Endpoint Security Gateway Integration Guide
Version NGX 7.0 GA
January 9, 2008

© 2008 Check Point Software Technologies Ltd. All rights reserved.

This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Contents

Preface
  About this Guide 10
  About the Endpoint Security Documentation Set 10
    Documentation for Administrators 10
    Documentation for Endpoint Users 11
  Feedback 12

Chapter 1 Gateway Integration Overview
  Prerequisites 13
  System Requirements 13

Chapter 2 Network Access Server Integration
  Understanding Cooperative Enforcement Architecture 15
  Configuration Overview 17
    Before You Begin 17
    Configuring Cooperative Enforcement 17
  Configuring the RADIUS Server 18
    Configuring the NAS as a RADIUS Client 18
    Configuring Endpoint Security as a RADIUS Client 19
    Configuring Endpoint Security Access to the RADIUS Server 20
  Configuring Endpoint Security 23
    Enabling 802.1x Communication 23
    Creating a Catalog for the Gateway 23
    Assigning a Policy to the Gateway Catalog 23
  Configuring the NAS 25
  Configuring Endpoint Computers 26
    Configuring Endpoints for Use with Wireless Access Points 26
    Configuring Endpoints for Use with Wired Connections 31
  Supported Enforcement Behaviors 34
  Troubleshooting Your Installation 35
    General 35
    Internet Authentication Service 35
    Endpoint Security 35
    Endpoint Security client 35
    Network Access Server 35

Chapter 3 Check Point VPN-1 Integration
  Cooperative Enforcement Using SecureClient and SCV 37
    Cooperative Enforcement Workflow 37
    Understanding the SecureClient/Endpoint Security client Unified Installer 38
  System Requirements 39
  Configuring VPN-1 to Allow Access to Endpoint Security 40
  Integrating the Endpoint Security client with SecureClient 41
    Integrating with an Existing SecureClient 41
    Integrating with an Existing Endpoint Security client 41
    Creating a localized unified installation package 42
    Configuring your VPN-1 Installation 43
    Configuring the SecureClient Installation 46
    Checking that the Computer is Securely Configured 47
    Installing an Endpoint Security client after SecureClient 47
    Installing SecureClient after the Endpoint Security client 48
    Checking the Connection 48
  Configuring the SCV Policy 48
    Installing the SCV Policy on Policy Servers 52
  Configuring an Endpoint Security client for Use with SecureClient 53
    Packaging the Policy File 54

Chapter 4 VPN-1 UTM/Power Gateway Integration
  Benefits of VPN-1 UTM or Power Gateway Integration 57
  System Requirements 57
  Configuring the Gateway and Server for Cooperative Enforcement 57
    Configuring the Gateway on Endpoint Security Server 58
    Configuring the Gateway to Use the Endpoint Security Server 58

Chapter 5 Cisco VPN Concentrator Integration
  System Requirements 61
  Integrating Cisco VPN 3000 Series Concentrator 62
    Configuring the Cisco Concentrator 62
  Configuring the Endpoint Security client 65
    Overview of client communications 65
    Configuring the Enterprise Policy 66
    Packaging the Policy File with Flex or Agent 70
  Troubleshooting 71
    Checking connection to the Endpoint Security Server 71
    Checking the Log files 72
    Checking the SSL Certificate Exchange 72
    Checking the SSL Certificate Validity 72
    Checking the Encryption Type 73
    Checking Port Settings 73

Chapter 6 Configuring the Cisco Catalyst 2950
  Requirements 76
    Server Requirements 76
    Client Requirements 76
  Configuring Cisco Catalyst 2950 G Switch 77
  Configuring the Endpoint Computers 80
  Troubleshooting 81

Chapter 7 Configuring the Cisco Aironet 1100 Series Wireless Access Point
  System Requirements 83
    Server Requirements 83
    Client Requirements 83
  Configuring Cisco Aironet 1100 Series Wireless Access Point 84
    Creating a Cooperative Enforcement SSID 84
    Defining a Wired Equivalent Privacy (WEP) Key 85
    Defining Endpoint Security as the RADIUS Server on the NAS 85
    Setting the Reauthentication Interval 86
  Configuring Endpoint Computers 87
  Troubleshooting 88

Chapter 8 Cisco ASA
  System Requirements 90
  Cooperative Enforcement with ASA 91
  Workflow 92
  Basic Configuration Tasks 93
    Naming and Configuring the Interface 93
    Configuring the Server Address 94
    Configuring the Port 95
    Configuring the Interface Location 95
    Configuring the Timeout Interval 95
    Setting the Fail State 95
    Setting the Secure Socket Layer Certificate Options 96
    Setting the Client Firewall 96
    Saving 97
  Additional Command Line Parameter Reference 98
    clear configure zonelabs-integrity 98
    show running-config zonelabs-integrity 98
    zonelabs-integrity interface 99

Chapter 9 Nortel Contivity VPN Switch Integration
  Configuring the Nortel Contivity VPN Switch 101
    Enabling Tunnel Filter and Tunnel Management Filter 101
    Creating an Endpoint Security client Software Definition and TunnelGuard Rule 103
    Creating a Nortel Restricted Access Tunnel Filter to the Endpoint Security server Sandbox 109
  Configuring the Endpoint Security clients 113

