Thread: Re: AD Domain Password change vía SecuRemote

Re: AD Domain Password change vía SecuRemote
Romey Valadez
Mexico
2007-03-28 21:37:09
Hi,

Maybe you need to allow the Kerberos change password protocol (for
Windows the ports are tcp/464 and udp/464).

Check these references:

http://www.faqs.org/rfcs/rfc3244.html
http://www.faqs.org/faqs/kerberos-faq/general/section-70.html

I hope this can help you.

Regards.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
Alvarez
Sent: Wednesday, 28 March 2007 07:46 p.m.
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] AD Domain Password change vía SecuRemote


Hello,

I have this customer currently running NGX R60 (HA cluster, everything
running on SPLAT); they have a large number of remote users connecting
to the network all the time via SecuRemote.

Recently the IT department decided to deploy a new security policy in
which every user of their Active Directory domain must change his/her
password every 90 days. There is no problem with the regular LAN users,
as when they log in to the domain in the morning they start getting
warnings about their passwords expiring in a few days, and the option
to change them, but with the remote users this whole deal is different.
When they first start working with the company, somebody from the IT
staff configures their laptops to belong to the domain, they go home
and never return to the office. Since SecuRemote connects once the
machine is up and running, they never get the warning messages or the
option to change their passwords.

There is a feature available in SecureClient named Secure Domain Logon
(SDL) which actually makes the client initiate the VPN before the domain
login process, and the documentation says the idea is to allow the
login process to occur in a secure manner, but that is pretty much the
whole description of the feature.

I have done some research about this in the SK, with no success.

So my questions are:

1) Does anybody know if SDL will actually help with this issue?

2) If so, does anybody know if SecureClient licensing is supposed to be
required to use such a feature? (Office Mode, for example, is supposed
to be used only with such licensing, but the documentation has always
lacked detailed information about these licensing issues.)

3) If SDL is not the way to go, has anybody else had to deal with this
password change issue before?

I would really appreciate any help with this issue.

Regards


-- 
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================


Re: AD Domain Password change vía SecuRemote
Sergio Alvarez
2007-03-28 22:22:05
Thanks Romey,

I don't really have much knowledge of Microsoft stuff or Windows
domains, so do you know exactly how that Kerberos change password
works?

I'm thinking first of all that if this is something the DC initiates
towards the users, and these are SecuRemote users going through an IP
Pool NAT, most likely it will not work.

In any case, my questions about SDL are because I believe this whole
password change thing happens only during domain logon; do you know if
I'm right or not?

Thanks again.

Regards


On 3/28/07, Cecoban, S. A. de C. V. - Romey Valadez <rvaladezcecoban.org.mx> wrote:
>
> Hi,
>
> Maybe you need to allow the Kerberos change password protocol (for
> Windows the ports are tcp/464 and udp/464).
>
> Check these references:
>
> http://www.faqs.org/rfcs/rfc3244.html
> http://www.faqs.org/faqs/kerberos-faq/general/section-70.html
>
> I hope this can help you.
>
> Regards.



-- 
Sergio Alvarez
(506)8301342

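The kpasswd exchange Romey points to, shown as an added example that is not part of this thread nor code from Check Point or Microsoft: Python that frames and parses an RFC 3244 change-password message as it travels on tcp/464 or udp/464, and labels which side of the flow a packet belongs to. The AP-REQ and KRB-PRIV payloads are constructed placeholder bytes standing in for the real DER-encoded Kerberos structures, and the function names are the example's own. What it makes visible for the question above is that the exchange is opened by the client towards the KDC (the domain controller), so a client-initiated flow through IP Pool NAT is not in the way as long as the gateway rulebase passes the port.

```python
# Added example (not from the thread, Check Point or Microsoft): RFC 3244
# kpasswd framing on tcp/464 and udp/464. The Kerberos payloads are
# constructed placeholders, not real ASN.1/DER structures.
import struct

KPASSWD_PORT = 464           # tcp/464 and udp/464, as named in the thread
VERSION_CHANGEPW = 0x0001    # original kpasswd "change password" protocol number
VERSION_SETPW = 0xFF80       # RFC 3244 set/change-password protocol number


def build_kpasswd_message(ap_req: bytes, krb_priv: bytes,
                          version: int = VERSION_SETPW,
                          transport: str = "tcp") -> bytes:
    """Frame a kpasswd request or reply.

    Body layout (RFC 3244): message_length(2) | version(2) | ap_req_length(2)
                            | AP-REQ | KRB-PRIV   (all lengths big-endian)
    Over TCP the body is additionally prefixed with a 4-byte record length.
    """
    body_len = 6 + len(ap_req) + len(krb_priv)
    body = struct.pack("!HHH", body_len, version, len(ap_req)) + ap_req + krb_priv
    if transport == "tcp":
        return struct.pack("!I", len(body)) + body
    if transport == "udp":
        return body
    raise ValueError(f"unknown transport {transport!r}")


def parse_kpasswd_message(payload: bytes, transport: str = "tcp") -> dict:
    """Split a kpasswd message back into its fields, checking every length
    so a truncated or malformed packet is rejected rather than misparsed."""
    if transport == "tcp":
        if len(payload) < 4:
            raise ValueError("short TCP record")
        (rec_len,) = struct.unpack("!I", payload[:4])
        body = payload[4:]
        if len(body) != rec_len:
            raise ValueError(f"TCP record length {rec_len} != {len(body)} bytes present")
    elif transport == "udp":
        body = payload
    else:
        raise ValueError(f"unknown transport {transport!r}")
    if len(body) < 6:
        raise ValueError("short kpasswd header")
    msg_len, version, ap_req_len = struct.unpack("!HHH", body[:6])
    if msg_len != len(body):
        raise ValueError(f"message_length {msg_len} != body {len(body)}")
    if version not in (VERSION_CHANGEPW, VERSION_SETPW):
        raise ValueError(f"unexpected protocol version 0x{version:04x}")
    ap_req = body[6:6 + ap_req_len]
    krb_priv = body[6 + ap_req_len:]
    if len(ap_req) != ap_req_len or not krb_priv:
        raise ValueError("AP-REQ / KRB-PRIV lengths do not add up")
    return {"transport": transport, "version": version,
            "ap_req": ap_req, "krb_priv": krb_priv}


def describe_flow(src_port: int, dst_port: int) -> str:
    """kpasswd is client -> KDC: the request is always sent *to* port 464
    and the reply returns on that same client-initiated flow."""
    if dst_port == KPASSWD_PORT:
        return "client request to KDC (outbound from the VPN user)"
    if src_port == KPASSWD_PORT:
        return "KDC reply on the client-initiated flow"
    return "not kpasswd"


# Constructed placeholders standing in for the DER-encoded Kerberos structures.
SAMPLE_AP_REQ = b"\x6e\x10" + b"A" * 16     # fake AP-REQ, 18 bytes
SAMPLE_KRB_PRIV = b"\x75\x08" + b"P" * 8    # fake KRB-PRIV, 10 bytes

if __name__ == "__main__":
    for transport in ("tcp", "udp"):
        wire = build_kpasswd_message(SAMPLE_AP_REQ, SAMPLE_KRB_PRIV, transport=transport)
        fields = parse_kpasswd_message(wire, transport)
        print(transport, hex(fields["version"]), len(wire), "bytes on the wire")
    print(describe_flow(49152, KPASSWD_PORT))
```

Run it as a script to see both framings; to check a real capture, hand the TCP payload from a client's connection to the DC on port 464 to parse_kpasswd_message and confirm the version field is 0xff80. A request that never leaves the client, or a reply that never returns on the same flow, is a rulebase or NAT problem rather than something the protocol itself does.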

Re: AD Domain Password change vía SecuRemote
Dan
2007-03-28 22:48:31
Hi Sergio

I haven't done this exactly how you are describing, but setting up SDL
means that the user authenticates to the domain rather than using
cached credentials, and will be prompted.

Also, if the user has a screen-saver and it locks while they are VPN'ed
into your network, the user will be prompted about any password changes,
as they will also send credentials to your domain controllers.

Re: the licensing... licensing is an art!! I don't think that a licence
is required, but I can't be sure.

HTH
Dan

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM]
On Behalf Of Sergio Alvarez
Sent: Thursday, 29 March 2007 3:22 p.m.
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] AD Domain Password change vía SecuRemote

Thanks Romey,

I don't really have much knowledge of Microsoft stuff or Windows
domains, so do you know exactly how that Kerberos change password
works?

I'm thinking first of all that if this is something the DC initiates
towards the users, and these are SecuRemote users going through an IP
Pool NAT, most likely it will not work.

In any case, my questions about SDL are because I believe this whole
password change thing happens only during domain logon; do you know if
I'm right or not?

Thanks again.

Regards





