
[FW1] SecurID troubleshooting checklist



Troubleshooting checklist:
*Fact: ACE/Agent does not need to be installed on the firewall machine. FW-1
includes the functionality required to perform this function.

1. Make sure that the binding order of the FW-1 machine's network interfaces lists
the external NIC on top (first). On ACE/Server, make sure that this external
interface is the primary interface of the firewall client object. All other
interfaces are listed as Secondary Nodes. Failing this, recreate the ACE/Server
firewall client object, alternating the positions of the interfaces (i.e. an
internal NIC as the primary, the external NIC as a secondary). This DOES matter.

2. Make sure that the encryption type is configured correctly (DES vs. SDI). Most of
the time DES is the winner - check your FW-1 machine to verify.

3. Make sure that the ACE/Server firewall client object has the correct type of
server. UNIX = UNIX FW-1 ('nuff said), NetOS = FW-1 on NT. Communication Server will work
for NT, but that's not what it was designed for and results may vary.

4. For the various node authentication failure issues, delete the 'securid' file
from the FW-1 machine, uncheck the 'sent node secret' box in the ACE/Server firewall
client object, and try authentication again. ACE/Server cannot overwrite a
contaminated 'securid' file (certificate) from the FW-1 box - it has to be done
manually.

5. Authenticate locally with the keyfob on the ACE/Server first to rule out the
possibility of a synchronization or passcode error.

6. Above all, if any ACE/Server configuration changes are made, recopy the
sdconf.rec file to the FW-1 box.

There are other goodies to check but these have been the most helpful for me.

Cheers - I

Dan Hitchcock wrote:

> I've successfully configured SecurID before without installing the ACE/Agent
> on the firewall.  Per Checkpoint documentation, all you need to do is copy
> the sdconf.rec file to the system32 directory of your NT box and reboot.  If
> this has changed in SP2 of 4.1, please post.
>
> A side note:  I would expect that the SecurID client would be the management
> station, not the inspection module.  However, my last implementation had the
> inspection module and the management station on the same box, so I can't
> verify that.
>
> Dan Hitchcock
> CCNA, MCSE
> Network Engineer
> Xylo, Inc. (formerly employeesavings.com)
>> The work/life solution for corporate thought leaders
>
> -----Original Message-----
> From: Fabiola Mayorca [mailto:[email protected]]
> Sent: Monday, October 30, 2000 8:27 AM
> To: Matthew Melbourne; [email protected]
> Subject: Re: [FW1] FW-1 4.1, SecureRemote and RSA SecurID
>
> Hello Matthew,
>
> I've worked with RSA SecurID too, and you have to install the ACE/Agent on
> the Windows machine. There is no other way. The ACE/Agent for Windows NT can
> be found in your sw package of RSA.
> If you know spanish, I can send a complete procedure in how to configure.
> Best regards,
>
> Fabiola Mayorca
>
> -----------------------------------------------------
> Fabiola Daniela Mayorca Arellano
> CCSE & CCSA
> Telefónica Sistemas, Peru branch.  Los Sauces 374 Piso 10/11
> Edificio La Torre Roja.  San Isidro - Lima 27
> Latin America
>
> ----- Original Message -----
> From: Matthew Melbourne <[email protected]>
> To: <[email protected]>
> Sent: Friday, October 27, 2000 2:37 PM
> Subject: [FW1] FW-1 4.1, SecureRemote and RSA SecurID
>
> >
> > Hi,
> >
> > We are using FW-1 4.1 SP1 under Windows NT. We would like to use RSA SecurID
> > to authenticate SecureRemote connections. However, the inspection module is
> > communicating with the ACE/Server (version 4.1), but authentications are
> > failing. We have been told that we need to install the ACE/Agent on
> > the firewall. I was under the impression that the FW-1 inspection module had
> > the necessary APIs to communicate with the ACE/Server, without a need for
> > a separate ACE/Agent.
> >
> > Is it possible to get RSA Authentication working, without installing the
> > ACE/Agent software?
> >
> > Cheers,
> >
> > Matt
> >
> > --
> > Matthew Melbourne
> >
> >

________________________________
Imre Kertesz III, CISSP
Evident Solutions, Inc.
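Steps 4 and 6 of the checklist above are the two that involve files on the firewall box: removing a stale 'securid' node secret file so the ACE/Server can issue a fresh one, and recopying sdconf.rec after any ACE/Server configuration change. The script below is an added example, not part of the original post and not Check Point's or RSA's own tooling. It wraps those two steps in functions so a firewall admin can check whether the firewall's sdconf.rec still matches the ACE/Server master copy before touching anything. All paths are parameters; the post does not give the location of the 'securid' file, so nothing here assumes one.

```shell
#!/bin/sh
# Added example for the SecurID checklist (not code from the original post).
# Every path is passed in by the caller; no file location is assumed.

# Step 6 check: return 0 if the firewall's sdconf.rec is byte-identical to
# the ACE/Server master copy, 1 if either file is missing or they differ.
sdconf_matches() {
    master=$1
    copy=$2
    [ -f "$master" ] && [ -f "$copy" ] || return 1
    cmp -s "$master" "$copy"
}

# Step 6 action: push a fresh sdconf.rec to the firewall, keeping a
# timestamped backup of the previous copy so a bad push can be undone.
refresh_sdconf() {
    master=$1
    copy=$2
    if [ -f "$copy" ]; then
        cp -p "$copy" "$copy.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$master" "$copy"
}

# Step 4 action: remove the stale node secret file. The ACE/Server will not
# overwrite it, so it must go before 'sent node secret' is unchecked and
# authentication is retried. Returns 0 if a file was removed, 1 if none existed.
reset_node_secret() {
    secret=$1
    if [ -f "$secret" ]; then
        rm -f "$secret"
        return 0
    fi
    return 1
}

# Usage (paths are placeholders, not documented locations):
#   sdconf_matches /path/on/aceserver/sdconf.rec /path/on/firewall/sdconf.rec \
#       || refresh_sdconf /path/on/aceserver/sdconf.rec /path/on/firewall/sdconf.rec
#   reset_node_secret /path/on/firewall/securid
```

Run `sdconf_matches` first; if it reports a mismatch, that alone explains a node authentication failure and you can stop there, push the file, and retry before resetting the node secret.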