
Connectra™

Getting Started Guide


Version NGX R66

703140 September 9, 2008

Contents

Chapter 1 Introduction to Connectra
  Introduction 10
  In This Guide 11
  Key Features and Benefits 13
    Secure Web-Based Connectivity 13
    Unified Security Management 13
    Comprehensive Endpoint Security 13
    Integrated Intrusion Prevention 14
    Easy Deployment 14
    Central Management 14
    Local Management 15
    Flexible Deployment Options 15
    Advanced Authentication Options 15
  Choosing the Correct CD 16
  Procedure Quick Reference 17

Chapter 2 Deploying Connectra
  Deployment Overview 20
  Deploying Connectra in the DMZ 21
  Deploying Connectra on a LAN 22
  Deploying a Connectra Cluster 23

Chapter 3 Connectra Requirements
  Minimum Hardware Requirements 26
  Recommended Hardware 26
  Hardware Compatibility Testing Tool 27
    Downloading and Preparing the CD 27
    Preparing to Use the Compatibility Testing Tool 28
    Using the Hardware Compatibility Testing Tool 31
  BIOS Security Configuration Recommendations 32
  Operating System Compatibility 32
  Browser Compatibility 33

Chapter 4 Installing and Configuring Connectra
  Installation Procedure Quick Reference 36
  Installation and Configuration Workflow 37
    Installation and Initial Configuration Stages 37
  Installation and Initial Configuration Procedures 39
    Step 1: Planning the Deployment Topology 39
    Step 2: Preparing for Centrally Managed Connectra 39
    Step 3: Installing Connectra Using the CD 42
    Step 4: Connecting to the Administration User Interface 45
    Step 5: Running the First Time Configuration Wizard 46
    Step 6: Logging In for the First Time 51
    Step 7: Defining Connectra Objects (Centrally Managed Connectra) 54
  Post-Installation Procedures 58
    Step 8: Connecting Connectra to the Network 58
    Step 9: Backing Up the Configuration 58
    Step 10: Configuring Access Control 59
    Step 11: Performing a SmartDefense Update (Locally Managed Connectra) 61
    Step 12: Checking Your Setup 61
  Installing the NGX R66 Plug-in 62
    Installing the Plug-in on a SmartCenter 62
    Installing the Plug-in on Provider-1/SiteManager-1 64
    Uninstalling Connectra Plug-ins 68
  Cluster Configuration Deployment Tips 69
  SSL Acceleration Card Installation 71
    Installing the Card 71
    Enabling the Card 71
    Disabling the Card 71
    SSL Acceleration Card Command Syntax 72
  Further Information 73

Chapter 5 Upgrading Connectra
  Upgrade Procedure Quick Reference 76
  Preparing for the Upgrade to R66 78
    Preserving Manual Changes on the Connectra Gateway 78
    Preserving the Previous Connectra Configuration 79
  Upgrading to Locally Managed R66 from R61/R62 81
    Upgrading to Locally Managed R66 via the Command Line 81
    Completing the Upgrade by Merging Manual Changes 83
  Upgrading to Centrally Managed R66 from R61/R62 84
    Preserving Manual Changes and Previous Configuration 84
    Setting Up the SmartCenter 84
    Upgrading the Connectra Gateway via Command Line 87
    Upgrading the Connectra Gateway via SmartUpdate 89
    Setting Up SIC Trust 90
    Completing the Upgrade by Merging Manual Changes 90
  Upgrading to Centrally Managed R66 from R62CM 91
    Preserving Manual Changes and the Previous Configuration 91
    Setting Up the SmartCenter and Installing the R66 Plug-in 91
    Upgrading the Connectra Gateway Using the Command Line 94
    Upgrading the Connectra Gateway Using SmartUpdate 96
    Setting Up SIC Trust 96
    Completing the Upgrade by Merging Manual Changes 97
  Upgrading a Connectra Cluster to R66 98
  Advanced Upgrade to R66 from R62 99
    Introduction to Advanced Upgrade 99
    Advanced Upgrade to Locally Managed R66 99

Chapter 6 Reverting to a Previous Version of Connectra
  Reverting to a Snapshot 103
    Syntax 103
  Uninstalling Connectra Plug-ins 105
    Uninstalling the R66 Plug-in for Central Management 105
    Uninstalling the Connectra NGX R62CM Plug-in 107
    Uninstalling Plug-ins in Provider-1 109

Chapter 7 License Installation and User Assistance
  Installing Check Point Licenses 111
    For Connectra Cluster Users 112
  Where To Go From Here? 114

© 2003-2008 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks. For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Chapter 1 Introduction to Connectra

In This Chapter
- Introduction (page 10)
- In This Guide (page 11)
- Key Features and Benefits (page 13)
- Choosing the Correct CD (page 16)
- Procedure Quick Reference (page 17)

Introduction

Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. With Connectra NGX R66, remote and mobile employees, contractors, business partners, and customers can access network resources and applications either through a lightweight VPN client or simply through a Web browser. By unifying SSL and IPSec VPN technologies into a single gateway and management console, Connectra provides flexible access for end users and simple, streamlined deployment for the IT organization.

Connectra offers administrators tight access controls to help ensure that only authorized users on clean hosts gain access to corporate resources. To that end, Connectra features multiple strong authentication methods and tight integration with directory services. Comprehensive endpoint security capabilities enable malware scans and compliance checks. A virtual Secure Workspace provides session confidentiality on both managed and unmanaged endpoints, such as laptops, home PCs, Internet kiosks, and more.

Connectra can be deployed as a turnkey appliance, as software on open servers, or as a virtual machine on VMware ESX Server. Connectra gateways can be managed either locally or centrally through a single Check Point SMART management console, reducing the administration time required to configure, monitor, update, and audit remote access policies.

Note - Using different authentication schemes for Connectra users and VPN-1 users in a centrally managed environment may not be possible for every existing configuration. Visit https://secureknowledge.checkpoint.com and review the SecureKnowledge solution sk32656 for helpful information.


In This Guide

This guide has important information that you should read before installing or upgrading Connectra.

Table 1-1
- Chapter 1, Introduction to Connectra: Introduces Connectra and describes its key features and benefits.
- Chapter 2, Deploying Connectra: Discusses the various deployment options: in the DMZ, in the LAN, and as a ClusterXL gateway cluster.
- Chapter 3, Connectra Requirements: Provides the minimum hardware requirements, recommended hardware, hardware compatibility testing tool, operating system and browser compatibility, and license requirements.
- Chapter 4, Installing and Configuring Connectra: Provides step-by-step instructions for the installation and initial configuration of Connectra.
- Chapter 5, Upgrading Connectra: Provides instructions for upgrading Connectra using the CD or a downloaded file.
- Chapter 6, Reverting to a Previous Version of Connectra: Provides instructions for reverting to a previous Connectra version using a snapshot image file, as well as for uninstalling Connectra Plug-ins.
- Chapter 7, License Installation and User Assistance: Discusses the license types and their installation, and provides details on how to obtain further assistance.

Key Features and Benefits

The following key features and benefits assure confident, flexible remote access:

Secure Web-Based Connectivity
- Increases productivity by allowing workers to work anywhere, anytime.
- Provides users with SSL VPN access to email, applications, and shared files from a standard Web browser.
- Enables network access for client/server applications through a browser plug-in.
- Delivers clientless SSL VPN access to enterprise resources.

Unified Security Management
- Helps ensure business continuity.
- Unified IPsec and SSL solution reduces Total Cost of Ownership (TCO).
- Provides secure and flexible remote access tailored to user needs.
- Includes tight, uniform access controls across all access methods.

Comprehensive Endpoint Security
- Detects malware and keyloggers on remote PCs.
- Ensures session confidentiality using the Secure Workspace.
- Enforces security policy compliance before granting remote access.
- Allows organizations to define endpoint security requirements to access individual resources.
- Safeguards confidentiality of corporate information.
- Prevents identity, password, and data theft on remote endpoints.
- Allows secure VPN access even on public or unmanaged PCs.

Integrated Intrusion Prevention
- Protects internal networks and applications from attack.
- Integrates Application Intelligence and Web Intelligence to prevent attacks and malicious activity across SSL VPN.
- Ensures the security of applications even when accessed from insecure PCs.

Easy Deployment
- Integrates with existing network and security infrastructure.
- Enables quick and easy setup without requiring changes to servers or network configuration.

Central Management
- Connectra gateways can be managed from SmartCenter and Provider-1/SiteManager-1.
- Full leveraging of the SmartCenter architecture:
  - Object sharing (for example, Network Objects, Applications, Users, Services).
  - Same authentication settings, log settings, and so on.
- Configuration of multiple Connectra gateways and gateway clusters from the same SmartDashboard.
- Identical or different settings and policies for different Connectra gateways.
- Single point of administration for backup and maintenance.
- Redundant management infrastructure is possible.

Local Management
The Check Point SmartConsole suite is utilized for configuring, monitoring, and tracking a single Connectra gateway. SmartDashboard, SmartView Monitor, and SmartView Tracker are tailored for a single Connectra gateway.

Flexible Deployment Options
- Connectra is available as a turnkey appliance or as software.
- Deployment scalability to meet the price and performance needs of an organization of any size.
- A new Connectra Virtual Appliance (VA) offering, since Connectra supports VMware ESX Server as a platform.

Advanced Authentication Options
- Strong two-factor authentication with an integrated SMS One-Time Password.
- Single sign-on for Web-based and HTTP-based authentication of users using HTML forms.

Choosing the Correct CD

The Connectra NGX R66 media pack contains two CDs. An additional DVD contains the Connectra Virtual Appliance for installing Connectra on a VMware virtual machine. The following table explains the purpose of CD1 and CD2, and on which machine to install each CD.

CD 1: R66
  Use to: Install a locally managed or centrally managed Connectra gateway.
    Install on: New machine.
  Use to: Upgrade from R61, R62 or R62CM to R66.
    Install on: R61, R62, or R62CM Connectra gateway.

CD 2: R66 SmartCenter Plug-in
  Use to: Add central management capabilities to the SmartCenter server or Provider-1/SiteManager-1 MDS. Use this option for creating Clusters.
    Install on: NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.
  Use to: Upgrade from R61, R62 or R62CM to centrally managed R66.
    Install on: NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.

Procedure Quick Reference

This guide includes instructions for performing various installation and upgrade procedures. The following table shows where in the guide to find the instructions you need, and which CD you should use.

I want to: Perform a new installation of locally managed R66.
  See: Installing and Configuring Connectra on page 35.
  Required CDs: 1: R66

I want to: Upgrade from R61 or R62 to R66 (local management).
  See: Upgrading Connectra on page 75.
  Required CDs: 1: R66

I want to: Perform a new installation of centrally managed R66.
  See: Installing and Configuring Connectra on page 35.
  Required CDs: 1: R66; 2: R66 SmartCenter Plug-in

I want to: Upgrade from R61, R62, or R62CM to centrally managed R66.
  See: Upgrading Connectra on page 75.
  Required CDs: 1: R66; 2: R66 SmartCenter Plug-in

I want to: Perform an advanced upgrade to locally managed NGX R66 from R61 or R62.
  See: Advanced Upgrade to R66 from R62 on page 99.
  Required CDs: 1: R66

I want to: Revert to a snapshot image.
  See: Reverting to a Previous Version of Connectra on page 103.
  Required CDs: None

Chapter 2 Deploying Connectra

In This Chapter
- Deployment Overview (page 20)
- Deploying Connectra in the DMZ (page 21)
- Deploying Connectra on a LAN (page 22)
- Deploying a Connectra Cluster (page 23)

Deployment Overview

In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as on the internal LAN. In both scenarios, SSL termination takes place at the Connectra Gateway. Web Intelligence, Application Intelligence, and the authentication and authorization schemes on the Connectra Gateway are employed to protect the internal network and to inspect the traffic for harmful content before it reaches the internal servers. Connectra differs from other remote access solutions in that it has gateway-based application-level and network-level protection. For example, it incorporates the Malicious Code Protector to protect against worms.

Deploying Connectra in the DMZ

Figure 2-1 shows a typical Connectra deployment in the DMZ.

Figure 2-1 Connectra Deployment in the DMZ

When Connectra is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Connectra is subject to firewall restrictions. By deploying Connectra in the DMZ, the need to enable direct access from the Internet to the LAN is avoided. Remote users initiate an SSL connection to the Connectra Gateway. The firewall must be configured to allow traffic from the user to the Connectra server, where SSL termination, Web and Application Intelligence inspection, authentication, and authorization take place. Requests are then forwarded to the internal servers via the firewall. Administration traffic is always SSL encrypted.

Deploying Connectra on a LAN

Figure 2-2 shows how Connectra can be deployed on the LAN alongside the internal servers.

Figure 2-2 Connectra Deployment in the LAN

The remote user opens a browser and initiates an HTTPS request to the Connectra server. The SSL connection is terminated within the LAN and the clear-text requests are forwarded to the internal servers. The internal servers reply in the clear to Connectra, which encrypts the reply back to the remote user. In the scenario shown in Figure 2-2, the perimeter firewall must be configured to allow encrypted SSL traffic to Connectra. In this scenario, the SSL VPN traffic passes through the firewall as encrypted traffic and is therefore unavailable for inspection by traditional solutions. With Connectra, the network is nevertheless fully protected with Application Intelligence and Web Intelligence.

Deploying a Connectra Cluster

Figure 2-3 shows a two-member Connectra cluster. Typically, the cluster is deployed behind the DMZ interface of a firewall, with the application servers behind the firewall in the internal networks.

Figure 2-3 Connectra Clustering Topology Example

Each cluster member has two interfaces: one data interface leading to the organization and to the Internet, and a second interface for synchronization. Each interface is on a different subnet:
- One subnet for data (in Figure 2-3, 10.0.0.1 for Member A and 10.0.0.2 for Member B).
- One subnet for synchronization (10.0.10.1 for Member A and 10.0.10.2 for Member B).

See Cluster Configuration Deployment Tips on page 69 for more information about Connectra clusters.

Note - Clusters are not supported in locally managed R66.
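As an added example (not part of this guide and not Check Point software), the following Python script checks a cluster address plan against the interface layout described above: every member has a data interface and a synchronization interface, the two interfaces of one member sit on different subnets, all data interfaces share one subnet, all synchronization interfaces share another, and no address is used twice. The member addresses are those of Figure 2-3; the /24 prefix lengths are an assumption, because the figure gives only host addresses.

```python
"""Sanity-check the interface layout of a Connectra cluster (added example)."""
import ipaddress

# Constructed sample: the two members of Figure 2-3. The /24 masks are assumed.
CLUSTER_MEMBERS = {
    "Member A": {"data": "10.0.0.1/24", "sync": "10.0.10.1/24"},
    "Member B": {"data": "10.0.0.2/24", "sync": "10.0.10.2/24"},
}

ROLES = ("data", "sync")


def validate_cluster(members):
    """Return a list of problems found in the address plan.

    An empty list means the plan matches the layout the guide describes.
    `members` maps a member name to {"data": "ip/prefix", "sync": "ip/prefix"}.
    """
    problems = []
    subnets = {role: set() for role in ROLES}   # subnets seen per role
    owners = {}                                  # address -> member that uses it

    for name, ifaces in members.items():
        missing = [role for role in ROLES if role not in ifaces]
        for role in missing:
            problems.append(f"{name}: missing {role} interface")
        if missing:
            continue

        data = ipaddress.ip_interface(ifaces["data"])
        sync = ipaddress.ip_interface(ifaces["sync"])

        # A member's data and sync interfaces must be on different subnets.
        if data.network == sync.network:
            problems.append(
                f"{name}: data and sync interfaces share subnet {data.network}")

        for role, iface in (("data", data), ("sync", sync)):
            subnets[role].add(iface.network)
            owner = owners.setdefault(iface.ip, name)
            if owner != name:
                problems.append(
                    f"{name}: {role} address {iface.ip} already used by {owner}")

    # All data interfaces share one subnet; all sync interfaces share another.
    for role, nets in subnets.items():
        if len(nets) > 1:
            problems.append(
                f"{role} interfaces span several subnets: {sorted(map(str, nets))}")
    if subnets["data"] & subnets["sync"]:
        problems.append("data subnet and sync subnet overlap")
    return problems


if __name__ == "__main__":
    issues = validate_cluster(CLUSTER_MEMBERS)
    print("OK" if not issues else "\n".join(issues))
```

Run the script as-is to check the Figure 2-3 plan; to check your own plan, replace the addresses in CLUSTER_MEMBERS with those of your members and keep the prefix lengths that you actually configure.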

Chapter 3 Connectra Requirements

In This Chapter
- Minimum Hardware Requirements (page 26)
- Recommended Hardware (page 26)
- Hardware Compatibility Testing Tool (page 27)
- BIOS Security Configuration Recommendations (page 32)
- Operating System Compatibility (page 32)
- Browser Compatibility (page 33)

Minimum Hardware Requirements

The minimum requirements for Connectra are:
- Intel Pentium III 300+ MHz or equivalent processor.
- 10 GB free disk space.
- 512 MB RAM.
- One or more supported network adapter cards (two are required for a cluster configuration).
- CD-ROM drive (bootable).
- 1024 x 768 video adapter card.

If you have over 1 GB of RAM, you will need additional free disk space. In this case, an additional 2 GB of free disk space should be added for each additional 1 GB of RAM.

Recommended Hardware

Open servers and devices are tested on a regular basis by Check Point for compatibility with Connectra. For an updated list of hardware that is recommended for use with Connectra, see http://www.checkpoint.com/services/techsupport/hcl/connectra.html. Note that Connectra is also supported on VMware virtual machines. See the Connectra NGX R66 Virtual Appliance Getting Started Guide for detailed information regarding installing and configuring Connectra on VMware.

Hardware Compatibility Testing Tool

The Hardware Compatibility Testing Tool enables you to determine whether SecurePlatform, the Connectra operating system, is supported on a specific hardware platform. The tool detects all hardware components on the platform, checks whether they are supported, and displays its conclusions: whether Connectra can be installed on the machine (supported I/O devices found, supported mass storage device found), and the number of supported and unsupported Ethernet controllers detected. You can view detailed information on all the devices found on the machine, and save that information to a diskette or a TFTP server, or dump it via the serial port. This information can be submitted to Check Point Support in order to add support for unsupported devices. Run the Hardware Compatibility Testing Tool in the same way that you would install Connectra on the hardware platform (for example, boot from CD, boot from diskette, or install through the network).

Downloading and Preparing the CD

The Hardware Compatibility Testing Tool is available for download as a CD ISO image (hw.iso) at http://www.checkpoint.com/services/techsupport/hcl/testing_tool.html. Because Connectra NGX R66 uses the SecurePlatform v26 operating system, download the "R66 with SecurePlatform v26" version of the tool. The ISO image can be burned to blank CD-R or CD-RW media using a CD burning tool.

Note - You must specify that you are burning a CD image and not a single file.

Preparing to Use the Compatibility Testing Tool

Run the tool either by booting from the CD that contains it, by booting from a diskette and accessing a local CD, or by booting from a diskette and accessing the CD through the network. If no keyboard and monitor are connected to the hardware platform, the serial console can be used to perform the hardware detection.

Booting from the CD

To boot from the CD:
1. Configure the BIOS of the machine to boot from the CD drive.
2. Insert the CD into the drive.
3. Boot the machine.

Booting from a Diskette and Accessing a Local CD

Use this option when the hardware platform cannot be configured to boot from the CD drive (but will boot from a diskette) and has a CD drive.

To create a bootable diskette image and access a local CD:
1. Insert the CD into the CD drive.
2. Insert a diskette into the diskette drive.
3. Browse to your CD-ROM drive and select the SecurePlatform/images folder.
4. Drop the boot.img file on the cprawrite executable. Alternatively, using the NT command shell (cmd), run the following command on a single line (where D: is the CD-ROM drive):
   D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\boot.img
5. Boot the machine.

Booting from a Diskette and Accessing the CD over the Network

Use this option when the machine to be tested has no CD drive. In this case, two machines participate:
- A machine that has a CD drive.
- The machine on which you want to run the tool.

To boot from a diskette and access a CD over the network:

On the Machine with the CD Drive

Proceed as follows:
1. Insert the CD into the CD drive of a (Microsoft Windows-based) machine.
2. Insert a diskette into the diskette drive.
3. Browse to the CD drive and select the SecurePlatform/images folder.
4. Drop the bootnet.img file on the cprawrite executable. Alternatively, using the NT command shell (cmd), run the following command on a single line (where D: is the CD-ROM drive):
   D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\bootnet.img
   This step writes files to the diskette, which you will transfer to the other machine (the machine on which the tool will be run).
5. Make the contents available on the network, either by allowing access to the CD drive, or by copying the CD to a hard disk and enabling access to that disk (for example, by FTP, HTTP, or NFS).

On the Machine You Are Testing

Proceed as follows:
1. Insert the diskette you created in Booting from a Diskette and Accessing a Local CD on page 28, above, into the diskette drive of the machine you are testing.
2. Boot the machine.
3. Configure the properties of the interface through which this machine is connected to the network, including its IP address, netmask, default gateway and DNS. You can choose to configure this interface as a dynamic IP address interface.
4. Enable access to the files on the machine with the CD drive (see On the Machine with the CD Drive on page 29, above).
5. Specify the following settings for the other machine:
   - IP address or hostname
   - Package directory
   - User/password (if necessary)
6. If you are installing using a serial console instead of the keyboard and monitor, make sure that your terminal emulation software is configured as follows:
   - 9600 baud rate
   - 8 data bits
   - No parity
   - No flow control

Using the Hardware Compatibility Testing Tool

The hardware tool automatically tests the hardware for compatibility.

Note - A simple, naive detection tool is included on the boot diskette. If for some reason the complete detection tool is unavailable (for example, the CD-R drive is not supported), you can still use the simple tool to get some information on your hardware. The simple tool is available from the Installation Method screen, and is accessed by pressing the Probe Hardware button.

When it finishes, the tool displays a summary page with the following information:
- Whether the platform is suitable for installing Connectra
- Number of supported and unsupported mass storage devices
- Number of supported and unsupported Ethernet controllers

Additional information can be obtained by pressing the Devices button. The devices information window lists all the devices found on the machine (grouped according to functionality). Use the arrow keys to navigate through the list. Pressing Enter on a specific device displays detailed information about that device. The detailed information can be saved to a diskette, to a TFTP server, or dumped through the serial console. This may be required in cases where some of the devices are not supported.
BIOS Security Configuration Recommendations

The following are BIOS configuration recommendations:
- Disable the boot from floppy option in the system BIOS, to avoid unauthorized booting from a diskette and changing the system configuration.
- Apply a BIOS password to avoid changing the BIOS configuration. Make sure you memorize the password, or keep it in a safe place.

Operating System Compatibility

For a list of the operating systems (Windows, Linux and MacOS-X) that are compatible with each Connectra feature, see the latest version of the Connectra release notes, available at http://www.checkpoint.com/techsupport/downloads.jsp.

Browser Compatibility

For a list of the Web browsers (Internet Explorer, Mozilla Firefox, and so on) that are compatible with each Connectra feature, see the latest version of the Connectra release notes, available at http://www.checkpoint.com/techsupport/downloads.jsp.

Chapter 4 Installing and Configuring Connectra

In This Chapter
- Installation Procedure Quick Reference (page 36)
- Installation and Configuration Workflow (page 37)
- Installation and Initial Configuration Procedures (page 39)
- Post-Installation Procedures (page 58)
- Installing the NGX R66 Plug-in (page 62)
- Cluster Configuration Deployment Tips (page 69)
- SSL Acceleration Card Installation (page 71)
- Further Information (page 73)

Installation Procedure Quick Reference

Table 4-1 indicates where in this chapter to find the procedures you need, and which CD(s) you require.

Table 4-1 Installation Procedure Reference

I want to: Perform a new installation of (locally managed) NGX R66.
  See: Installation and Configuration Workflow on page 37.
  Required CDs: 1. R66

I want to: Perform a new installation of (centrally managed) NGX R66.
  See: Installation and Configuration Workflow on page 37.
  Required CDs: 1. R66; 2. R66 SmartCenter Plug-in

I want to: Set up a Connectra NGX R66 Cluster.
  See: Cluster Configuration Deployment Tips on page 69.
  Required CDs: 1. R66; 2. R66 SmartCenter Plug-in

I want to: Install an SSL Acceleration card.
  See: SSL Acceleration Card Installation on page 71.
  Required CDs: None

Installation and Configuration Workflow

Installation and Configuration Workflow


Getting started with Connectra involves installation and initial configuration, followed by detailed configuration to meet your needs. The following workflow outline and detailed instructions apply to a: Centrally managed Connectra gateway, including those that will be part of Connectra Cluster. Locally managed Connectra gateway

To upgrade from a previous version, see chapter 5, Upgrading Connectra on page 75. For more information about Clusters, see Cluster Configuration Deployment Tips on page 69. Note that Clusters are not supported in locally managed Connectra NGX R66.

Installation and Initial Configuration Stages


The installation and configuration of Connectra are performed in the following stages:

Installation
1. 2. Plan the deployment topology. If you are installing centrally managed Connectra: a. b. Add a NIC to the machine (for a Cluster Member only). Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 MDS to NGX R65 and install the Connectra R66 SmartCenter Plug-in using the CD. Configure relevant firewall access rules.

c. 3.

Install Connectra using the CD. Chapter 4 Installing and Configuring Connectra 37

Installation and Initial Configuration Stages 4. 5. 6. 7. Connect to the administration user interface. Run the First Time Configuration Wizard and automatically install the Connectra package. Log in to the SmartDashboard for the first time. If you are installing centrally managed Connectra, define Connectra objects in SmartDashboard.

Post-Installation Procedures
After completing the installation, configure Connectra as follows: 8. 9. Connect Connectra to the network. Connect to the local administration portal and back up the configuration.

10. Perform detailed configuration via the SmartDashboard. 11. If you are setting up locally managed Connectra, perform a SmartDefense Update. 12. Check your setup. You can also install an SSL acceleration card. See SSL Acceleration Card Installation on page 71.


Installation and Initial Configuration Procedures


Step 1: Planning the Deployment Topology
In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as in the local area network (LAN). See chapter 2, Deploying Connectra on page 19. For locally managed Connectra, continue with Step 3: Installing Connectra Using the CD on page 42.

Step 2: Preparing for Centrally Managed Connectra


Step A: Adding a NIC (for a Cluster Member only)
If the Connectra server is to be part of a ClusterXL Load Sharing or High Availability cluster, it requires two interfaces. If necessary, add a network interface card.

Step B: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only)
To set up the SmartCenter and install the NGX R66 Plug-in:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). It is recommended to use the latest MDG, which is found on CD2 in the MDG directory.
3. Install the Connectra NGX R66 Plug-in on version NGX R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See Installing the NGX R66 Plug-in on page 62.

Step C: Configuring Firewall Access Rules


Configure the firewall according to the chosen deployment. The exact set of rules depends on the selected setup and the services that Connectra will provide. A typical Security Rule Base configuration, on VPN-1 Pro, is described below:

FireWall Rules for Connectra in a DMZ


The rules listed in Figure 4-1 apply to the deployment shown in Figure 2-1, Connectra Deployment in the DMZ, on page 21.

Figure 4-1 Rules for Deploying Connectra in the DMZ

Rule 1
  Source:      Admin host
  Destination: Connectra
  Service:     HTTPS (TCP/4433)
  Action:      Accept
  Comment:     Administrator access (encrypted).

Rule 2
  Source:      Any
  Destination: Connectra
  Service:     HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444) (or the port on which the SSL Network Extender server is configured), IKE_NAT_TRAVERSAL (UDP/4500). This is used by Endpoint
  Action:      Accept
  Comment:     End user access to Connectra portal: Web applications, File sharing, Web mail. Sessions initiated using HTTP are redirected automatically to HTTPS. All actual communication is encrypted.

Rule 3
  Source:      Connectra
  Destination: LAN
  Service:     HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139), microsoft-ds (TCP/445), nbdatagram (TCP/138), nbname (TCP/137), IMAP (TCP/143), SMTP (TCP/25)
  Action:      Accept
  Comment:     Connectra to LAN for: Web applications, File sharing, Web mail, and all additional Network applications that are made accessible via the SSL Network Extender.

You may need other rules, depending on your configuration:

- Connectra requires access to DNS servers, and possibly to WINS servers.
- For backups, Connectra may need access to a TFTP or SCP server.
- Connectra may need access to the SmartCenter Server or to a Customer Log Module (CLM), in order to send logs to a remote log server.
- For authentication, Connectra may need access to LDAP, RADIUS and ACE servers.
- Connectra may need access to an NTP server for clock synchronization purposes.

FireWall Rule for Connectra in a LAN


If you choose to deploy Connectra in the LAN, as in Figure 2-2, Connectra Deployment in the LAN, on page 22, rule 3 is not needed.
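The Figure 4-1 rule base, modelled as an added example (not Check Point's code or any Connectra tool) so that the flows it permits and denies can be checked mechanically before the policy is installed. Addresses are constructed, the SSL Network Extender port is assumed to be the default 444, and the rule-1-from-Any variant is a constructed misconfiguration, not something the guide describes.

```python
"""Added example (not Check Point's code or a Connectra tool): a first-match
model of the Figure 4-1 rule base, used to confirm that it permits exactly the
flows the guide lists and nothing more. Object addresses are constructed
(RFC 5737/1918 ranges); the SSL Network Extender port is assumed to be 444."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample addresses for the objects named in Figure 4-1.
OBJECTS = {
    "Admin host": [ip_network("10.0.0.10/32")],
    "Connectra": [ip_network("192.0.2.10/32")],   # Connectra's DMZ address
    "LAN": [ip_network("10.0.0.0/16")],
    "Any": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    services: frozenset     # set of (protocol, port) pairs
    action: str
    comment: str = ""


def svc(*pairs):
    return frozenset(pairs)


# Figure 4-1, one Rule per row.
DMZ_RULES = [
    Rule(1, "Admin host", "Connectra", svc(("tcp", 4433)), "Accept",
         "Administrator access (encrypted)"),
    Rule(2, "Any", "Connectra",
         svc(("tcp", 80), ("tcp", 443), ("tcp", 444), ("udp", 4500)),
         "Accept", "End user access to the Connectra portal"),
    Rule(3, "Connectra", "LAN",
         svc(("tcp", 80), ("tcp", 443), ("tcp", 139), ("tcp", 445),
             ("tcp", 138), ("tcp", 137), ("tcp", 143), ("tcp", 25)),
         "Accept", "Connectra to LAN"),
]
# Connectra deployed in the LAN (Figure 2-2): rule 3 is not needed because
# Connectra-to-LAN traffic never crosses the firewall.
LAN_RULES = [r for r in DMZ_RULES if r.number != 3]


def _member(addr, obj):
    return any(ip_address(addr) in net for net in OBJECTS[obj])


def evaluate(rules, src, dst, proto, port):
    """First matching rule decides; no match means the implicit cleanup drop."""
    for r in rules:
        if (_member(src, r.source) and _member(dst, r.destination)
                and (proto, port) in r.services):
            return r.action, r.number
    return "Drop", None


# Flows the guide implies must be accepted, and flows that must stay closed.
# 203.0.113.5 is a constructed address standing for a remote user.
EXPECTATIONS = [
    ("admin WebUI reachable from the admin host", "10.0.0.10", "192.0.2.10", "tcp", 4433, "Accept"),
    ("portal HTTPS reachable by remote users", "203.0.113.5", "192.0.2.10", "tcp", 443, "Accept"),
    ("HTTP reachable so it can redirect to HTTPS", "203.0.113.5", "192.0.2.10", "tcp", 80, "Accept"),
    ("admin WebUI not exposed to remote users", "203.0.113.5", "192.0.2.10", "tcp", 4433, "Drop"),
    ("remote users cannot reach LAN file shares directly", "203.0.113.5", "10.0.5.5", "tcp", 445, "Drop"),
    ("Connectra cannot open SSH into the LAN", "192.0.2.10", "10.0.5.5", "tcp", 22, "Drop"),
]


def audit(rules):
    """Return the descriptions of the expectations the rule base violates."""
    return [desc for desc, s, d, proto, port, want in EXPECTATIONS
            if evaluate(rules, s, d, proto, port)[0] != want]


def admin_rule_widened(rules):
    """Constructed misconfiguration: rule 1's source changed from Admin host to Any."""
    return [replace(r, source="Any") if r.number == 1 else r for r in rules]


if __name__ == "__main__":
    print("DMZ rule base findings:", audit(DMZ_RULES) or "none")
    print("Widened rule 1 findings:", audit(admin_rule_widened(DMZ_RULES)))
```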

Step 3: Installing Connectra Using the CD


To install the Connectra gateway:

1. Configure a designated machine to boot from the CD drive.
2. Place the CD into the CD ROM drive and boot.
   The Pre-installation Message appears:
   Figure 4-2 Pre-installation Message
3. Press Enter. The Check Point Welcome Message appears:
   Figure 4-3 Welcome Message
4. Use the Tab key to select OK.
   The Keyboard Selection screen is displayed:
   Figure 4-4 Keyboard Selection screen
5. Use the Tab and arrow keys to select an appropriate keyboard.
6. Click OK. The Network Interface Configuration screen appears:
   Figure 4-5 Network Interface Configuration screen
7. Enter the IP address of the administration interface. On a cluster member, do not use the address of the synchronization interface. Also specify the Netmask and the Default gateway. Select OK.
8. When prompted to start the installation process, use the arrows or the Tab key to select OK.
   Note - This will ERASE all data on your hard drive.
9. Wait while the hard disk is completely formatted.
   The Package Installation screen appears:
   Figure 4-6 Package Installation screen
   This is followed by instructions for connecting to the Web-based administrative interface:
   Figure 4-7 Connection Instructions
   Note - The default login name and password, and the URL for the WebUI are displayed in the message box. Connect to the WebUI only after the machine reboots.
10. Use the Tab key to select OK to reboot the machine.
11. Wait for SecurePlatform to complete booting.

Step 4: Connecting to the Administration User Interface


You can connect to the Administration User Interface via the console, an SSH connection, or a Web browser.

To connect to the WebUI using a Web browser:

1. When SecurePlatform has completed booting, open a supported Web browser (see Browser Compatibility on page 33) on a machine that has network connectivity to Connectra, and connect to the administrative user interface. By default this interface has the IP address configured earlier (in step 7), over port 4433 (an SSL port). For example: https://192.168.1.1:4433.
2. The End-User License Agreement opens. To accept its terms, click I Accept.

Step 5: Running the First Time Configuration Wizard


The First Time Configuration Wizard can be run in the console or the WebUI.

Running the Wizard from the Console


To run the Wizard in the console:

1. Log in using the default system administrator username/password (admin/admin).
2. Run:

   cpconfig

3. Follow the on-screen instructions.

For more information about the on-screen options, see Running the Wizard from the WebUI on page 46.

Running the Wizard from the WebUI


To run the First Time Configuration Wizard using the WebUI:

1. When the login window opens, enter the default system administrator username/password (admin/admin), and click Login.
2. Change the administrator password, as prompted. The First-Time Configuration Wizard begins to run. Click Next.
3. In the Network Connections page, define the network connections. For centrally managed NGX R66, if the machine will be a Connectra cluster member, define an IP address and netmask for the synchronization network interface. Click Next.
4. In the Routing Table page, configure routing. For centrally managed NGX R66, if the machine will be a Connectra cluster member, configure a default gateway on the subnet of the data interface. Click Next.
5. In the Host, Domain Name, and DNS Servers page, set the following:
   Hostname: For example, Connectra1. If the host is to be part of a cluster, ensure that all hostnames in the cluster are unique.
   Domain Name: For example, example.com. Although not mandatory now, this parameter is important if you want the device to be recognized within the domain.
   DNS Servers: The DNS server to be used when downloading SmartDefense updates and for mounting File Shares. Connectra also uses DNS lookup for any hostname-style HTTP link to an internal server, and for resolving other servers (such as Citrix servers, or any other machine whose DNS entry is properly configured on the LAN).
6. Click Next.
7. In the Device Date and Time Setup page, set the date and time. Cluster member clocks must be synchronized to within a few seconds. Time settings may also affect the behavior of certificate validation. For a cluster, select Use a Network Time Protocol (NTP) to synchronize the clock for reliable synchronization using a time synchronization service. Set the following parameters:
   Primary NTP Server: The hostname of the Primary NTP Server you are using. For example, ntp.xyz.net
   Secondary NTP Server (optional): The hostname of the Secondary NTP Server you are using. For example, ntp.abc.edu
   Shared Secret (optional): The shared secret that cluster members will be using for communication.
   Synchronization period: The time, in seconds, after which cluster members will periodically synchronize their internal clocks with the NTP Server. For example, entering 60 indicates that clocks should synchronize with the server every minute.
   Time Zone: The time zone in which the cluster member machine is located.
8. Click Next.
9. In the Web/SSH Clients page, any Web or SSH client authorized to access the Connectra WebUI is displayed. Click Add to add a new host. Type any as a hostname to enable access from any Web/SSH client. A hostname can also contain a wildcard or IP address range.
10. When all desired hosts appear in the Web/SSH list, click Next.
11. Select the type of management configuration you want for Connectra.
    Locally: To configure locally managed Connectra, where Connectra manages itself.
    Centrally: To configure Connectra that is managed centrally from a SmartCenter Console. Clusters are only supported in a centrally managed configuration. For more information on these configuration options see the Connectra Gateway Clusters chapter of the Connectra NGX R65 Administrative Guide.
    Note - Once you select locally or centrally managed, switching to the other option will require a new installation.
12. Click Next.

Locally Managed Connectra

13. If you are configuring locally managed Connectra, the Connectra GUI Clients page opens:
    a. Hosts authorized to connect to Connectra are displayed.
    b. Click Add to add a new host. Type any as a hostname to enable a connection from any GUI client. A hostname can also contain a wildcard or IP address range.
    c. When all desired hosts appear in the GUI Client list, click Next.
    d. Type a user name and password of the Connectra Administrator.
    e. Click Next.

Centrally Managed Connectra

14. If you are configuring centrally managed Connectra, the Secure Internal Communication page opens. Decide on a SIC Activation Key. Type it and then confirm it. SIC certificates authenticate communication between Check Point communicating components. You will need to use the same Activation Key when defining the gateway in SmartDashboard, on the same SmartCenter server where you installed the Connectra NGX R66 Plug-in. You can use the same Activation Key for all members of a cluster.
    Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.

Both Locally and Centrally Managed

15. If you do not already have SmartConsole NGX R65 installed on your GUI client, in the Download SmartConsole Applications page, click Download to download the SmartConsole. When prompted, click Run. The Check Point Installation Wizard opens.

Installing Check Point SmartConsole


To install the Check Point SmartConsole on the GUI client:

1. Click Next to proceed with the Check Point Installation Wizard.
2. Follow the on-screen instructions to download the SmartConsole.
3. Wait while the software is installed.
4. Click Next to proceed from the Download SmartConsole Applications page.

Completing the First Time Configuration


To complete the Connectra First Time configuration:

1. Click Finish to complete the First Time Configuration Wizard. When prompted, click Yes to start the configuration process. Wait for the Connectra configuration to be complete. A dialog box opens stating that the Connectra initial device configuration process is complete.
2. Click OK. The Device Status page opens, displaying information about your device.
3. Click Close to exit the WebUI.
4. If you downloaded SmartConsole Applications, dialog boxes may open telling you that SmartConsole is installing. Follow the on-screen instructions to continue.


Step 6: Logging In for the First Time


The Login Process
For centrally managed Connectra, administrators connect to the SmartCenter server through SmartDashboard using the same process as SmartConsole clients. First authenticate the administrator and SmartCenter server (to create a secure channel of communication), and then the selected SmartConsole starts. After the first login, the administrator can create a certificate for subsequent logins. For locally managed Connectra, connect directly to the Connectra gateway.

Note - The first time that you start the SmartDashboard, you may be prompted to download the SmartConsole Plug-in pack. The file is approximately 70 MB in size, therefore we advise that you connect for the first time from the LAN or via a high speed connection. You can also download SmartDashboard from the Administrative WebUI or from the First Time Wizard.

Authenticating the Administrator


To authenticate the administrator:

1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R65 > SmartDashboard.
2. Log in using the User Name and Password defined in the Configuration Tools Administrators page during SmartCenter server installation.
3. Specify the name or IP address of the target SmartCenter server and click OK.
4. Manually authenticate the SmartCenter server using the Fingerprint provided during the configuration process. You can see this Fingerprint by connecting to your SmartCenter via SSH and clicking on Product Configuration > Certificate Authority. When you have confirmed that the two fingerprints match, click Approve.
   Note - This step is only necessary the first time you log in. Once the SmartCenter server is authenticated, the Fingerprint is saved in the SmartConsole machine's registry.

Starting the SmartDashboard


To start SmartDashboard:

1. A dialog box may indicate that the SmartConsole has detected a new Plug-in installed on the Management Server. Click Update to update the SmartConsole.
2. Follow the on-screen prompts until the SmartDashboard opens. Figure 4-8 shows SmartDashboard with locally managed Connectra. Figure 4-9 shows SmartDashboard with centrally managed Connectra, including a tab for Connectra.

Figure 4-8 SmartDashboard with Locally Managed Connectra

Figure 4-9 SmartDashboard with Centrally Managed Connectra

Step 7: Defining Connectra Objects (Centrally Managed Connectra)


If you are upgrading from a previous version of SmartCenter or Provider-1/SiteManager-1, any Connectra objects or references defined prior to upgrading the SmartCenter or the CMA become host objects and must be redefined after the upgrade.

Define and configure the topology for each gateway, cluster member, and Connectra cluster.

Defining a Connectra Gateway


To define a Connectra gateway:

1. In SmartDashboard, select the Connectra tab.
2. In the Connectra Gateways window, click New and select Connectra Gateway. The Connectra Properties window opens.
3. In the General Properties page, type the Name and IP Address of the Connectra Gateway that you installed.
4. Click Communication. The Communication dialog box opens.
5. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established.
6. Click Close.
7. Make sure Connectra NGX R66 appears in the Version field and click OK.

Configuring a Connectra Gateway's Topology


Each Cluster member should have at least one cluster interface and one synchronization interface. For more information on configuring topology for cluster members, see Cluster Configuration Deployment Tips on page 69 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

To configure the topology of a Connectra gateway:

1. In the Connectra Properties dialog box, select Topology in the navigation tree. The Topology page opens.
2. Click Get to automatically detect interfaces or Add to manually add interfaces.
   When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.
3. Click OK to return to the main Connectra window.

Defining a Connectra Cluster


After defining each individual Connectra gateway, you can define Connectra Clusters. For more information on configuring topology for cluster members, see Cluster Configuration Deployment Tips on page 69 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

To define a Connectra cluster:

1. In SmartDashboard, select the Connectra tab.
2. In the Connectra Gateways window, click New and select Connectra Cluster. The Connectra Properties window opens.
3. In the General Properties page, type the Name and IP Address (the virtual IP address of the Cluster interface) of the Connectra Cluster that you are defining.
4. In the navigation tree, select Cluster Members.
5. In the Cluster Members pane, click Add to add each cluster member. The Cluster Member Properties page opens.
6. Enter each Cluster Member's Name and IP Address, with the highest priority members at the top.
7. Click Communication. The Communication dialog box opens.
8. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize. All cluster members can have the same activation key. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established.
9. Click Close.
10. Make sure Connectra NGX R66 appears in the Version field and click OK.

Configuring Topology for a Connectra Cluster


For information and instructions on configuring topology for a Connectra Cluster, see the Connectra Cluster Topology Page section of the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide. For brief tips, see Cluster Configuration Deployment Tips on page 69.


Post-Installation Procedures
Step 8: Connecting Connectra to the Network
Connecting a Standalone Connectra
Connect the Connectra network interface to the switch on which the default gateway resides.

Connecting a Connectra Cluster


Refer to Figure 2-3, Connectra Clustering Topology Example, on page 23. When setting up a Connectra cluster, connect the cluster member data interfaces via a switch. The synchronization network carries the most sensitive data in the organization. Keep it secure by connecting the synchronization interfaces using a cross cable, or a dedicated switch. Make sure that each network is configured on a separate VLAN, switch or hub.

Step 9: Backing Up the Configuration


To connect to the WebUI and back up your system configuration:

1. From a Web browser, connect to the administration portal at https://<IP address>:4433. The default IP address is 192.168.1.1.
2. For a cluster, set up all cluster members through the previous steps, and then connect to the administration portal of the primary member.
3. Log in using the administrator user name and password.
4. In the navigation pane, select Device > Backup.
5. On the Backup page, click Backup Now.
6. On the Backup to page, select where you want the backup file sent.
7. Click Apply.
8. When prompted, click Yes to continue.
9. Wait a few seconds and then click Refresh. You should see your backup date and time in the Last successful backup field.
10. Click Close to exit the WebUI.

IMPORTANT - It is also recommended to create an image of the system using the snapshot command (see Preserving the Previous Connectra Configuration on page 79). To revert to the saved snapshot image, use the revert command. See Reverting to a Previous Version of Connectra on page 103.

Step 10: Configuring Access Control


Configure Access Control in Connectra using SmartDashboard. Access management in Connectra is accomplished by defining users and assigning them to groups, and defining applications and associating them with the groups. In addition, Connectra associates each application with a protection level, a security requirement that the remote user must satisfy before being given access to the application.

Access Control is configured in the following stages:

1. Define applications
2. Define users
3. Define user groups
4. Associate users with groups
5. Associate applications with groups
6. Install the Security Policy

These tasks are described in detail in the Connectra Central Management Administration Guide and the Connectra Local Management Administration Guide. The following sections provide some useful background information.

Defining Applications
Defining an application is about deciding which internal LAN applications to expose to remote users. These typically include:

- Web applications
- File shares
- Native applications
- Citrix applications
- Mail services

Setting Protection Levels for Applications


Connectra associates each application with a protection level. The protection level is a security requirement that the remote user must satisfy before being given access to the application. For example, the user must be authenticated using a certificate.

Defining Users and Groups


Access to internal corporate applications is based on group membership. To access a particular application, remote users must belong to a group with the relevant authorization (as well as satisfy the security requirements of the application). These groups can be defined in Connectra's internal user database, or on LDAP or Radius servers. The LDAP group can be a branch in a tree, or an LDAP group that contains users from different branches.

Associating Applications With Groups


You must associate the applications with groups. This association means authorizing certain user groups to use those applications.

Step 11: Performing a SmartDefense Update (Locally Managed Connectra)


SmartDefense updates add new defense mechanisms to the SmartDefense console, and bring existing defense mechanisms up-to-date.

Note - Perform a SmartDefense update immediately after installing Connectra so that the networks accessible through Connectra are fully protected.

To update SmartDefense:

1. In the SmartDefense tab, click Online Update. The update begins and a dialog box notifies you that SmartDefense is being updated from one version number to another.
2. Click Continue to proceed with the update.
3. Enter your User Center username and password. The available new updates are displayed.
4. Click Download Updates. You are informed that the SmartDefense content was updated successfully.
5. Select Policy > Install Policy to apply the updates.

Step 12: Checking Your Setup


1. After installing the Security Policy, browse to the User portal and log in using the credentials of the defined user. The user portal is at https://<IP address>.
2. Verify that you can access the defined application.

Installing the NGX R66 Plug-in


The Connectra NGX R66 Plug-in adds Connectra central management capabilities to an NGX R65 SmartCenter server or Provider-1/SiteManager-1. If you are working in a High Availability environment, install the Plug-in on each member. Install the R66 Plug-in as part of the following procedures:

- Installation and Initial Configuration Procedures: Step 2: Preparing for Centrally Managed Connectra on page 39
- Upgrading to Centrally Managed R66 from R61/R62: Setting Up the SmartCenter on page 84
- Upgrading to Centrally Managed R66 from R62CM: Setting Up the SmartCenter and Installing the R66 Plug-in on page 91
- Upgrading a Connectra Cluster to R66 on page 98

The procedure for installing the R66 Plug-in varies slightly for each platform, but the overall workflow is the same.

Installing the Plug-in on a SmartCenter


The Plug-in for R66 can be installed on a SmartCenter, on the SecurePlatform, Windows, Linux, or Solaris platforms.

In This Section
Installing the Plug-in on a SecurePlatform SmartCenter      page 63
Installing the Plug-in on a Windows SmartCenter             page 63
Installing the Plug-in on a Linux or Solaris SmartCenter    page 64


Installing the Plug-in on a SecurePlatform SmartCenter


To install the Plug-in on a SmartCenter on SecurePlatform:

1. Install SmartCenter server NGX R65.
2. Log in to expert mode by running expert and entering your password.
3. Install the Connectra Plug-in package:
   a. Insert CD2 into the SmartCenter Server machine.
   b. Mount the CD by running:

      mount /dev/cdrom

   c. Go to the CD directory by running:

      cd /mnt/cdrom

   d. Run:

      ./UnixInstallScript -splat

4. Reboot the machine.

Installing the Plug-in on a Windows SmartCenter


To install the Plug-in on SmartCenter on the Windows platform:

1. Install SmartCenter server NGX R65.
2. Install the Connectra Plug-in package:
   a. Insert CD2 into the SmartCenter Server machine.
   b. From the root of the CD, run:

      Setup.bat

   c. Follow the instructions in the wizard.
3. Reboot the machine.


Installing the Plug-in on a Linux or Solaris SmartCenter


To install the Plug-in on a SmartCenter on either Linux or Solaris:

1. Install SmartCenter server NGX R65.
2. Log in to expert mode by running expert and entering your password.
3. Install the Connectra Plug-in package:
   a. Insert CD2 into the SmartCenter Server machine.
   b. Mount the CD by running:

      mount /dev/cdrom

   c. Go to the CD directory by running:

      cd /mnt/cdrom

   d. Run:

      ./UnixInstallScript

4. Reboot the machine.

Installing the Plug-in on Provider-1/SiteManager-1


The Plug-in for R66 can be installed on Provider-1/SiteManager-1, on the SecurePlatform, Linux, or Solaris platforms.

In This Section

Installing the Plug-in on SecurePlatform Provider-1         page 65
Installing the Plug-in on Linux or Solaris Provider-1       page 65
Activating the Connectra Plug-in on the CMA                 page 66


Installing the Plug-in on SecurePlatform Provider-1


To install the Plug-in on Provider-1 on SecurePlatform:

1. Install NGX R65 on the Provider-1/SiteManager-1 Multi Domain Server.
2. Install the Connectra Plug-in package on the Multi-Domain Server:
   a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.
   b. Mount the CD by running:

      mount /dev/cdrom

   c. Go to the CD directory by running:

      cd /mnt/cdrom

   d. Run:

      ./UnixInstallScript -splat

3. Reboot the machine.
4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See Activating the Connectra Plug-in on the CMA on page 66.

Installing the Plug-in on Linux or Solaris Provider-1


To install the Plug-in on Provider-1 on Linux:

1. Install Provider-1/SiteManager-1 Multi Domain Server NGX R65.
2. Install the Connectra Plug-in package on the Multi-Domain Server:
   a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.
   b. Run from the root of the CD:

      ./UnixInstallScript

3. Reboot the machine.
4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See Activating the Connectra Plug-in on the CMA on page 66.

Activating the Connectra Plug-in on the CMA


To activate the Connectra Plug-in, use one of the following procedures:

- Create a customer with a Plug-in. In the Add Customer Wizard, in the Management Plug-ins page, activate the Plug-in.
- In the MDG Customer Contents page, either right-click a customer and select Configure Customer, or double-click the customer, go to the Plug-ins tab, and select the Connectra Plug-in.
- From the MDG's Management Plug-ins View, activate the Plug-in in one of the following ways:
  - Right-click a customer and select Activate Plug-in on Customers.
  - Right-click the PIConR66 and select Activate this Plug-in.
  - Select Activate Plug-in on Customers from the Plug-in menu.
  - Click the Plug-in icon on the toolbar.

Uninstalling Connectra Plug-ins


While Connectra R66 cannot be uninstalled from the Connectra gateway machine, you can uninstall the central management capabilities. To do this, you must uninstall both the R62CM Plug-in (where relevant) and the R66 Plug-in for Central Management. See Uninstalling Connectra Plug-ins on page 105.


Cluster Configuration Deployment Tips


This section includes information that will help you understand the process of configuring a Connectra gateway cluster, in order to make it a successful and trouble free process. The Connectra Central management Administration Guide includes full details of setting up a Connectra cluster. It is strongly recommended that you read the relevant guide before setting up your Connectra cluster. Install and configure the Connectra gateway cluster members, as described in Installation and Configuration Workflow on page 37.

Licensing
Ensure all cluster members are licensed for the same number of users. They do not necessarily have to have identical licenses. Connectra cluster members must run the same software version.

Cluster and Cluster Member Interfaces


Communication into the organization for users is done using the virtual IP address of the Cluster Interface, and not the member IP addresses. To change the configuration of a cluster member, connect to it directly using the IP address of the cluster member, and not to the virtual IP address of the Cluster Interface.

Interface Configuration
The synchronization interfaces of the cluster members reside on the SAME subnet. The data interfaces of the cluster members must reside on the SAME subnet, DIFFERENT from the synchronization subnet.

Use different interfaces for the data and synchronization networks. The recommended setting is to use eth0 for data and eth1 for synchronization.

Physical Connectivity
Synchronization in a two-member cluster can be done using a cross-cable between the two members. A cluster with more than two members requires a switch/hub for synchronization.

Configuration
Cluster member clocks must be synchronized. Use an NTP server or manually synchronize the clocks. Connectra clients access Connectra via two IP address/port combinations: one for the Connectra portal and another for SSL Network Extender. If you wish to use the same IP address for both, configure the portal to listen on port 443 and SSL Network Extender to listen on port 444.

Administration
Cluster members become active after the Security Policy is installed.


SSL Acceleration Card Installation


A hardware-based SSL acceleration card is available to improve the SSL performance of the Connectra gateway. The card speeds up the SSL/TLS public key exchange, and reduces CPU utilization by redirecting CPU-intensive calculations to dedicated hardware. The acceleration card is pre-installed on Connectra 6000. Otherwise it must be purchased and installed separately.

Installing the Card


For details on how to install the acceleration card, see the documentation supplied with the card.

Enabling the Card


To enable the card on Connectra:

1. From the console, run:

   cvpnstop

2. Run:

   hw_acceleration start

3. Run:

   cvpnstart

Disabling the Card


To disable the card:

1. From the console, run:

   cvpnstop

2. Run:

   hw_acceleration stop

3. Run:

   cvpnstart

SSL Acceleration Card Command Syntax


The following table lists the SSL Acceleration Card commands. The card must be activated before running the diag and stat parameters.

Syntax
hw_acceleration { start | stop | diag | stat }

Table 4-2 SSL Acceleration Card Commands

Parameter   Meaning
start       Enable the card
stop        Disable the card
diag        Check if the card is installed and working properly
stat        Get statistics of card activity
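The enable and disable procedures above depend on ordering (stop the services, change the card, start the services), and a failed card command must not leave the portal down. The wrapper below is an added example, not from the Connectra guide; it assumes cvpnstop, cvpnstart and hw_acceleration are on the PATH of the console session, as the guide describes.

```shell
#!/bin/sh
# Added example, not from the Connectra guide: one wrapper for the enable and
# disable procedures. It keeps the guide's order (cvpnstop, card command,
# cvpnstart), restarts the services even when the card command fails, and
# confirms an enable with "hw_acceleration diag". Assumes cvpnstop, cvpnstart
# and hw_acceleration are on PATH, as on the gateway console.

# toggle_ssl_acceleration start|stop
# Returns 0 when every step succeeded, 1 on any failure, 2 on bad usage.
toggle_ssl_acceleration() {
    action=$1
    case "$action" in
        start|stop) ;;
        *) echo "usage: toggle_ssl_acceleration start|stop" >&2; return 2 ;;
    esac

    # Step 1: stop Connectra. If this fails, leave the card alone.
    if ! cvpnstop; then
        echo "cvpnstop failed; SSL acceleration left unchanged" >&2
        return 1
    fi

    # Step 2: enable or disable the card. Record the result instead of
    # returning, because the services must be brought back up either way.
    if hw_acceleration "$action"; then card_rc=0; else card_rc=$?; fi

    # Step 3: start Connectra again.
    if cvpnstart; then svc_rc=0; else svc_rc=$?; fi

    if [ "$card_rc" -ne 0 ]; then
        echo "hw_acceleration $action failed (rc=$card_rc)" >&2
        return 1
    fi
    if [ "$svc_rc" -ne 0 ]; then
        echo "cvpnstart failed (rc=$svc_rc); check the gateway before continuing" >&2
        return 1
    fi

    # The guide notes that diag only works once the card is active, so the
    # health check runs only after an enable.
    if [ "$action" = start ] && ! hw_acceleration diag; then
        echo "card enabled but diag reported a problem" >&2
        return 1
    fi
    return 0
}
```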


Further Information
For further instructions on configuring the Connectra gateway or a Connectra ClusterXL Load Sharing or High Availability cluster, refer to the Connectra Administration Guide appropriate for your configuration, or to the online help.


Chapter 5 Upgrading Connectra


In This Chapter
Upgrade Procedure Quick Reference page 76
Preparing for the Upgrade to R66 page 78
Upgrading to Locally Managed R66 from R61/R62 page 81
Upgrading to Centrally Managed R66 from R61/R62 page 84
Upgrading to Centrally Managed R66 from R62CM page 91
Upgrading a Connectra Cluster to R66 page 98
Advanced Upgrade to R66 from R62 page 99

Upgrade Procedure Quick Reference


Table 5-1 indicates where in this chapter to find the procedures you need, and which CD you should use.

Table 5-1 Upgrade Procedure Quick Reference

Upgrade From: R61/R62
Upgrade To: Locally managed R66
Link to Procedure: Upgrade on the same machine: Upgrading to Locally Managed R66 from R61/R62 on page 81; or upgrade across different machines: Advanced Upgrade to Locally Managed R66 on page 99
Required CD(s): 1. R66

Upgrade From: R62CM
Upgrade To: Centrally managed R66
Link to Procedure: Upgrading to Centrally Managed R66 from R62CM on page 91
Required CD(s): 1. R66; 2. R66 SmartCenter Plug-in

Upgrade From: R61/R62
Upgrade To: Centrally managed R66
Link to Procedure: Upgrading to Centrally Managed R66 from R61/R62 on page 84
Required CD(s): 1. R66; 2. R66 SmartCenter Plug-in

Upgrade From: Connectra Cluster on R61/R62/R62CM
Upgrade To: Connectra Cluster on R66
Link to Procedure: Upgrading to Centrally Managed R66 from R62CM on page 91
Required CD(s): 1. R66; 2. R66 SmartCenter Plug-in

Table 5-2 lists the upgrade scenarios that are not supported by Connectra NGX R66 and indicates the alternative upgrade paths.

Table 5-2 Upgrade Scenarios Not Supported with Connectra NGX R66

Upgrade From: Version older than R61
Upgrade To: R66
Alternative Path: First upgrade to Connectra NGX R61. See the Connectra NGX R61 Getting Started Guide.

Upgrade From: R61 or R62 with Clusters
Upgrade To: Locally managed R66 with Clusters
Alternative Path: Upgrade to centrally managed R66 with Clusters. To do this, you must first fully upgrade to Connectra NGX R62CM. See the Connectra NGX R62CM Getting Started Guide; Upgrading a Connectra Cluster to R66 on page 98.

Upgrade From: R61/62
Upgrade To: Centrally managed R66
Alternative Path: First fully upgrade to Connectra NGX R62CM, then upgrade to centrally managed R66. See the Connectra NGX R62CM Getting Started Guide; Upgrading to Centrally Managed R66 from R61/R62 on page 84.

Upgrade From: R62CM
Upgrade To: Advanced upgrade to centrally managed R66
Alternative Path: Perform an upgrade on the same machine instead of across different machines. See Upgrading to Centrally Managed R66 from R62CM on page 91.

Upgrade From: R61/62/62CM
Upgrade To: R66 locally or centrally managed using the WebUI
Alternative Path: Use the instructions provided in this Getting Started Guide for an alternative scenario. See Upgrade Procedure Quick Reference on page 76.

Preparing for the Upgrade to R66


In This Section
Preserving Manual Changes on the Connectra Gateway page 78
Preserving the Previous Connectra Configuration page 79

Preserving Manual Changes on the Connectra Gateway


The upgrade process retains all configuration settings and end-user settings from the previous installation that were made via the Connectra administration portal or SmartDashboard. Nonetheless, certain manually configured changes are not preserved following the upgrade, and so must be saved before the upgrade and manually restored after it. During the lifetime of a Connectra installation, several configuration changes may be manually applied using the SSH command shell. Such changes may include:

- Changes to Connectra configuration files (*.conf files) made to configure the Apache Web server or for debugging purposes.
- Replacement of Connectra binary files or libraries (Support Hotfixes).
- Changes to Connectra scripts (such as File Share implementation, certificate creation, and cvpnstop/cvpnstart).

To preserve manually configured changes made before the upgrade, back up the following files on the Connectra gateway:

$CVPNDIR/conf/*
$CVPNDIR/var/*
$CVPNDIR/htdocs/Mail/data
$CVPNDIR/htdocs/Mail/attachments
$WEBISDIR/conf/*



Preserving the Previous Connectra Configuration


Note - The NGX R66 package cannot be uninstalled. To make it possible to revert to a previous version, create a snapshot image before installing the package. You can then use the revert command to revert to the previous Connectra version. See Reverting to a Previous Version of Connectra on page 103.

Creating a Snapshot Image


Before upgrading to a new version, it is recommended that you create an image of the entire system using the snapshot tool, either locally or on a TFTP or SCP server. This feature greatly reduces the risks of configuration changes. With a snapshot image you can restore the installation to the state before the upgrade, using the revert command. At boot time you are given the option of booting from any of the available snapshots. Running the snapshot command without any additional flags uses default backup settings and creates a local snapshot. Create a snapshot image via the command line.

Snapshot Command Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]

Table 5-3 Snapshot Command Parameters

Parameter: -h
Meaning: Obtain usage.

Parameter: -d
Meaning: Generate debug information.

Parameter: --tftp <ServerIP> <Filename>
Meaning: IP address of the TFTP server on which the snapshot is made, as well as the filename of the snapshot.

Parameter: --scp <ServerIP> <Username> <Password> <Filename>
Meaning: IP address of the SCP server on which the snapshot is made, the username and password used to access the SCP server, and the filename of the snapshot.

Parameter: --file <Filename>
Meaning: When the snapshot is made locally, specify a filename.


Upgrading to Locally Managed R66 from R61/R62


In This Section
Upgrading to Locally Managed R66 via the Command Line page 81
Completing the Upgrade by Merging Manual Changes page 83

Note - You must upgrade to locally managed R66 using the command line. Upgrades are not supported by the WebUI.

Upgrading to Locally Managed R66 via the Command Line


Before upgrading, follow the procedures in Preserving Manual Changes on the Connectra Gateway on page 78. Upgrading to Connectra NGX R66 involves installing a package file.

To upgrade from Version NGX R61 or R62 to NGX R66 via the command line:

1. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:

   mount /dev/cdrom

2. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:

   cpshell

3. Type:

   patch add cd

4. When prompted, Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.
5. When prompted, type Y to confirm the MD5 checksum that appears on the screen.
6. You are prompted to select a management option. Note that this step determines whether you upgrade to locally or centrally managed Connectra R66. Type 1 to choose Locally managed.
7. When prompted, type a new Administrator name and Password.
8. Type W and then Y to give the new administrator read/write access and permission to manage other administrators.
9. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.

   Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See Reverting to a Previous Version of Connectra on page 103 for instructions on how to revert to a snapshot image if necessary.

10. Wait while the operating system upgrades. This takes approximately ten minutes.
11. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.
12. Reboot your system to complete the upgrade.

Completing the Upgrade by Merging Manual Changes


If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.
2. If necessary, merge the changes back to the same locations in the upgraded installation.
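The backup list in Preserving Manual Changes on the Connectra Gateway and the merge step above can be scripted together: copy the listed paths before the upgrade, then compare them with the upgraded installation to see exactly what needs merging. The script below is an added example, not part of the Connectra guide; $CVPNDIR and $WEBISDIR are the gateway's own variables, while the backup directory argument (an absolute path) and the use of sha256sum for the manifest are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Connectra guide: back up the paths the guide
# lists as not preserved by the upgrade, record a checksum manifest, and after
# the upgrade report which backed-up files are missing or changed so they can
# be merged back. $CVPNDIR and $WEBISDIR are the gateway's variables; the
# backup directory (absolute path) and sha256sum are assumptions.

# The guide's list of paths to preserve, one per line.
manual_paths() {
    cat <<EOF
$CVPNDIR/conf
$CVPNDIR/var
$CVPNDIR/htdocs/Mail/data
$CVPNDIR/htdocs/Mail/attachments
$WEBISDIR/conf
EOF
}

# backup_manual_changes <backup_dir>
# Copies each existing path into <backup_dir> under its original absolute
# path (missing paths are skipped with a warning) and writes
# <backup_dir>.sha256, a manifest to keep off-box so the copy can be proven
# intact before it is relied on after the upgrade.
backup_manual_changes() {
    dest=$1
    manual_paths | while read -r p; do
        if [ -d "$p" ]; then
            mkdir -p "$dest$p" && cp -R "$p/." "$dest$p"
        elif [ -e "$p" ]; then
            mkdir -p "$dest$(dirname "$p")" && cp "$p" "$dest$p"
        else
            echo "warning: $p not found, skipped" >&2
        fi
    done
    (cd "$dest" && find . -type f -exec sha256sum {} + | sort -k2) > "$dest.sha256"
}

# verify_backup <backup_dir> -> 0 when every file still matches the manifest
verify_backup() {
    (cd "$1" && sha256sum -c --status "$1.sha256")
}

# report_manual_diffs <backup_dir>
# Run after the upgrade: prints one line per backed-up file that is missing
# from, or differs in, the upgraded installation. Returns 1 if any were
# found (a merge is needed), 0 if everything still matches.
report_manual_diffs() {
    dest=$1
    status=0
    while read -r f; do
        [ -n "$f" ] || continue
        live=${f#.}                       # ./opt/x/conf/a -> /opt/x/conf/a
        if [ ! -e "$live" ]; then
            echo "MISSING  $live"
            status=1
        elif ! cmp -s "$dest/$f" "$live"; then
            echo "CHANGED  $live"
            status=1
        fi
    done <<EOF
$(cd "$dest" && find . -type f | sort)
EOF
    return $status
}
```

Run backup_manual_changes before the upgrade and copy both the directory and the .sha256 manifest off the gateway; after the reboot, verify_backup followed by report_manual_diffs gives the list of files to merge.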

Upgrading to Centrally Managed R66 from R61/R62


In This Section
Preserving Manual Changes and Previous Configuration page 84
Setting Up the SmartCenter page 84
Upgrading the Connectra Gateway via Command Line page 87
Upgrading the Connectra Gateway via SmartUpdate page 89
Setting Up SIC Trust page 90
Completing the Upgrade by Merging Manual Changes page 90

Note - You must upgrade to centrally managed R66 using the command line or SmartUpdate. Upgrades are not supported by the WebUI.

Preserving Manual Changes and Previous Configuration


Follow all the procedures in Preserving Manual Changes on the Connectra Gateway on page 78.

Setting Up the SmartCenter


Upgrading to R62CM and Importing Previous Configuration
The SmartCenter must have the Connectra R62CM Plug-in installed and be fully upgraded to R62CM before you install the R66 Plug-in for Central Management. This includes using Connectra's Configuration Import Utility to import your R61/62 management configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.

Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.

To install the R66 Plug-in on the R65 SmartCenter or Provider-1/SiteManager-1 CMA:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update during the first connection to a SmartCenter with the Plug-in installed.
3. Install the R62CM Plug-in and Compatibility Package found on NGX R66 CD2 under /Utilities/R62CM/. Follow the instructions for upgrading to R62CM in the Connectra R62CM Getting Started Guide.
4. Import your R61/62 management configuration to the SmartCenter using R62CM's Connectra Configuration Import Utility. Follow the instructions in the Connectra R62CM Getting Started Guide.
5. Reboot SmartCenter or Provider-1/SiteManager-1.

Installing the R66 Plug-in


1. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See Installing the NGX R66 Plug-in on page 62.
2. Reboot SmartCenter or Provider-1/SiteManager-1.
3. After the reboot, open SmartDashboard. SmartDashboard may update itself; it then displays an additional tab for Connectra.

   Figure 5-1 SmartDashboard with Centrally Managed Connectra

4. In SmartDashboard, switch to the Connectra tab.
5. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA: after the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.
6. Define the Connectra objects (do not set up Secure Internal Communication (SIC) at this point):
   a. Create the Connectra gateway or gateway cluster object.
   b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.
   c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IPs to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology. When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.

Upgrading the Connectra Gateway via Command Line


Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate. To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via the command line:


1. Prepare the SmartCenter and R66 Plug-in as described in Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:

   mount /dev/cdrom

3. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:

   cpshell

4. Type:

   patch add cd

5. When prompted, Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.
6. When prompted, type Y to confirm the MD5 checksum that appears on the screen.
7. You are prompted to select a management option. Note that this step determines whether you upgrade to locally or centrally managed Connectra R66. Type 2 to choose Centrally managed.
8. Type Y to confirm the upgrade.
9. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.

   Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See Reverting to a Previous Version of Connectra on page 103 for instructions on how to revert to a snapshot image if necessary.

10. Enter and re-enter a SIC shared secret that you will confirm later when logging in to the SmartDashboard.
11. Wait while the operating system upgrades. This takes approximately ten minutes.
12. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.
13. Reboot your system.

Upgrading the Connectra Gateway via SmartUpdate


Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via SmartUpdate:

1. Prepare the SmartCenter and R66 Plug-in as described in Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM drive of your Connectra machine.
3. From the SmartDashboard, click Window > SmartUpdate.
4. Add the package for Connectra NGX R66 to the SmartUpdate Repository by clicking Packages > Add > From CD.
5. Type your User Center username and password.
6. Select the package for Connectra NGX R66. Click OK.
7. Install the Connectra NGX R66 package.
8. Right-click the target Connectra gateway object and select Upgrade all to upgrade all gateways at once.
9. If you made manual configuration changes, continue with Completing the Upgrade by Merging Manual Changes.

Setting Up SIC Trust


You must set up a SIC connection between Connectra and the SmartCenter in order for them to communicate.

To set up SIC between the Connectra gateway and the SmartCenter:

1. Connect to the Connectra gateway in one of the following ways:
   - Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.
   - From the command line: Open an SSH connection to Connectra, or connect to it via a console.
2. Reset SIC (if there was a prior SIC trust) and enter a shared secret. Do this in either of the following ways:
   - Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.
   - From the command line, run cpconfig. Type 6 to select Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.

Completing the Upgrade by Merging Manual Changes


If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.
2. If necessary, merge the changes back to the same locations in the upgraded installation.

Upgrading to Centrally Managed R66 from R62CM


In This Section
Preserving Manual Changes and Previous Configuration page 84
Setting Up the SmartCenter page 84
Upgrading the Connectra Gateway via Command Line page 87
Upgrading the Connectra Gateway via SmartUpdate page 89
Setting Up SIC Trust page 90
Completing the Upgrade by Merging Manual Changes page 90

Note - You must upgrade to centrally managed R66 using the command line or SmartUpdate. Upgrades are not supported by the WebUI.

Preserving Manual Changes and the Previous Configuration


Follow all the procedures in Preserving Manual Changes on the Connectra Gateway on page 78.

Setting Up the SmartCenter and Installing the R66 Plug-in


Important: The SmartCenter should have the Connectra R62CM Plug-in installed and be fully upgraded to R62CM before installing the R66 Plug-in for Central Management. This includes using Connectra's Configuration Import Utility to import your management configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.

Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.

To install the R66 Plug-in on the R65 SmartCenter or Provider-1/SiteManager-1 CMA:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update in order to manage Connectra.
3. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See Installing the NGX R66 Plug-in on page 62.

   Note - If your SmartCenter is not already upgraded to R62CM, you must upgrade it before upgrading to centrally managed R66. See the Important note above.

4. Reboot SmartCenter or Provider-1/SiteManager-1.
5. After the reboot, open SmartDashboard. SmartDashboard displays an additional tab for Connectra.

   Figure 5-2 SmartDashboard with Centrally Managed Connectra

6. In SmartDashboard, switch to the Connectra tab.
7. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA: after the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.
8. Define the Connectra objects (do not set up Secure Internal Communication (SIC) at this point):
   a. Create the Connectra gateway or gateway cluster object.
   b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.
   c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IPs to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology. When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.

Upgrading the Connectra Gateway Using the Command Line


Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via the command line:

1. Prepare the SmartCenter and R66 Plug-in as described in Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:

   mount /dev/cdrom

3. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:

   cpshell

4. Type:

   patch add cd

5. When prompted, Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.
6. When prompted, type Y to confirm the MD5 checksum that appears on the screen.
7. When prompted, type Y to confirm that you want to perform the upgrade.
8. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.

   Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See Reverting to a Previous Version of Connectra on page 103 for instructions on how to revert to a snapshot image if necessary.

9. Enter and re-enter a SIC shared secret that you will confirm later when logging in to SmartDashboard.
10. Wait while the operating system upgrades. This will take approximately ten minutes.
11. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.
12. Reboot your system.
13. Repeat the steps above on each gateway that must be updated.

Upgrading the Connectra Gateway Using SmartUpdate


Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate. Using SmartUpdate, you can upgrade all Connectra gateways at once.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via SmartUpdate:

1. Prepare the SmartCenter and R66 Plug-in as described in Setting Up the SmartCenter on page 84.
2. From SmartDashboard, click Window > SmartUpdate.
3. Add the package for Connectra NGX R66 to the SmartUpdate Repository by clicking Packages > Add > From CD.
4. Enter your User Center username and password.
5. Select the package for Connectra NGX R66. Click Download.
6. Install the Connectra NGX R66 package.
7. Right-click the target Connectra gateway object and select Upgrade all to upgrade all gateways at the same time.
8. If you made manual configuration changes, continue with Completing the Upgrade by Merging Manual Changes.

The first time that you start the SmartDashboard, you are prompted to download the SmartConsole Plug-in pack. The file size is approximately 50 MB, so we advise making the first connection from the LAN or over a high-speed connection.

Setting Up SIC Trust


You must set up a SIC connection between Connectra and the SmartCenter in order for them to communicate.

To set up SIC between the Connectra gateway and the SmartCenter:

1. Connect to the Connectra gateway in one of the following ways:
   - Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.
   - From the command line: Open an SSH connection to Connectra, or connect to it via a console.
2. Reset SIC (if there was a prior SIC trust) and enter a one-time password. Do this in one of two ways:
   - Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.
   - From the command line, run cpconfig. Type 6 to select Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.

Completing the Upgrade by Merging Manual Changes


If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.
2. If necessary, merge the changes back to the same locations in the upgraded installation.

Upgrading a Connectra Cluster to R66


Connectra Clusters are only supported on centrally managed R66. If you have R61 or R62 and wish to upgrade to centrally managed R66, you must first upgrade the cluster members' Connectra gateways and the SmartCenter server to R62CM. For instructions on upgrading to R62CM, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under:

/Utilities/R62CM/

If you currently have locally supported clusters, see For Connectra Cluster Users on page 112 for licensing information.

To upgrade a Connectra cluster from NGX R62CM to NGX R66:

1. Install the R66 Plug-in on the NGX R65 SmartCenter. See Setting Up the SmartCenter on page 84.
2. Upgrade each Connectra gateway, as described in Upgrading to Centrally Managed R66 from R62CM on page 91.
3. Define each cluster member in SmartDashboard. See Step 7: Defining Connectra Objects (Centrally Managed Connectra) on page 54 and Cluster Configuration Deployment Tips on page 69.

Advanced Upgrade to R66 from R62


In This Section
Introduction to Advanced Upgrade page 99
Advanced Upgrade to Locally Managed R66 page 99

Introduction to Advanced Upgrade


Perform an advanced upgrade from Connectra NGX R62 to Connectra NGX R66 in order to:

- Migrate to a new Connectra server.
- Avoid risking the production server in case the upgrade fails.

The advanced upgrade procedure involves two machines. The first machine is the working production machine. Connectra is installed from scratch on the second machine and the configuration of the first machine is imported to it. Advanced upgrade is only supported when upgrading from locally managed Connectra R62 to locally managed Connectra NGX R66.

Advanced Upgrade to Locally Managed R66


Preparing for Advanced Upgrade to Locally Managed R66
Prepare a new machine, to which the Connectra configuration will be imported. The following conditions must be met:

- IP addresses on the new and old machines must match.
- NIC configuration on the new and old machines must match.

The following are not preserved in the upgrade. Be sure to track them so you can re-apply them after Connectra is upgraded:

- Manual changes to Connectra configuration files. See Preserving Manual Changes on the Connectra Gateway on page 78.
- All settings in the Device menu of the administrator portal.
- The Internal Certificate Authority (ICA).

Advanced Upgrade Procedure to Locally Managed R66


To perform an advanced upgrade from Connectra NGX R62 to locally managed NGX R66:

1. Insert CD1 into the original machine.
2. Type:

   mount /dev/cdrom

3. On the CD, browse to the location of the export utility. Locate the upgrade_export tools in:

   /linux/Utilities/UpgradeTools/

4. Create an exportable configuration file by running the command:

   upgrade_export <path_and_filename_of_tgz>

   where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file.

5. Wait while the database files are exported.
6. Install the new NGX R66 machine as per Installation and Initial Configuration Procedures on page 39. The new machine must have the same IP address as the old machine. The IP address can be changed later.
7. Copy the exported .tgz file via FTP in binary mode to any location on the new Connectra machine.
8. On the new Connectra machine, go to:

   $FWDIR/bin/upgrade_tools

9. Run:

   upgrade_import -n <path_and_filename_of_tgz> <connectra_object_name>

   where <path_and_filename_of_tgz> is the path of the copied configuration (.tgz) file and <connectra_object_name> is the name of your Connectra gateway.

   Note - The configuration (.tgz) file contains your Connectra configuration. It is recommended to back it up on a different machine and delete it from the Connectra machine after completing the import process.

10. Reboot.

Completing the Advanced Upgrade to R66


If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.
2. If necessary, merge the changes back to the same locations in the upgraded installation.

Reapply all settings under the Device menu of the administrator portal (including administrator settings and routing) from the old machine to the new machine. If there was a mismatch in the primary or secondary IP addresses of the NICs, between the two machines, you must reconfigure IP address assignments for the Portal and SSL Network Extender.


To reconfigure IP address assignments for the Portal and SSL Network Extender:

1. In SmartDashboard, select your Connectra Gateway and click Edit.
2. Select Topology from the navigation tree in the Connectra Properties page.
3. Click Portal Customization settings or VPN Clients settings and edit the machine's interface.


Chapter 6 Reverting to a Previous Version of Connectra


In This Chapter

Reverting to a Snapshot            page 103
Uninstalling Connectra Plug-ins    page 105

Reverting to a Snapshot
Connectra NGX R66 cannot be uninstalled. To make it possible to revert to a previous version, create a snapshot image before installing. See Preserving the Previous Connectra Configuration on page 79. If the upgrade did not succeed, you can revert to a previously installed state by rebooting the system from a snapshot file. Running the revert command without any additional flags uses default backup settings and reboots the system from a local snapshot. The revert command functionality can also be accessed from the Snapshot image management boot option.

Syntax

revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]

Table 6-1 Revert Command Parameters

Parameter                                           Meaning
-h                                                  Obtain usage.
-d                                                  Debug flag.
--tftp <ServerIP> <Filename>                        IP address of the TFTP server from which the snapshot is rebooted, as well as the filename of the snapshot.
--scp <ServerIP> <Username> <Password> <Filename>   IP address of the SCP server from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot.
--file <Filename>                                   When the snapshot was created locally, specify its filename.


Uninstalling Connectra Plug-ins


While the Connectra NGX R66 Gateway cannot be uninstalled, the Plug-in for central management can be uninstalled. If you want to uninstall Connectra NGX R66's central management capabilities, you must uninstall both the R66 Plug-in for Central Management and the R62CM Plug-in from your SmartCenter machines, Log Servers, Eventia Reporter, and any remote objects on which the Plug-ins may have been installed. In a High Availability environment, perform the uninstallations on each member.

Uninstalling the R66 Plug-in for Central Management


Before Uninstalling the R66 Plug-in:

If you have the Connectra NGX R66 Plug-in installed on a SmartCenter, Log Server, Eventia Reporter, or other remote objects, and you want to uninstall the Plug-in from them, you must first do the following:

1. Delete all Connectra objects from SmartDashboard.
2. Synchronize the remote servers' databases with the SmartCenter by installing the Database on all remote objects that have the Plug-in installed. In SmartDashboard, select Policy > Install Database for each remote object.

   Note - If you do not install the Database, the Plug-in uninstallation on these objects will fail, but it will succeed on the SmartCenter. Therefore, you will not be able to install the Database on the remote objects, nor will you be able to remove the R66 Plug-in from the remote objects.


Uninstalling the R66 Plug-in


1. From the command line, run the pre-uninstall verifier as follows:

   In Linux, Solaris, or SecurePlatform:
   a. Run:

      cd /opt/CPPIconR66-R65/bin/

   b. Run:

      ./plugin_preuninstall_verifier

   c. Read the results. If it says you can remove the Plug-in, proceed to step 2.

   In Windows:
   a. From

      c:\Program Files\CheckPoint\PIconR66\R66\bin\

      run: plugin_preuninstall_verifier.exe

2. Remove the R66 Plug-in:

   In Linux or SecurePlatform, run:

      rpm -e CPPIconR65-R66-00

   In Solaris, run pkgrm, then choose the package number corresponding to CPPIconR65-R66-00.

   In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R66 Plug-in.

3. Restart the system.


Removing the R66 Compatibility Package


Remove the Compatibility Package only after uninstalling the R66 Plug-in.

1. Remove the R66 Compatibility Package as follows:

   In Linux or SecurePlatform, run:

      rpm -e CPCON65CMP-R66-00

   In Solaris, run pkgrm, then choose the package number corresponding to CPCON65CMP-R66-00.

   In Windows, use Add/Remove Programs to remove the Check Point NGX R66 Connectra Compatibility Package.

2. Restart the system.

Uninstalling the Connectra NGX R62CM Plug-in


To remove the Connectra NGX R62CM Plug-in:

1. From the command line, run the pre-uninstall verifier as follows:

   In Linux, Solaris, or SecurePlatform:
   a. Run:

      cd /opt/CPPIconnectra-R65/bin/

   b. Run:

      ./plugin_preuninstall_verifier

   c. Read the results. If it says you can remove the Plug-in, proceed to step 2.


   In Windows:
   a. From

      c:\Program Files\CheckPoint\PIconnectra\R65\bin\

      run:

      plugin_preuninstall_verifier.exe

2. Remove the R62CM Plug-in:

   In Linux or SecurePlatform, run:

      rpm -e CPPIconnectraR65-R65-00

   In Solaris, run pkgrm, then choose the package corresponding to CPPIconnectraR65-R65-00.

   In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R62A Plug-in. Also remove the Check Point Plug-in NGX R65_HF_284 if relevant.

3. Restart the system.

Removing the R62CM Compatibility Package


Remove the R62CM Compatibility Package only after uninstalling the R62CM Plug-in.

1. Remove the R62CM Compatibility Package as follows:

   In Linux or SecurePlatform, run:

      rpm -e CPCON62CMP-R65-00

   In Solaris, run pkgrm, then choose the package corresponding to CPCON62CMP-R65.

   In Windows, use Add/Remove Programs to remove the Check Point NGX R62A Compatibility Package R65.


2. Restart the system.

Uninstalling Plug-ins in Provider-1


Before uninstalling the R66 or R62CM Plug-ins on Provider-1, you must first deactivate the Plug-ins on all customers of the MDS from which you want to remove a Plug-in.

Deactivating Plug-ins on the MDS


To deactivate Plug-ins on the MDS:

1. Go to Management Plug-ins in the selection bar of the MDG.
2. Double-click on a customer.
3. Go to the Plug-ins tab.
4. Select the plug-in to deactivate: PIconR66-R65 for Connectra NGX R66 or PIconnectra for Connectra NGX R62CM.
5. Click Remove.
6. Click OK.
7. Follow the steps in Uninstalling the R66 Plug-in for Central Management on page 105 or Uninstalling the R62CM Plug-in in Provider-1 on page 109.

Uninstalling the R62CM Plug-in in Provider-1


To remove the Connectra Central Management Plug-in in Provider-1:

1. In the Provider-1 MDS, deactivate the Connectra Central Management Plug-in (PIConnectra) on all customers.
2. On the command line, run:

   rm -f /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf ; touch /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf


3. Run the pre-uninstall verifier:

   /opt/CPPIconnectra-R65/bin/plugin_preuninstall_verifier

4. Remove the Connectra Central Management Plug-in:

   Use rpm -e CPPIconnectra-R65 on Linux and SecurePlatform.
   Use pkgrm CPPIconnectra-R65 on Solaris.

5. Run mdsstop/mdsstart.


Chapter 7 License Installation and User Assistance


In This Chapter

Installing Check Point Licenses    page 111
Where To Go From Here?             page 114

Installing Check Point Licenses


Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack in the Check Point User Center. Note that you may need multiple licenses for different products included with Connectra NGX R66. The Certificate Key is used to obtain a License Key for products that you are evaluating. To purchase the required Check Point products, contact your reseller.

Note - Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software.


If you are upgrading from a Connectra appliance to Connectra software, you will not automatically get a 15 day trial on the software. We recommend purchasing a license with the software in advance. Alternatively, you can remove all licenses and then you will automatically get a 15 day trial period.

Connectra enforces the license installed on the gateway by counting the number of concurrent sessions taking place on the portal. If the limit has been reached, warning messages are sent to the log.

Check Point products are activated as follows:

1. Activate the Certificate Key shown on the back of the media pack via the Check Point User Center: http://www.checkpoint.com/usercenter

   The Certificate Key activation process consists of:
   Adding the Certificate Key
   Activating the products
   Choosing the type of license
   Entering the software details

2. Once you have a new License Key, you can install it on the Connectra machine.
3. Select Settings > Device > Licenses.
4. Click New. You can either enter the license details individually, or paste them directly from the clipboard.

For Connectra Cluster Users


Unlike previous versions of Connectra, in Connectra NGX R66, clusters can only be managed centrally, from an R65 SmartCenter or Provider-1 with the Connectra R66 Plug-in.


Customers who:

a. currently have a Connectra High Availability product, or are buying a new such product, and
b. are under a valid service agreement

should find a new product and license named "SmartCenter for Connectra Clusters" in their User Center account. If you are a customer satisfying these two conditions but do not see this new product in your User Center account, please contact Check Point's account services. This new license entitles customers to install a Check Point SmartCenter R65 on a dedicated server and manage their Connectra clusters from that server. For information on upgrading to centrally managed Connectra R66, see Upgrading Connectra on page 75.


Where To Go From Here?


You have now learned the basics that you need to get started. The next step is to obtain more detailed knowledge of your Check Point products. For thorough information see the Connectra Central Management Administration Guide, Version R66 or the Connectra Local Management Administration Guide, Version R66. Check Point documentation provides additional information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at: http://www.checkpoint.com/support/technical/documents. See the Check Point Services website http://www.checkpoint.com/techsupport/ or see the SecureKnowledge self-service database of technical information at http://support.checkpoint.com/.
