UserAuthority
Administration Guide
Version NGX R65
700358 March 7, 2007
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Table of Contents 5
Contents
Preface
Who Should Use This Administration Guide 10
Summary of Contents 11
Appendices 12
Related Documentation 13
More Information 16
Feedback 17
Chapter 1 Introduction
The Need for UserAuthority 20
Identity-based Access Control for Outbound Connections via VPN-1 Power Gateway 21
Underlying Concept and Advantage 22
Typical Deployment 23
UserAuthority SSO for VPN-1 Power Deployment 23
OPSEC Protocols 25
How to Use this Administration Guide 26
Chapter 2 UserAuthority Deployments and Installation
Overview 28
Deployments 29
Outbound Access Control 29
Citrix MetaFrame or Windows Terminal Services 34
Supported Platforms 37
Installation and Configuration 38
Installing and Configuring UAS on VPN-1 Power 38
Installing and Configuring the UAS on the Windows DC 49
Chapter 3 Outbound Access Control
The Challenge 60
The UserAuthority Solution 61
Identification using SecureAgent 63
Identity Sharing 63
Retrieving Windows Groups with UserAuthority 68
Outbound Access Control using Citrix Terminals as TIP 69
Scenario - An Organization using Multiple Windows DCs 70
Scenario - An Organization Using Multiple Domains 72
Configurations 74
Adding Additional Windows DCs 74
Outbound Access Control on Citrix or Windows Terminals 75
Configuring UserAuthority Domain Equality 75
Chapter 4 User Management in UserAuthority
Overview 80
Managing Users and Groups 81
Users in UserAuthority 81
User Groups in UserAuthority 81
Using a Local Check Point Database 83
Using an External Database 84
Using the Windows User Identity 85
Users in the Windows Domain 85
Configuring UserAuthority to Recognize Windows User Groups 85
Chapter 5 Auditing in UserAuthority
Overview 88
Using Logs for Auditing 89
Auditing Outbound Traffic Using UserAuthority Outbound Access Control 90
Configuring UserAuthority for Auditing 94
Configuring Auditing of Requests for External Resources 94
Chapter 6 High Availability and Load Balancing
Overview 96
High Availability 96
Load Balancing 96
High Availability and Load Balancing in UserAuthority 97
Using Multiple Windows DCs 98
Using a VPN-1 Power Cluster 99
Chapter 7 UserAuthority CLIs
Chapter 8 UserAuthority OPSEC APIs
Overview 110
Programming Model 111
Defining a UAA Client 114
Client Server Configuration 114
OPSEC UserAuthority API Overview 114
Function Calls 125
Session Management 125
Assertions Management 126
Managing Queries 129
Managing Updates 130
Managing Authentication Requests 131
Assertions Iteration 132
Managing UAA Errors 134
Debugging 135
Event Handlers 136
UAA_QUERY_REPLY Event Handler 136
UAA_UPDATE_REPLY Event Handler 137
UAA_AUTHENTICATE_REPLY Event Handler 138
Chapter 9 Monitoring the UserAuthority Environment
Overview 142
System Monitoring 143
Monitoring the System Status 143
User Monitoring 148
Monitoring User Activities 148
Monitoring Example: SecureAgent Cannot Provide User Identity 149
Chapter 10 Troubleshooting UserAuthority
Overview 152
General Problems 153
Why is there no established SIC? 153
Why are Domain Controller Queries not Sent Properly? 156
User-Related Problems 157
Why does SecureAgent not identify the user? 157
Why are Terminal Server Clients not Identified by UAS? 160
Why does the Firewall Report Identify Users as Unknown? 161
Appendix A Integrating UserAuthority with Meta IP
Overview 164
Required Components 165
Preliminary Steps 166
Windows DC Configuration 167
VPN-1 Power Policy Configuration 168
DHCP Server Configuration 170
Appendix B Glossary
Acronyms and Abbreviations 176
Index 183
Preface
In This Chapter
Who Should Use This Administration Guide page 10
Summary of Contents page 11
Related Documentation page 13
More Information page 16
Feedback page 17
Who Should Use This Administration Guide
This Administration Guide is intended for administrators responsible for
maintaining network security within an enterprise, including policy management
and user support.
This Administration Guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
Summary of Contents
This Administration Guide provides step-by-step instructions for configuring UserAuthority. In order to assist you in the deployment of UserAuthority, this Administration Guide contains various scenarios that suit the deployments of most enterprises. These scenarios are followed by detailed [...]
Appendices
This Administration Guide contains the following appendices:
Table A-2 Appendix / Description
Appendix A, “Integrating UserAuthority with Meta IP”: explains how UserAuthority can easily be integrated with the Meta IP product to provide authenticated IP addresses from an authenticated IP pool to authenticated users.
Appendix B, “Glossary”: describes the acronyms and abbreviations used in this Administration Guide.
Related Documentation
The NGX R65 release includes the following documentation.
TABLE P-1 VPN-1 Power documentation suite (Title: Description)
Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information [...] What’s New, Licenses, Minimum hardware and software requirements, etc.
Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring [...]
[...] secure VoIP traffic.
Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, [...]
SecurePlatform/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, [...]
[...] environments.
TABLE P-2 Integrity Server documentation (Title: Description)
Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview [...]
[...] SecureClient/Integrity client package.
Integrity Advanced Server System Requirements: Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide: Provides the contents [...]
[...] Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
More Information
• For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/
• See the latest version of this document in the User [...]
Chapter 1 Introduction (fragment)
[...] set, see Chapter 8, “UserAuthority OPSEC APIs”.
How to Use this Administration Guide
This Administration Guide provides step-by-step instructions for configuring UserAuthority. In order to assist you in the deployment of UserAuthority, this Administration Guide contains various scenarios that suit the deployments of most enterprises. These scenarios [...]