator level: A single management method can be used for different systems in a network. This prevents the confusion of having a different type of management for every system.
On the user level: UserAuthority can eliminate the need for users to authenticate each time they access a different Web application using different credentials and authentication methods.
Reduced costs: UserAuthority can reduce the need for users to contact the enterprise's help desk because they have forgotten the password or username for specific applications.
Reduced development and maintenance costs: There is no need for programmers to make changes to an application's code; the non-intrusive mechanism provides all the functionality without the need to change the code of the applications. Deploying UserAuthority in an enterprise is simple and fast and does not require structural changes in your organization, such as migrating user databases and changing your user repository for various applications. In addition, because UserAuthority uses the same management tools and GUI as VPN-1 Pro, most administrators are already familiar with its operation.
Centralized management: A single central management function is used to manage all access control and auditing functions for all Web applications in a network.
High availability and load balancing: UserAuthority supports the use of clusters to ensure maximal system availability. In addition, clusters help to balance the load between Web servers in a network with heavy traffic.
Identity-based Access Control for Outbound Connections via VPN-1 Pro Gateway
UserAuthority can provide access control to external resources at the network level (Internet or other services outside the perimeter gateway). Through VPN-1 Pro gateways, firewall authentication (Client and Session Authentication) can be configured in the security policy to meet this need. The major difference with UserAuthority is the benefit of SSO for those authentications, eliminating the need for the user to re-authenticate. UserAuthority enables the user to be identified transparently via the gateway without human intervention. This functionality is also known as UserAuthority SSO for VPN-1 Pro or Outbound SSO.
Underlying Concept and Advantage
One of the greatest advantages of UserAuthority is its ability to extract the user identity
from a Trusted Identification Point (TIP). UserAuthority establishes a trust relationship
with TIPs on the network to ensure that it is receiving trusted information.
UserAuthority TIPs include:
Windows logons to Domain Controllers
VPN-1 Pro authentication (SecureRemote/SecureClient or any other authentication to the gateway)
MS Terminal Services/Citrix MetaFrame servers
UserAuthority WebAccess authentication services
Once a user is logged on to a network (no matter where or how they logged on), the user identity is used to provide SSO, thereby enabling authentication to any Web-based application on the user's behalf. The user's identity is also used for access control and auditing purposes.
Extracting the user identity from the TIP enables the following benefits:
Once a user is logged on to the system and identified by UserAuthority, there is no
need to authenticate again, even when accessing a Web application.
Pure SSO, requiring only the initial network log on to a TIP. No other authentication is required.
Utilization of existing authentication in the network environment to retrieve user
identification, without requiring the end user to identify to an additional
identification mechanism.
Integration of network level authentication with Web applications.
Deployment does not require any changes to Web applications.
Typical Deployments
This section describes three common types of deployments, and the particular benefits of integrating UserAuthority into each of the deployment types. A detailed description of the various UserAuthority deployment types, and how they are set up and implemented, is presented in Chapter 2, UserAuthority Deployments and Installation.
The first and the second deployment examples illustrate Web Access Management
scenarios. The last one illustrates identity-based access control for outbound
connections via a VPN-1 Pro gateway.
UserAuthority for Enterprise Web Applications Deployment
This deployment typically includes both local and remote users who access various Web applications. The deployment contains various Web servers, a firewall, and both local and remote clients.
FIGURE 1-1 illustrates this deployment without UserAuthority.
FIGURE 1-1 Enterprise with Web Applications Deployment without UserAuthority
In this deployment, each Web server must provide a means for user authentication. This
can become complicated and might not meet the needs of the enterprise. The
drawbacks of this type of deployment include:
An administrator cannot control user activities or audit them.
An administrator must manage multiple user databases with different authentication
means and passwords, or users must authenticate themselves each time they access a
different Web server or Web application.
The inability to accommodate a need to authorize different users to carry out different activities. For example, when dealing with employee information, the enterprise authorizes HR managers to have read/write access, lets only the CEO read the information, and forbids any other users from accessing this information. In this deployment, access rights must be configured individually in each application, according to each separate application's method for configuring access rights.
The inability to accommodate a need to perform various actions in different ways. For example, if the authorized user tries to carry out an action from home, the user might be required to carry out the action using a VPN tunnel; however, this is not required when the user carries out the same action from the local network.
No auditing or different auditing for some users.
FIGURE 1-2 shows this same type of deployment with UserAuthority.
FIGURE 1-2 Enterprise with Web Applications Deployment with UserAuthority
Two UserAuthority components have been added in this deployment; the
UserAuthority Server installed on the VPN-1 Pro gateway and the WAPS.
UserAuthority eliminates the need for multiple authentications by users. This is carried
out by the UserAuthority Server and WebAccess, working with the VPN-1 Pro
component on the gateway and the Windows Domain Controller (DC).
In this example, a user's Web requests go to the WAPS. UserAuthority WebAccess queries various components to retrieve the user's identity. FIGURE 1-2 indicates four areas that can be queried for user identity in this deployment.
Windows DC: UserAuthority WebAccess queries the Windows DC to get the user's identity through Windows Integrated Authentication (NTLM protocol).
VPN tunnel encryption: Remote users who sign on using a VPN client send
encrypted information that contains the users identity. UserAuthority WebAccess
recognizes requests that come over a VPN tunnel and queries VPN-1 Pro for the
user identity based on the information provided.
VPN-1 Pro: In some cases there is manual identification to VPN-1 Pro. In this
case, user identification is retrieved from the User list in VPN-1 Pro.
UserAuthority WebAccess: Users who did not sign on to a network through the Windows DC or a VPN tunnel might not be recognized by UserAuthority WebAccess. In this case the user is prompted to manually authenticate to UserAuthority WebAccess the first time a Web application is requested. Authentication is carried out against the user database on the VPN-1 Pro gateway with the UserAuthority Server.
These four areas constitute Trusted Identification Points (TIPs) because a trust has been established with each of these components (the VPN-1 Pro, Windows DC, and UserAuthority WebAccess) so that UserAuthority WebAccess knows it is receiving trusted information. For more information on setting up a trust relationship between components in the system, see Chapter 2, UserAuthority Deployments and Installation.
UserAuthority also supports retrieving the user identity on Citrix or Windows terminal systems. In this case, the UserAuthority Server is also installed on the Citrix MetaFrame server or Windows Terminal Services. UserAuthority is able to retrieve the user identity from information provided by the user's client connection to the server, even though a user is not identified directly in a terminal configuration. For more information on Citrix or Windows terminal deployments, see Chapter 2, UserAuthority Deployments and Installation.
UserAuthority's ability to automatically identify users in this deployment is used to provide:
Web SSO: Web SSO takes the user identity and matches it to specific credentials for a requested Web application. These credentials are inserted automatically into the application's authentication page on behalf of the user. This is all done transparently, so that the user does not have to sign on to individual applications. The sign on that is performed when the user first signs on to the system is the only sign on that is necessary. For more information, see Chapter 3, Web SSO.
Web application authorization: UserAuthority uses the identity that was retrieved from a TIP to match users to defined User Groups. These groups grant users specific access to Web applications. Users are granted or denied access based on the defined criteria. For more information, see Chapter 4, Authorization for Web Applications.
Unified Authorization and Authentication policy: A single policy can be used
to handle all authentication and authorization to Web servers from anywhere.
Reduced need for authentication: Most users can be identified without
authentication (e.g., LAN users, VPN users).
Single auditing system: One system monitors all user activities, regardless of how
many Web servers are in the deployment.
Improved authentication and security: UserAuthority improves authentication
and security methods by:
Using strong authentication methods for access to your system.
Allowing only identified and authorized requests to be sent by the proxy to the
Web server.
Business to Consumer (B2C) Deployment
Many enterprises offer services to customers through the Internet. One example is a health maintenance organization that provides customers with the ability to view their medical records online. FIGURE 1-3 shows a B2C deployment without UserAuthority.
FIGURE 1-3 B2C Deployment without UserAuthority WebAccess
In this deployment, users access the Web servers directly. This does not allow the
enterprise to control customer actions when they sign on. This control is very
important because the information provided to customers is very sensitive. Only
authorized users should be able to access the information, and customers should only be
able to access their own information.
By installing UserAuthority Server and UserAuthority WebAccess, an enterprise can
easily:
Allow only known users to carry out various requests and access specific
applications.
Authorize specific users to carry out specifically defined operations.
Provide unified access, authentication, and authorization to different Web services
and Web servers.
Implement a secure method of authentication within the enterprise.
FIGURE 1-4 shows a B2C deployment that utilizes the features of UserAuthority WebAccess.
FIGURE 1-4 B2C Deployment with UserAuthority WebAccess
In this deployment we have added the UserAuthority Server installed on the VPN-1
Pro gateway and the WAPS.
WAPS provides additional advantages to B2C deployments:
Requests can be distributed to multiple Web servers according to the Web servers' content. This is important because a request that originates outside the network is not sent directly to a Web server that contains sensitive content. The WAPS sits in a protected segment (such as a DMZ) and then transfers the requests to the correct Web server only after they have been authorized.
UserAuthority WebAccess can personalize a home page by inserting personal information on the page. When a user accesses an enterprise's Web site, the user is greeted and possibly given personal instructions. UserAuthority WebAccess does this by inserting the user's identification information into a header that provides the personal information to the Web page. This identity is kept between servers and services.
UserAuthority can be smoothly integrated with VPN-1 Pro. There is no need to
change VPN-1 Pro policy by opening special ports for UserAuthority WebAccess
communication.
For more information, see Chapter 4, Authorization for Web Applications.
UserAuthority SSO for VPN-1 Pro Deployment
UserAuthority can provide authorization to external resources at the network level.
Most enterprises already use VPN-1 Pro authentication rules that require client or
session authentication to external resources. UserAuthority expands on this by
providing SSO to the VPN-1 Pro as well as auditing capabilities.
FIGURE 1-5 SSO for VPN-1 Pro Deployment
UserAuthority eliminates the need for a user to authenticate each time an external resource is accessed. This is done by using the information on the Windows DC to identify the user. When the user requests an external resource, the UserAuthority Server on the VPN-1 Pro gateway queries the UserAuthority Server installed in a Windows DC. The UserAuthority Server on the Windows DC sends a query to a desktop application called SecureAgent, which identifies the user according to the Windows DC identification that was used at sign-on.
This information is sent back to the UserAuthority Server on the VPN-1 Pro gateway
to provide authentication on behalf of the user. In this way, the user is automatically
authenticated each time without the need to re-authenticate each time a request for
external resources is made. This scenario is illustrated in FIGURE 1-5.
UserAuthority can be also configured to create logs each time a user requests an
external resource. This provides information on how users are accessing external
resources. Logs can provide various types of information, such as whether users are
violating enterprise policy or whether there are communications problems when trying
to access external resources.
UserAuthority extends the capabilities of VPN-1 Pro authentication by providing SSO,
which eliminates the need for users to authenticate to VPN-1 Pro and provides auditing
capabilities for requests to external resources. For more information, see Chapter 5,
Outbound Access Control.
OPSEC Protocols
UserAuthority supports all Check Point Open Platform for Security (OPSEC) standards. OPSEC provides a single integration framework by using the OPSEC Software Development Kit (SDK) for integration with Check Point VPN-1 Pro. OPSEC APIs provide solutions for third-party and in-house integration.
The UAA (UserAuthority) API set can be used to create a single authorization solution for any application. For example, an enterprise might want to use a single user identification for applications that are not Web-based (such as a client installation) in addition to their Web applications. The UAA OPSEC API enables the integration of any application that requires authentication and authorization, and provides all UserAuthority benefits to the application.
Integration can be easily programmed by in-house programmers using the OPSEC APIs. In addition, it is possible to turn to an OPSEC partner to develop a solution for the enterprise. OPSEC partners are a group of professional programmers who use the OPSEC standard.
For information on the OPSEC UAA API set, see Chapter 11, UserAuthority OPSEC APIs.
UserAuthority Management Model
Granular administration of UserAuthority allots different administrators or managers
various privileges. Work can be divided between administrators according to their
specialties.
The three types of administrators who administer UserAuthority are:
Security Administrator: This administrator is usually the main VPN-1 Pro administrator and is responsible for all security issues in the enterprise. The Security Administrator can monitor and enforce security requirements on the Web server. This provides two advantages:
The administrator can set enforcement not only per machine, but according to a specific URL.
Because the policy is enforced on the Web server, not the VPN-1 Pro, it is enforced for requests that do not pass through the VPN-1 Pro gateway.
Web Security Administrator: This person is responsible for all or most parts of the Web site security as well as the overall security issues related to Web-based applications. This administrator can set rules that have to do with all Web-based security issues, but should not have access to other security issues. These rules are defined in the Web Access tab in Check Point's SmartDashboard.
Application Manager: This administrator is responsible for specific applications on the Web server. Unlike the Web Security Administrator, the Application Manager can only change policy for specific URLs as defined in the Web Access tab.
How to Use this Guide
This guide provides step-by-step instructions for configuring UserAuthority.
In order to assist you in the deployment of UserAuthority, this guide contains various scenarios that suit the deployments of most enterprises. These scenarios are followed by detailed workflows that can be used to help with your deployment. You can also combine the deployments and workflows described in this guide to best suit the deployment in your enterprise.
Please note that Chapter 2 provides the foundation for the deployment of UserAuthority in its most basic form. Subsequent chapters elaborate on these deployments. In addition, some configurations have been excluded from these deployments. These configurations can easily be added once your network has been deployed with UserAuthority.
CHAPTER 2
UserAuthority Deployments and Installation
In This Chapter
Overview page 23
Deployments page 25
Installation and Configuration page 49
Overview
This chapter describes typical UserAuthority deployments and how to install and configure the UserAuthority Server (UAS) and WebAccess components used in the deployments.
The following deployments are described in this chapter:
UserAuthority for Enterprise Web Applications. This deployment is used when an enterprise wants to implement Web Single Sign-On (SSO). This type of SSO enables users to access multiple Web applications without having to be authenticated each time an application is accessed. For more information on Web SSO, see Chapter 3, Web SSO.
Business to Consumer (B2C). This deployment is used when the enterprise needs to implement authorization for Web applications and/or when using a single authentication method for many applications.
In this deployment, an enterprise has many users accessing the network from the Internet. Administrators need to provide specific access rights for each user. Users can be assigned access to specific applications, at specific times, using a specific authentication scheme, and may have different capabilities (such as read-only access). The B2C deployment allows these rights to be easily assigned and managed. For more information, see Chapter 4, Authorization for Web Applications.
Outbound Access Control. This deployment is used to provide authorization of users when they access external resources and for monitoring users' requests to access external resources. In this deployment, an administrator defines rules that allow users on an internal network to access external systems (for example, Internet or external subnets) without having to repeatedly authenticate to the VPN-1 Pro gateway. In other words, UserAuthority is configured to eliminate the need to authenticate to VPN-1 Pro each time a request for an external resource is made. In addition, each time a request to access an external resource is made, a log entry is created. The administrator can configure UserAuthority to make these logs available, so the administrator can view a list of user activities. For more information, see Chapter 5, Outbound Access Control.
UserAuthority installed on Citrix MetaFrame or Windows Terminal Services. This deployment also provides user authorization, auditing and Web SSO. The main difference between this deployment and the Enterprise with Web Applications deployment is that the client computers are connected to a Citrix MetaFrame or Windows Terminal Services. In this case, all users access applications from the same source (the terminal), which has only one IP address. UserAuthority uses port information to get the user identity in order to authorize and/or authenticate the user.
Although each of these deployments can adequately serve an enterprise, it is possible to
combine them to create the deployment that best fits the enterprises network.
Combining the Deployments on page 45 describes how various components of the
deployments can be integrated.
The deployments described in this chapter are presented as follows:
a general workflow for each process is described;
the necessary components for the deployment are given;
detailed step-by-step procedures are then described.
This chapter also explains how to carry out the basic installations and configurations for
the UAS, WebAccess Proxy Server (WAPS), and other components that are necessary to
carry out the deployments described in this chapter. The configurations described are
the simplest configurations necessary to deploy UserAuthority. In most cases, additional
configuration is not required; in complex networks, however, more advanced configurations are possible. These configurations are described in later chapters of this book.
Deployments
In This Section
UserAuthority for Enterprise Web Applications page 25
B2C page 32
Outbound Access Control page 38
Citrix MetaFrame or Windows Terminal Services page 42
Combining the Deployments page 45
This section presents some typical deployments to assist a network administrator in determining the most suitable type of deployment for the enterprise's network. This section also describes how the elements in each deployment complement one another and how they can be combined.
UserAuthority for Enterprise Web Applications
This section describes UserAuthority deployment in an Enterprise with Web applications. The users in this example include employees or members of the enterprise, who can access the network from inside the enterprise and/or remotely (with or without a VPN client).
In this deployment, UserAuthority:
Provides SSO to users, which improves the security and convenience of accessing the enterprise Web application.
Enforces security and authorization rules for your organization, which allows only authorized and secure access to the enterprise Web applications.
When a user accesses a Web application, WebAccess retrieves the user identity, decides whether the request is authorized, and performs SSO.
A network security administrator does not have to search for individual security solutions for each application because Check Point's security is transparently integrated with the application.
For more information, see Chapter 3, Web SSO.
The following components are required for this deployment:
UAS installed on the VPN-1 Pro module
WAPS installed and located in the DMZ (or segment separated from the local
network) or the WebAccess Plug-In (WAPI) installed on each Web server
VPN-1 Pro management installed on a gateway or other server
SmartDashboard installed on a gateway or other server.
At least one Web server
Windows Domain Controller (DC)
Local Internet Explorer client
Remote computer client (with or without VPN client)
For information on installing the various components, see Workflow on page 31.
FIGURE 2-1 illustrates the deployment for an enterprise with Web applications.
FIGURE 2-1 Sample Deployment for an Enterprise with Web Applications
In this deployment, when a user requests access to a Web application, the request is
routed to the WAPS.
UserAuthority WebAccess then queries one or more TIPs to identify the user as
follows:
VPN-1 Pro gateway: Users who access a network through a VPN tunnel authenticate through the VPN-1 Pro gateway.
Windows DC: If the client computers are in a Windows Domain and UAS on the VPN-1 Pro gateway cannot identify the user, WAPS mediates its internal authentication protocol (NTLM) with the Windows DC, enabling WAPS to obtain the user identity that was provided to the Windows Domain in the login process.
Citrix or Windows Terminal Services deployments: UAS on the VPN-1 Pro gateway obtains the user identification from UAS installed on the Terminal Services.
UserAuthority WebAccess: In cases where the user identity cannot be obtained from another Trusted Identification Point (TIP), authentication takes place according to VPN-1 Pro policy.
For more information, see Achieving User Identity on page 101.
After identification, WebAccess uses the identity information to:
Provide SSO: Credentials required by an application are injected into the
application's authentication page on behalf of the user. These credentials are stored
in the UserAuthority Credentials Manager. Web SSO is performed in a
non-intrusive way that does not require any changes to the key application code.
For more information on defining SSO in WebAccess, see Web SSO.
Provide authorization: UserAuthority WebAccess matches the identity
information to the rules defined in the WebAccess rule base. These rules determine
whether the user is authorized to view or work on the requested Web application.
For more information, see Chapter 4, Authorization for Web Applications.
UserAuthority WebAccess Deployment
WebAccess can be deployed in two ways.
UserAuthority WebAccess Proxy Server (WAPS)
WAPS is deployed on a dedicated machine. All requests for applications on the Web
servers in the protected segment of the network are sent to the WAPS. The advantage
to this type of deployment is that the WAPS is deployed in a DMZ or similar restricted
zone in the LAN. Users requesting access to an application are not allowed to enter an
enterprise's protected zone before being authenticated and authorized by the WAPS.
Deployments
The WAPS is deployed as a reverse proxy. A reverse proxy is a proxy for the server. In
this case the client sends its request to the IP address of the proxy (the WAPS). If the
user's request is authorized, it is forwarded to the appropriate Web server,
which provides the requested Web application.
The WAPS has the following security advantages:
Authentication takes place outside the enterprise's trusted zone. No access is
permitted to the trusted zone if the requesting client is not authenticated or
authorized.
The network is protected from attack because authorization is carried out in a
protected zone (DMZ). All outside access is through standard HTTP and HTTPS
ports. A client computer only has access to the local network through the WAPS.
All authentication is centralized, eliminating the need to configure authentication
on each individual Web server in the network and greatly reducing costs.
Security can be provided easily because it is necessary to strengthen security at one
central point only, and not at multiple points throughout the network.
Other advantages of the WAPS include:
The WAPS is easy to maintain because it supports multiple Web servers with only
one installation.
The WAPS supports all Web servers (not only IIS).
The WAPS supports Integrated Windows Authentication.
UserAuthority WebAccess Plug-In (WAPI)
WAPI is deployed directly on the Web server that hosts the Web applications. In this
case, the request is sent directly to the Web server with the requested Web application
and WAPI is configured to intercept all requests so they can be authenticated and
authorized.
Deploying the WAPI can be advantageous in networks with only a few Web servers.
Because the requests are sent directly to the actual Web server, an additional server is
not necessary. The WAPI must be configured individually for each Web server. In a
network with a large number of Web servers, the WAPI must be installed on each one.
This requires a greater amount of effort in terms of initial configuration and
maintenance (for example, upgrades).
FIGURE 2-2 shows a deployment with the WAPS. This scenario has one Web server,
which is located in the DMZ.
FIGURE 2-2 Sample Deployment for an Enterprise with an Internal Web Application using UserAuthority WAPI
Terms in UserAuthority WebAccess Configuration
When you install WebAccess, a set of configuration options must be defined. These
options are displayed as part of the installation process. Most of the configurations are
the same for both the WAPS and the WAPI. However, for the WAPS, you must also
configure virtual hosts. Common Suffix Domains are configured when there is more
than one Web server in the deployment.
Virtual Hosts
A virtual host is a Web server that holds the Web applications. When you deploy the
WAPS, you create a virtual host that defines how internal Web servers are assigned. (For
information on how to configure virtual hosts, see Configuring Virtual Hosts on page 84.)
Note - The WAPI is available for IIS servers only. For other servers, you must use the
UserAuthority WAPS.
Note - The WAPI deployment is best used when there is only one Web server or there is no
access to the enterprise's Web applications from outside the network. The WAPI does not
support Integrated Windows Authentication.
The network administrator defines the IP address of the server that is published (the
WAPS) and maps it to the Web server that holds the pages that are requested (the virtual
host). In cases where more than one Web server is used, a different virtual host is defined
for each Web server. It is also possible to define rules so that requests to the proxy can be
made through SSL and requests to the Web servers are sent by ordinary HTTP. Because
the client request is sent directly to the WAPS, the user only sees the address of the
WAPS.
Any information on the address or IP of the actual page the client requested remains
hidden. This is advantageous for security because the requester does not receive
information about the original server, which might contain additional sensitive
information. FIGURE 2-3 shows an example of the use of virtual hosts.
FIGURE 2-3 Virtual Hosts
In FIGURE 2-3, the following servers are defined using the common suffix
.myEnterprise.com:
Webserver 1 is defined as webserver1.myEnterprise.com so that all requests to this
domain arrive at the proxy and are sent to 10.10.5.2 according to the virtual host
definition.
Webserver 2 is defined as webserver2.myEnterprise.com so that all requests to this
domain arrive at the proxy and are sent to 10.10.5.3 according to the virtual host
definition.
Common Suffix Domain
Common Suffix Domains are configured when there is more than one Web server in
the deployment.
The Common Suffix Domain is the last part of the domain. For example, in the
domain a.myEnterprise.com, the suffix domain is myEnterprise.com. Where there is
more than one Web server (for example, a.myEnterprise.com and b.myEnterprise.com),
the Common Suffix Domain (shared by both domains) is .myEnterprise.com.
When a user is identified, UserAuthority WebAccess places a cookie on the client. The
cookie contains encoded information that includes the user identity key. The cookie is
sent to the Web server for each request and UserAuthority WebAccess uses the cookie
identity key to recognize the user making the request. A cookie is sent by the browser
only if the requested domain falls under the cookie's domain.
UserAuthority WebAccess uses the Common Suffix Domain to make the cookie
available to all Web servers in the deployment. When you define a Common Suffix
Domain, all domains in the deployment will have the same suffix as is defined in the
Common Suffix Domain. In the Common Suffix Domain configuration, you can also
define how to handle requests that do not have the common suffix.
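As an added illustration (not Check Point's code), the following Python models the two mechanisms described above: the virtual host mapping from FIGURE 2-3 and the suffix test that decides whether a request host falls under the Common Suffix Domain and therefore receives the identity cookie. Host names and addresses are the figure's illustrative values; rejecting requests whose host lacks the common suffix is an assumed policy choice, and the suffix test is done on a label boundary so that a look-alike host such as evil-myEnterprise.com is not treated as part of .myEnterprise.com.

```python
from typing import Optional

# Virtual host definitions: published host name -> internal Web server
# (illustrative values from FIGURE 2-3; keys are kept lower-case).
VIRTUAL_HOSTS = {
    "webserver1.myenterprise.com": "10.10.5.2",
    "webserver2.myenterprise.com": "10.10.5.3",
}

COMMON_SUFFIX_DOMAIN = ".myEnterprise.com"


def normalize_host(host: str) -> str:
    """Lower-case a Host header value and drop a trailing dot and any port.
    (Bracketed IPv6 literals are not handled; names are what the figure uses.)"""
    host = host.strip().lower().rstrip(".")
    if ":" in host:
        host = host.split(":", 1)[0]
    return host


def in_common_suffix_domain(host: str, suffix: str = COMMON_SUFFIX_DOMAIN) -> bool:
    """True if host is the suffix domain itself or a subdomain of it.

    Matching is on a label boundary: 'a.myenterprise.com' is inside
    '.myenterprise.com', while 'evil-myenterprise.com' is not, even though
    it ends with the string 'myenterprise.com'.
    """
    host = normalize_host(host)
    suffix = suffix.lower().lstrip(".")
    return host == suffix or host.endswith("." + suffix)


def resolve_backend(host: str, reject_outside_suffix: bool = True) -> Optional[str]:
    """Return the internal server for a request Host, or None if no virtual
    host matches. reject_outside_suffix models the Common Suffix Domain
    option for requests without the common suffix (assumption: reject them)."""
    host = normalize_host(host)
    if reject_outside_suffix and not in_common_suffix_domain(host):
        return None
    return VIRTUAL_HOSTS.get(host)


def route_request(host: str) -> dict:
    """Combine both checks the way one request is handled at the proxy."""
    return {
        "host": normalize_host(host),
        "backend": resolve_backend(host),
        "identity_cookie_applies": in_common_suffix_domain(host),
    }


if __name__ == "__main__":
    for h in ("webserver1.myEnterprise.com", "WebServer2.myenterprise.com:443",
              "webserver3.myEnterprise.com", "evil-myEnterprise.com"):
        print(route_request(h))
```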
Workflow
The following workflow shows the steps needed to deploy UserAuthority in an
enterprise with Web applications.
To carry out the deployment:
1 Install the UAS on the VPN-1 Pro gateway (see Installing and Configuring UAS
on VPN-1 Pro on page 49).
2 Install the WAPS on a separate server. Make sure to configure a virtual host and
then indicate a Common Suffix Domain for all the Web servers in the deployment.
Make sure to configure WebAccess in SmartDashboard as well.
OR
If you are deploying the WAPI, install it on each Web server in your deployment.
For information on UserAuthority WebAccess installation and configuration, see
Installing and Configuring UserAuthority WAPS on page 70 or Installing and
Configuring the UserAuthority WAPI on page 80.
3 Configure the deployment to trust Windows Domain as an Identification Point.
A If you deploy the WAPS, configure Integrated Windows Authentication (see
Configuring Integrated Windows Authentication on page 116). If you
deploy the WAPI, install a UAS on the Windows DC, and configure
automatic SecureAgent installations (see Installing and Configuring the UAS
on the Windows DC on page 61).
B If your network includes Citrix/Terminal Services users you need to install a
UAS on the Citrix/Terminal Services. See Installing and Configuring the
UAS on the Windows DC on page 61. The installation and configuration
are the same. You do not need to configure SecureAgent.
4 Install a basic UserAuthority WebAccess policy (see Configuring a Basic Web SSO
Rule on page 85).
5 Manage users in VPN-1 Pro by defining at least one user in a user database and/or
connecting to an existing LDAP server. For more information on creating databases,
see the instruction guides provided with the database software and hardware. For
more information, see Chapter 6, User Management in UserAuthority.
Test Your Deployment
1 Enter your Web site in such a way that you will be recognized by a TIP (for
example, from the local network or from SecureClient/SecureRemote).
If your application uses HTML form authentication, the application login page
should be displayed with a UserAuthority widget.
If your application uses basic authentication, a UserAuthority update page should
be displayed.
2 Enter your credentials.
3 Close your Web browser.
4 Enter the Web application again in such a way that you will be recognized by a TIP.
You automatically enter the application without seeing the login page.
B2C
A Business to Customer (B2C) deployment is used by enterprises that offer special
services to customers, clients or agents through the Internet. A typical example is a
company that sells books or toys and has customers who access the network from the
Internet. Security is important in this case because the company database might contain
sensitive information, such as customer financial details. It is important that only users
authorized to receive specific information can get that information, and only that
information.
In this deployment, the client computers belong to users who do not belong to the
enterprise. They do not have a VPN client, therefore identification is usually carried
out by UserAuthority WebAccess. UserAuthority provides two advantages in this type
of deployment:
Note - If a WebAccess Authentication page is displayed, a problem has occurred in the
identification process.
If you wish to test your deployment without TIP identification, see Test Your Deployment
on page 37.
External Authorization Point: The remote user's identification is captured by
UserAuthority WebAccess. Thereafter, UserAuthority WebAccess performs
authentication to the Web application on behalf of the user.
Single Sign-On: Users are authorized without having to authenticate to each
application that they request, and only authorized users can access the enterprise's
Web applications.
Authorization policy answers the following criteria:
Who can do what and when it can be done.
How a Web site or application can be accessed.
A network administrator first sets an authorization policy in UserAuthority that
determines who can access applications, which applications they can access, and how
they can access them (i.e., read-only access or full access). It is also possible to
determine when a user has read-only access or even when they cannot access the
application.
The authorization policy determines how an application is accessed, for example,
whether access can be made over a non-secure connection or only over an SSL-secured
connection.
UserAuthority provides the means to implement authorization policy on an application
level. This means that users can only access those applications to which they are
specifically given access. Therefore, not all users who have permission to cross the
WAPS can access the same information. This is important for enterprises that provide
sensitive information, such as personal medical information or bank account
information. Users can sign on and gain access to the network, but depending on their
authorization rights, they can only gain access to their own information.
For more information on Authorization for Web Applications, see Chapter 4,
Authorization for Web Applications.
The following components are required for this deployment:
UAS installed on a VPN-1 Pro module. (A third-party firewall gateway can be used;
in this case the VPN-1 Pro module is installed on the same machine as
UserAuthority WebAccess. See FIGURE 2-5.)
WAPS installed and located in a DMZ (or segment separate from the local network)
or WAPI installed on each Web server. (For a description of WAPS and WAPI and
the differences between them, see UserAuthority WebAccess Deployment on
page 27).
VPN-1 Pro management installed on a gateway or other server.
SmartDashboard installed on a gateway or other server.
At least one Web server.
An internal network, if necessary, for maintaining the Web site.
For information on installing the various components, see Workflow on page 31.
FIGURE 2-4 shows a B2C deployment with multiple Web servers and WAPS located
in the DMZ:
FIGURE 2-4 B2C Deployment
In this deployment, remote users connect to the system through UserAuthority
WebAccess. FIGURE 2-4 shows the system deploying the WAPS in the DMZ. It is
also possible to deploy a WAPI on each of the Web servers. In this case, a separate
WAPS is not necessary.
The WAPS configuration is recommended because fewer UserAuthority WebAccess
installations are necessary, and it assures that no user can access the application's Web
servers without being authenticated. For more information on the advantages of
deploying both types of UserAuthority WebAccess, see UserAuthority WebAccess
Deployment on page 27.
For security reasons, the WAPS is typically located on a segment separate from the Web
servers. This is usually in a DMZ; however, the network administrator can deploy the
network in whatever configuration best fits the enterprise. This includes configurations
where the WAPS is deployed on the same segment as the Web servers. Security is
achieved by defining VPN-1 Pro policy so that all access to the network passes through
UserAuthority WebAccess.
UserAuthority WebAccess authenticates the client using a defined authentication
process. The first time a user accesses the system, an HTML authentication page is
displayed requesting the user credentials. For the remainder of the session,
UserAuthority WebAccess remembers the user identity. It is also possible to configure
the network so that a user does not have to enter credentials for successive sessions, if
logging on from the same client.
A B2C deployment can be deployed with a third-party (non-Check Point) firewall. In
this case, the VPN-1 Pro module is installed as a secure server on the same computer as
the UAS and WebAccess.
FIGURE 2-5 shows how UserAuthority is deployed when using a third-party firewall:
FIGURE 2-5 B2C Deployment with Third-Party Firewall Gateway
In the B2C deployment, the following takes place:
1 The user accesses the company's Web resources using a Web browser.
2 When the user accesses a Web resource for the first time, the VPN-1 Pro allows the
request to arrive at UserAuthority WebAccess, which asks for the user's identity.
3 UserAuthority WebAccess queries the UAS on the VPN-1 Pro gateway for the
user's identity. If UserAuthority already knows the user's identity (from a TIP, such
as a VPN tunnel or Windows domain), the identity is passed back to UserAuthority
WebAccess for authorization. If the identity is unknown, UserAuthority WebAccess
sends an authentication page and requests the user's identification information.
4 UserAuthority WebAccess then matches the user against the defined UserAuthority
WebAccess rules.
5 Users who match the defined rules are authorized to access the requested Web
resource and are provided with SSO. For more information on configuring
authorization rules, see Chapter 4, Authorization for Web Applications.
Workflow
To carry out the deployment:
1 Install the UAS on the VPN-1 Pro gateway. (If you are using a third-party firewall,
install UAS on the same computer as UserAuthority WebAccess.) For more
information, see Installing and Configuring UAS on VPN-1 Pro on page 49.
2 Install the WAPS on a separate server. Make sure to configure a virtual host and
then indicate a Common Suffix Domain for all the Web servers in the deployment.
OR
If you are deploying the WAPI, install it on each Web server in your deployment.
Make sure to configure WebAccess in SmartDashboard as well.
For information on UserAuthority WebAccess installation and configuration, see
Installing and Configuring UserAuthority WAPS on page 70 or Installing and
Configuring the UserAuthority WAPI on page 80.
3 Install a default UserAuthority WebAccess policy, see Configuring a Bas