Firewall-1

[FW-1] Tokens

Subject: [FW-1] Tokens
From: "Hawkins, Michael" <MHawkins AT TULLIB DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 25 Aug 2005 08:29:32 -0400
I have been trialing RSA tokens and got it working rather well with our
AD environment.

Then the quote came along and now I'd like to look at others.

I intend to use the tokens in two ways:

i) VPN secure client authentication
ii) firewall client authentication - for our webmail server, I would
like to have the user authenticate to the firewall first before being
permitted to get to the webmail server.

What do others on the list use other than SecurID?

Mike Hawkins

Office: 212-208-3888

Mobile: 917-887-3614

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Tom
Rowan
Sent: Wednesday, August 24, 2005 10:51 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Desktop Security Policy will not Install (NGX Upgraded,
Policy Server, IPSO 3.9)

All,

I am having an issue with a recent upgrade to NGX regarding installing 
the Desktop Security Policy to the Policy Server.

Background
----------

- Prior to upgrade, all running fine on NG FP3. Everything solid, no 
errors or issues.
- Management Server on Win2003, freshly built with NGX added. Config was 
imported from an upgrade_export file.
- Single module on Nokia IPSO 3.9, upgraded not 'new install'.


Normal gateway policy installs fine and is fully operational.

Not all the licenses upgraded fine:
    - 75 SC user licenses (3 blocks of 25)
    - Two of these are not in Enterprise Support and didn't upgrade
    - Also, the corresponding three Policy Server licenses read: "The 
upgrade in the following case is not necessary. The NGX upgrade can 
continue and will not be affected by this error." (A manual upgrade 
using license_upgrade fails also.)

SecureClients can connect and download topology, so this is not 
affecting service.


Problem
-------

The Desktop Security Policy will not install onto the policy server:
"Memory allocation problem in Policy installation function."


Fixes So Far
------------

Initially, the policy server wasn't being started.
(ps -aux | grep dtps    =   no processes)

The following has been added to fwauthd.conf on the Nokia:

0    dtps    dtpsd    respawn    0

A 'cpstop ; cpstart' does now start the service, but the issue is still 
present.

Running 'dtps debug on' and then reviewing the dtps.elg and dtpsd.elg 
files shows that:

user_count_not_ok: Desktop Security was not installed on the Policy
Server.

There are only 22 users defined in the user list.
There is a 25 user license for SecureClient (CPVP-VSC) attached to the 
manager, but no UPGRADED license for the Policy server (CPVP-VPS) 
attached to the module.


I am 95% SURE that this will be a licensing issue.

Your thoughts?

Tom


-- 
---
Tom Rowan BSc (Hons), MBCS, CCSE+

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
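
The checks described in the quoted message (the dtps entry in fwauthd.conf, then the user_count_not_ok marker in the dtps debug logs) can be scripted as below. This is an added example, not part of either post and not Check Point code; file locations are not given in the thread, so they are passed as arguments, and the sample files are constructed.

```shell
#!/bin/sh
# Triage sketch for the two artifacts named in the thread: fwauthd.conf
# and the dtps debug logs (dtps.elg / dtpsd.elg). Function names are hypothetical.

# Succeeds if the conf file has an entry with name "dtps" and binary "dtpsd".
dtps_entry_present() {
    awk '$2 == "dtps" && $3 == "dtpsd" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Succeeds if any of the given logs contains the user_count_not_ok marker.
user_count_blocked() {
    grep -q 'user_count_not_ok' "$@" 2>/dev/null
}

# Usage: dtps_triage <fwauthd.conf> <log>...
# Prints one of: no_daemon_entry | user_count_not_ok | no_marker
dtps_triage() {
    conf=$1; shift
    if ! dtps_entry_present "$conf"; then
        echo no_daemon_entry      # dtpsd would not be started by cpstart
    elif user_count_blocked "$@"; then
        echo user_count_not_ok    # daemon configured, install refused on user count
    else
        echo no_marker            # look elsewhere in the debug output
    fi
}

# Constructed sample inputs: the conf line and the log message are the ones
# quoted in the thread; everything else is filler.
demo() {
    d=$(mktemp -d)
    printf '0    dtps    dtpsd    respawn    0\n' > "$d/fwauthd.conf"
    printf 'constructed filler line\n' > "$d/dtpsd.elg"
    printf '%s\n' 'constructed filler line' \
        'user_count_not_ok: Desktop Security was not installed on the Policy Server.' \
        > "$d/dtps.elg"
    dtps_triage "$d/fwauthd.conf" "$d/dtpsd.elg" "$d/dtps.elg"
    rm -rf "$d"
}
demo
```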