Wow, I was not aware of any of this.  The research I did just covered how
to use the certificates with SecuRemote and how to generate one with the
user account, I missed this whole piece on certificate management.

Thanks much for the information, I will dig into this.

John


                                                                           
             Ray                                                           
             <[EMAIL PROTECTED]                                             
             IL.COM>                                                    To 
             Sent by: Mailing          [EMAIL PROTECTED] 
             list for                  INT.COM                             
             discussion of                                              cc 
             Firewall-1                                                    
             <FW-1-MAILINGLIST                                     Subject 
             @AMADEUS.US.CHECK         Re: [FW-1] Problem renewing         
             POINT.COM>                SecuRemote certificate              
                                                                           
                                                                           
             09/05/2007 08:49                                              
             PM                                                            
                                                                           
                                                                           
             Please respond to                                             
             Mailing list for                                              
               discussion of                                               
                Firewall-1                                                 
             <FW-1-MAILINGLIST                                             
             @AMADEUS.US.CHECK                                             
                POINT.COM>                                                 
                                                                           
                                                                           




Actually they worked quite well for us (300+ remote users) and they are a
heck of a lot more secure than user name & password.

There's an SK article on how to set it up. You have to generate an
administrator certificate that is put into your browser store. Then you run
this command on the SmartCenter to authorize the certificate and to turn on
the interface. Then you go to https://<SmartCenterIP>:18265 and you have a
browser interface to the entire certificate authority with access
authenticated by the admin certificate you created. You can search, renew,
create, whatever.

Ray


>From: John Lindblom <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Problem renewing SecuRemote certificate
>Date: Wed, 5 Sep 2007 09:36:01 -0500
>
>I'm not sure what you mean by "web interface to the ICA", I'm only familiar
>with the SPLAT web access.
>
>It sounds like certificates could be a pain.
>
>
>
>
>
>From: Ray <[EMAIL PROTECTED]IL.COM>
>Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>To: [EMAIL PROTECTED]INT.COM
>Subject: Re: [FW-1] Problem renewing SecuRemote certificate
>Date: 09/04/2007 06:16 PM
>Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>
>Sneaker-net. :-)
>
>
>Once it's expired, it's expired. You will need to issue a new certificate
>and get it to them somehow or use the "pull" method where they enter the
>code they receive by email to get a new certificate.
>
>If you're running current versions of FW-1 and SecuRemote/SecureClient, the
>automatic renewal process works fine as long as they connect once when they
>are inside the renewal period. That's 60 days by default. I raised mine to
>90.
>
>I use the web interface to the ICA (the one on port 18265 of the
>SmartCenter) and run queries occasionally to make sure I don't let one
>expire.
>
>Ray
>
>
>
> >From: John Lindblom <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Problem renewing SecuRemote certificate
> >Date: Tue, 4 Sep 2007 08:43:07 -0500
> >
> >This raises a question for me.
> >
> >How are end user certificates handled when they expire if they can't be
> >renewed?  I just started using certificates and I need to plan for issues
> >with expiration.
> >
> >John
> >
> >
> >
> >From: Richard Newton <[EMAIL PROTECTED]COM>
> >Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> >To: [EMAIL PROTECTED]INT.COM
> >Subject: Re: [FW-1] Problem renewing SecuRemote certificate
> >Date: 09/03/2007 09:27 PM
> >Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> >
> >Ray -- Thanks so much.  It looks like this did the trick.  (It was the VPN
> >cert on the firewall that was expired.)
> >
> >~~Richard~~
> >
> >On 9/3/07, Ray <[EMAIL PROTECTED]> wrote:
> > >
> > > Which certificate is expired? The one that the SecuRemote uses to
> > > authenticate themselves to the firewall or the actual VPN certificate on
> > > the firewall?
> > >
> > > If it is an end user certificate, it cannot be renewed once it's expired.
> > >
> > > If it's the one for the firewall, try un-checking VPN on the firewall
> > > object, save the firewall object, open the firewall object, re-check VPN,
> > > save the firewall object and push the policy.
> > >
> > > Ray
> > >
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================
> >
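The thread's practical advice is that an end-user certificate cannot be renewed once it has expired, that automatic renewal only happens if the client connects while inside the renewal window (60 days by default, 90 in Ray's setup), and that the admin should query the CA periodically so nobody slips past expiry. The script below is an added example, not code from the thread or from Check Point: it implements that periodic check over certificate records of the shape one would export from a CA query (user, serial, notAfter). The records and the "now" timestamp are constructed sample data; the notAfter parser handles both encodings X.509 allows (UTCTime with the RFC 5280 two-digit-year pivot at 50, and GeneralizedTime), since an exported notAfter may be in either form.

```python
"""Renewal-window check for end-user VPN certificates (added example).

Not from the mailing-list thread or from Check Point: it shows the kind of
periodic query described there, flagging user certificates that are inside
the renewal window (the client must connect before expiry to auto-renew) or
already expired (only a newly issued certificate helps). The certificate
records and SAMPLE_NOW below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_RENEWAL_DAYS = 60   # default renewal window mentioned in the thread
RAISED_RENEWAL_DAYS = 90    # the window Ray raised his to


def parse_x509_time(value: str) -> datetime:
    """Parse the two encodings X.509 uses for notBefore/notAfter.

    UTCTime:         YYMMDDHHMMSSZ   (two-digit year; RFC 5280 pivot:
                                      00-49 -> 20xx, 50-99 -> 19xx)
    GeneralizedTime: YYYYMMDDHHMMSSZ (four-digit year, mandatory from 2050)
    Only the Zulu ("Z") form that RFC 5280 requires is accepted.
    """
    if not value.endswith("Z"):
        raise ValueError(f"only Zulu-time encodings are supported: {value!r}")
    digits = value[:-1]
    if len(digits) == 12:            # UTCTime
        yy = int(digits[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised X.509 time: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


@dataclass(frozen=True)
class UserCert:
    user: str
    serial: str       # constructed placeholder serials, not real ones
    not_after: str    # notAfter as exported from the CA (UTCTime or GeneralizedTime)


@dataclass(frozen=True)
class Finding:
    user: str
    serial: str
    state: str            # "ok", "renew" or "expired"
    days_left: int        # whole days until expiry; negative once expired
    connect_by: datetime  # last moment an automatic renewal can still happen


def classify(cert: UserCert, now: datetime,
             renewal_days: int = DEFAULT_RENEWAL_DAYS) -> Finding:
    """Decide which of the thread's three situations a certificate is in."""
    expiry = parse_x509_time(cert.not_after)
    remaining = expiry - now
    if remaining <= timedelta(0):
        state = "expired"   # too late to renew; a new certificate must be issued
    elif remaining <= timedelta(days=renewal_days):
        state = "renew"     # inside the window: user must connect before expiry
    else:
        state = "ok"
    return Finding(cert.user, cert.serial, state, remaining.days, expiry)


def report(certs, now, renewal_days=DEFAULT_RENEWAL_DAYS):
    """Return only the findings that need attention, soonest expiry first."""
    findings = [classify(c, now, renewal_days) for c in certs]
    return sorted((f for f in findings if f.state != "ok"), key=lambda f: f.connect_by)


# Constructed sample data: the moment of the check and four exported records.
SAMPLE_NOW = datetime(2007, 9, 5, 20, 49, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    UserCert("alice", "0x1001", "071001000000Z"),    # 25 days left: renew (either window)
    UserCert("carol", "0x1002", "071120000000Z"),    # 75 days left: ok at 60, renew at 90
    UserCert("dave",  "0x1003", "070901000000Z"),    # already expired
    UserCert("erin",  "0x1004", "20500101000000Z"),  # GeneralizedTime, far in the future
]

if __name__ == "__main__":
    for days in (DEFAULT_RENEWAL_DAYS, RAISED_RENEWAL_DAYS):
        print(f"--- renewal window: {days} days ---")
        for f in report(SAMPLE_CERTS, SAMPLE_NOW, days):
            print(f"{f.user:6} {f.serial:7} {f.state:8} days_left={f.days_left:4} "
                  f"connect_by={f.connect_by:%Y-%m-%d}")
```

Run as-is it prints the two attention lists; in practice the records would come from the CA query export and `SAMPLE_NOW` would be replaced by the current time. Sorting by `connect_by` puts the already-expired users first, which is the "sneaker-net or pull method" case, followed by the ones that still just need to connect once.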
