Thanks for the input David, it's a reasonable way of doing it, but I suppose
what I really wanted to know is...
Is there any way of getting in securely without modifying the gui-clients
file?
If not then it is a real 'wish list' item for Check Point (do they respond
here?)
Paul

--------------------------------------------------------------------------------------------

C. Paul Simons
Corporate Network Services
IHS Energy Group, Englewood, CO.

Main: +1 303 736 3000
Direct: +1 303 736 3451
Fax: +1 303 736 3860
Mobile: +1 303 748 5242


From: "David C. Diemer" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: [FW1] GUI client over Securemote
Date: 12-10-00 12:12

This is the way we do it using the Enterprise edition with the management
console using SSH on UNIX.  In addition, this is the "quick and dirty" method.
A more elegant solution is to use PKI, LDAP, RADIUS, etc.

Install
1.  Create a group that contains the userids that should be allowed to access
    the management console.  In this example, I have created a group called
    FWAdmin.
2.  Create a rule using Client Authentication.  The reason for client
    authentication is because you may come from any IP address and use the
    defined services as long as you are authenticated beforehand.  Insert a
    rule before the stealth rule that looks like this:
        FWAdmin@any      <mgmt console>     <desired svcs>     ClientAuth Long
3.  Telnet to port 259 or HTTP to port 900, login, and authenticate for the
    session (no. 1, I believe).  The telnet or HTTP session will disconnect
    immediately.
4.  SSH to your management console and login.
5.  Modify $FWDIR/conf/gui-clients and add your current IP address to the
    file.  You may want to create a backup of this file first.
6.  You may now run all the GUI clients from home!

Backout
Remove your IP address from the gui-clients file and all is well again.



David C. Diemer, CCSA, CNE
Enterprise Security Firewall Engineer
Georgia Department of Administrative Services (DOAS)
[EMAIL PROTECTED]
404.651.9677
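
Added example (not David's script or anything shipped by Check Point): a POSIX sh
helper for step 5 and the "Backout" step above, which backs up the gui-clients
file, adds the address once, and removes the exact line again. The GUI_CLIENTS
variable, the function names and the IPv4 check are assumptions made here.

```shell
#!/bin/sh
# Added example: maintain entries in the FireWall-1 gui-clients allow-list.
# GUI_CLIENTS defaults to $FWDIR/conf/gui-clients (the path named in the
# thread); point it elsewhere to try the functions on a scratch copy.
GUI_CLIENTS="${GUI_CLIENTS:-$FWDIR/conf/gui-clients}"

# Accept only a dotted-quad IPv4 address with each octet in 0..255, so a
# typo cannot put a malformed or over-broad entry into the allow-list.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Step 5: keep a timestamped backup, then append the address once (idempotent).
add_gui_client() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    cp "$GUI_CLIENTS" "$GUI_CLIENTS.bak.$(date +%Y%m%d%H%M%S)" || return 1
    grep -qx "$ip" "$GUI_CLIENTS" && return 0   # already listed, nothing to do
    echo "$ip" >> "$GUI_CLIENTS"
}

# Backout: drop exactly that line so the allow-list shrinks back afterwards.
remove_gui_client() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    tmp="$GUI_CLIENTS.tmp"
    # grep exits 1 when no lines remain; that is a valid (empty) result,
    # while exit 2 means a real error (e.g. unreadable file).
    grep -vx "$ip" "$GUI_CLIENTS" > "$tmp" || [ $? -eq 1 ] || return 1
    mv "$tmp" "$GUI_CLIENTS"
}
```

Typical use after the SSH login in step 4 is `add_gui_client <your current address>`
before starting the GUI, and `remove_gui_client <same address>` when done.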

>>> <[EMAIL PROTECTED]> 10/12/00 12:52PM >>>


Has anyone found a way of running the GUI clients (policy/log/status) when
connected via Securemote?
The problem is with the 'cpconfig' setup and what to put in the 'GUI
Clients' without breaking security but not knowing what IP you're coming in
on.
Paul

================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================