Table of Contents:
- Introduction
- Verifying the identity of the Endpoint Server which manages the clients
- Configuring Server Verification
- Forcing a minimal allowed Endpoint Security Client version for Remote Access connection
- Appendix - How to prevent Remote Access VPN clients (Standalone clients) from connecting to the Security Gateway
(1) Introduction
E80.62 HFA1 Endpoint Security Client incorporates a new mechanism that verifies the identity of the Endpoint Security Management Server which manages the clients. When working with Remote Access VPN clients, it is recommended to use this verification to enhance the security of your environment.
(2) Verifying the identity of the Endpoint Server which manages the clients
The verification is based on the Endpoint Security Management Server certificate issuer (the Internal CA).
The administrator should first configure the SHA-1 Fingerprint of the Endpoint Security Server's Internal CA on each Security Gateway and then enforce a minimum client version. Then, when the Remote Access VPN client initiates a connection, the fingerprint provided by the client is compared to the one configured on the Security Gateway:
- If the fingerprints are equal, then the identity of the Endpoint Security Management Server is verified, and the client will be able to establish a VPN connection to the Security Gateway.
- If the fingerprints are different, then the identity of the Endpoint Security Management Server is NOT verified, and the client will NOT be able to establish a VPN connection to the Security Gateway. In this case, the user will be notified that the server cannot be verified.
- If no SHA-1 hash is configured on the Security Gateway, then no verification will be performed.
(3) Configuring Server Verification
In SmartDashboard:
- Connect with SmartDashboard to the Security Management Server / Domain Management Server which manages the Endpoint Security Management Server.
- Open the internal_ca object properties:
  - Either go to the Manage menu - click on Servers and OPSEC Applications... - select the internal_ca object - click on the Edit... button.
  - Or go to the Servers and OPSEC view - expand Servers - expand Trusted CAs - right-click on the internal_ca object - click on Edit...
- Go to the middle tab Local Security Management Server - click on the View... button.
- The Certificate Authority Certificate View window displays the SHA-1 Fingerprint (hash) of the Internal CA certificate.
- Copy the SHA-1 Fingerprint (e.g., to a Notepad).
On Security Gateway / each cluster member:
Important Note: In a cluster environment, this procedure must be performed on all members of the cluster.
- Connect to the command line.
- Log in to Expert mode.
- Back up the current $FWDIR/conf/trac_client_1.ttm file:
  [Expert@HostName:0]# cp -v $FWDIR/conf/trac_client_1.ttm $FWDIR/conf/trac_client_1.ttm_ORIGINAL
- Edit the current $FWDIR/conf/trac_client_1.ttm file:
  [Expert@HostName:0]# vi $FWDIR/conf/trac_client_1.ttm
- Add a new section to the file with the SHA-1 Fingerprint copied from the Internal CA Certificate.
  Change from:
  ... ... ...
  :internal_ca_dn (
  	:gateway (
  		:default (client_decide)
  	)
  )
  :tunnel_idleness_timeout (
  	:gateway (
  		:ext (tunnel_idleness_timeout)
  		:default (client_decide)
  	)
  )
  ... ... ...
  to:
  ... ... ...
  :internal_ca_dn (
  	:gateway (
  		:default (client_decide)
  	)
  )
  :internal_ca_sha1_hash (
  	:gateway (
  		:default (<SHA-1_Fingerprint_from_Internal_CA_Certificate>)
  	)
  )
  :tunnel_idleness_timeout (
  	:gateway (
  		:ext (tunnel_idleness_timeout)
  		:default (client_decide)
  	)
  )
  ... ... ...
- Save the changes and exit from the Vi editor.
In SmartDashboard:
- Install policy on the Security Gateway / Cluster.
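The gateway-side file edit above, scripted as an added example (not Check Point's own tooling) so the same change can be applied identically on every cluster member, with the backup, a fingerprint format check and a refusal to add the section twice. It assumes the fingerprint is 40 hex digits (colons or spaces optional), is written verbatim as the gateway :default value, and that the file is tab-indented; the ttm fragment and fingerprint in run_demo are constructed.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling: performs the trac_client_1.ttm
# edit from the procedure above (insert :internal_ca_sha1_hash right after the
# :internal_ca_dn block) with a backup, a format check and an idempotency check.
# Assumptions: the fingerprint is 40 hex digits (colons/spaces optional) and is
# written verbatim as the gateway :default value; indentation uses tabs.

validate_sha1_fingerprint() {
  local hex
  hex=$(printf '%s' "$1" | tr -d ': ')
  [ "${#hex}" -eq 40 ] || return 1
  case "$hex" in *[!0-9A-Fa-f]*) return 1 ;; esac
}

add_ica_hash_section() {   # $1 = ttm file, $2 = SHA-1 fingerprint of the Internal CA
  local ttm="$1" fp="$2"
  validate_sha1_fingerprint "$fp" || { echo "invalid SHA-1 fingerprint" >&2; return 2; }
  grep -q '^:internal_ca_sha1_hash' "$ttm" && { echo "section already present" >&2; return 3; }
  grep -q '^:internal_ca_dn (' "$ttm" || { echo "no :internal_ca_dn block found" >&2; return 4; }
  cp "$ttm" "${ttm}_ORIGINAL"        # same backup the procedure takes before editing
  awk -v fp="$fp" '
    { print }
    /^:internal_ca_dn \(/ { inblk = 1 }
    inblk {
      depth += gsub(/\(/, "&") - gsub(/\)/, "&")   # track nesting of the block
      if (depth == 0) {                            # its closing paren: emit new section
        print ":internal_ca_sha1_hash ("
        print "\t:gateway ("
        print "\t\t:default (" fp ")"
        print "\t)"
        print ")"
        inblk = 0
      }
    }' "$ttm" > "$ttm.tmp" && mv "$ttm.tmp" "$ttm"
}

# Constructed fragment of a ttm file (not taken from a real gateway) to exercise the edit.
run_demo() {
  local dir ttm fp
  dir=$(mktemp -d) && ttm="$dir/trac_client_1.ttm"
  fp="00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"   # constructed value
  printf ':internal_ca_dn (\n\t:gateway (\n\t\t:default (client_decide)\n\t)\n)\n' > "$ttm"
  printf ':tunnel_idleness_timeout (\n\t:gateway (\n\t\t:ext (tunnel_idleness_timeout)\n' >> "$ttm"
  printf '\t\t:default (client_decide)\n\t)\n)\n' >> "$ttm"
  add_ica_hash_section "$ttm" "$fp" || return 1
  add_ica_hash_section "$ttm" "$fp" 2>/dev/null && return 1   # a second run must refuse
  # The new section must be the second top-level key, between the two existing ones.
  [ "$(grep '^:' "$ttm" | sed -n '2p')" = ":internal_ca_sha1_hash (" ] || return 1
  grep -q ":default ($fp)" "$ttm" && [ -f "${ttm}_ORIGINAL" ]
}
```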
(4) Forcing a minimal allowed Endpoint Security Client version for Remote Access connection
To complete this procedure, the administrator should allow only Endpoint Security clients of version E80.62 HFA1 and above (Enhanced VPN Client Verification functionality was introduced in Endpoint Security Client E80.62 HFA1) by defining the minimal Endpoint Security Client version for Remote Access connection. Endpoint Security Clients with version lower than the defined minimal version will not be able to connect to the Security Gateway.
The new minimum version capability is available in sk108192: R77.30 - Security and stability enhancements for Security Gateway (Hotfix #5).
It is applicable to managed VPN clients only (Endpoint Security Suite clients).
(5) Appendix - How to prevent Remote Access VPN clients (Standalone clients) from connecting to the Security Gateway
Follow these steps in SmartDashboard to prevent standalone clients from connecting to the Security Gateway:
- Block all the VPN client types except Endpoint Security VPN:
  - Open the Security Gateway object.
  - Go to the VPN Clients pane.
  - Clear all boxes except "Endpoint Security VPN".
  - Click on OK.
- Add the "All Users - Any - Block" rule to the Desktop Policy:
  - Go to the Desktop tab of SmartDashboard.
  - In the Outbound Rules section, add the following rule:
    No. | Desktop   | Destination | Service | Action
    1   | All Users | Any         | Any     | Block
  - Install the Desktop Policy on the Security Gateway.
Notes:
- By configuring these settings, only Endpoint Security VPN client (standalone) and Endpoint Security client (full suite) will be able to connect to the Security Gateway.
- By adding the above Desktop Policy, only Endpoint Security client (full suite) will be able to access the encryption domain.
Applies To:
- Endpoint clients may fail to connect if the ICA hash has changed. Endpoint connection error: "Connection failed: Your client cannot verify the Endpoint Security Server. Contact your system administrator". You will need to either update the ICA hash value or disable this verification.