Technical data
Configuring VSX
Check Point VSX Administration Guide NGX R67 | 65
Private: Servers are accessible from Virtual Systems
In both instances, the SecurID ACE/Server sends a shared key (called a "node secret") to its peer ACE/Clients. This key is unique per IP address, and is sent once for each IP address.
Note - Users cannot authenticate to a Virtual System using SecurID when SSL Network Extender and SecureClient are active.
Shared
To configure the shared option, use the database tool GUIDBedit to set the shared_external_server property to TRUE.
Members of the cluster must not perform Hide NAT on the external server service.
To prevent Hide NAT:
1. On the management server, open the /opt/CPvsxngxcmp-R67/lib/table.def file for editing.
2. Add the UDP 5500 service to the no_hide_services_ports table. The line should read as follows:
no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17>, <5500,17> };
3. Reinstall the policy on the Virtual Systems.
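As an added example (not from the guide), a POSIX shell helper that applies step 2 to a copy of table.def idempotently, so re-running the step never duplicates the <5500,17> entry and a backup is kept. It assumes the set is written on a single line as in the sample above; the file path is whatever copy you point it at (the real file is /opt/CPvsxngxcmp-R67/lib/table.def on the management server).

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: add a <port, proto> pair to the
# no_hide_services_ports set in a table.def file without creating duplicates.
# Assumption: the set occupies one line, e.g.
#   no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <123, 17> };

# has_no_hide_port FILE PORT PROTO -> exit 0 if the pair is already in the set.
# Spaces are stripped first so "<5500,17>" and "<5500, 17>" compare equal.
has_no_hide_port() {
    tr -d ' ' < "$1" | grep -q "no_hide_services_ports.*<$2,$3>"
}

# ensure_no_hide_port FILE PORT PROTO -> append the pair if it is missing,
# keeping a FILE.bak copy of the original before editing.
ensure_no_hide_port() {
    file=$1; port=$2; proto=$3
    if has_no_hide_port "$file" "$port" "$proto"; then
        return 0   # already present: nothing to change
    fi
    cp "$file" "$file.bak"
    # On the set's line: fill an empty "{ };" set, otherwise append before "};".
    # The "t" command skips the second substitution when the first one matched.
    sed -E \
        -e "/no_hide_services_ports/{" \
        -e "s/\{[[:space:]]*\};/{ <$port, $proto> };/" \
        -e "t" \
        -e "s/[[:space:]]*\};/, <$port, $proto> };/" \
        -e "}" "$file" > "$file.new" && mv "$file.new" "$file"
}

# Usage (placeholder path): ensure_no_hide_port /path/to/table.def 5500 17
```

After editing the real file, reinstall the policy as step 3 says; the edit alone does not take effect.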
To generate an sdconf.rec file, perform the following procedure on the ACE/Server.
4. Generate the sdconf.rec file with the IP address of the VSX gateway: VS(0).
5. Copy the sdconf.rec file to the appropriate cluster member.
a) When a Virtual System connects to a VSX gateway at VS(0), place the sdconf.rec in the /var/ace directory. Create this directory if it does not exist.
b) In all other cases, place sdconf.rec in $FWDIR/CTX/CTX000X/conf.
Private
When using the private option for accessing external servers, all the members use the same cluster IP address as the source address for connections to the ACE/Server.
To configure the private option, use the database tool GUIDBedit to set the shared_external_server property to FALSE.
After the first connection that uses SecurID authentication, the ACE Server creates a shared key called securid. This "node secret" key is created only once, and sent to the $FWDIR/CTX/CTX000X/conf directory of the active cluster member.
To make this shared key available to the other member gateways, manually copy the "node secret" key from the first gateway. (The ACE/Server will not recreate the key.)
To generate an sdconf.rec file, perform the following procedure on the ACE/Server.
1. Generate the sdconf.rec file with the cluster IP of the Virtual System.
2. Copy the sdconf.rec file to the relevant cluster member.
a) When a Virtual System connects to a VSX gateway at VS(0), place the sdconf.rec in the /var/ace directory. Create this directory if it does not exist.
b) In all other cases, place sdconf.rec in $FWDIR/CTX/CTX000X/conf.
For Both Shared and Private Options on SecurID Connections
So that the active cluster member uses the cluster IP address as part of the hash performed on SecurID traffic, perform the following steps on all cluster members:
1. Create a file named /$FWDIR/CTX/CTX<VSID>/conf/sdopts.rec
2. Enter the client IP address: