Thanks Romey, I don't really have much knowledge related with Microsoft stuff or Windows Domains, so do you know how exactly does that Kerberos change password works?
I'm thinking first of all that if this is something the DC initiates to the users and these are SecuRemote users going through an IP Pool NAT, most likely it will not work. On any case my questions about SDL are because I believe this whole password change thing happens only during domain logon, do you know if I'm right or not? Thanks again. Regards On 3/28/07, Cecoban, S. A. de C. V. - Romey Valadez <[EMAIL PROTECTED]> wrote:
Hi, May be you need allow Kerberos change password protocol(for windows the ports are tcp/464 and udp/464), Check this references: http://www.faqs.org/rfcs/rfc3244.html http://www.faqs.org/faqs/kerberos-faq/general/section-70.html I hope this can help you Regards. -----Mensaje original----- De: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] nombre de Sergio Alvarez Enviado el: Miércoles, 28 de Marzo de 2007 07:46 p.m. Para: [email protected] Asunto: [FW-1] AD Domain Password change vía SecuRemote Hello, I have this customer currently running NGX R60 (HA cluster, everything running on SPLAT), they have a large number of remote users getting connected all the time to the network via SecuRemote. Recently the IT department decided to deploy a new security policy in which every user of their Active Directory Domain must change his/her password every 90 days. There is no problem with the regular LAN users as when they login to the domain in the morning will start getting warnings about their passwords expiring in a few days and the option to change it, but with the remote users this whole deal is different. When they first start working with the company, somebody from the IT staff configures their laptops to belong to the domain, they go home and never return back to the office. Since SecuRemote gets connected once the machine is up and running, they never get the warning messages or the option to change their passwords. There is a feature available in Secure Client named Secure Domain Logon (SDL) which actually makes the client initiate the VPN before the Domain login process and the documentation says the idea is to allow for the login process to occur in a secure manner, but that is pretty much the whole description on the feature. I have done some research about this in the SK, with no success. So my questions are: 1) Does anybody know if SDL will actually help with this issue? 2) If so, does anybody know if Secure Client licensing is supposed to be required to use such feature? (Office Mode, for example, is supposed to be used only with such licensing, but the documentation has always lacked of detailed information about this licensing issues) 3) If SDL is not the way to go, has anybody else had to deal with this password change deal before? I would really appreciate any help with this issue. Regards -- Sergio Alvarez (506)8301342 ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
-- Sergio Alvarez (506)8301342 ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
