SecureClient questions
18 years 11 months ago #12346
by suderman
SecureClient questions was created by suderman
Hello !
I've got 2 questions.
1) Can Checkpoint's SecureClient with Office mode be used without a Policy Server installed on the Gateway (NG R55)?
In my case SecureClient is connecting to the Firewall and then getting a local IP address (Office mode), but then it cannot go anywhere.
I'm not sure whether it's because of a misconfiguration or the lack of an installed Policy Server?
SecureClient Diagnostics is indicating that the Machine is not securely Configured - SCV is not verified.
2) DNS when using SecureClient without Office mode, or SecuRemote.
In that case the SecureClient or SecuRemote client doesn't get a local private address and therefore cannot connect to resources using DNS names. It's possible only when using IP addresses. All resources are within the internal network with private addresses.
This is quite obvious ... because the client is using the existing network connection with DNS servers that cannot resolve our private addresses,
but is it possible somehow for clients to use internal DNS servers without adding them manually to the existing network connection?
Is there a workaround for this?
Thanks.
18 years 10 months ago #12422
by tiamat
Replied by tiamat on topic Re: SecureClient questions
for your first question, yes, SecureClient can be used without needing a policy server installed. The problem is, you've elected to enable SCV checking, and the client that is trying to connect is not matching the criteria you have configured in order for it to be considered 'secure'.
as for your second question, here is checkpoint's answer:
Solution ID: #skI2065
Product: SecuRemote
Version: NG
Last Modified: 15-Jul-2004
Solution
To set up Split DNS for VPN-1/FireWall-1 NG and SecuRemote/SecureClient NG, proceed with the following:
Create a Host Node network object in the Policy Editor
1. Select Manage > Network Objects
2. In the Network Objects dialog box, click on New and select Node > Host from the drop down list
3. In the Host Node dialog box, select General Properties in the left pane
4. In the Host Node - General Properties, enter the network object name of the internal DNS server in the Name field (ie. internal_dns)
5. Enter the IP address of the internal DNS in the IP Address field (ie. 192.168.2.100)
6. Click on OK in the Host Node dialog box
7. Click on Close in the Network Objects dialog box
Create a SecuRemote DNS server object in the Policy Editor
1. Select Manage > Servers
2. In the Servers dialog box, click on New and select "SecuRemote DNS..." from the drop down list
3. In the SecuRemote DNS Properties dialog box, select the General tab
4. In the General tab, enter the SecuRemote DNS server name for the SecuRemote DNS server in the Name field (ie. sr_dns_server)
5. Select the network object of the internal DNS server (ie. internal_dns) from the Host drop down list
6. In the SecuRemote DNS Properties dialog box, select the Domains tab
7. In the Domains tab, Click on Add
8. In the Domain dialog box, enter the domain suffix of the internal network in the Domain Suffix field (ie. detroit.com)
9. In the Domain Match Case section, select "Match only *.suffix" option
Note:
If internal network workstations have a name such as pcstation.sales.detroit.com (two labels preceding the domain suffix), select "Match up to ** labels preceding the suffix" option rather than the "Match only *.suffix" option. Adjust the number of labels in this option according to the maximum number of labels that may precede the domain suffix.
10. Click on OK in the Domain dialog box
11. Click on OK in the SecuRemote DNS Properties dialog box
12. Click on Close in the Servers dialog box
13. Install the security policy
Note:
After the security policy is installed on the firewall module, the SecuRemote / SecureClient needs to update/recreate the site in order to download the Split DNS information from the firewall module.
Note:
If you also wish to have the internal DNS traffic encrypted you will need to go to Global Properties > Remote Access and check the box to Encrypt DNS traffic. If you make this change you will need to install the Security Policy on the gateway and update the topology information on the client.
18 years 10 months ago #12448
by suderman
Replied by suderman on topic Re: SecureClient questions
For the first problem it was not the SCV which blocks the connection ... but the wrong routing.
Traffic for the office mode ip pool must be directed back to client from which the SecureClient is connecting.
For the second problem Your solution is nice and simple ... working perfectly.
Thanks a lot.
18 years 10 months ago #12469
by suderman
Replied by suderman on topic Re: SecureClient questions
Hello again !
I have one more request to You.
I cannot access for the moment some of Checkpoint's documents
specially those where Check Point Enterprise Support contract is needed.
Could You please if it's possible copy and paste the content of the following documents:
1)
secureknowledge.checkpoint.com/SecureKno...cument.do?id=sk10698
Securemote/SecureClient can resolve Fully Qualified Domain Name (FQDN), but not hostname
Symptoms:
·Can ping host by Fully Qualified Domain Name (e.g. computer.companyname.com)
·Unable to ping computer by hostname (e.g., computer)
·ID: sk10698 ·Product: SecuRemote ·Version: NG ·Type: Problems ·Access: Advanced
2)
secureknowledge.checkpoint.com/SecureKno...cument.do?id=sk15360
SecuRemote/SecureClient is not able to resolve an internal host name.
Symptoms:
·A SecuRemote/SecureClient machine, properly configured with Split DNS, can reach a host internal to the encryption domain using the Fully Qualified Domain Name (FQDN) but not by hostname.
·ID: sk15360 ·Product: SecuRemote ·Version: NG ·Type: Problems ·Access: Advanced
Thanks again.
18 years 10 months ago #12477
by tiamat
Replied by tiamat on topic Re: SecureClient questions
1)
Cause
Operating system unable to find hostname locally, and does not know what suffix to add on to the host name for resolution to take place.
Solution
Add the appropriate suffix (e.g., companyname.com) to the DNS Suffix Search Order in the TCP/IP properties of the operating system. When the query for the host name takes place (e.g., query for "computer"), the operating system will append the suffix to the query if it cannot resolve it locally (e.g., making it "computer.companyname.com")
NOTE: On Windows 2000, it is possible to set the login domain to companyname.com, for domain used for login. When login domain includes appropriate suffix, operating system will append it to hostname (e.g., making it the same query as above, "computer.companyname.com").
2)
Cause
The TCP/IP stack of SecuRemote/SecureClient machine has not been configured to append DNS suffixes to DNS requests.
Solution
Add appropriate internal FQDN labels to DNS setup of operating system that SecuRemote/SecureClient is installed on.
Procedure:
Windows 2000
1) Right click the systray icon for LAN connection
2) Select Status option to open Local Area Connection Status dialog box
3) Click Properties button to open Local Area Connection Properties dialog box
4) Highlight Internet Protocol (TCP/IP) in the "Components checked are used by this connection" window
5) Click Properties button to open Internet Protocol (TCP/IP) Properties dialog box
6) Click Advanced button to open Advanced TCP/IP Settings
7) Select DNS tab and enable "Append these DNS suffixes (in order)" radio button
8) Add your DNS suffix (example: checkpoint.com)
9) Select OK, OK, and OK to close each box out
10) Reboot machine
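An added example (not Check Point's code and not part of any post in this thread) that models the two behaviours the replies describe: which queries a SecuRemote split-DNS domain rule sends to the internal DNS server ("Match only *.suffix" versus "Match up to N labels preceding the suffix", from the first sk solution) and how the OS DNS suffix search list turns a bare hostname into candidate FQDNs (the cause behind sk10698/sk15360). The server addresses, rule set and names are constructed for the example; reading "up to N labels" as at most N labels between the hostname part and the suffix is an assumption.

```python
# Constructed values: internal_dns from the thread, ISP resolver is a placeholder.
INTERNAL_DNS = "192.168.2.100"
ISP_DNS = "203.0.113.53"


def matches_domain_rule(fqdn, suffix, max_labels=1):
    """Split-DNS domain rule check.
    max_labels=1 models "Match only *.suffix"; max_labels=N models
    "Match up to N labels preceding the suffix" (assumed semantics)."""
    fqdn = fqdn.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    if not fqdn.endswith("." + suffix):
        return False          # different domain, or the bare suffix itself
    preceding = fqdn[: -len(suffix) - 1].split(".")
    return 1 <= len(preceding) <= max_labels


def resolver_for(fqdn, rules):
    """Which DNS server the client sends this query to: the first matching
    split-DNS rule wins, otherwise the normal (ISP) resolver is used."""
    for suffix, max_labels in rules:
        if matches_domain_rule(fqdn, suffix, max_labels):
            return INTERNAL_DNS
    return ISP_DNS


def candidate_queries(name, search_list):
    """Candidate FQDNs the OS tries: an FQDN is queried as-is; a bare hostname
    gets each suffix of the search list appended in order. With an empty
    search list a bare hostname yields nothing to query, which is the
    'FQDN works, hostname does not' symptom from the sk documents."""
    if "." in name.rstrip("."):
        return [name]
    return [f"{name}.{s}" for s in search_list]


def plan_lookup(name, rules, search_list):
    """Return (query, server) pairs in the order the client would try them."""
    return [(q, resolver_for(q, rules)) for q in candidate_queries(name, search_list)]


if __name__ == "__main__":
    rules = [("detroit.com", 1)]                      # sr_dns_server, Match only *.suffix
    print(plan_lookup("computer", rules, ["detroit.com"]))
    print(plan_lookup("computer", rules, []))          # no suffix: nothing to query
    print(plan_lookup("pcstation.sales.detroit.com", rules, ["detroit.com"]))
```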