Wow, I was not aware of any of this. The research I did just covered how to
use the certificates with SecuRemote and how to generate one with the user
account; I missed this whole piece on certificate management. Thanks much for
the information, I will dig into this.

John
From: Ray <sixsigma44 HOTMAIL.COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Problem renewing SecuRemote certificate
Date: 09/05/2007 08:49 PM
Please respond to Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>

Actually they worked quite well for us (300+ remote users) and they are a
heck of a lot more secure than user name & password.

There's an SK article on how to set it up. You have to generate an
administrator certificate that is put into your browser store. Then you run
this command on the SmartCenter to authorize the certificate and to turn on
the interface. Then you go to https://<SmartCenterIP>:18265 and you have a
browser interface to the entire certificate authority with access
authenticated by the admin certificate you created. You can search, renew,
create, whatever.

Ray

>From: John Lindblom <jlindblom MICO.COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] Problem renewing SecuRemote certificate
>Date: Wed, 5 Sep 2007 09:36:01 -0500
>
>I'm not sure what you mean by "web interface to the ICA", I'm only familiar
>with the SPLAT web access.
>
>It sounds like certificates could be a pain.
>
>From: Ray <sixsigma44 HOTMAIL.COM>
>Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] Problem renewing SecuRemote certificate
>Date: 09/04/2007 06:16 PM
>Please respond to Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
>
>Sneaker-net.
>
>Once it's expired, it's expired. You will need to issue a new certificate
>and get it to them somehow or use the "pull" method where they enter the
>code they receive by email to get a new certificate.
>
>If you're running current versions of FW-1 and SecuRemote/SecureClient, the
>automatic renewal process works fine as long as they connect once when they
>are inside the renewal period. That's 60 days by default. I raised mine to
>90.
>
>I use the web interface to the ICA (the one on port 18265 of the
>SmartCenter) and run queries occasionally to make sure I don't let one
>expire.
>
>Ray
>
> >From: John Lindblom <jlindblom MICO.COM>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
> >To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
> >Subject: Re: [FW-1] Problem renewing SecuRemote certificate
> >Date: Tue, 4 Sep 2007 08:43:07 -0500
> >
> >This raises a question for me.
> >
> >How are end user certificates handled when they expire if they can't be
> >renewed? I just started using certificates and I need to plan for issues
> >with expiration.
> >
> >John
> >
> >From: Richard Newton <rnewton99 GMAIL.COM>
> >Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
> >To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
> >Subject: Re: [FW-1] Problem renewing SecuRemote certificate
> >Date: 09/03/2007 09:27 PM
> >Please respond to Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM>
> >
> >Ray -- Thanks so much. It looks like this did the trick. (It was the VPN
> >cert on the firewall that was expired.)
> >
> >~~Richard~~
> >
> >On 9/3/07, Ray <sixsigma44 hotmail.com> wrote:
> > >
> > > Which certificate is expired? The one that the SecuRemote uses to
> > > authenticate themselves to the firewall or the actual VPN certificate on
> > > the firewall?
> > >
> > > If it is an end user certificate, it cannot be renewed once it's expired.
> > >
> > > If it's the one for the firewall, try un-checking VPN on the firewall
> > > object, save the firewall object, open the firewall object, re-check VPN,
> > > save the firewall object and push the policy.
> > >
> > > Ray
> > >
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to LISTSERV amadeus.us.checkpoint.com
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >fw-1-owner ts.checkpoint.com
> >=================================================
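Ray's advice above, that an expired end-user certificate cannot be renewed and that auto-renewal only happens when the client connects inside the renewal window (60 days by default, which he raised to 90), turned into an expiry check an admin can run on exported certificate end dates. This is an added Python example, not code from the thread or from Check Point; the user names, dates and the OpenSSL-style `notAfter=` lines are constructed, and it works on those exported lines rather than querying the ICA web interface on port 18265.

```python
from datetime import datetime, timedelta

# Constructed sample: one 'notAfter=' line per user, in the format printed by
# `openssl x509 -noout -enddate`; users and dates are made up for this example.
SAMPLE_ENDDATES = {
    "jdoe":   "notAfter=Sep 30 23:59:59 2007 GMT",
    "asmith": "notAfter=Nov 20 12:00:00 2007 GMT",
    "bjones": "notAfter=Aug  1 08:00:00 2007 GMT",
}
# Fixed "now" so the run is reproducible: the date of Ray's 9/5 message.
THREAD_DATE = datetime(2007, 9, 5, 20, 49)

def parse_enddate(line):
    """Parse an OpenSSL 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into a datetime."""
    value = line.partition("=")[2].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y")

def triage(enddates, today=THREAD_DATE, renewal_days=60):
    """Classify each cert relative to `today`; returns {user: (status, days_left)}.
    'expired': past notAfter, auto-renewal is impossible, re-issue the cert.
    'renewing': inside the renewal window, the user must connect once to renew.
    'ok': outside the window, nothing to do yet."""
    window = timedelta(days=renewal_days)
    result = {}
    for user, line in enddates.items():
        remaining = parse_enddate(line) - today
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= window:
            status = "renewing"
        else:
            status = "ok"
        result[user] = (status, remaining.days)
    return result

def needs_action(enddates, today=THREAD_DATE, renewal_days=60):
    """Users an admin must chase: expired (re-issue) or renewing (must connect)."""
    report = triage(enddates, today, renewal_days)
    return sorted(user for user, (status, _) in report.items() if status != "ok")

if __name__ == "__main__":
    for user, (status, days) in triage(SAMPLE_ENDDATES).items():
        print(f"{user:8} {status:9} ({days:+d} days)")
```

Raising `renewal_days` to 90, as Ray did, pulls more users into the "renewing" state earlier, which is the point of widening the window: it gives occasional connectors more chances to renew before the certificate is unrecoverable.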