SDL is the only way you can get them notified proactively. You are correct
that the password expiration warning only occurs during an actual logon to
the domain. When they use SecuRemote or SecureClient, their logon is to
their computer with cached credentials. They never really logon to the
domain itself.
We looked at an Exchange add-on that would send people emails when their
password was within the 15 days, but there was no way to limit the emails to
just the remote people, so we gave up on it.
At any time, they can do a Ctrl+Alt+Del while connected and change their
password.
We just make people set an Outlook reminder of when they have to change
their password and they do it on their own., Yes, we do get some who refuse
to do so and then they get locked out of their computer when disconnected
(because the cached credentials also expire). After they've had to ship
their computer in a few times or have to drive to one of our facilities to
plug in once, they usually get dilligent about changing it on time.
The later versions of SR/SC are supposed to know when you are inside the
encryption domain (via the assigned IP address) and not prompt you to login
while in the office. I've never used SDL in production because I don't
believe in allowing remote access with just a user name and password.
Ray
From: Sergio Alvarez <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] AD Domain Password change vía SecuRemote
Date: Wed, 28 Mar 2007 19:45:58 -0600
Hello,
I have this customer currently running NGX R60 (HA cluster, everything
running on SPLAT), they have a large number of remote users getting
connected all the time to the network via SecuRemote.
Recently the IT department decided to deploy a new security policy in which
every user of their Active Directory Domain must change his/her password
every 90 days. There is no problem with the regular LAN users as when they
login to the domain in the morning will start getting warnings about their
passwords expiring in a few days and the option to change it, but with the
remote users this whole deal is different. When they first start working
with the company, somebody from the IT staff configures their laptops to
belong to the domain, they go home and never return back to the office.
Since SecuRemote gets connected once the machine is up and running, they
never get the warning messages or the option to change their passwords.
There is a feature available in Secure Client named Secure Domain Logon
(SDL) which actually makes the client initiate the VPN before the Domain
login process and the documentation says the idea is to allow for the login
process to occur in a secure manner, but that is pretty much the whole
description on the feature.
I have done some research about this in the SK, with no success.
So my questions are:
1) Does anybody know if SDL will actually help with this issue?
2) If so, does anybody know if Secure Client licensing is supposed to be
required to use such feature? (Office Mode, for example, is supposed to be
used only with such licensing, but the documentation has always lacked of
detailed information about this licensing issues)
3) If SDL is not the way to go, has anybody else had to deal with this
password change deal before?
I would really appreciate any help with this issue.
Regards
--
Sergio Alvarez
(506)8301342
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
_________________________________________________________________
i'm making a difference. Make every IM count for the cause of your choice.
Join Now.
http://clk.atdmt.com/MSN/go/msnnkwme0080000001msn/direct/01/?href=http://im.live.com/messenger/im/home/?source=hmtagline
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
