Publishing Your Installation Packages

Part of the document check point ng vpn 1 firewall 1 advanced configuration and troubleshooting part 7 pdf (Pages 60 - 64)

After you’ve created your installation package, you need a way to easily distribute the package to your users. A common method is to publish it on a Web site accessible to remote users. If the package contains topology information, this might be a way for sensitive network configuration information to fall into the wrong hands. A clever way to solve this problem is to use Partial Topology. This method delays the distribution of the topology information until after the user authenticates to the firewall. The user will be prompted with “Click here to update site,” and if the management server is configured to require authentication for topology exchange, your rollout can still limit topology information to authenticated users. If Partial Topology is not used, the customized package will contain no site information.

Damage & Defense…

The Silent Installation Window

The eighth window (see Figure 10.10) is the Silent Installation window.

As we like to say in the IT business, what if your end users are just “normal” people? What if they use IT simply as a means to an end? After spending years “in the trenches,” it might be hard for an IT specialist to believe that not everyone shares his or her desire to tweak and fiddle with every possible configuration option. Here in the Silent Installation window, you’ll find an opportunity to shield your users from unnecessary complexity and possibly shield yourself from unnecessary support issues, which is, of course, an important goal of the SecureClient Packaging tool anyway.

The only decision that you cannot shield your users from during the installation process is whether to accept the end-user license agreement. Other than that, here you have the opportunity to make the process completely silent.

Once you have made your selections, click Next to continue.

Figure 10.9 The Certificates Window

Figure 10.10 The Silent Installation Window

The Installation Options Window

The ninth window (see Figure 10.11) is the Installation Options window. This configuration window is something of a companion to the previous window in that you’re able to set the defaults for the key installation choices you considered allowing the user to make. Your options here include:

Default installation destination folder: Choose whether you want the client to install in the default destination folder (typically C:\Program Files\Check Point\SecuRemote) or whether you want to specify a different default folder.

Adapters installation: Choose whether you want to install SecuRemote/SecureClient on all adapters (including Ethernet) or on just the dialup adapters.

Install SecureClient by default: If this option is selected, the installation program will install SecureClient by default. Otherwise, SecuRemote will be installed by default.

Make your selections and click Next to continue.

The Operating System Logon Window

The tenth window (see Figure 10.12) is the Operating System Logon window.

Figure 10.11 The Installation Options Window

Secure Domain Logon (SDL) allows clients to securely log on to a Windows NT domain controller within the encryption domain, with both LAN and dial-up connections. With SDL, SecuRemote initializes before the domain controller authenticates the domain user. This allows the user’s credentials (username and password) as well as the user profile to travel over an encrypted tunnel between the client and the domain controller. Options available on this screen include:

Enable Secure Domain Logon (SDL): Checking this option ensures that SecuRemote/SecureClient is activated before Windows authentication credentials are sent to the domain controller.

SDL Logon Timeout: Configure the time (in seconds) during which the user must enter domain controller credentials. The logon will fail if there are no cached logon credentials and the proffered credentials are not entered during this period.

Enable Roaming user profiles: Choosing this option will quietly allow the opening of encrypted connections with the domain controller, despite the fact that the connection has been closed by SecuRemote/SecureClient logoff or shutdown. These open connections may be required to enable the proper synchronization of user profiles with the domain controller.

Enable third-party GINA DLL: Winlogon is a component of Windows (versions NT and later) that provides interactive logon support. The Winlogon executable works with the Graphical Identification and Authentication (GINA) DLL to implement the authentication policy. By default, Windows loads and executes the standard Microsoft GINA DLL (MSGina.dll). Check this box if your clients might need to authenticate with a third-party GINA DLL replacement.

Make your selections and click Next to continue.

Figure 10.12 The Operating System Logon Window

The Finish Window

The eleventh window (see Figure 10.13) is the Finish window. Congratulations! You’ve successfully completed the wizard and created a profile. The profile is stored in a database on the management server and will be available to edit or copy or be the basis for generating a different package in the future. If you were to choose YES, Create profile and generate package, the SecureClient Packaging Tool Package Generator wizard would launch immediately.

NOTE

The SecureClient Packaging tool uses the configuration options chosen in this wizard to configure the userc.C and Product.ini files (usually located in the SecuRemote\database directory on the client machine). These files can also be edited with a text editor, allowing all the options to be configured.

Click Finish to continue and close the wizard.
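
Because userc.C is a plain text file, a package can be checked for embedded site information before it is published on a Web site. The following Python check is an added example, not code from the book or from Check Point; it assumes that site data sits in top-level sections named gws and managers, and both sample files are constructed for illustration.

```python
import re

# Section names assumed to carry site/topology data in userc.C (an assumption
# of this example; confirm against a package you generated yourself).
TOPOLOGY_SECTIONS = ("gws", "managers")

def sections(text):
    """Return {name: body} for the entries directly inside the outer '( ... )'."""
    found, depth, name, start, in_quotes = {}, 0, None, 0, False
    for i, ch in enumerate(text):
        if ch == '"':
            in_quotes = not in_quotes      # parentheses inside quotes are data
        elif in_quotes:
            continue
        elif ch == "(":
            depth += 1
            if depth == 2:
                # The label is the ':name' immediately before this parenthesis.
                m = re.search(r":(\w+)\s*$", text[:i])
                name, start = (m.group(1) if m else None), i + 1
        elif ch == ")":
            if depth == 2 and name:
                found[name] = text[start:i].strip()
            depth -= 1
    return found

def embedded_topology(text):
    """Names of the topology sections that are present and non-empty."""
    secs = sections(text)
    return [n for n in TOPOLOGY_SECTIONS if secs.get(n)]

# Constructed sample: a package that carries a site definition.
FULL = '''(
	:options (
		:example_option ("on (default)")
	)
	:gws (
		: (example-gw
			:obj ("192.0.2.10")
		)
	)
	:managers ()
)'''

# Constructed sample: a package with no site information.
EMPTY = FULL.replace(FULL[FULL.index(":gws"):FULL.index(":managers")],
                     ":gws ()\n\t")

if __name__ == "__main__":
    for label, text in (("full", FULL), ("empty", EMPTY)):
        print(label, "->", embedded_topology(text) or "no site information")
```

A non-empty result means the package should not be placed on an unauthenticated download page as it stands.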
