Hello,

Robby Rufener opened a new thread about this and confirmed he had in fact used for a while and with success the "change password" stuff using SDL.

Besides that, a CP pre-sales guy confirmed you are supposed to have Secure Client licenses in order to use SDL.

So I have all I needed. In case you guys don't read the other thread, I thank you all for your help.

Regards

On 3/29/07, Ray <[EMAIL PROTECTED]> wrote:
SDL is the only way you can get them notified proactively. You are correct that the password expiration warning only occurs during an actual logon to the domain. When they use SecuRemote or SecureClient, their logon is to their computer with cached credentials. They never really logon to the domain itself.

We looked at an Exchange add-on that would send people emails when their password was within the 15 days, but there was no way to limit the emails to just the remote people, so we gave up on it.

At any time, they can do a Ctrl+Alt+Del while connected and change their password. We just make people set an Outlook reminder of when they have to change their password and they do it on their own. Yes, we do get some who refuse to do so and then they get locked out of their computer when disconnected (because the cached credentials also expire). After they've had to ship their computer in a few times or have to drive to one of our facilities to plug in once, they usually get diligent about changing it on time.

The later versions of SR/SC are supposed to know when you are inside the encryption domain (via the assigned IP address) and not prompt you to login while in the office.

I've never used SDL in production because I don't believe in allowing remote access with just a user name and password.

Ray

>From: Sergio Alvarez <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: [FW-1] AD Domain Password change vía SecuRemote
>Date: Wed, 28 Mar 2007 19:45:58 -0600
>
>Hello,
>
>I have this customer currently running NGX R60 (HA cluster, everything
>running on SPLAT), they have a large number of remote users getting
>connected all the time to the network via SecuRemote.
>
>Recently the IT department decided to deploy a new security policy in which
>every user of their Active Directory Domain must change his/her password
>every 90 days.
>There is no problem with the regular LAN users as when they
>login to the domain in the morning will start getting warnings about their
>passwords expiring in a few days and the option to change it, but with the
>remote users this whole deal is different. When they first start working
>with the company, somebody from the IT staff configures their laptops to
>belong to the domain, they go home and never return back to the office.
>Since SecuRemote gets connected once the machine is up and running, they
>never get the warning messages or the option to change their passwords.
>
>There is a feature available in Secure Client named Secure Domain Logon
>(SDL) which actually makes the client initiate the VPN before the Domain
>login process and the documentation says the idea is to allow for the login
>process to occur in a secure manner, but that is pretty much the whole
>description on the feature.
>
>I have done some research about this in the SK, with no success.
>
>So my questions are:
>
>1) Does anybody know if SDL will actually help with this issue?
>
>2) If so, does anybody know if Secure Client licensing is supposed to be
>required to use such feature? (Office Mode, for example, is supposed to be
>used only with such licensing, but the documentation has always lacked
>detailed information about these licensing issues)
>
>3) If SDL is not the way to go, has anybody else had to deal with this
>password change deal before?
>
>I would really appreciate any help with this issue.
>
>Regards
>
>
>--
>Sergio Alvarez
>(506)8301342
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================

--
Sergio Alvarez
(506)8301342
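
Added example, not part of the thread and not written by any of its participants: one way to list only the remote users whose domain password falls inside the 15-day warning window discussed above, so they can be reminded before their cached credentials expire. It assumes the ActiveDirectory PowerShell module is available and that remote users belong to a group here called 'VPN-Remote-Users' (a hypothetical name).

```powershell
# Added example. Assumptions: the ActiveDirectory (RSAT) module is installed and
# remote users are members of a group named 'VPN-Remote-Users' (hypothetical).
Import-Module ActiveDirectory

$GroupName = 'VPN-Remote-Users'   # hypothetical group name
$WarnDays  = 15                   # warning window mentioned in the thread
$Now       = Get-Date

$props = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires', 'mail'

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties $props } |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires } |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (must change at next logon) and Int64.MaxValue (never expires)
        # are sentinels, not dates; FromFileTime would mislead or throw.
        if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
            $expires  = [DateTime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
            if ($daysLeft -le $WarnDays) {
                [PSCustomObject]@{
                    SamAccountName = $_.SamAccountName
                    Mail           = $_.mail
                    Expires        = $expires
                    DaysLeft       = $daysLeft   # negative = already expired
                }
            }
        }
    } |
    Sort-Object DaysLeft
```

The computed expiry attribute already accounts for the domain's maximum password age and any fine-grained password policy, so the 90-day value does not need to be hard-coded.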
