checkpoint ngx user authority

Upload: hemrsud

Post on 05-Apr-2018


  • 7/31/2019 Checkpoint NGX User Authority

    1/310

    Check Point UserAuthority Guide

    NGX (R60)

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at

    http://support.checkpoint.com/kb/

    See the latest version of this document in the User Center at

    http://www.checkpoint.com/support/technical/documents/docs_r60.html

    Part No.: 700358

    April 13, 2005


    Check Point Software Technologies Ltd.
    U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]
    Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

    © 2003-2005 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    © 2003-2005 Check Point Software Technologies Ltd. All rights reserved.

    Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    THIRD PARTIES:

    Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

    Verisign is a trademark of Verisign Inc.

    The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty.

    Copyright © Sax Software (terminal emulation only).

    The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

    Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

    Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The Open Group.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright © 1998 The Open Group.

    The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

    1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

    3. This notice may not be removed or altered from any source distribution.

    The following statements refer to those portions of the software copyrighted by the GNU Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

    The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

    The curl license

    COPYRIGHT AND PERMISSION NOTICE

    Copyright (c) 1996 - 2004, Daniel Stenberg. All rights reserved.

    Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

    The PHP License, version 3.0

    Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please [email protected].

    4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".

    5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

    6. Redistributions of any form whatsoever must retain the following acknowledgment:

    "This product includes PHP, freely available from ".

    THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

    For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .

    This product includes software written by Tim Hudson ([email protected]).

    Copyright (c) 2003, Itai Tzur

    All rights reserved.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

    Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

    Confidential Copyright Notice

    Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

    Trademark Notice

    The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.


    U.S. Government Restricted Rights

    The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

    Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

    Warranty Disclaimer

    THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

    Limitation of Liability

    UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

    Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

    BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

    Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release


    Table Of Contents

    Chapter 1 Introduction

    The Need for UserAuthority 11

    Web Access Management (WebAccess) 11

    Identity-based Access Control for Outbound Connections via VPN-1 Pro Gateway 13

    Underlying Concept and Advantage 13

    Typical Deployments 14

    UserAuthority for Enterprise Web Applications Deployment 14

    Business to Consumer (B2C) Deployment 18

    UserAuthority SSO for VPN-1 Pro Deployment 20

    OPSEC Protocols 21

    UserAuthority Management Model 21

    How to Use this Guide 22

    Chapter 2 UserAuthority Deployments and Installation

    Overview 23

    Deployments 25

    UserAuthority for Enterprise Web Applications 25

    UserAuthority WebAccess Deployment 27

    Terms in UserAuthority WebAccess Configuration 29

    Workflow 31

    Test Your Deployment 32

    B2C 32

    Workflow 36

    Test Your Deployment 37

    Outbound Access Control 38

    Workflow 39

    Test Your Deployment 39

    Adding an SSO Rule 39

    Citrix MetaFrame or Windows Terminal Services 42

    Workflow 43

    Test Your Deployment 43

    Adding an SSO Rule for Citrix MetaFrame or Windows Terminal Services 44

    Combining the Deployments 45

    Workflow 47

    Test Your Deployment 48

    Installation and Configuration 49

    Installing and Configuring UAS on VPN-1 Pro 49

    Installing the UserAuthority License 49

    Installing UAS on the VPN-1 Pro Gateway 50

    Configuring the UAS 55

    Installing and Configuring the UAS on the Windows DC 61


    Installing the UAS 61

    Configuring UAS Properties 65

    Configuring SecureAgent Automatic Installation 68

    Installing and Configuring UserAuthority WAPS 70

    Installing UserAuthority WAPS 71

    Configuring UserAuthority WAPS 72

    Configuring UserAuthority WAPS in SmartDashboard 75

    Installing and Configuring the UserAuthority WAPI 80

    Configuring UserAuthority WAPI in SmartDashboard 83

    Configuring Common Suffix Domains 83

    Configuring Virtual Hosts 84

    Configuring a Basic Web SSO Rule 85

    Configuring UserAuthority WebAccess Application Settings 87

    Configuring the Single Sign-On Effect 89

    Configuring the Insert Header Effect 90

    Defining Authentication Domains 92

    Setting Up SSL Terminating Certificates on your UserAuthority WAPS Installation 94

    Chapter 3 Web SSO

    The Challenge 97

    The UserAuthority Solution 98

    SSO Types for Web Applications 100

    Achieving User Identity 101

    Internal Users 101

    Identification using the NTLM Authentication Protocol 102

    Identification of Users on a Citrix or Terminal Services 103

    Remote Users with a VPN Client 104

    Remote Users without a VPN Client 105

    Mapping User Identity to Application Information by UserAuthority 106

    Using a Header for Authentication 108

    Special Scenarios 108

    Web SSO with an Internal Proxy 108

    For security reasons, WAPS does not accept forward connections from all proxies. 109

    Workflow 110

    Test Your Deployment 110

    Web SSO with Citrix 110

    Workflow 110

    Web SSO with more than one Web site 110

    Workflow 111

    Test Your Deployment 111

    Web SSO with Manual Identity Sharing 111

    Workflow 112

    Test Your Deployment 112

    Configuration 112

    UserAuthority WebAccess SSO for Web Application Authentication 113

    SSO for HTTP Basic Authentication 113

    SSO for HTML Form Authentication 113

    Providing User Identity Web Applications with no Authentication Requirements 114


    Configuring Manual UserAuthority Settings 114

    Manually Updating User Credentials 115

    Disabling UserAuthority WebAccess for Specific IP Addresses 115

    Configuring Integrated Windows Authentication 116

    Troubleshooting the Establish a Trust Procedure 119

    Troubleshooting the NTLM Procedure 120

    Ensuring that all Local Web pages are Recognized as Intranet Sites 120

    Configuring Multiple Web Sites in SmartDashboard 122

    Advanced Configuration 124

    Configuring UserAuthority WebAccess to Recognize Cache Proxy Users 124

    Configuring Manual Identity Sharing Options 125

    Creating UAS Groups 127

    Chapter 4 Authorization for Web Applications

    The Challenge 129

    The UserAuthority Access Control Solution 130

    Access Control Policy 131

    Creating Security and Authorization Rules 131

    Access Control Enforcement 132

    Access Control Scenarios 134

    User Groups with Different Authorization Levels 134

    Enforcing SSL Encryption on Connections 136

    Configuration 137

    Defining Web Sites 138

    Defining Advanced Web Site Options 141

    Advanced Properties 141

    Custom Rejection Policy 144

    Access Control with SSO-Only Web Site 145

    Defining URLs 145

    Defining Security and Authorization Rules 146

    Defining a Basic Access Control Policy 147

    Security Rules 148

    Authorization Rules 150

    Advanced Configuration in SmartDashboard 152

    UserAuthority WebAccess Advanced Configurations Window 153

    Defining Operation Objects and Groups 154

    Defining Trust Objects and Groups 159

    Creating a Trust Object 159

    Trust Object Parameters 160

    Chapter 5 Outbound Access Control

    The Challenge 167

    The UserAuthority Solution 168

    Identification using SecureAgent 170

    Identity Sharing 170

    Using Outbound Access Control with Web SSO 171

    Workflow 171

    Retrieving Windows Groups with UserAuthority 171


    Outbound Access Control using Citrix Terminals as TIP 172

    Scenario - An Organization using Multiple Windows DCs 172

    Workflow 173

    Test Your Deployment 174

    Scenario - An Organization Using Multiple Domains 174

    Workflow 175

    Test Your Deployment 175

    Configurations 176

    Adding Additional Windows DCs 176

    Workflow 176

    Outbound Access Control on Citrix or Windows Terminals 176

    Configuring UserAuthority Domain Equality 177

    Chapter 6 User Management in UserAuthority

    Overview 181

    Managing Users and Groups 182

    Users in UserAuthority 182

    User Groups in UserAuthority 182

    Using a Local Check Point Database 183

    Using an External Database 183

    Using the Windows User Identity 184

    Users in the Windows Domain 184

    Configuring UserAuthority to Recognize Windows User Groups 184

    Chapter 7 Web Security Features

    Overview 187

    Broken Access Control 188

    Broken Account and Session Management 189

    Remote Administration Flaws 191

    Web Server and Application Misconfiguration 193

    Chapter 8 Auditing in UserAuthority

    Overview 195

    Using Logs for Auditing 196

    Auditing Outbound Traffic Using UserAuthority Outbound Access Control 198

    Displaying the Resource Name in the Information Field 200

    Auditing Web Access Using UserAuthority WebAccess 201

    Auditing User Requests 203

    Auditing UserAuthority WebAccess Authorization Rejections 204

    Other UserAuthority WebAccess Logs 205

    Configuring UserAuthority for Auditing 206

    Configuring Auditing of Requests for External Resources 206

    Configuring Auditing for UserAuthority WebAccess 206

    Configuring Rejection Policy Logs 207

    Configuring Auditing of Requests for URLs Outside the Policy Scope 208

    Configuring SSO Abuse Tracking 209

    Customizing Logs 210


    Disabling Specific Log Entries 211

    Customizing Specific Log Entries 212

    Eliminating Logging of Graphics Files 213

    Chapter 9 High Availability and Load Balancing

    Overview 215

    High Availability 215

    Load Balancing 216

    High Availability and Load Balancing in UserAuthority 216

    Using Multiple UserAuthority WebAccess Servers 216

    Using UserAuthority WAPS Clusters 216

    Configuring WebAccess Cluster 218

    Workflow 218

    Creating a New Server Group 218

    Creating a Logical Server Object 219

    Defining a Security Policy for the UserAuthority WAPS Cluster Server Group 221

    Using Multiple Windows DCs 222

    Using a VPN-1 Pro Cluster 222

    Using VPN-1 Pro Clusters 222

    Synchronizing the Credentials Manager 222

    Automatic Synchronization 223

    Using the db_sync Script 223

    Chapter 10 UserAuthority CLIs

    UAS 226

    uas debug 226

    uas drv 226

    uas reconf 227

    uas d 227

    uas kill 227

    uas ver 227

    netsod 228

    netsod debug 228

    netsod drv 228

    netsod d 229

    netsod kill 229

    netsod simple 229

    netsod simple kill 229

    netsod ver 230

    uas 230

    cpstop 230

    cpstart 231

    cprestart 231

    uagstop 231

    uagstart 232

    wastop 232

    wastart 232

    service wa_proxy 232


    sysconfig 233

    remote_wa_admin 233

    wac_ver 234

    ver 234

    uainfo 234

    Chapter 11 UserAuthority OPSEC APIs

    Overview 237

    Programming Model 237

    Defining a UAA Client 240

    Client Server Configuration 240

    OPSEC UserAuthority API Overview 241

    UAA Client Application Structure 242

    Event Handling 243

    Requests 243

    Key Assertions 244

    Request Assertions 245

    Replies 247

    Connection-Based Vs. IP-Based Information in Queries 249

    UAA Assertions Structure Functions 250

    Processing Error Codes 250

    Session Management 250

    Function Calls 251

    Session Management 251

    uaa_new_session 251

    uaa_end_session 252

    Assertions Management 252

    uaa_assert_t_create 252

    uaa_assert_t_add 252

    uaa_assert_t_duplicate 253

    uaa_assert_t_destroy 253

    uaa_assert_t_compare 254

    uaa_asser_t_n_elements 254

    Managing Queries 254

    uaa_send_query 254

    uaa_abort_query 255

    Managing Updates 256

    uaa_send_update 256

    Managing Authentication Requests 256

    uaa_send_authenticate_request 256

    Assertions Iteration 257

    uaa_assert_t_iter_create 257

    uaa_assert_t_iter_get_next 258

    uaa_assert_t_iter_reset 259

    uaa_assert_t_iter_destroy 259

    Managing UAA Errors 259

    uaa_error_str 259

    Debugging 260


    uaa_print_assert_t 260

    Event Handlers 260

    UAA_QUERY_REPLY Event Handler 261

    UAA_UPDATE_REPLY Event Handler 262

    UAA_AUTHENTICATE_REPLY Event Handler 263

    Chapter 12 Monitoring the UserAuthority Environment

    Overview 265

    System Monitoring 266

    Monitoring the System Status 266

    UAS 267

    UserAuthority WebAccess 268

    Using UAS and UserAuthority WebAccess Logs for System Monitoring 269

    Using UAS Logs 270

    Monitoring Example: UAS is Offline 272

    User Monitoring 273

    Monitoring User Activities 273

    Monitoring Example: Successful Access to a Web Application 275

    Monitoring Example: SecureAgent Cannot Provide User Identity 276

    Chapter 13 Troubleshooting UserAuthority

    Overview 279

    General Problems 280

    Why is the service not available? 280

    Symptom 280

    Problem 280

    Solutions 280

    Why is there a proxy error? 281

    Symptom 281

    Problem 282

    Solutions 282

    Why are users not authorized to view the page? 282

    Symptom 282

    Problem 282

    Solutions 282

    Why is there no established SIC? 283

    Symptom 283

    Problem 283

    Solutions 283

    Why are users not authorized access when the policy is installed? 285

    Symptom 285

    Problem 285

    Solutions 285

    Why are there no logs in SmartView Tracker? 286

    Symptom 286

    Problem 286

    Solutions 286

    User-Related Problems 286


    Why is the service not available to the user? 286

    Symptom 286

    Problem 286

    Solutions 287

    Why can't the user sign in with a specific user name? 287

    Symptom 287

    Problem 287

    Solutions 288

    Why does SecureAgent not identify the user? 288

    Symptom 288

    Problem 288

    Solutions 288

    Why do users receive a pop-up even when signed into the domain? 291

    Symptom 291

    Problem 291

    Solutions 291

    Appendix A Integrating UserAuthority with Meta IP

    Overview 293

    Required Components 293

    Preliminary Steps 294

    Windows DC Configuration 294

    VPN-1 Pro Policy Configuration 294

    DHCP Server Configuration 296

    Appendix B Glossary

    Acronyms and Abbreviations 301


    CHAPTER 1

    Introduction

    In This Chapter

    The Need for UserAuthority page 11

    Underlying Concept and Advantage page 13

    Typical Deployments page 14

    OPSEC Protocols page 21

    UserAuthority Management Model page 21

    How to Use this Guide page 22

    The Need for UserAuthority

    In today's business environment, enterprises need to provide employees, partners and customers with the ability to access and work with many different applications and services. It is important that access to these applications be simple and convenient, and, at the same time, secure, reliable, and easy to manage. UserAuthority raises the level of security of your existing or new environment to meet these needs.

    UserAuthority can improve access control management in your enterprise in two major ways: Web Access Management and identity-based access control for outbound connections via the VPN-1 Pro gateway.

    Web Access Management (WebAccess)

    This solution provides the following functionalities and benefits:

    • Web Single Sign On (SSO): UserAuthority allows users to access all Web applications with a single identity. There is no need for users to remember and enter different credentials for each Web application accessed.

    • Authorization: UserAuthority provides authorization on the application level. Each user is assigned (through a User Group) specific access privileges for each application. Privileges can determine:

        • The types of access that a user is granted for a specific Web application (e.g., read only, read/write, or no access at all).

        • How a user can access an application (e.g., using a specific authentication method or using encryption).

        • From which locations a user can access a Web application (e.g., from the local network only, both remotely and locally, or via remote access only).

    • Strong authentication paradigm: UserAuthority can provide stronger authentication methods on the application level than the basic types of authentication implemented in Web applications (e.g., VPN-1 Pro authentication, SecurID, RADIUS, TACACS).

    • Auditing: UserAuthority can generate logs that show user activity. These logs can be used to track user activity, for system analysis, and for legal purposes.

    • Increased Security: The UserAuthority WebAccess Proxy Server (WAPS) allows all authentication and authorization activities to be moved from the system's Web servers to a different machine located in a safe DMZ. In that way, the Web application can be located in an internal segment and receive only authenticated requests.

    • Convenience:

        • On the administrator level: A single management method can be used for different systems in a network. This prevents the confusion of having a different type of management for every system.

        • On the user level: UserAuthority can eliminate the need for users to authenticate each time they access a different Web application using different credentials and authentication methods.

    • Reduced costs: UserAuthority can reduce the need for users to contact the enterprise's help desk because they have forgotten the password or username for specific applications.

    • Reduced development and maintenance costs: There is no need for programmers to make changes to an application's code; the non-intrusive mechanism provides all the functionality without changing the code of the applications. Deploying UserAuthority in an enterprise is simple and fast and does not require structural changes in your organization, such as migrating user databases and changing your user repository for various applications. In addition, because UserAuthority uses the same management tools and GUI as VPN-1 Pro, most administrators are already familiar with its operation.

    • Centralized management: A single central management function is used to manage all access control and auditing functions for all Web applications in a network.

    • High availability and load balancing: UserAuthority supports the use of clusters to ensure maximal system availability. In addition, clusters help to balance the load between Web servers in a network with heavy traffic.
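The authorization model described above (User Group membership, an access level per application, and conditions on location and authentication method) can be illustrated with a small rule evaluator. This is an added example written for this guide's discussion, not Check Point code and not UserAuthority's actual policy format; the group names, application name, user names and the rules themselves are constructed for the illustration, and it uses the "employee information" scenario from later in this chapter (HR managers read/write, the CEO's group read only, everyone else denied).

```python
"""Added example (not Check Point code): a minimal model of UserAuthority-style
application-level authorization. Users are mapped to User Groups, and rules grant
an access level per (group, application, location, authentication method).
Group, rule, user and application names are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Access levels an authorization rule can grant for a Web application.
NO_ACCESS, READ_ONLY, READ_WRITE = "no access", "read only", "read/write"

# Constructed group membership. In UserAuthority this comes from the user
# database or the Windows domain; here it is a hard-coded sample.
GROUP_MEMBERS = {
    "hr_managers": {"alice"},
    "executives": {"carol"},
    "employees": {"alice", "bob", "carol"},
}


@dataclass(frozen=True)
class Request:
    user: str
    app: str            # application being requested, e.g. "hr-records"
    location: str       # "local" (LAN) or "remote"
    auth_method: str    # how the user was identified: "windows", "vpn", "password"


@dataclass(frozen=True)
class Rule:
    group: str
    app: str
    access: str
    locations: frozenset                       # where the rule applies
    auth_methods: Optional[frozenset] = None   # None means any method is acceptable

    def matches(self, req: Request, groups: set) -> bool:
        return (self.group in groups
                and self.app == req.app
                and req.location in self.locations
                and (self.auth_methods is None or req.auth_method in self.auth_methods))


# Constructed policy for the "employee information" example: HR managers may
# read/write, the executives group may only read, everyone else is denied.
# Remote HR access is granted only when the user came in over a VPN tunnel.
POLICY = [
    Rule("hr_managers", "hr-records", READ_WRITE, frozenset({"local"})),
    Rule("hr_managers", "hr-records", READ_WRITE, frozenset({"remote"}), frozenset({"vpn"})),
    Rule("executives", "hr-records", READ_ONLY, frozenset({"local", "remote"})),
]


def groups_of(user: str) -> set:
    """All User Groups the user belongs to."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def authorize(req: Request, policy=POLICY) -> str:
    """First matching rule wins; no matching rule means NO_ACCESS (default deny)."""
    groups = groups_of(req.user)
    for rule in policy:
        if rule.matches(req, groups):
            return rule.access
    return NO_ACCESS


if __name__ == "__main__":
    for r in (Request("alice", "hr-records", "local", "windows"),
              Request("alice", "hr-records", "remote", "password"),
              Request("alice", "hr-records", "remote", "vpn"),
              Request("carol", "hr-records", "remote", "password"),
              Request("bob", "hr-records", "local", "windows")):
        print(f"{r.user:6} {r.location:7} {r.auth_method:9} -> {authorize(r)}")
```

The point worth noticing is the default: a request that matches no rule gets `NO_ACCESS`, so a user outside every listed group, or an HR manager coming from home without a VPN tunnel, is denied rather than silently granted the weakest level.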

    Identity-based Access Control for Outbound Connections via VPN-1 Pro Gateway

    UserAuthority can provide access control to external resources at the network level (the Internet or other services outside the perimeter gateway). Through VPN-1 Pro gateways, firewall authentication (Client or Session Authentication) can be configured in the security policy to meet this need. What UserAuthority adds is SSO for those authentications, eliminating the need for the user to re-authenticate: UserAuthority enables the user to be identified transparently via the gateway, without human intervention. This functionality is also known as "UserAuthority SSO for VPN-1 Pro" or "Outbound SSO".

    Underlying Concept and Advantage

    One of the greatest advantages of UserAuthority is its ability to extract the user identity from a Trusted Identification Point (TIP). UserAuthority establishes a trust relationship with TIPs on the network to ensure that it is receiving trusted information.

    UserAuthority TIPs include:

    • Windows logons to Domain Controllers

    • VPN-1 Pro authentication (SecureRemote/SecureClient, or any other authentication to the gateway)

    • MS Terminal Services/Citrix MetaFrame servers

    • UserAuthority WebAccess authentication services

    Once a user is logged on to a network (no matter where or how they logged on), the user identity is used to provide SSO, thereby enabling authentication to any Web-based application on the user's behalf. The user's identity is also used for access control and auditing purposes.

    Extracting the user identity from the TIP enables the following benefits:

    • Once a user is logged on to the system and identified by UserAuthority, there is no need to authenticate again, even when accessing a Web application.

    • Pure SSO, requiring only the initial network log on to a TIP. No other authentication is required.

    • Utilization of existing authentication in the network environment to retrieve user identification, without requiring the end user to identify to an additional identification mechanism.

    • Integration of network level authentication with Web applications.

    • Deployment does not require any changes to Web applications.

    Typical Deployments

    This section describes three common types of deployments, and the particular benefits of integrating UserAuthority into each of the deployment types. A detailed description of the various UserAuthority deployment types, and how they are set up and implemented, is presented in Chapter 2, "UserAuthority Deployments and Installation".

    The first and the second deployment examples illustrate Web Access Management scenarios. The last one illustrates identity-based access control for outbound connections via a VPN-1 Pro gateway.

    UserAuthority for Enterprise Web Applications Deployment

    This deployment typically includes both local and remote users who access various Web applications. The deployment contains various Web servers, a firewall, and both local and remote clients.

    FIGURE 1-1 illustrates this deployment without UserAuthority.

    FIGURE 1-1 Enterprise with Web Applications Deployment without UserAuthority

    In this deployment, each Web server must provide a means for user authentication. This can become complicated and might not meet the needs of the enterprise. The drawbacks of this type of deployment include:

    • An administrator cannot control user activities or audit them.

    • An administrator must manage multiple user databases with different authentication means and passwords, or users must authenticate themselves each time they access a different Web server or Web application.

    • The inability to accommodate a need to authorize different users to carry out different activities. For example, when dealing with employee information, the enterprise authorizes HR managers to have read/write access, lets only the CEO read the information, and forbids any other users from accessing this information. In this deployment, access rights must be configured individually in each application, according to each separate application's method for configuring access rights.

    • The inability to accommodate a need to perform various actions in different ways. For example, if the authorized user tries to carry out an action from home, the user might be required to carry out the action using a VPN tunnel; however, this is not required when the user carries out the same action from the local network.

    • No auditing, or different auditing for some users.

    FIGURE 1-2 shows this same type of deployment with UserAuthority.

    FIGURE 1-2 Enterprise with Web Applications Deployment with UserAuthority

    Two UserAuthority components have been added in this deployment: the UserAuthority Server installed on the VPN-1 Pro gateway, and the WAPS.

    UserAuthority eliminates the need for multiple authentications by users. This is carried out by the UserAuthority Server and WebAccess, working with the VPN-1 Pro component on the gateway and the Windows Domain Controller (DC).

    In this example, a user's Web requests go to the WAPS. UserAuthority WebAccess queries various components to retrieve the user's identity. FIGURE 1-2 indicates four areas that can be queried for user identity in this deployment.

    • Windows DC: UserAuthority WebAccess queries the Windows DC to get the user's identity through Windows Integrated Authentication (NTLM protocol).

    • VPN tunnel encryption: Remote users who sign on using a VPN client send encrypted information that contains the user's identity. UserAuthority WebAccess recognizes requests that come over a VPN tunnel and queries VPN-1 Pro for the user identity based on the information provided.

    • VPN-1 Pro: In some cases there is manual identification to VPN-1 Pro. In this case, user identification is retrieved from the User list in VPN-1 Pro.

    • UserAuthority WebAccess: Users who did not sign on to a network through the Windows DC or a VPN tunnel might not be recognized by UserAuthority WebAccess. In this case the user is prompted to manually authenticate to UserAuthority WebAccess the first time a Web application is requested. Authentication is carried out against the user database on the VPN-1 Pro gateway with the UserAuthority Server.

    These four areas constitute Trusted Identification Points (TIPs) because a trust has been established with each of these components (VPN-1 Pro, the Windows DC, and UserAuthority WebAccess) so that UserAuthority WebAccess knows it is receiving trusted information. For more information on setting up a trust relationship between components in the system, see Chapter 2, "UserAuthority Deployments and Installation".

    UserAuthority also supports retrieving the user identity on Citrix or Windows terminal systems. In this case, the UserAuthority Server is also installed on the Citrix MetaFrame server or Windows Terminal Services. UserAuthority is able to retrieve the user identity from information provided by the user's client connection to the server, even though a user is not identified directly in a terminal configuration. For more information on Citrix or Windows terminal deployments, see Chapter 2, "UserAuthority Deployments and Installation".

    UserAuthority's ability to automatically identify users in this deployment is used to provide:

    • Web SSO: Web SSO takes the user identity and matches it to specific credentials for a requested Web application. These credentials are inserted automatically into the application's authentication page on behalf of the user. This is all done transparently, so that the user does not have to sign on to individual applications. The sign on that is performed when the user first signs on to the system is the only sign on that is necessary. For more information, see Chapter 3, "Web SSO".

    • Web application authorization: UserAuthority uses the identity that was retrieved from a TIP to match users to defined User Groups. These groups grant users specific access to Web applications. Users are granted or denied access based on the defined criteria. For more information, see Chapter 4, "Authorization for Web Applications".

    • Unified Authorization and Authentication policy: A single policy can be used to handle all authentication and authorization to Web servers from anywhere.

    • Reduced need for authentication: Most users can be identified without authentication (e.g., LAN users, VPN users).

    • Single auditing system: One system monitors all user activities, regardless of how many Web servers are in the deployment.

    • Improved authentication and security: UserAuthority improves authentication and security methods by:

        • Using strong authentication methods for access to your system.

        • Allowing only identified and authorized requests to be sent by the proxy to the Web server.

    Business to Consumer (B2C) Deployment

    Many enterprises offer services to customers through the Internet. One example is a health maintenance organization that provides customers with the ability to view their medical records online. FIGURE 1-3 shows a B2C deployment without UserAuthority.

    FIGURE 1-3 B2C Deployment without UserAuthority WebAccess

    In this deployment, users access the Web servers directly. This does not allow the enterprise to control customer actions when they sign on. This control is very important because the information provided to customers is very sensitive. Only authorized users should be able to access the information, and customers should only be able to access their own information.

    By installing UserAuthority Server and UserAuthority WebAccess, an enterprise can easily:

    • Allow only known users to carry out various requests and access specific applications.

    • Authorize specific users to carry out specifically defined operations.

    • Provide unified access, authentication, and authorization to different Web services and Web servers.

    • Implement a secure method of authentication within the enterprise.

    FIGURE 1-4 shows a B2C deployment that utilizes the features of UserAuthority WebAccess.

    FIGURE 1-4 B2C Deployment with UserAuthority WebAccess

    In this deployment we have added the UserAuthority Server installed on the VPN-1 Pro gateway and the WAPS.

    WAPS provides additional advantages to B2C deployments:

    • Requests can be distributed to multiple Web servers according to the Web servers' content. This is important because a request that originates outside the network is not sent directly to a Web server that contains sensitive content. The WAPS sits in a protected segment (such as a DMZ) and then transfers the requests to the correct Web server only after they have been authorized.

    • UserAuthority WebAccess can personalize a home page by inserting personal information on the page. When a user accesses an enterprise's Web site, the user is greeted and possibly given personal instructions. UserAuthority WebAccess does this by inserting the user's identification information into a header that provides the personal information to the Web page. This identity is kept between servers and services.

    • UserAuthority can be smoothly integrated with VPN-1 Pro. There is no need to change VPN-1 Pro policy by opening special ports for UserAuthority WebAccess communication.

    For more information, see Chapter 4, Authorization for Web Applications.
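The identity header described in the list above is only meaningful if the Web application can tell that the proxy, and not the client, set it. The following added example (written for this discussion, not Check Point code) shows the two checks a reverse proxy and its back end need for that: the proxy drops any copy of the header the client sent before adding its own, and the application honours the header only on requests that arrived from the proxy. The header name `X-UA-Identity`, the proxy address and the request headers are assumptions constructed for the illustration; they are not UserAuthority's actual values.

```python
"""Added example (not Check Point code): passing the identity a WebAccess-style
proxy resolved to a back-end Web application in a request header, and the two
checks that make that header trustworthy. The header name X-UA-Identity and the
proxy address are assumptions for this illustration, not UserAuthority's values.
"""
from typing import List, Tuple

IDENTITY_HEADER = "X-UA-Identity"      # assumed name, see lead-in
TRUSTED_PROXIES = {"10.0.1.10"}        # constructed WAPS address

Headers = List[Tuple[str, str]]


def proxy_forward(client_headers: Headers, identity: str) -> Headers:
    """Build the header list the proxy sends on to the Web server.

    Every copy of the identity header supplied by the client is dropped
    (header names compare case-insensitively), so the value the application
    sees is always the one the proxy resolved from a TIP.
    """
    forwarded = [(name, value) for name, value in client_headers
                 if name.lower() != IDENTITY_HEADER.lower()]
    forwarded.append((IDENTITY_HEADER, identity))
    return forwarded


def backend_identity(headers: Headers, peer_ip: str) -> str:
    """Return the identity the Web application should act on ("" if none).

    The header is honoured only when the request arrived from the proxy;
    a request that reached the server directly gets no identity from it,
    whatever headers it carries. Exactly one copy is expected: duplicates
    are treated as no identity rather than picking one of them.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return ""
    values = [v for n, v in headers if n.lower() == IDENTITY_HEADER.lower()]
    return values[0] if len(values) == 1 else ""


if __name__ == "__main__":
    # Constructed request in which the client sets the identity header itself.
    client = [("Host", "portal.example.test"), ("x-ua-identity", "ceo")]
    fwd = proxy_forward(client, "bob")
    print(fwd)                                     # only the proxy's value survives
    print(backend_identity(fwd, "10.0.1.10"))      # bob
    print(backend_identity(client, "192.0.2.7"))   # empty: did not come via the proxy
```

This is the practical meaning of the guide's statement that the Web application sits in an internal segment and receives only authenticated requests: the back end must be reachable only through the WAPS, and it must treat the identity header as data from the proxy, never as data from the browser.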

    UserAuthority SSO for VPN-1 Pro Deployment

    UserAuthority can provide authorization to external resources at the network level. Most enterprises already use VPN-1 Pro authentication rules that require client or session authentication to external resources. UserAuthority expands on this by providing SSO to VPN-1 Pro as well as auditing capabilities.

    FIGURE 1-5 SSO for VPN-1 Pro Deployment

    UserAuthority eliminates the need for a user to authenticate each time an external resource is accessed. This is done by using the information on the Windows DC to identify the user. When the user requests an external resource, the UserAuthority Server on the VPN-1 Pro gateway queries the UserAuthority Server installed on a Windows DC. The UserAuthority Server on the Windows DC sends a query to a desktop application called SecureAgent, which identifies the user according to the Windows DC identification that was used at sign-on. This information is sent back to the UserAuthority Server on the VPN-1 Pro gateway to provide authentication on behalf of the user. In this way, the user is automatically authenticated, without the need to re-authenticate each time a request for external resources is made. This scenario is illustrated in FIGURE 1-5.

    UserAuthority can also be configured to create logs each time a user requests an external resource. This provides information on how users are accessing external resources. Logs can provide various types of information, such as whether users are violating enterprise policy or whether there are communications problems when trying to access external resources.

    UserAuthority extends the capabilities of VPN-1 Pro authentication by providing SSO, which eliminates the need for users to authenticate to VPN-1 Pro, and by providing auditing capabilities for requests to external resources. For more information, see Chapter 5, "Outbound Access Control".

    OPSEC Protocols

    UserAuthority supports all Check Point Open Platform for Security (OPSEC) standards. OPSEC provides a single integration framework by using the OPSEC Software Development Kit (SDK) for integration with Check Point VPN-1 Pro. OPSEC APIs provide solutions for third-party and in-house integration.

    The UAA (UserAuthority) API set can be used to create a single authorization solution for any application. For example, an enterprise might want to use a single user identification for applications that are not Web-based (such as a client installation) in addition to their Web applications. The UAA OPSEC API enables the integration of any application that requires authentication and authorization, and provides all UserAuthority benefits to the application.

    Integration can be easily programmed by in-house programmers using the OPSEC APIs. In addition, it is possible to turn to an OPSEC partner to develop a solution for the enterprise. OPSEC partners are a group of professional programmers who use the OPSEC standard.

    For information on the OPSEC UAA API set, see Chapter 11, "UserAuthority OPSEC APIs".

    UserAuthority Management Model

    Granular administration of UserAuthority allots different administrators or managers various privileges. Work can be divided between administrators according to their specialties.

    The three types of administrators who administer UserAuthority are:

    • Security Administrator: This administrator is usually the main VPN-1 Pro administrator and is responsible for all security issues in the enterprise. The Security Administrator can monitor and enforce security requirements on the Web server. This provides two advantages:

        • The administrator can set enforcement not only per machine, but according to a specific URL.

        • Because the policy is enforced on the Web server, not on VPN-1 Pro, it is enforced even for requests that do not pass through the VPN-1 Pro gateway.

    • Web Security Administrator: This person is responsible for all or most parts of the Web site security as well as the overall security issues related to Web-based applications. This administrator can set rules that have to do with all Web-based security issues, but should not have access to other security issues. These rules are defined in the Web Access tab in Check Point's SmartDashboard.

    • Application Manager: This administrator is responsible for specific applications on the Web server. Unlike the Web Security Administrator, the Application Manager can only change policy for specific URLs as defined in the Web Access tab.

    How to Use this Guide

    This guide provides step-by-step instructions for configuring UserAuthority.

    In order to assist you in the deployment of UserAuthority, this guide contains various scenarios that suit the deployments of most enterprises. These scenarios are followed by detailed workflows that can be used to help with your deployment. You can also combine the deployments and workflows described in this guide to best suit the deployment in your enterprise.

    Please note that Chapter 2 provides the foundation for the deployment of UserAuthority in its most basic form. Subsequent chapters elaborate on these deployments. In addition, some configurations have been excluded from these deployments. These configurations can easily be added once your network has been deployed with UserAuthority.

    CHAPTER 2

    UserAuthority Deployments and Installation

    In This Chapter

    Overview page 23

    Deployments page 25

    Installation and Configuration page 49

    Overview

    This chapter describes typical UserAuthority deployments and how to install and configure the UserAuthority Server (UAS) and WebAccess components used in the deployments.

    The following deployments are described in this chapter:

    • UserAuthority for Enterprise Web Applications. This deployment is used when an enterprise wants to implement Web Single Sign-On (SSO). This type of SSO enables users to access multiple Web applications without having to be authenticated each time an application is accessed. For more information on Web SSO, see Chapter 3, "Web SSO".

    • Business to Consumer (B2C). This deployment is used when the enterprise needs to implement authorization for Web applications and/or when using a single authentication method for many applications. In this deployment, an enterprise has many users accessing the network from the Internet. Administrators need to provide specific access rights for each user. Users can be assigned access to specific applications, at specific times, using a specific authentication scheme, and may have different capabilities (such as read-only access). The B2C deployment allows these rights to be easily assigned and managed. For more information, see Chapter 4, "Authorization for Web Applications".

    • Outbound Access Control. This deployment is used to provide authorization of users when they access external resources and for monitoring users' requests to access external resources. In this deployment, an administrator defines rules that allow users on an internal network to access external systems (for example, the Internet or external subnets) without having to repeatedly authenticate to the VPN-1 Pro gateway. In other words, UserAuthority is configured to eliminate the need to authenticate to VPN-1 Pro each time a request for an external resource is made. In addition, each time a request to access an external resource is made, a log entry is created. The administrator can configure UserAuthority to make these logs available, so the administrator can view a list of user activities. For more information, see Chapter 5, "Outbound Access Control".

    • UserAuthority installed on Citrix MetaFrame or Windows Terminal Services. This deployment also provides user authorization, auditing and Web SSO. The main difference between this deployment and the Enterprise with Web Applications deployment is that the client computers are connected to a Citrix MetaFrame or Windows Terminal Services server. In this case, all users access applications from the same source (the terminal server), which has only one IP address. UserAuthority uses port information to get the user identity in order to authorize and/or authenticate the user.

Although each of these deployments can adequately serve an enterprise, it is possible to combine them to create the deployment that best fits the enterprise's network. Combining the Deployments on page 45 describes how various components of the deployments can be integrated.

    The deployments described in this chapter are presented as follows:

    a general workflow for each process is described;

    the necessary components for the deployment are given;

    detailed step-by-step procedures are then described.

This chapter also explains how to carry out the basic installations and configurations for the UAS, WebAccess Proxy Server (WAPS), and other components that are necessary to carry out the deployments described in this chapter. The configurations described are the simplest configurations necessary to deploy UserAuthority. In most cases, additional configuration is not required; in complex networks, however, more advanced configurations are possible. These configurations are described in later chapters of this book.

Deployments

In This Section

UserAuthority for Enterprise Web Applications page 25

B2C page 32

Outbound Access Control page 38

Citrix MetaFrame or Windows Terminal Services page 42

Combining the Deployments page 45

This section presents some typical deployments to assist a network administrator in determining the most suitable type of deployment for the enterprise's network. This section also describes how the elements in each deployment complement one another and how they can be combined.

UserAuthority for Enterprise Web Applications

This section describes UserAuthority deployment in an enterprise with Web applications. The users in this example are employees or members of the enterprise, who can access the network from inside the enterprise and/or remotely (with or without a VPN client).

In this deployment, UserAuthority:

Provides SSO to users, which improves the security and convenience of accessing the enterprise Web applications.

Enforces the security and authorization rules of your organization, so that only authorized and secure access to the enterprise Web applications is allowed.

When a user accesses a Web application, WebAccess retrieves the user identity, decides whether the request is authorized, and performs SSO.

A network security administrator does not have to search for individual security solutions for each application, because Check Point's security is transparently integrated with the application.

For more information, see Chapter 3, Web SSO.


The following components are required for this deployment:

UAS installed on the VPN-1 Pro module

WAPS installed and located in the DMZ (or a segment separated from the local network), or the WebAccess Plug-In (WAPI) installed on each Web server

VPN-1 Pro management installed on a gateway or other server

SmartDashboard installed on a gateway or other server

At least one Web server

Windows Domain Controller (DC)

Local Internet Explorer client

Remote computer client (with or without VPN client)

For information on installing the various components, see Workflow on page 31.

    FIGURE 2-1 illustrates the deployment for an enterprise with Web applications.

    FIGURE 2-1 Sample Deployment for an Enterprise with Web Applications

    In this deployment, when a user requests access to a Web application, the request is

    routed to the WAPS.


UserAuthority WebAccess then queries one or more Trusted Identification Points (TIPs) to identify the user, as follows:

VPN-1 Pro gateway: Users who access a network through a VPN tunnel authenticate through the VPN-1 Pro gateway.

Windows DC: If the client computers are in a Windows Domain and the UAS on the VPN-1 Pro gateway cannot identify the user, WAPS mediates its internal authentication protocol (NTLM) with the Windows DC, enabling WAPS to obtain the user identity that was provided to the Windows Domain in the login process.

Citrix or Windows Terminal Services deployments: The UAS on the VPN-1 Pro gateway obtains the user identification from the UAS installed on the Terminal Services server.

UserAuthority WebAccess: In cases where the user identity cannot be obtained from another TIP, authentication takes place according to the VPN-1 Pro policy.

For more information, see Achieving User Identity on page 101.

After identification, WebAccess uses the identity information to:

Provide SSO: Credentials required by an application are injected into the application's authentication page on behalf of the user. These credentials are stored in the UserAuthority Credentials Manager. Web SSO is performed in a non-intrusive way that does not require any changes to the application code. For more information on defining SSO in WebAccess, see Web SSO.

Provide authorization: UserAuthority WebAccess matches the identity information to the rules defined in the WebAccess rule base. These rules determine whether the user is authorized to view or work on the requested Web application. For more information, see Chapter 4, Authorization for Web Applications.

UserAuthority WebAccess Deployment

WebAccess can be deployed in two ways.

UserAuthority WebAccess Proxy Server (WAPS)

WAPS is deployed on a dedicated machine. All requests for applications on the Web servers in the protected segment of the network are sent to the WAPS. The advantage of this type of deployment is that the WAPS is deployed in a DMZ or similar restricted zone in the LAN. Users requesting access to an application are not allowed to enter the enterprise's protected zone before being authenticated and authorized by the WAPS.


The WAPS is deployed as a reverse proxy, that is, a proxy that acts on behalf of the server rather than the client. The client sends its request to the published address of the proxy (the WAPS). If the user's request is authorized, the WAPS forwards it to the appropriate Web server, which provides the requested Web application.

The WAPS has the following security advantages:

Authentication takes place outside the enterprise's trusted zone. No access is permitted to the trusted zone if the requesting client is not authenticated and authorized.

The network is protected from attack because authorization is carried out in a protected zone (DMZ). All outside access is through the standard HTTP and HTTPS ports, and a client computer reaches the local network only through the WAPS.

All authentication is centralized, eliminating the need to configure authentication on each individual Web server in the network and greatly reducing costs.

Security can be provided easily because it is necessary to strengthen security at one central point only, and not at multiple points throughout the network.

Other advantages of the WAPS include:

The WAPS is easy to maintain because it supports multiple Web servers with only one installation.

The WAPS supports all Web servers (not only IIS).

The WAPS supports Integrated Windows Authentication.

UserAuthority WebAccess Plug-In (WAPI)

WAPI is deployed directly on the Web server that hosts the Web applications. In this case, the request is sent directly to the Web server with the requested Web application, and WAPI is configured to intercept all requests so that they can be authenticated and authorized.

Deploying the WAPI can be advantageous in networks with only a few Web servers. Because the requests are sent directly to the actual Web server, an additional server is not necessary. The WAPI must be configured individually for each Web server. In a network with a large number of Web servers, the WAPI must be installed on each one, which requires a greater amount of effort in terms of initial configuration and maintenance (for example, upgrades).

FIGURE 2-2 shows a deployment with the WAPI. This scenario has one Web server, which is located in the DMZ.

FIGURE 2-2 Sample Deployment for an Enterprise with an Internal Web Application using UserAuthority WAPI

Terms in UserAuthority WebAccess Configuration

When you install WebAccess, a set of configuration options must be defined. These options are displayed as part of the installation process. Most of the configuration is the same for both the WAPS and the WAPI. However, for the WAPS, you must also configure virtual hosts. Common Suffix Domains are configured when there is more than one Web server in the deployment.

Virtual Hosts

A virtual host is a Web server that holds the Web applications. When you deploy the WAPS, you create a virtual host that defines how internal Web servers are assigned. (For information on how to configure virtual hosts, see Configuring Virtual Hosts on page 84.)

Note - The WAPI is available for IIS servers only. For other servers, you must use the UserAuthority WAPS.

Note - The WAPI deployment is best used when there is only one Web server or there is no access to the enterprise's Web applications from outside the network. The WAPI does not support Integrated Windows Authentication.


The network administrator defines the IP address of the server that is published (the WAPS) and maps it to the Web server that holds the requested pages (the virtual host). Where more than one Web server is used, a different virtual host is defined for each Web server. It is also possible to define rules so that requests to the proxy are made over SSL while requests from the proxy to the Web servers are sent over ordinary HTTP. Because the client request is sent to the WAPS, the user sees only the address of the WAPS.

The address or IP of the server that actually holds the requested page remains hidden. This is advantageous for security because the requester receives no information about the original server, which might itself reveal additional sensitive information. FIGURE 2-3 shows an example of the use of virtual hosts.

FIGURE 2-3 Virtual Hosts

    In FIGURE 2-3, the following servers are defined using the common suffix

    .myEnterprise.com:

    Webserver 1 is defined as webserver1.myEnterprise.com so that all requests to this

    domain arrive at the proxy and are sent to 10.10.5.2 according to the virtual host

    definition.

    Webserver 2 is defined as webserver2.myEnterprise.com so that all requests to this

    domain arrive at the proxy and are sent to 10.10.5.3 according to the virtual host

    definition.
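The virtual host mapping that FIGURE 2-3 describes, as an added example in Python (this is not Check Point code and not how the WAPS itself is implemented): a routing table keyed on the Host header resolves a published name to the internal Web server, refuses names that are not defined, and rewrites a backend redirect so that the internal address is not disclosed to the client. The host names and the 10.10.5.x addresses are taken from the figure; the backend port, the TLS choices, the `//` path check and all function names are assumptions made for the example.

```python
"""Virtual-host routing for a reverse proxy in front of internal Web servers.
Added example; assumptions are marked in the comments."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class VirtualHost:
    published_name: str        # name the client uses (from FIGURE 2-3)
    backend_ip: str            # internal server the proxy forwards to (from FIGURE 2-3)
    backend_port: int = 80     # assumption: backends speak plain HTTP on port 80
    backend_tls: bool = False  # the page allows SSL to the proxy and plain HTTP behind it


# Routing table keyed by the lower-cased Host header value (constructed from FIGURE 2-3).
VIRTUAL_HOSTS: Dict[str, VirtualHost] = {
    "webserver1.myenterprise.com": VirtualHost("webserver1.myEnterprise.com", "10.10.5.2"),
    "webserver2.myenterprise.com": VirtualHost("webserver2.myEnterprise.com", "10.10.5.3"),
}


def resolve_backend(host_header: str) -> Optional[VirtualHost]:
    """Look up the virtual host for a request's Host header.

    The optional :port and any trailing dot are stripped and the name is
    lower-cased before lookup (IPv6 literals are not handled). An unknown
    name returns None: the proxy must refuse it rather than forward to an
    address the client chose.
    """
    name = host_header.split(":", 1)[0].strip().rstrip(".").lower()
    return VIRTUAL_HOSTS.get(name)


def build_upstream_url(host_header: str, path: str) -> Optional[str]:
    """Return the URL the proxy forwards to, or None if the request is refused.

    The path must be an absolute path starting with a single slash; a path
    beginning with '//' could be read by the backend as a new authority.
    """
    vh = resolve_backend(host_header)
    if vh is None or not path.startswith("/") or path.startswith("//"):
        return None
    scheme = "https" if vh.backend_tls else "http"
    return f"{scheme}://{vh.backend_ip}:{vh.backend_port}{path}"


def rewrite_location(location: str, vh: VirtualHost, client_scheme: str = "https") -> str:
    """Rewrite a backend redirect so the client sees only the published name.

    A backend answering 'Location: http://10.10.5.2/login' would otherwise
    disclose its internal address, which the page says must stay hidden.
    Relative Locations and foreign hosts are returned unchanged.
    """
    parts = urlsplit(location)
    if parts.hostname == vh.backend_ip:
        return urlunsplit((client_scheme, vh.published_name, parts.path, parts.query, parts.fragment))
    return location


if __name__ == "__main__":
    print(build_upstream_url("webserver1.myEnterprise.com:443", "/app/"))
    print(rewrite_location("http://10.10.5.2:80/login", VIRTUAL_HOSTS["webserver1.myenterprise.com"]))
```

The table is deliberately the only way a request can reach an internal address: anything not listed is refused, which is the property the page relies on when it says a client reaches the local network only through the WAPS.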

Common Suffix Domain

Common Suffix Domains are configured when there is more than one Web server in the deployment.

The Common Suffix Domain is the last part of the domain. For example, in the domain a.myEnterprise.com, the suffix domain is myEnterprise.com. Where there is more than one Web server (for example, a.myEnterprise.com and b.myEnterprise.com), the Common Suffix Domain (shared by both domains) is .myEnterprise.com.


When a user is identified, UserAuthority WebAccess places a cookie on the client. The cookie contains encoded information that includes the user identity key. The browser sends the cookie with each request to the Web server, and UserAuthority WebAccess uses the identity key in the cookie to recognize the user making the request. A browser sends a cookie only when the requested host falls within the cookie's domain.

UserAuthority WebAccess uses the Common Suffix Domain to make the cookie available to all Web servers in the deployment. When you define a Common Suffix Domain, all domains in the deployment must have the suffix defined in the Common Suffix Domain. Because every host under that suffix receives the identity cookie, the suffix should be no wider than the set of Web servers you trust with it. In the Common Suffix Domain configuration, you can also define how to handle requests that do not have the common suffix.
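Why the identity cookie must be scoped to the Common Suffix Domain, as an added example in Python (not Check Point code): it implements the cookie domain-matching rule of RFC 6265, shows which of the deployment's hosts the browser would send a cookie set with Domain=.myEnterprise.com to, and derives the Common Suffix Domain from a list of Web server names. The host names other than the myEnterprise.com ones from the page are constructed for the example.

```python
"""Cookie domain scoping behind a Common Suffix Domain.
Added example; host names outside myEnterprise.com are constructed."""
from typing import Iterable, List


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: the request host equals the cookie domain, or
    ends with '.' + domain. A leading dot on the Domain attribute is ignored,
    as browsers do, so '.myEnterprise.com' and 'myEnterprise.com' are the same."""
    host = _normalize(request_host)
    domain = _normalize(cookie_domain).lstrip(".")
    if not domain or not host:
        return False
    return host == domain or host.endswith("." + domain)


def hosts_receiving_cookie(cookie_domain: str, hosts: Iterable[str]) -> List[str]:
    """Hosts in the deployment to which the browser would send the identity cookie.
    Every host listed here learns the identity key, so each must be trusted."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def common_suffix_domain(hostnames: Iterable[str]) -> str:
    """Derive the Common Suffix Domain of the deployment's Web servers: the longest
    run of trailing DNS labels they all share. Returns '' when fewer than two
    labels are shared, because a cookie scoped to a bare top-level domain such
    as 'com' is rejected by browsers and would otherwise leak the identity key
    to every host under that TLD."""
    names = [_normalize(h) for h in hostnames]
    if not names:
        return ""
    reversed_labels = [n.split(".")[::-1] for n in names]
    shared = []
    for labels in zip(*reversed_labels):   # walk from the TLD inwards
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    if len(shared) < 2:
        return ""
    return ".".join(reversed(shared))


if __name__ == "__main__":
    servers = ["webserver1.myEnterprise.com", "webserver2.myEnterprise.com", "partner.example.net"]
    print(common_suffix_domain(servers[:2]))
    print(hosts_receiving_cookie(".myEnterprise.com", servers))
```

The third case in the test, myEnterprise.com.evil.net, is the one to remember: a suffix match is on whole labels from the right, so a look-alike name under another domain never receives the cookie, while any genuine sub-domain of the suffix always does.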

Workflow

The following workflow shows the steps needed to deploy UserAuthority in an enterprise with Web applications.

To carry out the deployment:

1 Install the UAS on the VPN-1 Pro gateway (see Installing and Configuring UAS on VPN-1 Pro on page 49).

2 Install the WAPS on a separate server. Make sure to configure a virtual host and then indicate a Common Suffix Domain for all the Web servers in the deployment. Make sure to configure WebAccess in SmartDashboard as well.

OR

If you are deploying the WAPI, install it on each Web server in your deployment.

For information on UserAuthority WebAccess installation and configuration, see Installing and Configuring UserAuthority WAPS on page 70 or Installing and Configuring the UserAuthority WAPI on page 80.

3 Configure the deployment to trust the Windows Domain as an Identification Point.

A If you deploy the WAPS, configure Integrated Windows Authentication (see Configuring Integrated Windows Authentication on page 116). If you deploy the WAPI, install a UAS on the Windows DC and configure automatic SecureAgent installations (see Installing and Configuring the UAS on the Windows DC on page 61).

B If your network includes Citrix/Terminal Services users, install a UAS on the Citrix/Terminal Services server. See Installing and Configuring the UAS on the Windows DC on page 61; the installation and configuration are the same. You do not need to configure SecureAgent.


4 Install a basic UserAuthority WebAccess policy (see Configuring a Basic Web SSO Rule on page 85).

5 Manage users in VPN-1 Pro by defining at least one user in a user database and/or connecting to an existing LDAP server. For more information on creating databases, see the instruction guides provided with the database software and hardware. For more information, see Chapter 6, User Management in UserAuthority.

Test Your Deployment

1 Enter your Web site in such a way that you will be recognized by a TIP (for example, from the local network or from SecureClient/SecureRemote).

If your application uses HTML form authentication, the application login page should be displayed with a UserAuthority widget.

If your application uses basic authentication, a UserAuthority update page should be displayed.

2 Enter your credentials.

3 Close your Web browser.

4 Enter the Web application again in such a way that you will be recognized by a TIP. You automatically enter the application without seeing the login page.

Note - If a WebAccess Authentication page is displayed, a problem has occurred in the identification process.

If you wish to test your deployment without TIP identification, see Test Your Deployment on page 37.

B2C

A Business to Customer (B2C) deployment is used by enterprises that offer services to customers, clients or agents through the Internet. A typical example is a company that sells books or toys and has customers who access the network from the Internet. Security is important in this case because the company database might contain sensitive information, such as customer financial details. It is important that only users authorized to receive specific information can get that information, and only that information.

In this deployment, the client computers belong to users who are not members of the enterprise. They do not have a VPN client, so identification is usually carried out by UserAuthority WebAccess. UserAuthority provides two advantages in this type of deployment:


External Authorization Point: The remote user's identification is captured by UserAuthority WebAccess. Thereafter, UserAuthority WebAccess performs authentication to the Web application on behalf of the user.

Single Sign-On: Users are authorized without having to authenticate to each application that they request, and only authorized users can access the enterprise's Web applications.

The authorization policy addresses the following criteria:

Who can do what, and when it can be done.

How a Web site or application can be accessed.

A network administrator first sets an authorization policy in UserAuthority that determines who can access applications, which applications they can access, and how they can access them (for example, read-only access or full access). It is also possible to determine when a user has read-only access, or when the user cannot access the application at all.

The authorization policy also determines how an application is accessed, for example, whether access is allowed over a non-secure connection or only over an SSL-secured connection.

    UserAuthority provides the means to implement authorization policy on an application

    level. This means that users can only access those applications to which they are

    specifically given access. Therefore, not all users who have permission to cross the

    WAPS can access the same information. This is important for enterprises that provide

    sensitive information, such as personal medical information or bank account

    information. Users can sign on and gain access to the network, but depending on their

    authorization rights, they can only gain access to their own information.

    For more information on Authorization for Web Applications, see Chapter 4,

    Authorization for Web Applications.

The following components are required for this deployment:

UAS installed on a VPN-1 Pro module. (A third-party firewall gateway can be used; in this case the VPN-1 Pro module is installed on the same machine as UserAuthority WebAccess. See FIGURE 2-5.)

WAPS installed and located in a DMZ (or a segment separate from the local network), or WAPI installed on each Web server. (For a description of WAPS and WAPI and the differences between them, see UserAuthority WebAccess Deployment on page 27.)

VPN-1 Pro management installed on a gateway or other server.

SmartDashboard installed on a gateway or other server.

At least one Web server.

An internal network, if necessary, for maintaining the Web site.

For information on installing the various components, see Workflow on page 31.

FIGURE 2-4 shows a B2C deployment with multiple Web servers and the WAPS located in the DMZ:

FIGURE 2-4 B2C Deployment

In this deployment, remote users connect to the system through UserAuthority WebAccess. FIGURE 2-4 shows the system deploying the WAPS in the DMZ. It is also possible to deploy a WAPI on each of the Web servers; in this case, a separate WAPS is not necessary.

The WAPS configuration is recommended because fewer UserAuthority WebAccess installations are necessary, and it ensures that no user can reach the application Web servers without being authenticated. For more information on the advantages of each type of UserAuthority WebAccess deployment, see UserAuthority WebAccess Deployment on page 27.


For security reasons, the WAPS is typically located on a segment separate from the Web servers. This is usually a DMZ; however, the network administrator can deploy the network in whatever configuration best fits the enterprise, including configurations where the WAPS is deployed on the same segment as the Web servers. Security is achieved by defining the VPN-1 Pro policy so that all access to the network passes through UserAuthority WebAccess.

UserAuthority WebAccess authenticates the client using a defined authentication process. The first time a user accesses the system, an HTML authentication page is displayed requesting the user's credentials. For the remainder of the session, UserAuthority WebAccess remembers the user identity. It is also possible to configure the network so that a user does not have to enter credentials for successive sessions if logging on from the same client.

A B2C deployment can be deployed with a third-party (non-Check Point) firewall. In this case, the VPN-1 Pro module is installed as a secure server on the same computer as the UAS and WebAccess.

FIGURE 2-5 shows how UserAuthority is deployed when using a third-party firewall:

FIGURE 2-5 B2C Deployment with Third-Party Firewall Gateway


In the B2C deployment, the following takes place:

1 The user accesses the company's Web resources using a Web browser.

2 When the user accesses a Web resource for the first time, VPN-1 Pro allows the request to reach UserAuthority WebAccess, which asks for the user's identity.

3 UserAuthority WebAccess queries the UAS on the VPN-1 Pro gateway for the user's identity. If UserAuthority already knows the user's identity (from a TIP, such as a VPN tunnel or Windows domain), the identity is passed back to UserAuthority WebAccess for authorization. If the identity is unknown, UserAuthority WebAccess sends an authentication page and requests the user's identification information.

4 UserAuthority WebAccess then matches the user against the defined UserAuthority WebAccess rules.

5 Users who match the defined rules are authorized to access the requested Web resource and are provided with SSO. For more information on configuring authorization rules, see Chapter 4, Authorization for Web Applications.
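The five-step B2C flow above, together with the authorization criteria listed earlier in this section (who, which application, when, read-only or full access, SSL required), as an added example in Python. This is not Check Point code and does not reproduce the WebAccess rule base format: the rule fields, the first-match semantics, the TIP lookup table standing in for the UAS query, the shop.example host and every user name are assumptions made for the example.

```python
"""Identity lookup and first-match authorization for a Web application front end,
modelled on the B2C flow. Added example; rule fields, the TIP table and all
names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass(frozen=True)
class Rule:
    users: frozenset           # user names, or {"*"} for any identified user
    application: str           # lower-case host plus path prefix ("who can do what")
    access: str                # "full", "read-only" or "deny"
    require_ssl: bool = False  # "how": only over an SSL-secured connection
    hours: Optional[Tuple[time, time]] = None  # "when": rule applies in this window


@dataclass(frozen=True)
class Request:
    client_ip: str
    host: str
    path: str
    method: str
    over_ssl: bool
    at: datetime


@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "deny" or "authenticate"
    reason: str


def identify(client_ip: str, tip_table: Dict[str, str]) -> Optional[str]:
    """Step 3: does a TIP already know who is behind this client?
    The table stands in for the UAS on the gateway; None means unknown."""
    return tip_table.get(client_ip)


def rule_applies(rule: Rule, user: str, req: Request) -> bool:
    if "*" not in rule.users and user not in rule.users:
        return False
    if not (req.host.lower() + req.path).startswith(rule.application):
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= req.at.time() < end):
            return False
    return True


def authorize(user: str, req: Request, rules: List[Rule]) -> Decision:
    """Step 4: the first matching rule decides; no match is an implicit deny."""
    for rule in rules:
        if not rule_applies(rule, user, req):
            continue
        if rule.access == "deny":
            return Decision("deny", f"{user} denied for {rule.application}")
        if rule.require_ssl and not req.over_ssl:
            return Decision("deny", f"{rule.application} requires SSL")
        if rule.access == "read-only" and req.method not in READ_ONLY_METHODS:
            return Decision("deny", f"{user} is read-only on {rule.application}")
        return Decision("allow", f"{user} {rule.access} on {rule.application}")
    return Decision("deny", "no matching rule")


def handle(req: Request, tip_table: Dict[str, str], rules: List[Rule],
           submitted_user: Optional[str] = None) -> Decision:
    """Steps 2-5: use a TIP identity if one exists, otherwise the credentials the
    user entered on the authentication page; with neither, send that page."""
    user = identify(req.client_ip, tip_table) or submitted_user
    if user is None:
        return Decision("authenticate", "identity unknown to every TIP; send authentication page")
    return authorize(user, req, rules)


# Constructed sample data: one internal client already identified through a TIP,
# and a rule base for a shop with a public catalogue and private account pages.
TIP_TABLE = {"10.10.1.20": "alice"}
RULES = [
    Rule(frozenset({"alice", "bob"}), "shop.example/account/", "full", require_ssl=True),
    Rule(frozenset({"*"}), "shop.example/catalogue/", "read-only",
         hours=(time(8, 0), time(18, 0))),
    Rule(frozenset({"*"}), "shop.example/", "deny"),
]


def decide(client_ip: str, path: str, method: str, over_ssl: bool, hour: int,
           submitted_user: Optional[str] = None) -> str:
    """Convenience wrapper over the sample data; returns only the action."""
    req = Request(client_ip, "shop.example", path, method, over_ssl, datetime(2005, 4, 13, hour, 30))
    return handle(req, TIP_TABLE, RULES, submitted_user).action


def demo() -> List[str]:
    return [
        decide("203.0.113.9", "/catalogue/", "GET", True, 10),           # first visit: authenticate
        decide("203.0.113.9", "/catalogue/", "GET", True, 10, "carol"),  # after login: allow
        decide("10.10.1.20", "/account/", "GET", True, 10),              # known via TIP: allow
        decide("10.10.1.20", "/account/", "GET", False, 10),             # no SSL: deny
    ]
```

The order of checks inside a matched rule is what makes the policy enforce the page's criteria rather than merely record them: a rule that grants full access still refuses the request when the connection is not SSL, and a read-only rule refuses any method that could change state, so a customer who can see the catalogue cannot post to it.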

Workflow

To carry out the deployment:

1 Install the UAS on the VPN-1 Pro gateway. (If you are using a third-party firewall, install the UAS on the same computer as UserAuthority WebAccess.) For more information, see Installing and Configuring UAS on VPN-1 Pro on page 49.

2 Install the WAPS on a separate server. Make sure to configure a virtual host and then indicate a Common Suffix Domain for all the Web servers in the deployment.

OR

If you are deploying the WAPI, install it on each Web server in your deployment.

Make sure to configure WebAccess in SmartDashboard as well.

For information on UserAuthority WebAccess installation and configuration, see Installing and Configuring UserAuthority WAPS on page 70 or Installing and Configuring the UserAuthority WAPI on page 80.

    3 Install a default UserAuthority WebAccess policy, see Configuring a Bas