Integrating Active Directory With FW-1 NG

Check Point Next Generation

Integrating Microsoft’s Windows 2000 and .NET Server Active Directory with Check Point NG and SecureClient.

Author: Joe Green [email protected]
Revision for .NET Server: Oren Green [email protected]
Last updated: June 1, 2003

Check Point Software Technologies, 6/3/2003



This document assumes the following.

1. You have an understanding of installing and configuring Check Point NG in a distributed environment (Management and Module installed separately). Note: Active Directory Integration CAN work in a Stand Alone deployment.

2. You have a basic understanding of Active Directory and Windows 2000 and Windows .NET Servers.

[Network diagram: FW-1 Management Server / Active Directory Server, two SBox gateways and a SecureClient host; Internal LAN 172.16.1.x/24, External LAN 10.1.1.x/24, Remote Users LAN 192.168.10.x/24; interface addresses shown as .200, .254, .254, .253 and .1]

In the above configuration, the Check Point Management Server is also the Active Directory Server. In a real-world deployment these two applications would probably not run on the same machine, but combining them is an easy way to learn this set-up with the minimum number of computers in a lab. The DNS domain used in the above configuration is laxlab.com. The Management Server’s FQDN is msad.laxlab.com. The following steps outline what this document covers.

1. Installation/configuration of Active Directory
2. Installation/configuration of Microsoft’s DNS Server
3. Installation/configuration of Microsoft’s Certificate Authority Server
4. Check Point configuration for LDAP
5. Setting up a template and managing users

Before starting, the following should be verified:

1. Check Point NG FP3 HF2 is installed and you are able to push policies without any problems (e.g. SIC is functioning, name resolution is working, etc.).
2. All machines have IP connectivity to each other.
3. The Microsoft High Encryption Pack is installed. It can be obtained at: http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp

Licensing: To integrate Check Point and LDAP together, you must have the Account Management Module license. This license is applied to the Management Server (or CMA in Provider-1). The AMM license is also included in the Smart Center Pro bundle.


Known issues and limitations:

1. SSL works only with the following configuration: Max = Strong, Min = Strong.
2. Using 'fwm dbexport/import' to import FW-1 users into the Active Directory will not import the users’ passwords.
3. SSL is forced by default, so it is not possible to edit users’ passwords and groups on the Active Directory in clear mode (port 389).

Installing Microsoft’s Active Directory:

1. From within Windows, go to Start -> Run and enter the command dcpromo. The Active Directory Wizard will start and you need to provide the following input at the prompts (see pictures below).

   a. Domain Controller for a new domain
   b. Create a new domain tree
   c. Create a new forest of domain trees
   d. Type the full DNS name for the new domain. **Note** This is the DNS domain that your computer belongs to, e.g. laxlab.com
   e. Type in the domain NetBIOS name (this is for earlier versions of Windows), e.g. laxlab
   f. Specify the Database and Log locations (take the defaults)
   g. Enter the location for the System Volume Folder (again, take the defaults)
   h. At this point in the Active Directory installation, it will warn you that it cannot contact a DNS server for your domain (unless you have already configured DNS). Either use the existing DNS installation or have the wizard install it for you (having the Wizard install it is very easy).
   i. Set the permissions to be compatible with your environment.
   j. Set the password for the Directory Services restore and click Next at the summary screen to complete installation of Active Directory and DNS.

Note: When Active Directory finishes installing, it will ask you to reboot the computer; don’t reboot yet. If you just installed DNS for your domain, the computer will take a long time to present the logon screen after the reboot, because it is trying to contact a DNS server to resolve the domain that was just created. To avoid this, make the Primary DNS server of your computer the local computer itself. Now reboot.

(Screenshot: DCPROMO)


(Screenshot: DNS Install)

2. Upon reboot, you need to install Microsoft’s Certificate Server. This is required for SSL communication between the Active Directory Server and the Check Point Management console.

   a. This is installed through the Windows Control Panel -> Add/Remove Components -> Add/Remove Windows Components.
   b. Select the Certificate Services option and click Next. Then choose the following options.
      i. Select Enterprise Root CA


      ii. Fill in the CA Identifying Information fields. Note: This is the information that will be part of your certificate.
      iii. Take the Data Storage Location defaults.
      iv. Certificate Server is now installed (no reboot necessary).

(Screenshot: Certificate Server)

3. Next, you need to allow the schema to be viewed and modified by the Microsoft Management Console (MMC). This is easily done through the GUI in Windows 2000 and .NET Server.

   a. Register the schema DLL. Go to Start -> Run, and type regsvr32 schmmgmt.dll (you should see a message stating that the operation was successful).
   b. Go to Start -> Run and type mmc.
   c. From within the MMC, click on the Console menu, then click Add/Remove Snap-In…
   d. Click Add and select Active Directory Schema, click Add, click Close and click OK to return to the MMC.
   e. Expand the Active Directory Schema (click on the + symbol).


   f. Right click on the A.D. Schema in the MMC and select Operations Masters.
   g. Place a check in the box titled “The schema may be modified on this domain controller.”
   h. Exit the MMC and reboot.

***Note*** To enable schema updates by means of the registry: It is not recommended to enable schema updates by directly editing the "Schema Update Allowed" registry key. Schema updates should be enabled through the console method whenever possible. If for some reason the console method cannot be used, the following registry key may be edited directly:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

To directly edit this registry key, perform the following steps:

   1. Click Start, click Run, and then in the Open box, type regedit and press ENTER.
   2. Locate and click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
   3. On the Edit menu, click New, and then click DWORD Value.
   4. Enter the value data when the following registry value is displayed:
      Value Name: Schema Update Allowed
      Data Type: REG_DWORD
      Base: Binary
      Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.
   5. Quit Registry Editor.

The schema may now be updated on the domain controller that holds the schema operations master role.

More information: Clicking to select the "Schema may be modified on this Domain Controller" check box in the console adds the "Schema Update Allowed" registry value if it is not present. Clicking to clear the check box sets the "Schema Update Allowed" registry value to zero, but it does not delete the value. Further information about the Active Directory schema may be found in Chapter 4 of the Windows 2000 Server Distributed Systems Guide, which is part of the Windows 2000 Server Resource Kit.


(Screenshot: MMC)

4. Next, you need to delegate control of the directory so that the administrator can make changes.

   a. Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
   b. Right click on your domain and choose Delegate Control.
   c. Add the administrator account (or administrators group) and check both of the boxes in the next screen. Click OK and then exit.

(Screenshot: Delegation)

5. To enable SSL communication between FireWall-1 and Active Directory, the following needs to be done:

   a. Go to Start -> Programs -> Administrative Tools -> Domain Security Policy.


   b. Go to Security Settings -> Public Key Policies -> Automatic Certificate Request Settings, right click and select New Automatic Certificate Request.
   c. Select Domain Controller from the window, then select your CA.

(Screenshot: SSL)

Check Point VPN-1/FireWall-1 Configuration:

1. Log into the Check Point SmartDashboard.
2. Go to the Policy menu -> Global Properties.

   a. From the LDAP Account Management branch, select Use LDAP Account Management and click OK.
   b. Next, go to the Manage menu -> Servers. Create an LDAP Account Unit object. Use the following parameters (screen shots below):

   (General tab)
      i. Name = a descriptive name.
      ii. Check the boxes “User Management” and “CRL Retrieval”.
      iii. Set the LDAP Profile type to Microsoft_AD and fetch the branch.

      Note: Active Directory only returns "cn=users,dc=x" where x is the AD domain. When users are defined under separate organizational units, those units should be manually added as branches.

   (Servers tab)
   c. On the Servers tab, you need to add your server and set all the necessary parameters (see figures below).
      i. Host = your LDAP server (we are using our Mgmt. server since A.D. and the CP Mgmt. are on the same box).
      ii. Login DN: cn=administrator,cn=users,dc=laxlab,dc=com (Note: substitute your DNS domain for laxlab.)
      iii. Enter the administrator’s password.


      iv. Permissions

   (Encryption tab)
   d. On the Encryption tab, set the following parameters.
      i. Use SSL.
      ii. Click Fetch for Fingerprint.
      iii. Set Encryption to Strong for both Min and Max.
      iv. Type in the IKE password (the same as the administrator’s password). Click OK.

   (Objects Management tab)
   e. On the Objects Management tab, select your A.D. object and fetch the branch.

   (Authentication tab)
   f. On the Authentication tab, make sure to select the template you want to use.

(Screenshot: Check Point LDAP Configuration)


Extending the Schema (Optional Configuration): There are certain attributes that can be defined for users in Check Point VPN-1/FireWall-1 but not in Active Directory. It is possible that in a production environment a customer will not want to extend the schema of the Active Directory server. This operation is not necessary. By extending the schema you gain the benefit of having these Check Point attributes:

1. Time and date the user can log in.
2. Source and destination of the user.
3. IKE properties.
4. Account lockout.
5. Password expiration.
6. etc.

You still have the ability to control some of these things through the Active Directory database. Regardless, if you do not extend the schema, you will still be able to use those users.

Schema Extension procedure: Close the SmartDashboard and extend the Active Directory schema.

   g. Using WordPad, open the file $FWDIR\lib\ldap\schema_microsoft_ad.ldif and replace all instances of DOMAINNAME with your domain name, e.g. dc=laxlab,dc=com.
   h. Next (from the command prompt), using the ldapmodify command (all on one line), run the command, e.g.:

      C:\ldapmodify -c -h msad.laxlab.com -D "cn=administrator,cn=users,dc=laxlab,dc=com" -w password -f c:\winnt\fw1\ng\lib\ldap\schema_microsoft_ad.ldif


Note: In the above syntax, substitute your own hostname and DNS domain name for msad.laxlab.com and laxlab.com. The output of the ldapmodify command should look like:

[Begin example]
adding new entry CN=fw1auth-method,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1auth-server,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1pwdlastmod,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-number,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-seed,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-passwd,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1skey-mdm,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1expiration-date,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1hour-range-from,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1hour-range-to,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1day,CN=Schema,CN=Configuration,dc=laxlab,dc=com
adding new entry CN=fw1allowed-src,CN=Schema,CN=Configuration,dc=laxlab,dc=com
[End example]
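The DOMAINNAME substitution of step g, the Login DN rule from the Servers tab (dc= components derived from the DNS domain), and a check of the ldapmodify output against the LDIF, as an added Python example that is not part of the original paper or of Check Point's tools. The sample LDIF and ldapmodify output are constructed to mirror the entries listed above; the attribute bodies are placeholders, not Check Point's schema definitions.

```python
import re

# Constructed sample in the shape of schema_microsoft_ad.ldif: two of the
# attributes the walkthrough lists. The attribute bodies are placeholders,
# not Check Point's real schema definitions.
SAMPLE_LDIF = """\
dn: CN=fw1auth-method,CN=Schema,CN=Configuration,DOMAINNAME
changetype: add
objectClass: attributeSchema
cn: fw1auth-method

dn: CN=fw1allowed-src,CN=Schema,CN=Configuration,DOMAINNAME
changetype: add
objectClass: attributeSchema
cn: fw1allowed-src
"""

# Constructed ldapmodify output in which only the first entry was added. With
# -c, ldapmodify keeps going after an error, so one missing entry is easy to miss.
SAMPLE_OUTPUT = """\
adding new entry CN=fw1auth-method,CN=Schema,CN=Configuration,dc=laxlab,dc=com
ldap_add: Insufficient access
"""

def domain_to_base_dn(dns_domain):
    """laxlab.com -> dc=laxlab,dc=com, the value that replaces DOMAINNAME."""
    labels = [l for l in dns_domain.strip().strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("dc=" + l for l in labels)

def login_dn(dns_domain, account="administrator"):
    """Login DN for the Account Unit's Servers tab."""
    return "cn=%s,cn=users,%s" % (account, domain_to_base_dn(dns_domain))

def fill_ldif(ldif_text, dns_domain):
    """Step g: replace every DOMAINNAME placeholder with the base DN."""
    return ldif_text.replace("DOMAINNAME", domain_to_base_dn(dns_domain))

def ldif_dns(ldif_text):
    """All 'dn:' values in the file; refuse to go on if a placeholder survived."""
    dns = re.findall(r"^dn:\s*(.+?)\s*$", ldif_text, re.MULTILINE)
    left = [d for d in dns if "DOMAINNAME" in d]
    if left:
        raise ValueError("DOMAINNAME still present in: " + "; ".join(left))
    return dns

def missing_entries(ldif_text, ldapmodify_output):
    """DNs from the LDIF that ldapmodify never reported as 'adding new entry'.
    Compared case-insensitively because AD echoes RDN types in upper case."""
    added = {m.lower() for m in re.findall(r"^adding new entry (.+?)\s*$",
                                             ldapmodify_output, re.MULTILINE)}
    return [d for d in ldif_dns(ldif_text) if d.lower() not in added]

if __name__ == "__main__":
    filled = fill_ldif(SAMPLE_LDIF, "laxlab.com")
    print("bind as:", login_dn("laxlab.com"))
    print("not confirmed added:", missing_entries(filled, SAMPLE_OUTPUT))
```

Run missing_entries() over the real schema_microsoft_ad.ldif and the captured ldapmodify output; an empty list means all twelve entries were confirmed added.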

3. Log back into the Check Point SmartDashboard and make sure you have the Object List window pane open. Go to the Users tab in the Objects Tree and double click on the Active Directory Server.

4. You should now see all of your users.

(Screenshot: GUI)


You are now done incorporating Microsoft’s Active Directory with NG FP3 HF2. The next section will explain how to incorporate that with SecureClient.

Integrating SecureClient with Active Directory:

The theory behind utilizing Active Directory for the user database is that you do not have to recreate any users and their passwords. Users that already exist in the directory can now use that username and password for authentication. This dramatically reduces the overhead associated with managing a separate user database.

Note: Before proceeding, you should have SecureClient configured, tested, and working with standard user authentication. That way, you won’t be troubleshooting two different issues if there is a problem. If you do not understand how to configure FP-3 and SecureClient, please see the white paper “How to configure SecureClient in NG FP-3” located on the configuration Documents page of the Check Point public web site.

To utilize Active Directory for authenticating your remote users, you must first start by creating an “External Group”. To do this, follow the instructions below.

1. Launch the SmartDashboard GUI and click on the Users Icon (See Figure above). To see the users, make sure you have the Objects Tree and Objects List open (these can be opened by clicking on the “View Menu” and selecting the corresponding options).


2. You should see a branch on the left entitled “LDAP Groups”. Right click on it and select “New LDAP Group”. Set the properties as follows:

   a. Enter a descriptive name (ours is VPN-Users).
   b. Select the account unit you wish to use (this should be the Account Unit you already created).
   c. Select the group’s scope.

Notice that in the screen shot above, we have selected “All Account-Unit’s Users”. This means that a user that exists anywhere in the Active Directory database can authenticate. If you would like to control this at a more granular level, you can create a new group in Active Directory that contains only the users you want to have remote access.

Example: In this scenario, we create a new group on the AD Server and call it “Secure-Client-Users”. In this group, we place all the A.D. users to whom we want to give remote access. We then create a new LDAP Group in SmartDashboard and give it the following properties.


Notice that we specify the group by using the syntax “cn=Secure-Client-Users” (without the quotes). Also note that the LDAP Group name is VPN-Users. This will be the group we use in the source of the Remote Access rule(s). Click ok to save all of your changes and open up your VPN-1 Gateway object. You need to click on the Authentication branch and set the appropriate user group for association with the Policy Server.


Next, you need to make sure that the properties for your user’s template are set correctly. This template will hold the properties for things like encryption, password method, etc. In our example, we are using the template “default” (you can have multiple templates). Here are some of the properties of that template and also the properties of a user linked to that template. Remember, the template was tied to the LDAP Account Unit.


When integrating with MS AD, you specify the password on the template as “VPN-1 Firewall-1 password”. When you open up a user and click on their auth tab, you see that it is picking up the properties from the template. Now, you need to create the rule that allows Remote Access and set up your SecureClient Policy. Below is a screen shot of how the rule base would appear.


The rule we are concentrating on is rule #1. This rule shows our LDAP Group as the source (remember, this is the group created in the Check Point GUI, not in A.D.). Our LDAP group references our A.D. group and also references the Account Unit (which references the user template, etc.). Make sense?

Next, you would configure your Remote Access Community, the SecureClient rule base, push the Policy, etc. All of those steps are outlined in the “How to Configure SecureClient in NG FP3” guide.

Please make sure to review the Check Point SmartView Tracker (formerly the Log Viewer). It contains a lot of useful information, especially when testing out a new configuration.