Technical data

Configuring VSX
Check Point VSX Administration Guide NGX R67 | 64
SecurID
SecurID requires users to possess a token authenticator and to supply a password. Token authenticators
generate one-time passwords that are synchronized to an RSA ACE/Server. Hardware tokens are key-ring
or credit card-sized devices, while software tokens reside on the PC or device from which the user wants to
authenticate. All tokens generate a random, one-time use access code that changes approximately every
minute. When a user attempts to authenticate to a protected resource, the one-time use code must be
validated by the ACE/Server.
Configuring RADIUS or TACACS/TACACS+
Two options are available for enabling connectivity between Virtual Systems and external authentication
servers:
Shared: Servers are accessible from VSX gateways and clusters
Private: Servers are accessible from Virtual Systems
Shared
When the shared option is configured, all authentication servers are accessible by all Virtual Systems
through the VSX gateway. This is the default option.
1. To configure the shared option, use the database tool GuiDBedit to set the
shared_external_server property to TRUE (default setting).
2. The Virtual Systems use the IP address of the VSX gateway, so connections to external servers carry the
VSX machine's IP address as their source address; this address is unique to each cluster member.
Virtual Systems on the same cluster member therefore have identical source addresses when accessing
the external management server.
3. Verify that the Authentication Server is located on the same network segment as the VSX gateway.
4. Members of the cluster must not perform hide NAT on the external server service. To prevent Hide NAT:
a) On the management server, open the /opt/CPvsxngxcmp-R67/lib/table.def file for editing.
5. To the no_hide_services_ports table, add the service of the authentication scheme you wish to
use, for example UDP 5500 for SecurID. The line should read:
no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500, 17> };
6. Reinstall the policy on the Virtual System.
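The following script is an added example, not part of the Check Point guide, that checks and edits the no_hide_services_ports line before the policy is reinstalled. It parses the <port, protocol> pairs of the table line, reports whether a given service (UDP 5500 for SecurID in the usage call) is already excluded from Hide NAT, and appends it if missing while preserving the existing entries and layout. The function and constant names are assumptions; the sample line without the SecurID entry is constructed as a plausible starting state.

```python
import re

# Constructed sample: the no_hide_services_ports line as the guide shows it after
# the SecurID entry (<5500, 17>, i.e. UDP 5500) has been added.
LINE_WITH_SECURID = "no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500, 17> };"
# Constructed sample (assumed starting state): the same table without the SecurID entry.
LINE_WITHOUT_SECURID = "no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };"

UDP = 17  # IP protocol number for UDP, the second field of each <port, proto> pair
TABLE_NAME = "no_hide_services_ports"
ENTRY_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")


def parse_no_hide_services(line):
    """Return the (port, protocol) pairs of a no_hide_services_ports line, in file order."""
    stripped = line.strip()
    if not stripped.startswith(TABLE_NAME) or not stripped.endswith("};"):
        raise ValueError("not a complete no_hide_services_ports definition")
    return [(int(port), int(proto)) for port, proto in ENTRY_RE.findall(stripped)]


def render_no_hide_services(entries):
    """Rebuild the line in the same layout the guide uses."""
    body = ", ".join(f"<{port}, {proto}>" for port, proto in entries)
    return f"{TABLE_NAME} = {{ {body} }};"


def has_service(line, port, proto=UDP):
    """True if <port, proto> is already exempted from Hide NAT on this line."""
    return (port, proto) in parse_no_hide_services(line)


def ensure_service(line, port, proto=UDP):
    """Return (line, added): the line with <port, proto> present, appended if it was missing."""
    entries = parse_no_hide_services(line)
    if (port, proto) in entries:
        return line, False
    entries.append((port, proto))
    return render_no_hide_services(entries), True


def check_table_def(text, port, proto=UDP):
    """Scan a whole table.def text for the table line and report whether the service is exempted."""
    for line in text.splitlines():
        if line.strip().startswith(TABLE_NAME):
            return has_service(line, port, proto)
    return False  # table line absent: the service is not exempted from Hide NAT


if __name__ == "__main__":
    # Usage: make sure UDP 5500 (SecurID) is excluded from Hide NAT, as step 5 requires.
    new_line, added = ensure_service(LINE_WITHOUT_SECURID, 5500)
    print("added" if added else "already present")
    print(new_line)
```

Running check_table_def over the real file's contents before and after the edit gives a simple pre-reinstall verification; the parser is deliberately strict (the line must start with the table name and end with "};") so a partially edited line is reported as an error rather than silently accepted.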
Private
When the private option is configured, authentication servers are accessed directly by the Virtual System.
The Virtual system and the authentication server are located on the same network segment.
Connections to the external authentication server use the Virtual System's cluster IP address as the
source address.
To configure the private option, use the database tool GuiDBedit to set the
shared_external_server property to FALSE.
Once the private option has been configured, it is not possible for the Virtual System to connect to other
authentication servers in the VSX management network unless an explicit path is created through a
Virtual Router or Virtual Switch.
There is no need to edit the table.def file.
Configuring SecurID ACE/Server
There are two options available for enabling connectivity between Virtual Systems and a SecurID
ACE/Server:
Shared: Servers are accessible from VSX gateways and clusters