Thread: Two questions : AD PKI integration & upgrade R60 -> R61

Two questions : AD PKI integration & upgrade R60 -> R61
user name
2006-06-22 09:47:07
Hello,

I have two questions:

(1)
Is it possible to use an Active Directory PKI to [strongly] authenticate SecureClient users (i.e. use Windows certificates instead of Check Point's own CA certificates or Entrust certificates)?

I already dug through the documentation; all I found is the AD LDAP integration using SmartDirectory, but this enables the use of AD accounts' usernames/passwords, not certificates.

(2)
I am running NGX R60 HFA2 on SPLAT (clustered environment with load sharing multicast mode - works like a charm, btw). I am considering the upgrade to R61 for some new features regarding VPN-1 Edge management and the Integrity server, which is at last integrated into the SmartCenter.

Has anyone already done this upgrade? Do you have any interesting (bad) experiences to share? Does R61 include all the bug fixes introduced with R60's HFA3?

Thanks in advance,
Alain

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
SecureClient & LDAP
user name
2006-06-26 14:39:33
Hi,

we want to authenticate our SecureClient users via Active Directory and LDAP integration.
We have multiple Active Directory (AD) servers in different countries.
We configured them the same way but we experience different behaviour.

SecureClient works when we log on with a user of AD1.
But when we try to connect with a user of AD2 we get the error message "gateway not responding".
SmartView Tracker shows no drops/alerts or anything else.
When we use a wrong password we get an error message that the user or password is wrong.
We captured packets between the enforcement module and the LDAP server and they look the same on the working and the non-working AD. First we see the search query and after that a bind request with the user credentials, which succeeds.
Furthermore, when we create a client auth rule there's no problem authenticating a user of the second AD server. So I'm pretty sure that LDAP is configured correctly.
When we look at SecureClient Diagnostics we can see, after Phase 1 Details (Main Mode completes) - XAuth: "Sending user authentication to VPN-1 Gateway" and after that "VPN-1 Gateway did not response to IKE key-exchange"

Gateway: Nokia IPSO 4.0 VRRP Cluster running NGX-R60-HFA02
SecureClient: NGX-R60-HFA1

Does anyone have an idea where to look?

thanks in advance
Alex

SecureClient & LDAP
user name
2006-06-26 20:07:15
You should disable the line
#define ENABLE_LDAP_SERVER
in %os%\FW1\R60\fw1\lib\implied_rules.def to make sure that the LDAP traffic will be encrypted/decrypted by the rulebase.

Best Regards
Frank


MAKINO
DISCLAIMER--------------------------------------------------
--
This e-mail and any attachment is for authorised use by the
intendent
recipient(s) only ! It may contain proprietary material,
confidential
information and/ or subject to legal privilege. It should
not be
copied, disclosed to, retained or used by any other party.
If you are
not an intended recipient then please promptly delete this
e-mail and
any attachment and all copies and inform the sender. Thank
you.
------------------------------------------------end MAKINO
DISCLAIMER

Slow VPN Speed
user name
2006-06-26 22:49:53
Have you got any idea why VPN speed gets slower the higher the round-trip time is? Example:

Hamburg 34 Mbit <---> France 2 Mbit (30 ms ping)
Download/Upload speed 250/250 kbyte

Hamburg 34 Mbit <---> Chicago 20 Mbit (80 ms ping)
Download/Upload speed 350/120 kbyte

Hamburg 34 Mbit <---> Tokyo 100 Mbit (240 ms ping)
Download/Upload speed 200/60 kbyte

???
Why is the upload speed so slow (everywhere is Check Point FW R60 HFA2 or HFA3)?

Thanks
Frank


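The pattern Frank reports (throughput falling as round-trip time rises even though the far-end link gets faster) is what a single TCP flow does when its receive window, not the link, is the ceiling: a flow can never move more than window / RTT bytes per second. The following is an added worked example for this thread, not code from the original post or from Check Point. It assumes a classic 65535-byte window with no RFC 1323 scaling on the endpoints, a single flow per transfer, "Mbit" as 10^6 bit/s, "kbyte" as 1000 bytes per second, and ignores IPsec overhead; the link speeds, pings and observed rates are the figures quoted in the post.

```python
"""Window-limited TCP throughput over the three VPN links from the post above.

Added illustration for this thread, not code from the original post or from
Check Point.  Assumptions (not stated in the post): each transfer is a single
TCP flow; the endpoints use the classic 65535-byte maximum receive window
with no RFC 1323 window scaling; "Mbit" is 10^6 bit/s; "kbyte" is 1000
bytes per second; IPsec/ESP overhead is ignored; the only two ceilings
modelled are the bottleneck link rate and the window/RTT bound.
"""

RWND_BYTES = 65535  # assumed default maximum window without scaling

# (site, Hamburg side Mbit/s, remote side Mbit/s, RTT in s,
#  observed download kB/s, observed upload kB/s) - figures from the post
LINKS = [
    ("France",  34,   2, 0.030, 250, 250),
    ("Chicago", 34,  20, 0.080, 350, 120),
    ("Tokyo",   34, 100, 0.240, 200,  60),
]


def window_bound_kbs(rtt_s, rwnd=RWND_BYTES):
    """Most one flow can move per second when the sender must stop and wait
    for an ACK after every rwnd bytes in flight: rwnd / RTT, in kB/s."""
    return rwnd / rtt_s / 1000.0


def link_bound_kbs(local_mbit, remote_mbit):
    """Bottleneck link rate (the slower of the two ends) in kB/s."""
    return min(local_mbit, remote_mbit) * 1e6 / 8 / 1000.0


def bdp_bytes(local_mbit, remote_mbit, rtt_s):
    """Bandwidth-delay product: the window a flow needs in flight to keep
    the bottleneck link busy for a full round trip."""
    return min(local_mbit, remote_mbit) * 1e6 / 8 * rtt_s


def analyse(links=LINKS, rwnd=RWND_BYTES):
    """Per site: both ceilings, which one binds, the window that would be
    needed to lift the window ceiling, and how close each measured direction
    came to the binding ceiling (1.0 = right at the ceiling)."""
    result = {}
    for site, local_mbit, remote_mbit, rtt_s, down_kbs, up_kbs in links:
        wb = window_bound_kbs(rtt_s, rwnd)
        lb = link_bound_kbs(local_mbit, remote_mbit)
        ceiling = min(wb, lb)
        result[site] = {
            "window_bound_kbs": wb,
            "link_bound_kbs": lb,
            "binding": "window" if wb < lb else "link",
            "needed_window_bytes": bdp_bytes(local_mbit, remote_mbit, rtt_s),
            "down_ratio": down_kbs / ceiling,
            "up_ratio": up_kbs / ceiling,
        }
    return result


if __name__ == "__main__":
    print(f"{'site':8} {'window kB/s':>12} {'link kB/s':>10} {'binds':>7} "
          f"{'need win B':>11} {'down':>6} {'up':>6}")
    for site, r in analyse().items():
        print(f"{site:8} {r['window_bound_kbs']:12.0f} {r['link_bound_kbs']:10.0f} "
              f"{r['binding']:>7} {r['needed_window_bytes']:11.0f} "
              f"{r['down_ratio']:6.2f} {r['up_ratio']:6.2f}")
```

Under these assumptions France is link-bound and its 250/250 sits exactly on the 2 Mbit ceiling, while Chicago and Tokyo are window-bound (ceilings of roughly 819 and 273 kB/s), so they slow down with RTT no matter how fast the far end is; keeping the Tokyo path full would need about 1 MB in flight, which means window scaling on the endpoints. The model does not explain why upload lands far below the ceiling (0.15 and 0.22 of it) when download does not; that asymmetry is something on the sending side, such as loss or fragmentation of the encapsulated packets, and has to be checked separately.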
SecureClient & LDAP
user name
2006-06-27 06:37:02
Frank, thanks for the answer but it doesn't help us in our situation.
The LDAP server queries are already working; we can see that in packet traces on the servers.

Furthermore, the LDAP traffic does not have to be encrypted. Of course we use LDAP-SSL, and all servers can be reached over an MPLS network, so there's no VPN communication between the enforcement modules and the Active Directories.

As already mentioned:
Client auth, session auth... work; we can use all our directory servers for authentication.
But SecureClient only connects when the user is authenticated by Active Directory 1.
The users of the other AD servers are unable to connect.
Btw. the Active Directories are totally independent, no trusts between them and different domains.

Best regards,
Alex


Sommerfeld, Frank wrote:
> You should disable the line
> #define ENABLE_LDAP_SERVER
> in %os%\FW1\R60\fw1\lib\implied_rules.def to make sure that the LDAP traffic will be encrypted/decrypted by the rulebase.
>
> Best Regards
> Frank
