Actually they worked quite well for us (300+ remote users) and they are a heck of a lot more secure than user name & password.

There's an SK article on how to set it up. You have to generate an administrator certificate that is put into your browser store. Then you run this command on the SmartCenter to authorize the certificate and to turn on the interface. Then you go to https://<SmartCenterIP>:18265 and you have a browser interface to the entire certificate authority with access authenticated by the admin certificate you created. You can search, renew, create, whatever.

Ray


From: John Lindblom <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Problem renewing SecuRemote certificate
Date: Wed, 5 Sep 2007 09:36:01 -0500

I'm not sure what you mean by "web interface to the ICA"; I'm only familiar
with the SPLAT web access.

It sounds like certificates could be a pain.





From: Ray <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Problem renewing SecuRemote certificate
Date: 09/04/2007 06:16 PM






Sneaker-net. :-)


Once it's expired, it's expired. You will need to issue a new certificate
and get it to them somehow or use the "pull" method where they enter the
code they receive by email to get a new certificate.

If you're running current versions of FW-1 and SecuRemote/SecureClient, the
automatic renewal process works fine as long as they connect once when they
are inside the renewal period. That's 60 days by default. I raised mine to
90.

I use the web interface to the ICA (the one on port 18265 of the
SmartCenter) and run queries occasionally to make sure I don't let one
expire.

Ray



>From: John Lindblom <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] Problem renewing SecuRemote certificate
>Date: Tue, 4 Sep 2007 08:43:07 -0500
>
>This raises a question for me.
>
>How are end user certificates handled when they expire if they can't be
>renewed?  I just started using certificates and I need to plan for issues
>with expiration.
>
>John
>
>
>
>From: Richard Newton <[EMAIL PROTECTED]>
>Sent by: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>Please respond to: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Problem renewing SecuRemote certificate
>Date: 09/03/2007 09:27 PM
>
>
>
>
>
>
>Ray -- Thanks so much. It looks like this did the trick. (It was the VPN
>cert on the firewall that was expired.)
>
>~~Richard~~
>
>On 9/3/07, Ray <[EMAIL PROTECTED]> wrote:
> >
> > Which certificate is expired? The one that the SecuRemote uses to
> > authenticate themselves to the firewall or the actual VPN certificate on
> > the firewall?
> >
> > If it is an end user certificate, it cannot be renewed once it's expired.
> >
> > If it's the one for the firewall, try un-checking VPN on the firewall
> > object, save the firewall object, open the firewall object, re-check VPN,
> > save the firewall object and push the policy.
> >
> > Ray
> >
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================