Chapter 10 Configuring the Enterasys RoamAbout R2
  System Requirements 117
    Server Requirements 117
    Client Requirements 117
  Configuring Enterasys RoamAbout R2 118
    Defining a Wired Equivalent Privacy (WEP) Key 118
    Defining Endpoint Security as the RADIUS Server on the NAS 119
  Configuring Endpoint Computers 121

Chapter 11 Configuring the Check Point Safe@Office 425W
  System Requirements 123
    Server Requirements 123
    Client Requirements 123
  Configuring the Safe@Office 425W 124
    Configuring the Wireless Settings 124
    Defining Endpoint Security as the RADIUS Server on the NAS 125
  Configuring Endpoint Computers 127

Preface

In This Preface
  About this Guide page 10
  About the Endpoint Security Documentation Set page 10
  Feedback page 12

About this Guide

This guide describes the steps necessary to integrate your gateway device with Endpoint Security. Integrating your gateway with Endpoint Security enables you to use the Cooperative Enforcement™ feature for remote access protection. Please make sure you have the most up-to-date version available for the version of Endpoint Security that you are using.

Before using this document, you should read and understand the information in the Endpoint Security Administrator Guide in order to familiarize yourself with the Cooperative Enforcement feature.

About the Endpoint Security Documentation Set

A comprehensive set of documentation is available for Endpoint Security, including the documentation for the Endpoint Security clients. This includes:
  “Documentation for Administrators,” on page 10
  “Documentation for Endpoint Users,” on page 11

Documentation for Administrators

The following documentation is intended for use by Endpoint Security administrators.

Table 4-1: Server Documentation for Administrators

Title
    Description
Endpoint Security Installation Guide
    Contains detailed instructions for installing, configuring, and maintaining Endpoint Security. This document is intended for global administrators.
Endpoint Security Administrator Guide
    Provides background and task-oriented information about using Endpoint Security. It is available in both a Multi and Single Domain version.
Endpoint Security Administrator Online Help
    Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross-references to the associated tasks in the Endpoint Security Administrator Guide.
Endpoint Security System Requirements
    Contains information on client and server requirements and supported third party devices and applications.
Endpoint Security Gateway Integration Guide
    Contains information on integrating your gateway device with Endpoint Security.

[...] sending your comments to: cp_techpub_feedback@checkpoint.com

[...]

Chapter 1 Gateway Integration Overview

In This Chapter
  Prerequisites page 13
  System Requirements page 13

This book describes the steps necessary to integrate your gateway device with Endpoint Security. Integrating your gateway with Endpoint Security enables you to use the Cooperative Enforcement™ [...]

[...] Configure Endpoint Security as a RADIUS client. See page 19.
    c. Configure Endpoint Security access to the RADIUS server. See page 20.
  2. Configure Endpoint Security. See page 23.
    a. Enable 802.1x communication. See page 23.
    b. Create a catalog for the gateway. See page 23.
    c. Assign a policy to the gateway catalog. See page 23.
  3. Configure the NAS. See page 25.
  4. Configure the endpoint computer. See page 26.

[...] tab.
  2. In the Network Authentication dropdown list, select Open.
  3. In the Data Encryption dropdown list, select WEP.
  4. In the Network Key field, enter the WEP network key you created on the gateway. Type the WEP network key a second time in the Confirm Network Key field.

[...] configuration by right-clicking the NAS RADIUS client entry and choosing Properties.

Configuring Endpoint Security as a RADIUS Client

Endpoint Security handles authentication requests to the RADIUS server.

To add Endpoint Security as a RADIUS client:
  1. Open Internet Authentication Service, expand RADIUS clients, [...]

[...] right-clicking the Endpoint Security RADIUS client entry and choosing Properties.

Configuring Endpoint Security Access to the RADIUS Server

To configure Endpoint Security access to the RADIUS server:
  1. In the Internet Authentication Service left panel, select Remote Access Policies. The Remote Access Policies appear in the right panel.

[...] it again and choose start.
  10. Right-click Internet Authentication Service (local) and select Register Server in Active Directory. IAS can now authenticate users from your AD domain.

Configuring Endpoint Security

This section describes how to configure Endpoint Security to work with an 802.1x-compatible NAS.

To configure the Endpoint [...]

[...] is recommended that you have your gateway already configured to work with your network before beginning and that you have tested your setup.

System Requirements

For all system requirements and version information for supported gateways, see the Endpoint Security System Requirements document.

Chapter 2 Network Access Server Integration

In This Chapter
  Understanding [...]

[...] VPN gateway, see the Endpoint Security Administrator Guide. The information provided here assumes you have already installed VPN-1. For details about VPN-1 installation, see the Check Point VPN-1 documentation. This chapter also assumes you have performed the steps for configuring Cooperative Enforcement described in the Endpoint Security Administrator Guide.

[...] distribution. See the Endpoint Security Implementation Guide for more information.
Introduction to Agent
    Provides basic information to familiarize new users with Agent. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.

Feedback

Check Point is engaged in a continuous [...]

[...] configuration guide for that NAS.

Chapter 3 Check Point VPN-1 Integration

In This Chapter
  Cooperative Enforcement Using SecureClient and SCV page 37
  System Requirements page 39
  Configuring VPN-1 to Allow Access to Endpoint Security page 40
  Integrating the Endpoint Security client with SecureClient page 41

This chapter describes how to integrate a Check Point Endpoint [...]