VPN Configuration Guide: Greenborder™ Professional

GreenBorder is a trademark or registered trademark of Green Border Technologies. Protection depends only on the configuration of your trusted networks. There are a few configuration options to consider when planning your support for VPN users.


GreenBorder Professional version 2.7.3
VPN Configuration Guide
Version 2.7

331 Fairchild Dr. Mountain View, CA 94043
[Link]
Document Version: 2.7.3 Final
Revision Date: July 2005
2002-2005 Green Border Technologies, Inc. All rights reserved.
GreenBorder is a trademark or registered trademark of Green Border Technologies, Inc. in the United States and/or other countries. Microsoft, Outlook, Windows, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Check Point, SecuRemote, SecureClient, VPN-1, Firewall-1, SmartCenter, and VPN-1 Pro are trademarks or registered trademarks of Check Point Software Technologies Ltd.

VPN Configuration Guide

Introduction
[Link] configuration does not change dynamically and doesn't need to be updated to respond to [Link] [Link], there are a few configuration options to consider when planning your support for VPN users:

Does your trusted corporate network use private IP addresses?

Private addresses inside the firewall are a common choice for organizations with lim [Link] ing table.
Network Address    Subnet Mask
[Link]             [Link]
[Link]             [Link]
[Link]             [Link]

These addresses might be used on a remote network that a VPN user connects at home, in a hotel, [Link], GreenBorder must determine that the remote network is not part of the trusted network; therefore, you must config [Link] details about how to configure network rules, see Configuring Trust in Private IP Ranges on page 2.

Do remote users access web-based resources on the public Internet?

For example, remote users might use the public Internet for Outlook Web Access or [Link] [Link], you would need to create rules to trust the web-based sites that remote users access. (See Configuring Web-based Resources for Remote Users for more information.)

Version 2.7
VPN Configuration Guide | 1

Do you use Check Point SecuRemote or Check Point SecureClient VPN clients?

Check Point SecuRemote and SecureClient VPN clients can create transparent VPN [Link] that GreenBorder does not recognize the transparent connection, and so does not [Link] [Link] Connections and Working with Check Point VPN Clients for more information.

In most cases, the configuration you need for VPN users does not affect non-VPN users [Link], for all GreenBorder users, you can use a single [Link] VPN users separate from the configuration for internal users, it is a simple matter to create a new configuration, or derive a configuration for VPN users from an existing configuration. Refer to Chapter 4, Creating and Configuring Agent Configurations, in the GreenBorder Administrator's Guide for information on deriving or creating new configurations.

Configuring Trust in Private IP Ranges

If you use private IP addresses on your corporate network, you need to set the Trust only on interfaces that authenticate a server option in your Trusted Network rules for VPN users. Figure 1-1 shows how you would set this option.


Figure 1-1 Setting Trust Only on Interfaces that Authenticate a Server

NOTE You cannot modify the inherited network rules in an inherited configuration; you can only add new rules. To create special rules for VPN users, you can modify the network rules in the parent configuration or start with a clean configuration that does not have a parent.

By setting this option, the network range will only be trusted when the GreenBorder [Link] GreenBorder agent from trusting remote networks at a home or hotel, for example, because the GreenBorder Management Server will not be reachable on those networks. However, when a GreenBorder user initiates a VPN connection, the new VPN interface will trigger the GreenBorder agent to try again to authenticate its GreenBorder [Link], all of the network addresses that are routed over the VPN interface and that match Trusted Network rules will be trusted.
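The following model of that trust decision is an added illustration, not GreenBorder code: it shows why a rule for a private range is trusted on the VPN interface (server authenticated) but stays untrusted on a home LAN that happens to use the same range. The rule and interface names are invented, the private ranges are assumed to be the RFC 1918 ranges (the values in the guide's table are not recoverable here), and "routed over an interface" is simplified to "the interface address lies in the rule's range".

```python
"""Model of the "Trust only on interfaces that authenticate a server" option.
Added illustration, not GreenBorder code.  Assumption: the guide's table of
private ranges is the RFC 1918 set."""
from dataclasses import dataclass
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class TrustedNetworkRule:
    network: str                # range the rule trusts, e.g. "10.0.0.0/8"
    require_server_auth: bool   # the option shown in Figure 1-1


@dataclass(frozen=True)
class Interface:
    name: str
    address: str                # the agent's own address on this interface
    server_authenticated: bool  # Management Server authenticated over it?


def overlaps_private_space(rule: TrustedNetworkRule) -> bool:
    """True when the rule's range could also appear on a home or hotel LAN."""
    net = ipaddress.ip_network(rule.network)
    return any(net.overlaps(p) for p in PRIVATE_RANGES)


def trusted_interfaces(rules, interfaces):
    """Return {interface name: [networks trusted on it]}.  Simplification: a
    rule applies to an interface when its address lies in the rule's range."""
    result = {}
    for iface in interfaces:
        addr = ipaddress.ip_address(iface.address)
        trusted = []
        for rule in rules:
            if addr not in ipaddress.ip_network(rule.network):
                continue
            # A matching range stays untrusted until the agent has
            # authenticated its server over this particular interface.
            if rule.require_server_auth and not iface.server_authenticated:
                continue
            trusted.append(rule.network)
        result[iface.name] = trusted
    return result


if __name__ == "__main__":
    rules = [TrustedNetworkRule("10.0.0.0/8", True)]
    home = Interface("Home LAN", "10.0.0.5", False)   # same range, no server
    vpn = Interface("VPN", "10.130.56.7", True)       # server reachable
    print(trusted_interfaces(rules, [home, vpn]))     # {'Home LAN': [], 'VPN': ['10.0.0.0/8']}
```

Clearing `require_server_auth` on the same rule makes the home LAN trusted as well, which is the exposure the next section describes.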

Security Risks of Not Requiring Authentication

In some cases, it might not be possible to have a GreenBorder Management Server available for VPN users to authenticate, or your VPN client might create transparent connections that do not trigger an authentication request (see the section Issues with Transparent VPN Connections below). Therefore, your only option for VPN users might [Link] [Link], the remote computer is effectively cut off from the remote network while the VPN is active, so the only risks are damage and theft of data on the computer (versus potential use of the computer to attack servers inside the corporate network).

If the option to require server authentication is not checked, a network will always be [Link] [Link] include ports used for file and printer sharing, [Link] [Link], the benefit of using network file and printer sharing usually outweighs the security risks, but on a remote network there is no reason to have these ports open.

A less serious issue with not requiring trust is that any web site on a remote network that [Link] attacker on the remote network could get a user to visit a web page hosted on that network (by using a DNS poisoning or injection attack). The hostile web page would be on a network considered trusted, [Link] running from that web site would have access not only to the user's computer but could also use a VPN connection to access your corporate network.

These risks are presented so that you understand the implications of not using the option [Link], you might decide to accept these risks if you have other security countermeasures.

Issues with Transparent VPN Connections

A transparent VPN connection creates an IPSec tunnel into the corporate network without [Link] transparent connections are Check Point SecuRemote and SecureClient.

If no new network interface is created for the VPN connection, there is no event to trigger [Link] the option to require server authentication to trust a network, the network accessible [Link], there is no GreenBorder Management Server available, so all networks are considered [Link] server, all networks remain untrusted even after the VPN tunnel is created.

The security risks under these conditions are from content and code inside the [Link], there might [Link] VPN connection is untrusted, anything running inside the GreenBorder environment has [Link], if the user browses the corporate intranet, [Link] could be intercepted or traced by malware introduced to the GreenBorder environment from another Internet site.

To mitigate these security risks, you should not use transparent VPN connections with [Link] [Link]. (See the section Installing GreenBorder over a VPN Connection for more information.) If you must use a VPN client in transparent mode, consider not requiring server [Link] [Link] authentication are often more tolerable than the risks of forcing your corporate intranet to be browsed within GreenBorder.


Configuring Web-based Resources for Remote Users

Remote users might need access to web-based corporate applications, such as Outlook [Link] make it easy for users to access them without using a VPN tunnel into the corporate [Link] (and might not even be accessible from within the corporate firewall), you might not have added them as Trusted Network rules in your configurations.

Add Trusted Network rules for any web-based corporate applications that remote users [Link], use the IP address for the rule; otherwise, you can use the name of the application host.

Installing GreenBorder over a VPN Connection

If the GreenBorder agent is installed over a VPN connection, the user will have to manually update the configuration before the GreenBorder agent will start.

When the GreenBorder agent is installed, it has a default, [Link] the computer restarts after installation, the agent downloads the latest configuration from [Link], the GreenBorder Management Server will not be available until the VPN connection is reestablished (which is not normally during bootup). Therefore, after a user installs GreenBorder over a VPN connection, the GreenBorder Security Agent will be disabled (there will be a red X on the tray icon), and the user will be notified that no configuration has been downloaded.

To start the GreenBorder agent after installing over a VPN connection, do the following:
1 Establish the VPN connection so that the GreenBorder Management Server can be reached.
2 [Link] progress as the agent contacts its server and downloads the latest configuration.
3 Troubleshoot any VPN installation issues. (See the next section, Troubleshooting VPN Installation Issues.)


Troubleshooting VPN Installation Issues

If the GreenBorder Security Agent is still not enabled, the most likely reason that the [Link] troubleshoot the problem:
1 Verify that the VPN is actively connected.
2 [Link] administrator, or if you are the administrator, visit the GreenBorder Management Server web interface at [Link]
3 Check the Application event log to verify that the problem is that the server was not reached by doing the following:
   a Right-click My Computer (on the Start Menu or Desktop) [Link] opens the Computer Management console.
   b Under System Tools, open Event Viewer and double-click Application.
   c [Link] the event to see the contents.
   d If the event is Failed to authenticate server: YOURSERVERNAME, the problem is that the server could not be reached.
   e If there is no error from the GB Network Authenticator or the error is not an authentication failure, contact GreenBorder support for more help.
4 Check whether the server can be reached by doing the following:
   a [Link] example, if the server name given is YOURSERVERNAME, open Internet Explorer and try to go to [Link]
   b If you get an error page, [Link] the error is Cannot find server or DNS Error, the server is not reachable.
   c If you get a different error, such as an HTTP 404 File not found or a permission error, the GreenBorder Management Server is reachable, but there may be another [Link].
5 If the server cannot be reached, try to disconnect the VPN connection, connect again, then try to Update the GreenBorder configuration.
6 If the server is still unreachable, [Link], if the [Link], try using Internet Explorer to visit [Link]
7 If you do not get a DNS error (that is, you get a permissions error or a page not found), the server is reachable using the fully qualified name, and you can do the following:
   a [Link] you are familiar with modifying the registry, [Link] update the value in HKEY_LOCAL_MACHINE\Software\GreenBorder\ServerUrl with the fully qualified name of the GreenBorder Management Server.
   b If you are not familiar with editing the registry, contact GreenBorder support for assistance.
8 If the server is still not reachable, it may be on a network segment that is not accessible [Link].
9 Right-click the GreenBorder tray icon and click Enable.
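The decision an administrator walks through in steps 3 to 8 above, as an added offline illustration (not a GreenBorder tool): it parses event records for the authentication failure, then checks whether the short server name or only its fully qualified name resolves, and reports the matching action, including the ServerUrl registry value from step 7a. The event records and the resolver are constructed inputs, the spacing of the event source name is assumed, and corp.example.com is an invented domain suffix.

```python
"""Offline model of the VPN troubleshooting steps.  Added illustration, not a
GreenBorder tool; events, resolver and domain suffix are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

AUTH_SOURCE = "GB Network Authenticator"              # assumed spelling (step 3e)
AUTH_FAIL_PREFIX = "Failed to authenticate server: "  # event text from step 3d
SERVER_URL_VALUE = r"HKEY_LOCAL_MACHINE\Software\GreenBorder\ServerUrl"  # step 7a


@dataclass(frozen=True)
class EventRecord:
    source: str
    message: str


def failed_server_name(events: Iterable[EventRecord]) -> Optional[str]:
    """Step 3: server name from the newest authentication failure, else None."""
    name = None
    for ev in events:
        if ev.source == AUTH_SOURCE and ev.message.startswith(AUTH_FAIL_PREFIX):
            name = ev.message[len(AUTH_FAIL_PREFIX):].strip()
    return name


def diagnose(events: Iterable[EventRecord], resolves: Callable[[str], bool],
             domain_suffix: str) -> Tuple[str, Optional[str]]:
    """Steps 3-8 as one decision.  resolves(host) is True when the name
    resolves (a 404 or permission error still means reachable) and False on a
    'Cannot find server or DNS Error'."""
    server = failed_server_name(events)
    if server is None:
        return ("contact_support", None)           # step 3e
    if resolves(server):
        return ("other_problem", server)           # step 4c: server reachable
    if "." not in server:                          # steps 6-7: try the FQDN
        fqdn = f"{server}.{domain_suffix}"
        if resolves(fqdn):
            return ("update_server_url", fqdn)     # set SERVER_URL_VALUE to fqdn
    return ("check_vpn_and_route", server)         # steps 5 and 8


# Constructed sample: the agent logged a failure for the short server name,
# and on this VPN only the fully qualified name resolves.
SAMPLE_EVENTS = [
    EventRecord("Service Control Manager", "The GreenBorder service started."),
    EventRecord(AUTH_SOURCE, "Failed to authenticate server: GBSERVER"),
]
RESOLVABLE = {"GBSERVER.corp.example.com"}


def sample_resolver(host: str) -> bool:
    return host in RESOLVABLE


if __name__ == "__main__":
    print(diagnose(SAMPLE_EVENTS, sample_resolver, "corp.example.com"))
```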

Working with Check Point VPN Clients

This section lists the clients tested with GreenBorder and briefly discusses installation and security issues with Check Point VPN clients.

Clients Tested with GreenBorder

GreenBorder has tested the following Check Point VPN clients to ensure that they are compatible with the GreenBorder Security Agent:
- Check Point SecuRemote (R55) (if you do not use private IP addresses; see Security Issues with GreenBorder when Check Point VPN Clients use Transparent Mode on page 9)
- Check Point SecureClient (R55)

If your Check Point VPN client does not appear on this list, contact GreenBorder support. GreenBorder is continuously updating the list of tested applications, and we are always willing to verify applications that our customers use.


Installing Check Point VPN Clients with GreenBorder

There is no special installation procedure required for installing GreenBorder and Check [Link]. If you install GreenBorder remotely on a computer connected to the corporate network using the VPN, be sure to read Installing GreenBorder over a VPN Connection on page 6.

Security Issues with GreenBorder when Check Point VPN Clients use Transparent Mode

If you use private IP addresses inside your corporate network, and you use a Check Point VPN client in transparent mode, there may be security issues for remote GreenBorder [Link], you can address the security issues by using Office Mode instead of operating the VPN client in transparent mode. The sections Configuring Trust in Private IP Ranges and Issues with Transparent VPN Connections describe the security issues in detail.

To configure Office Mode for your VPN users, you should consult your Check Point [Link] basic testing or a pilot project, the procedure from the Check Point documentation provided in the following sections can help you create a basic Office Mode configuration.

Configuring Office Mode on the Check Point Firewall-1 or VPN-1 Server

[Link] [Link], you should consult your Check Point documentation, from which these procedures were derived, for detailed information.

Before configuring Office Mode, the assumption is that standard VPN Remote Access has [Link], refer to your Check Point VPN documentation.

You must select an internal address space designated for remote users using Office Mode [Link] address space as long as the addresses in this space do not conflict with addresses used [Link] on the Internet, such as 10.x.x.x.

The basic configuration of Office Mode using DHCP for address allocation can be found in your Check Point VPN-1 documentation. To deploy the basic Office Mode (using IP pools), perform the following steps:
1 Create a network object to represent the IP Pool by selecting Manage > Network Objects > New > Network.
2 In the Network Properties General tab, set the IP pool range of addresses as follows:
   - In Network Address specify the first address to be used (for example, [Link]).
   - In Net Mask enter the subnet mask according to the amount of addresses you wish to use (entering 255.255.255.0, for example. This will designate all 256 IP addresses from 10.130.56.1 till 10.130.56.254).
   - Changes to the Broadcast Addresses section and the Network Properties NAT tab are not necessary.
3 Open the Gateway object through which the remote user will connect to the internal network and select the Remote Access > [Link] either all users or for a certain group. Figure 1-2 shows the Office Mode page with Office Mode enabled for all users.


Figure 1-2

Now do the following:
- In the Allocate IP from network select the IP Pool network object you have previously created.
- IP lease duration specify the duration in which the IP is used by the SecureClient machine.
- Under Multiple Interfaces, specify whether you want routing to be done after the encapsulation of Office Mode packets, allowing traffic to be routed correctly when your gateway has multiple external interfaces.
- Select Anti-Spoofing if you want the firewall to check that Office Mode packets are not spoofed.

It is possible to specify which WINS and DNS servers Office Mode users should use. To specify WINS and/or DNS servers, continue to step 4. Otherwise go to step 7.

NOTE WINS and DNS servers should be set on the Check Point SmartCenter machine only when IP pool is the selected method.

4 Create a DNS server object by selecting Manage > Network objects > New > Node > Host and specify the DNS machine's name, IP address, [Link] you have additional DNS servers.
5 Create a WINS server object by selecting Manage > Networks objects > New > Node > Host and specify the WINS machine's name, IP address, and subnet [Link].
6 In the IP Pool section of the Check Point Gateway Remote Access > Office Mode page, click the optional parameters button.
   - In the IP Pool Optional Parameters window, select the appropriate objects for the primary and backup DNS and WINS servers.
   - In the Domain name fields, specify the suffix of the domain where the internal [Link] addresses the DNS server (for example, [Link]).
7 Install the Policy.
8 Make sure that all the internal routers are configured to route all the traffic destined to the internal address space you had reserved to Office Mode users through the Check [Link], in the example above, it is required to add routes to the class C subnetwork of 10.130.56.0 through the gateway's IP address.

In addition to the steps mentioned for the gateway-side configuration, a few configuration steps have to be performed on the client side to connect to the gateway in Office Mode. (See Configuring Check Point SecureClient to Use Office Mode.)


Configuring Check Point SecureClient to Use Office Mode

On the client's machine the following steps should be performed to connect to the gateway in Office Mode.
1 [Link], select Configure.
2 Select Tools > Configure Connection Profile > Advanced and select Support Office Mode.
3 Click OK, Save and Close, then select Exit from your File menu.
4 [Link] using a dial-up connection to connect to the gateway, select Use Dial-Up and choose the name of your dial-up connection profile from the drop-down menu. (It is assumed that such a profile already exists.) If dial-up is not used (that is, connection to the gateway is done through a network interface card), proceed to step 5.
5 Select Connect to connect to the organization using Office Mode.

The administrator can simplify configuration by configuring a profile in advance and providing it to the user.
