There are a few steps to follow in order to get it working.

1. In the network object for your policy server, make sure the 'Exportable
to SecuRemote' option is set (VPN tab), and 'VPN-1 & Firewall-1 Modules
Installed' (General Tab).
2. Under Policy Properties / Desktop Security, define the appropriate policy
and enforcement options.
3. Create a Policy Server object (Manage Servers) and set your policy host
and the User Group it will be enforcing (I just have one policy server which
serves a global group)
4. You obviously need a rule to allow users to connect. You also need a rule
which allows a connection between the SecureClient and the policy server
e.g.
-------------------------------------------------------------------------
Src      | Dst     | Svc         | Action         | Track    | Install On
-------------------------------------------------------------------------
Help@Any | Pol-Svr | FW1_pslogon | Accept         | Long     | Gateways
Help@Any | Enc-Dom | Any         | Client Encrypt | Account  | Gateways
-------------------------------------------------------------------------
5. If there is a firewall between the client and Policy Server, you must
create a rule which allows FW1_encapsulation and RDP if you are using FWZ,
or IPSec if you are using IKE, e.g. if your policy server sits in the
protected domain.

When you install the policy, it downloads the appropriate desktop policy to
the policy server.

CAVEAT: Make sure all your clients are upgraded to a SecureClient prior to
implementing a desktop security policy. If there are any SecuRemote clients
that don't support desktop policies (build 4157 I think, but earlier
versions may support it) then they will authenticate, but they won't have
access to the network, and they won't have a clue why. Earlier versions
don't display a message about incorrect desktop policies.

You will need to update your topology on the SecureClient. I prefer
out-of-band updates.

Hope this helps.

Craig/
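
Added example, not from Craig's message or from Check Point: a small audit of a rule base for the rules steps 4 and 5 call for, using the object and service names from the table above (Help, Pol-Svr, Enc-Dom, FW1_pslogon, FW1_encapsulation, RDP, IPSec). The list-of-dicts layout is an assumption, and the check models FW-1's top-down first-match evaluation, so a rule placed above the policy-server rules (the constructed stealth rule in the sample) is reported as shadowing them.

```python
# Added example (not the original message's or Check Point's code): audit a
# FW-1 rule base, modelled as a list of dicts (an assumption), for the
# SecureClient policy-server rules; object/service names are from the message.

def _col_matches(rule_val, want):
    """A column matches if it is Any, names the object, or is a group (list) containing it."""
    if rule_val == "Any":
        return True
    if isinstance(rule_val, str):
        return rule_val == want
    return want in rule_val

def first_match(rulebase, src, dst, svc):
    """FW-1 evaluates top-down and the first matching rule decides the connection.
    Returns None when no rule matches (the implicit drop applies)."""
    for rule in rulebase:
        if (_col_matches(rule["src"], src) and _col_matches(rule["dst"], dst)
                and _col_matches(rule["svc"], svc)):
            return rule
    return None

def missing_rules(rulebase, user_group, policy_server, enc_domain,
                  behind_firewall=False, key_scheme="IKE"):
    """List required rules that are absent or shadowed by an earlier rule
    with a different action."""
    src = f"{user_group}@Any"          # user group at any source address
    checks = [
        ("policy server logon", src, policy_server, "FW1_pslogon", "Accept"),
        ("client encryption to encryption domain", src, enc_domain, "Any", "Client Encrypt"),
    ]
    if behind_firewall:                # step 5: tunnel traffic must cross the inner firewall
        svcs = ["IPSec"] if key_scheme == "IKE" else ["FW1_encapsulation", "RDP"]
        checks += [(f"{s} to policy server", src, policy_server, s, "Accept") for s in svcs]
    problems = []
    for desc, s, d, svc, want in checks:
        hit = first_match(rulebase, s, d, svc)
        if hit is None:
            problems.append(f"{desc}: no rule matches, implicit drop")
        elif hit["action"] != want:
            problems.append(f"{desc}: shadowed by rule {hit['no']} ({hit['action']}), expected {want}")
    return problems

# Constructed sample: a stealth rule placed above the policy-server rules.
SAMPLE_RULEBASE = [
    {"no": 1, "src": "Any", "dst": "Pol-Svr", "svc": "Any", "action": "Drop"},
    {"no": 2, "src": "Help@Any", "dst": "Pol-Svr", "svc": "FW1_pslogon", "action": "Accept"},
    {"no": 3, "src": "Help@Any", "dst": "Enc-Dom", "svc": "Any", "action": "Client Encrypt"},
]
```

Running `missing_rules(SAMPLE_RULEBASE, "Help", "Pol-Svr", "Enc-Dom", behind_firewall=True)` reports the logon and IPSec rules as shadowed by rule 1; moving the stealth rule below them clears the report.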

-----Original Message-----
From: Joshua Gray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 22, 2000 6:23 AM
To: Little, Craig; '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] Policy Server for Secure Client



What license did you use on the management box to get the ability to enforce
the security on secure clients.  Right now I don't even have the option to
select Login to a policy server because it is grayed out on the client side.
Any help is appreciated.

Thanks

-----Original Message-----
From: Little, Craig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 21, 2000 5:10 AM
To: '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [FW1] Policy Server for Secure Client



I've implemented it on the management server, but you can implement it
wherever you have a firewall licence. There may be a 'light' licence you can
purchase to install it on its own machine - but that may have been a rumour.

Craig/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 21, 2000 11:04 PM
To: Little, Craig
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [FW1] Policy Server for Secure Client



Hi

This policy server is separate from whatever manages multiple firewall
policies on FW-1 Enterprise?

Tim Higgins

From: "Little, Craig" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: RE: [FW1] Policy Server for Secure Client
Date: 21/06/00 09:38

The policy server keeps track of the number of SecureClients currently
logged on with policies in force.

Craig/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 21, 2000 9:02 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Policy Server for Secure Client




Hi

You have to have a separate license for Secure Client (Secure Remote is
free).

Don't know how/where this license is applied - at client and Fwall? Can
someone please confirm?

We currently run just SR for our dial-up users but we want to look at using
ADSL/Cable-Modems in future and will need to use S Client for extra
security if this goes ahead.


Tim Higgins

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: [FW1] Policy Server for Secure Client
Date: 20/06/00 23:34

To get the policy server setup correctly what type of license do you need
exactly?  I have gotten an eval suite from our reseller but when I use
secure remote/client the option to login to a policy server is always
grayed out.  I have created a policy server on the management side but
still nothing changes.  Any help on what it takes to make this work would
be appreciated.  Please reply back to the group and send the email directly
to me.

Thanks,

Joshua Gray


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================





#**********************************************************************
This message is intended solely for the use of the individual
or organisation to whom it is addressed. It may contain
privileged or confidential information.  If you have received
this message in error, please notify the originator immediately.
If you are not the intended recipient, you should not use,
copy, alter, or disclose the contents of this message.  All
information or opinions expressed in this message and/or
any attachments are those of the author and are not
necessarily those of Hughes Network Systems Limited,
including its European subsidiaries and affiliates. Hughes
Network Systems Limited, including its European
subsidiaries and affiliates accepts no responsibility for loss
or damage arising from its use, including damage from virus.
#**********************************************************************