Document: Administration Guide Version NGX R65 doc


Document information

UserAuthority Administration Guide
Version NGX R65
700358 March 7, 2007

© 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved.
Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company.
All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
  • Who Should Use This Administration Guide
  • Summary of Contents
  • Appendices
  • Related Documentation
  • More Information
  • Feedback

Chapter 1 Introduction
  • The Need for UserAuthority
  • Identity-based Access Control for Outbound Connections via VPN-1 Power Gateway
  • Underlying Concept and Advantage
  • Typical Deployment
  • UserAuthority SSO for VPN-1 Power Deployment
  • OPSEC Protocols
  • How to Use this Administration Guide

Chapter 2 UserAuthority Deployments and Installation
  • Overview
  • Deployments
  • Outbound Access Control
  • Citrix MetaFrame or Windows Terminal Services
  • Supported Platforms
  • Installation and Configuration
  • Installing and Configuring UAS on VPN-1 Power
  • Installing and Configuring the UAS on the Windows DC

Chapter 3 Outbound Access Control
  • The Challenge
  • The UserAuthority Solution
  • Identification using SecureAgent
  • Identity Sharing
  • Retrieving Windows Groups with UserAuthority
  • Outbound Access Control using Citrix Terminals as TIP
  • Scenario - An Organization using Multiple Windows DCs
  • Scenario - An Organization Using Multiple Domains
  • Configurations
  • Adding Additional Windows DCs
  • Outbound Access Control on Citrix or Windows Terminals
  • Configuring UserAuthority Domain Equality

Chapter 4 User Management in UserAuthority
  • Overview
  • Managing Users and Groups
  • Users in UserAuthority
  • User Groups in UserAuthority
  • Using a Local Check Point Database
  • Using an External Database
  • Using the Windows User Identity
  • Users in the Windows Domain
  • Configuring UserAuthority to Recognize Windows User Groups

Chapter 5 Auditing in UserAuthority
  • Overview
  • Using Logs for Auditing
  • Auditing Outbound Traffic Using UserAuthority Outbound Access Control
  • Configuring UserAuthority for Auditing
  • Configuring Auditing of Requests for External Resources

Chapter 6 High Availability and Load Balancing
  • Overview
  • High Availability
  • Load Balancing
  • High Availability and Load Balancing in UserAuthority
  • Using Multiple Windows DCs
  • Using a VPN-1 Power Cluster

Chapter 7 UserAuthority CLIs

Chapter 8 UserAuthority OPSEC APIs
  • Overview
  • Programming Model
  • Defining a UAA Client
  • Client Server Configuration
  • OPSEC UserAuthority API Overview
  • Function Calls
  • Session Management
  • Assertions Management
  • Managing Queries
  • Managing Updates
  • Managing Authentication Requests
  • Assertions Iteration
  • Managing UAA Errors
  • Debugging
  • Event Handlers
  • UAA_QUERY_REPLY Event Handler
  • UAA_UPDATE_REPLY Event Handler
  • UAA_AUTHENTICATE_REPLY Event Handler

Chapter 9 Monitoring the UserAuthority Environment
  • Overview
  • System Monitoring
  • Monitoring the System Status
  • User Monitoring
  • Monitoring User Activities
  • Monitoring Example: SecureAgent Cannot Provide User Identity

Chapter 10 Troubleshooting UserAuthority
  • Overview
  • General Problems
  • Why is there no established SIC?
  • Why are Domain Controller Queries not Sent Properly?
  • User-Related Problems
  • Why does SecureAgent not identify the user?
  • Why are Terminal Server Clients not Identified by UAS?
  • Why does the Firewall Report Identify Users as Unknown?

Appendix A Integrating UserAuthority with Meta IP
  • Overview
  • Required Components
  • Preliminary Steps
  • Windows DC Configuration
  • VPN-1 Power Policy Configuration
  • DHCP Server Configuration

Appendix B Glossary
  • Acronyms and Abbreviations

Index

Preface

In This Chapter
  • Who Should Use This Administration Guide
  • Summary of Contents
  • Related Documentation
  • More Information
  • Feedback

Who Should Use This Administration Guide

This Administration Guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This Administration Guide assumes a basic understanding of
  • System administration.
  • The underlying operating system.
  • Internet protocols (IP, TCP, UDP etc.).

[...]

... abbreviations used in this Administration Guide

Related Documentation

The NGX R65 release includes the following documentation

TABLE P-1 VPN-1 Power documentation suite documentation

Title: Description

Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information...

... secure VoIP traffic

Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Eventia Reporter Administration Guide: Explains how to monitor and audit traffic,...
... set, see Chapter 8, “UserAuthority OPSEC APIs”

How to Use this Administration Guide

This Administration Guide provides step-by-step instructions for configuring UserAuthority. In order to assist you in the deployment of UserAuthority, this Administration Guide contains various scenarios that suit the deployments of most enterprises. These scenarios...

... What’s New, Licenses, Minimum hardware and software requirements, etc.

Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.

SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring...

SecurePlatform™/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.

Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier,... environments

TABLE P-2 Integrity Server documentation

Title: Description

Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.

Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview...

... SecureClient/Integrity client package

Integrity Advanced Server System Requirements: Provides information about client and server requirements.

Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.

Integrity XML Policy Reference Guide: Provides the contents...

Summary of Contents

This Administration Guide provides step-by-step instructions for configuring UserAuthority. In order to assist you in the deployment of UserAuthority, this Administration Guide contains various scenarios that suit the deployments of most enterprises. These scenarios are followed by detailed...

Appendices

This Administration Guide contains the following appendices:

Table A-2

Appendix: Description

Appendix A, “Integrating UserAuthority with Meta IP”: explains how UserAuthority can easily be integrated with the Meta IP product to provide authenticated IP addresses from an authenticated IP pool to authenticated users.

Appendix B, “Glossary”: describes the acronyms and abbreviations used in this Administration...

... Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.

More Information

  • For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/
  • See the latest version of this document in the User ...

Date posted: 25/01/2014, 08:20


Table of contents

  • UserAuthority

  • Contents

  • Preface

    • Who Should Use This Administration Guide

    • Summary of Contents

      • Appendices

      • Related Documentation

      • More Information

      • Feedback

      • Introduction

        • The Need for UserAuthority

          • Identity-based Access Control for Outbound Connections via VPN-1 Power Gateway

          • Underlying Concept and Advantage

          • Typical Deployment

            • UserAuthority SSO for VPN-1 Power Deployment

            • OPSEC Protocols

            • How to Use this Administration Guide

            • UserAuthority Deployments and Installation

              • Overview

              • Deployments

                • Outbound Access Control

                  • Workflow

                  • Test Your Deployment

                  • Adding an SSO Rule

                  • Citrix MetaFrame or Windows Terminal Services

                    • Workflow

                    • Test Your Deployment

                    • Adding an SSO Rule for Citrix MetaFrame or Windows Terminal Services

                    • Supported Platforms
