Thread: Re: AD Domain Password change vía SecuRemote

2007-03-29 02:45:02
Hi,

The SDL feature enables secure logon to the network (the Windows
authentication is done over the VPN tunnel). This means that when a
user powers on his PC and tries to open his Windows session,
CheckPoint SecureClient will prompt to start the VPN; when
the VPN is up, Windows sends the authentication request to
the Domain Server, and if the authentication was successful the
Windows session is opened and the user can access his
desktop with the SecureClient VPN up.

Kerberos authentication is a secure method to validate the
identity of the user. This method is based on a ticket (this
permits a user to show this ticket to another server in the same
domain to access some resource without sending his password to
that server), and is used for Windows 2000 and up. For Kerberos
the time is important; for this reason clock synchronization
between the client PCs and the Domain Server is necessary
(NTP protocol).

If you want to learn more about Kerberos authentication see (in
Spanish):

http://www.microsoft.com/latam/technet/articulos/199911/art07/

Regards.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Dan Swan
Sent: Wednesday, 28 March 2007 09:49 p.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] AD Domain Password change vía SecuRemote


Hi Sergio

I haven't done this exactly how you are describing, but
setting up SDL means that the user authenticates to the
domain rather than using cached credentials and will be
prompted.

Also, if the user has a screen-saver and it locks while they
are VPN'ed into your network the user will be prompted about
any password changes as they will also send credentials to
your domain controllers.

Re: the licensing.. the licensing is an art!! I don't think
that a lic is required, but I can't be sure

HTH
Dan

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM]
On Behalf Of Sergio Alvarez
Sent: Thursday, 29 March 2007 3:22 p.m.
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] AD Domain Password change vía SecuRemote

Thanks Romey,

I don't really have much knowledge related to Microsoft
stuff or Windows Domains, so do you know how exactly that
Kerberos change password works?

I'm thinking first of all that if this is something the DC
initiates to the users and these are SecuRemote users going
through an IP Pool NAT, most likely it will not work.

In any case my questions about SDL are because I believe
this whole password change thing happens only during domain
logon, do you know if I'm right or not?

Thanks again.

Regards


On 3/28/07, Cecoban, S. A. de C. V. - Romey Valadez
<rvaladez@cecoban.org.mx> wrote:
>
> Hi,
>
> Maybe you need to allow the Kerberos change password
> protocol (for Windows the ports are tcp/464 and udp/464).
>
> Check these references:
>
> http://www.faqs.org/rfcs/rfc3244.html
> http://www.faqs.org/faqs/kerberos-faq/general/section-70.html
>
> I hope this can help you
>
> Regards.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
> Alvarez
> Sent: Wednesday, 28 March 2007 07:46 p.m.
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] AD Domain Password change vía SecuRemote
>
>
> Hello,
>
> I have this customer currently running NGX R60 (HA cluster, everything
> running on SPLAT), they have a large number of remote users getting
> connected all the time to the network via SecuRemote.
>
> Recently the IT department decided to deploy a new security policy in
> which every user of their Active Directory Domain must change his/her
> password every 90 days. There is no problem with the regular LAN users,
> as when they login to the domain in the morning they will start getting
> warnings about their passwords expiring in a few days and the option to
> change it, but with the remote users this whole deal is different. When
> they first start working with the company, somebody from the IT staff
> configures their laptops to belong to the domain, they go home and never
> return back to the office. Since SecuRemote gets connected once the
> machine is up and running, they never get the warning messages or the
> option to change their passwords.
>
> There is a feature available in Secure Client named Secure Domain Logon
> (SDL) which actually makes the client initiate the VPN before the Domain
> login process, and the documentation says the idea is to allow for the
> login process to occur in a secure manner, but that is pretty much the
> whole description of the feature.
>
> I have done some research about this in the SK, with no success.
>
> So my questions are:
>
> 1) Does anybody know if SDL will actually help with this issue?
>
> 2) If so, does anybody know if Secure Client licensing is supposed to be
> required to use such a feature? (Office Mode, for example, is supposed
> to be used only with such licensing, but the documentation has always
> lacked detailed information about these licensing issues)
>
> 3) If SDL is not the way to go, has anybody else had to deal with this
> password change deal before?
>
> I would really appreciate any help with this issue.
>
> Regards
>
>
> --
> Sergio Alvarez
> (506)8301342
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner@ts.checkpoint.com
> =================================================
>



-- 
Sergio Alvarez
(506)8301342
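The port the thread settles on, tcp/464 and udp/464, carries the Kerberos change/set-password exchange described in RFC 3244. The following Python module is an added example, not code from any of the posters or from Check Point: it builds and parses the RFC 3244 framing (16-bit message length, 16-bit protocol version, 16-bit AP-REQ length, then the AP-REQ and KRB-PRIV bodies, plus the 4-byte length prefix used over TCP) and maps the reply result codes, which is what a defender needs when checking in a capture whether change-password traffic from pool-NATed VPN clients actually reaches the domain controller. The AP-REQ, KRB-PRIV and KRB-ERROR bodies are constructed placeholders carrying only a plausible leading ASN.1 tag byte; real ones are DER produced by a Kerberos library, and the new password rides inside the encrypted KRB-PRIV, so it never appears in the clear here or on the wire.

```python
"""Framing for the Kerberos change/set-password protocol (kpasswd,
RFC 3244) served on tcp/464 and udp/464.

Added example; not code from the thread or from Check Point. The AP-REQ,
KRB-PRIV and KRB-ERROR bodies below are constructed placeholders.
"""
import struct
from dataclasses import dataclass

# Values of the 16-bit protocol version field.
VERSION_CHANGEPW = 0x0001  # original kpasswd change-password protocol
VERSION_SETPW = 0xFF80     # RFC 3244 set/change-password version

# Result codes in the first two bytes of a reply's decrypted KRB-PRIV
# user-data (RFC 3244 section 2).
RESULT_CODES = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
}

# ASN.1 APPLICATION tag numbers of the Kerberos PDUs that appear in kpasswd.
APP_TAGS = {14: "AP-REQ", 15: "AP-REP", 21: "KRB-PRIV", 30: "KRB-ERROR"}


class KpasswdFramingError(ValueError):
    """Raised when a buffer does not follow the RFC 3244 framing."""


@dataclass
class KpasswdMessage:
    version: int
    ap_data: bytes  # AP-REQ (request) or AP-REP (reply); empty on a KRB-ERROR reply
    body: bytes     # KRB-PRIV, or KRB-ERROR when ap_data is empty


def asn1_app_tag(der: bytes):
    """Return the APPLICATION tag number of a DER blob, or None if it is not one."""
    if der and (der[0] & 0xE0) == 0x60 and (der[0] & 0x1F) != 0x1F:
        return der[0] & 0x1F
    return None


def build_message(ap_data: bytes, body: bytes, version: int = VERSION_SETPW) -> bytes:
    """Prefix the 6-byte header; the length field counts itself."""
    total = 6 + len(ap_data) + len(body)
    if total > 0xFFFF:
        raise KpasswdFramingError("message too large for the 16-bit length field")
    return struct.pack(">HHH", total, version, len(ap_data)) + ap_data + body


def parse_message(buf: bytes) -> KpasswdMessage:
    """Parse one UDP datagram, or one TCP message with its 4-byte prefix removed."""
    if len(buf) < 6:
        raise KpasswdFramingError("short header")
    total, version, ap_len = struct.unpack(">HHH", buf[:6])
    if total != len(buf):
        raise KpasswdFramingError(f"length field {total} does not match {len(buf)} bytes")
    if version not in (VERSION_CHANGEPW, VERSION_SETPW):
        raise KpasswdFramingError(f"unknown protocol version 0x{version:04x}")
    if 6 + ap_len >= total:
        raise KpasswdFramingError("no room for a KRB-PRIV or KRB-ERROR body")
    return KpasswdMessage(version, buf[6:6 + ap_len], buf[6 + ap_len:])


def tcp_frame(message: bytes) -> bytes:
    """Over TCP each message is preceded by a 4-byte big-endian length."""
    return struct.pack(">I", len(message)) + message


def parse_tcp_stream(stream: bytes) -> list:
    """Split a reassembled TCP byte stream into parsed messages."""
    messages, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 4:
            raise KpasswdFramingError("truncated TCP length prefix")
        (length,) = struct.unpack(">I", stream[offset:offset + 4])
        offset += 4
        chunk = stream[offset:offset + length]
        if len(chunk) != length:
            raise KpasswdFramingError("truncated TCP message")
        messages.append(parse_message(chunk))
        offset += length
    return messages


def decode_result(user_data: bytes) -> tuple:
    """Decode decrypted reply user-data: 2-byte result code, then an optional string."""
    if len(user_data) < 2:
        raise KpasswdFramingError("result code missing")
    (code,) = struct.unpack(">H", user_data[:2])
    return RESULT_CODES.get(code, f"UNKNOWN_{code}"), user_data[2:]


# Constructed placeholders: only the leading ASN.1 tag byte is meaningful.
SAMPLE_AP_REQ = bytes([0x6E, 0x03, 0xA0, 0x01, 0x05])
SAMPLE_PRIV = bytes([0x75, 0x04, 0xDE, 0xAD, 0xBE, 0xEF])
SAMPLE_KRB_ERROR = bytes([0x7E, 0x02, 0x30, 0x00])

if __name__ == "__main__":
    req = build_message(SAMPLE_AP_REQ, SAMPLE_PRIV)
    err = build_message(b"", SAMPLE_KRB_ERROR, VERSION_CHANGEPW)
    for m in parse_tcp_stream(tcp_frame(req) + tcp_frame(err)):
        print(f"version 0x{m.version:04x}", APP_TAGS.get(asn1_app_tag(m.ap_data)),
              APP_TAGS.get(asn1_app_tag(m.body)))
```

A zero AP length with a KRB-ERROR body is how a server answers when it cannot build a KRB-PRIV reply, so the parser accepts that shape rather than rejecting it; the result-code decoding only applies once the KRB-PRIV has been decrypted with the session key, which a passive capture cannot do.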
