If you configure FWZ as well as IKE, and generate the management
certificate, you will be able to do SR site update, etc. It seems that SR
*requires* the FWZ certificate.
Found this during testing of CP2K and the latest build of SR (4157).
T
--
Timothy Frost mailto:[EMAIL PROTECTED]
EDS New Zealand Fax: +64-4-495-0473
8 Gilmer Terrace Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, June 17, 2000 10:46 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] Internal CA for Hybrid mode
>
>
>
>
> Unfortunately, the former. It turns out that it is documented, I just missed
> it. You cannot perform site configuration or site update using hybrid mode.
> The suggested approach from CP support is to maintain a user (or users) with
> preshared secrets specifically for the purpose of updating sites. You can do
> initial site setup just by distributing the appropriate userc.c, or by using
> an account with preshared secret authentication.
>
> Hope I'm making sense. Good luck!
>
> Dan Hitchcock
> Network Engineer
>
>
>
>
>
> [EMAIL PROTECTED] on 06/16/2000 01:42:44 PM
>
> To:
> cc: [EMAIL PROTECTED] (bcc: Dan Hitchcock/CSB)
>
> Subject: Re: [FW1] Internal CA for Hybrid mode
>
>
>
>
>
>
> Are you saying that you can never do a site update with hybrid mode or are
> you saying that you can't use hybrid mode until you get a site update that
> includes the CA info?
>
> Keith White
>
>
>
> Dan.Hitchcock@homestreetbank.com    06/16/00 04:06 PM
> To: [EMAIL PROTECTED]
> cc: [EMAIL PROTECTED], (bcc: Keith White/NA/Millipore)
> Subject: Re: [FW1] Internal CA for Hybrid mode
>
>
>
>
>
>
>
> One possibility is that the SecuRemote client has not yet received the CA
> information. You cannot perform site updates using hybrid mode auth
> (aaargh!), so you must make sure to update the site with a user that has a
> preshared secret (I assume you're using IKE, or hybrid mode is meaningless).
> CA updates will NOT be pushed to the client in automatic topology update -
> you must manually update the site on the SR client after installing the CA.
> To verify if the SecuRemote client has the necessary CA info, look in the
> userc.c file on the SR client for a section that looks something like:
>
> :MgmtInternalCA (
> :public (
> yadda yadda
>
> Hope that's a start...
>
> Dan Hitchcock
> Network Engineer
>
>
>
>
>
> [EMAIL PROTECTED] on 06/16/2000 12:32:00 PM
>
> To: [EMAIL PROTECTED]
> cc: (bcc: Dan Hitchcock/CSB)
>
> Subject: [FW1] Internal CA for Hybrid mode
>
>
>
>
>
> Hi all,
>
> I have recently been installing FW1 version 4.1 SP1 in order to get the
> hybrid mode going and authenticate off of the FW1 internal user database.
> During the process, according to the documentation on CheckPoint's site, I
> have had to create an Internal CA. Well, all seems good from the Policy
> manager perspective, where I see the internal CA under the manage servers
> windows and the certificate which was created under the firewall object.
> The test user was created according to the instructions and the firewall
> object also modified. The problem comes when Secure Client tries to
> connect in and begins complaining that the firewall is not a CA. What could
> be causing this and where should I look to fix this problem?
>
> Thanks.
>
> John
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
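The userc.c check described in the quoted reply above, as an added example that is not part of the original thread and is not Check Point tooling: a Python check that walks the nested `:name (` layout and reports whether a `:MgmtInternalCA` section with a `:public` child is present. The sample contents and every name other than `:MgmtInternalCA` and `:public` are constructed placeholders, and the parser assumes only the parenthesised layout quoted in the thread.

```python
import re

# Constructed samples in the nested ":name (" layout quoted in the thread.
# Only :MgmtInternalCA and :public come from the thread; the rest is placeholder.
SAMPLE_WITH_CA = """(
    :gws (
        : (example-gw
            :MgmtInternalCA (
                :public (
                    :placeholder_key ("constructed value with ) paren")
                )
            )
        )
    )
)"""
SAMPLE_WITHOUT_CA = """(
    :gws (
        : (example-gw
            :placeholder_opt (true)
        )
    )
)"""

# Quoted strings first, so parentheses inside values are not counted.
TOKEN = re.compile(r'"[^"]*"|[()]|:[A-Za-z_]\w*')

def find_sections(text):
    """Return every section path, e.g. 'gws/MgmtInternalCA/public'."""
    paths, stack, pending = set(), [], ""
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(pending)  # unnamed groups get an empty name
            paths.add("/".join(n for n in stack if n))
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            stack.pop()
        # a name applies only to the parenthesis that directly follows it
        pending = tok[1:] if tok.startswith(":") else ""
    if stack:
        raise ValueError("unclosed '(' (truncated file?)")
    return paths

def has_internal_ca(text):
    """True when a :MgmtInternalCA section with a :public child exists."""
    return any(p.split("/")[-2:] == ["MgmtInternalCA", "public"]
               for p in find_sections(text))

if __name__ == "__main__":
    print(has_internal_ca(SAMPLE_WITH_CA), has_internal_ca(SAMPLE_WITHOUT_CA))
```

To check a real client, pass the contents of its userc.c to `has_internal_ca()`; a `ValueError` means the file's parentheses do not balance, which usually indicates a truncated or hand-edited copy.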