Contents
Chapter 1 Introduction to Connectra
  Introduction ..................................................... 10
  In This Guide .................................................... 11
  Key Features and Benefits ........................................ 13
    Secure Web-Based Connectivity .................................. 13
    Unified Security Management .................................... 13
    Comprehensive Endpoint Security ................................ 13
    Integrated Intrusion Prevention ................................ 14
    Easy Deployment ................................................ 14
    Central Management ............................................. 14
    Local Management ............................................... 15
    Flexible Deployment Options .................................... 15
    Advanced Authentication Options ................................ 15
  Choosing the Correct CD .......................................... 16
  Procedure Quick Reference ........................................ 17
Chapter 3 Connectra Requirements
  Preparing to Use the Compatibility Testing Tool .................. 28
  Using the Hardware Compatibility Testing Tool .................... 31
  BIOS Security Configuration Recommendations ...................... 32
  Operating System Compatibility ................................... 32
  Browser Compatibility ............................................ 33
Chapter 6 Reverting to a Previous Version of Connectra
  Uninstalling Connectra Plug-ins .................................. 105
    Uninstalling the R66 Plug-in for Central Management ............ 105
    Uninstalling the Connectra NGX R62CM Plug-in ................... 107
    Uninstalling Plug-ins in Provider-1 ............................ 109
Introduction
Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. With Connectra NGX R66, remote and mobile employees, contractors, business partners, and customers can access network resources and applications either through a lightweight VPN client or simply through a Web browser. By unifying SSL and IPSec VPN technologies into a single gateway and management console, Connectra provides flexible access for end users and simple, streamlined deployment for the IT organization. Connectra offers administrators tight access controls to help ensure that only authorized users on clean hosts gain access to corporate resources. To that end, Connectra features multiple strong authentication methods and tight integration with directory services. Comprehensive endpoint security capabilities enable malware scans and compliance checks. A virtual Secure Workspace provides session confidentiality on both managed and unmanaged endpoints, such as laptops, home PCs, Internet kiosks, and more. Connectra can be deployed as a turnkey appliance, as software on open servers, or as a virtual machine on VMware ESX Server. Connectra gateways can be managed either locally or centrally through a single Check Point SMART management console, reducing the administration time required to configure, monitor, update, and audit remote access policies.
Note - Using different authentication schemes for Connectra users and VPN-1 users in a centrally managed environment may not be possible for every existing configuration. Visit https://secureknowledge.checkpoint.com and review the SecureKnowledge solution sk32656 for helpful information.
In This Guide
This guide has important information that you should read before installing or upgrading Connectra.

Table 1-1
Chapter | Description
Chapter 1, Introduction to Connectra | Introduces Connectra and describes its key features and benefits.
Chapter 2, Deploying Connectra | Discusses the various deployment options: in the DMZ, in the LAN, and as a ClusterXL gateway cluster.
Chapter 3, Connectra Requirements | Provides the minimum hardware requirements, recommended hardware, hardware compatibility testing tool, operating system and browser compatibility, and license requirements.
Chapter 4, Installing and Configuring Connectra | Provides step-by-step instructions for the installation and initial configuration of Connectra.
Chapter 5, Upgrading Connectra | Provides instructions for upgrading Connectra using the CD or a downloaded file.
Chapter 6, Reverting to a Previous Version of Connectra | Provides instructions for reverting to a previous Connectra version using a snapshot image file, as well as for uninstalling Connectra Plug-ins.
Chapter 7, License Installation and User Assistance | Discusses the license types and their installation, and provides details on how to obtain further assistance.
Key Features and Benefits

- Allows organizations to define endpoint security requirements to access individual resources.
- Safeguards confidentiality of corporate information.
- Prevents identity, password, and data theft on remote endpoints.
- Allows secure VPN access even on public or unmanaged PCs.
Easy Deployment
Integrates with existing network and security infrastructure. Enables quick and easy setup without requiring changes to servers or network configuration.
Central Management
Connectra gateways can be managed from SmartCenter and Provider-1/SiteManager-1. Full leveraging of the SmartCenter architecture:
- Object sharing (for example, Network Objects, Applications, Users, Services).
- Same authentication settings, log settings, and so on.
- Configuration of multiple Connectra gateways and gateway clusters from the same SmartDashboard.
- Identical or different settings and policies for different Connectra gateways.
- Single point of administration for backup and maintenance.
- Redundant management infrastructure is possible.
Local Management
The Check Point SmartConsole suite is utilized for configuring, monitoring, and tracking a single Connectra gateway. SmartDashboard, SmartView Monitor, and SmartView Tracker are tailored for a single Connectra gateway.
Choosing the Correct CD

CD | Use To | Install On
CD 1: R66 | Install a locally managed or centrally managed Connectra gateway. Upgrade from R61, R62, or R62CM to R66. | R61, R62, or R62CM Connectra gateway.
CD 2: R66 SmartCenter Plug-in | Add central management capabilities to the SmartCenter server or Provider-1/SiteManager-1 MDS. Use this option for creating Clusters. Upgrade from R61, R62, or R62CM to centrally managed R66. | NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.
Deployment Overview
In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as on the internal LAN. In both scenarios, SSL termination takes place at the Connectra Gateway. Web Intelligence, Application Intelligence, authentication, and authorization schemes on the Connectra Gateway are employed to protect the internal network and to inspect the traffic for harmful content before it reaches the internal servers. Connectra differs from other remote access solutions in that it has gateway-based application-level and network-level protection. For example, it incorporates the Malicious Code Protector to protect against worms.
When Connectra is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Connectra is subject to firewall restrictions. By deploying Connectra in the DMZ, the need to enable direct access from the Internet to the LAN is avoided. Remote users initiate an SSL connection to the Connectra Gateway. The firewall must be configured to allow traffic from the user to the Connectra server, where SSL termination, Web and Application Intelligence inspection, authentication, and authorization take place. Requests are then forwarded to the internal servers via the firewall. Administration traffic is always SSL encrypted.
The remote user opens a browser and initiates an HTTPS request to the Connectra server. The SSL connection is terminated within the LAN and the clear text requests are forwarded to the internal servers. The internal servers reply in the clear to Connectra, which encrypts the reply back to the remote user. In the scenario shown in Figure 2-2, the perimeter firewall must be configured to allow encrypted SSL traffic to Connectra. In this scenario, the SSL VPN traffic passes through the Firewall as encrypted traffic, thus unavailable for inspection with traditional solutions. With Connectra, the network is fully protected with Application Intelligence and Web Intelligence.
Each cluster member has two interfaces: one data interface leading to the organization and to the Internet, and a second interface for synchronization. Each interface is on a different subnet:
- One subnet for data (in Figure 2-3, 10.0.0.1 for Member A and 10.0.0.2 for Member B).
- One subnet for synchronization (10.0.10.1 for Member A and 10.0.10.2 for Member B).
See Cluster Configuration Deployment Tips on page 69 for more information about Connectra clusters. Note - Clusters are not supported in locally managed R66.
If you have over 1 GB of RAM, you will need additional free disk space. In this case, an additional 2 GB of free disk space should be added for each additional 1 GB of RAM.
Recommended Hardware
Open servers and devices are tested on a regular basis by Check Point for compatibility with Connectra. For an updated list of hardware that is recommended for use with Connectra, see http://www.checkpoint.com/services/techsupport/hcl/connectra.html. Note that Connectra is also supported on VMware virtual machines. See the Connectra NGX R66 Virtual Appliance Getting Started Guide for detailed information regarding installing and configuring Connectra on VMware.
Preparing to Use the Compatibility Testing Tool

Alternatively, using the NT command shell (cmd), run the following command on a single line (where D: is the CD-ROM drive):

D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\boot.img

5. Boot the machine.
bootnet.img file on the cprawrite executable. Alternatively, using NT command shell (cmd), run the following command on a single line (where D: is the
This step writes files to the diskette, which you will transfer to the other machine (the machine on which the tool will be run).
5. Make the contents available on the network, either by allowing access to the CD drive, or by copying the CD to a hard disk and enabling access to that disk (for example, by FTP, HTTP, or NFS).
Using the Hardware Compatibility Testing Tool

6. If you are installing using a serial console instead of the keyboard and monitor, make sure that your terminal emulation software is configured as follows:
- 9600 Baud rate
- 8 data bits
- No parity
- No flow control
Additional information can be obtained by pressing the Devices button. The devices information window lists all the devices found on the machine (grouped according to functionality). Use the arrow keys to navigate through the list.
Pressing Enter on a specific device displays detailed information about that device. The detailed information can be saved to a diskette, to a TFTP Server, or dumped through the Serial Console. This action may be required in cases where some of the devices are not supported.
Browser Compatibility
For a list of the Web browsers (Internet Explorer, Mozilla Firefox, and so on) that are compatible with each Connectra feature, see the latest version of the Connectra release notes, available at http://www.checkpoint.com/techsupport/downloads.jsp.
I want to... | See
Perform a new installation of (locally managed) NGX R66 | Installation and Configuration Workflow on page 37.
Perform a new installation of (centrally managed) NGX R66 | Installation and Configuration Workflow on page 37.
Set up a Connectra NGX R66 Cluster | Cluster Configuration Deployment Tips on page 69.
Install an SSL Acceleration card | SSL Acceleration Card Installation on page 71.
To upgrade from a previous version, see chapter 5, Upgrading Connectra on page 75. For more information about Clusters, see Cluster Configuration Deployment Tips on page 69. Note that Clusters are not supported in locally managed Connectra NGX R66.
Installation
1. Plan the deployment topology.
2. If you are installing centrally managed Connectra:
   a. Add a NIC to the machine (for a Cluster Member only).
   b. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 MDS to NGX R65 and install the Connectra R66 SmartCenter Plug-in using the CD.
   c. Configure relevant firewall access rules.
3. Install Connectra using the CD.
4. Connect to the administration user interface.
5. Run the First Time Configuration Wizard and automatically install the Connectra package.
6. Log in to the SmartDashboard for the first time.
7. If you are installing centrally managed Connectra, define Connectra objects in SmartDashboard.
Post-Installation Procedures
After completing the installation, configure Connectra as follows:
8. Connect Connectra to the network.
9. Connect to the local administration portal and back up the configuration.
10. Perform detailed configuration via the SmartDashboard.
11. If you are setting up locally managed Connectra, perform a SmartDefense Update.
12. Check your setup.
You can also install an SSL acceleration card. See SSL Acceleration Card Installation on page 71.
Step B: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only)
To set up the SmartCenter and install the NGX R66 Plug-in: 1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). It is recommended to use the latest MDG, which is found on CD2 in the MDG directory.
3. Install the Connectra NGX R66 Plug-in on version NGX R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See Installing the NGX R66 Plug-in on page 62.
Figure 4-1 Rules for Deploying Connectra in the DMZ

Destination | Service | Action | Comment
Connectra | HTTPS (TCP/4433) | Accept | Administrator access (encrypted).
Connectra | HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444) [or the port on which the SSL Network Extender server is configured], IKE_NAT_TRAVERSAL (UDP/4500). This is used by Endpoint | Accept | End user access to the Connectra portal: Web applications, File sharing, Web mail. Sessions initiated using HTTP are redirected automatically to HTTPS. All actual communication is encrypted.
LAN | HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139), microsoft-ds (TCP/445), nbdatagram (TCP/138), nbname (TCP/137), IMAP (TCP/143), SMTP (TCP/25), and all additional network applications that are made accessible via the SSL Network Extender | Accept | Connectra to LAN for: Web applications, File sharing, Web mail.
You may need other rules, depending on your configuration:
- Connectra requires access to DNS servers, and possibly to WINS servers.
- For backups, Connectra may need access to a TFTP or SCP server.
- Connectra may need access to the SmartCenter Server or to a Customer Log Module (CLM), in order to send logs to a remote log server.
- For authentication, Connectra may need access to LDAP, RADIUS, and ACE servers.
- Connectra may need access to an NTP server for clock synchronization purposes.

Step 3: Installing Connectra Using the CD
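The rule base in Figure 4-1 and the list of additional rules above can be checked mechanically before the firewall is configured. The following Python is an added example, not Check Point code: it models the figure's accept rules as data, evaluates a flow with first-match semantics and a final cleanup drop, and shows that no rule admits traffic from the Internet directly into the LAN, which is the point of placing Connectra in the DMZ. The zone names, the rule names, restricting TCP/4433 to a separate "admin" zone, and the DNS, NTP and TFTP ports used for the infrastructure rule are assumptions; the portal and LAN services come from the figure.

```python
"""Toy first-match evaluation of the DMZ rule base in Figure 4-1.

Added example: zone names, rule names, the 'admin' zone for TCP/4433 and the
infrastructure ports (DNS 53, NTP 123, TFTP 69) are assumptions; the portal
and LAN services are the ones the figure lists.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Service = Tuple[str, int]  # (protocol, port)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # zone: "internet", "admin", "connectra", "lan" or "*"
    dst: str
    services: FrozenSet[Service]  # empty set means "any service"
    action: str                   # "accept" or "drop"


def svc(proto: str, *ports: int) -> FrozenSet[Service]:
    return frozenset((proto, p) for p in ports)


RULES: List[Rule] = [
    # Administrator access to the WebUI (encrypted); source zone is an assumption.
    Rule("admin-webui", "admin", "connectra", svc("tcp", 4433), "accept"),
    # End users: HTTP is accepted only because the portal redirects it to HTTPS;
    # TCP/444 is the SSL Network Extender port, UDP/4500 is IKE NAT traversal.
    Rule("user-portal", "internet", "connectra",
         svc("tcp", 80, 443, 444) | svc("udp", 4500), "accept"),
    # Connectra to the LAN for Web applications, file sharing and Web mail.
    Rule("connectra-to-lan", "connectra", "lan",
         svc("tcp", 80, 443, 139, 445, 138, 137, 143, 25), "accept"),
    # Infrastructure Connectra itself needs (DNS, NTP, TFTP backups; ports assumed).
    Rule("connectra-infra", "connectra", "lan", svc("udp", 53, 123, 69), "accept"),
    # Explicit cleanup rule: anything not matched above is dropped.
    Rule("cleanup", "*", "*", frozenset(), "drop"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    zone_ok = rule.src in ("*", src) and rule.dst in ("*", dst)
    service_ok = not rule.services or (proto, port) in rule.services
    return zone_ok and service_ok


def decide(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the matching rule)."""
    for rule in RULES:
        if matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return "drop", "implicit-drop"  # unreachable while the cleanup rule exists


def accepting_rules(src: str, dst: str) -> List[str]:
    """Names of accept rules that admit any traffic at all between two zones."""
    return [r.name for r in RULES
            if r.action == "accept" and r.src in ("*", src) and r.dst in ("*", dst)]


if __name__ == "__main__":
    for flow in [("internet", "connectra", "tcp", 443),
                 ("internet", "connectra", "tcp", 4433),
                 ("internet", "lan", "tcp", 445),
                 ("connectra", "lan", "tcp", 445)]:
        print(flow, "->", decide(*flow))
    print("internet -> lan accept rules:", accepting_rules("internet", "lan"))
```

The `accepting_rules("internet", "lan")` check is the one worth keeping in a deployment checklist: it returns an empty list for this rule base, and any rule that makes it non-empty defeats the DMZ design described above.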
The Keyboard Selection screen is displayed: Figure 4-4 Keyboard Selection screen
5. Use the Tab and arrow keys to select an appropriate keyboard.
6. Click OK. The Network Interface Configuration screen appears:
Figure 4-5 Network Interface Configuration screen
7. Enter the IP address of the administration interface. On a cluster member, do not use the address of the synchronization interface. Also specify the Netmask and the Default gateway. Select OK.
8. When prompted to start the installation process, use the arrows or the Tab key to select OK.
Note - This will ERASE all data on your hard drive.
9. The Package Installation screen appears:
Figure 4-6 Package Installation screen
Figure 4-7 Connection Instructions

Note - The default login name and password, and the URL for the WebUI, are displayed in the message box. Connect to the WebUI only after the machine reboots.
10. Use the Tab key to select OK to reboot the machine.
11. Wait for SecurePlatform to complete booting.

Step 4: Connecting to the Administration User Interface
cpconfig.
For more information about the on-screen options, see Running the Wizard from the WebUI on page 46.
Step 5: Running the First Time Configuration Wizard

- Hostname: For example, Connectra1. If the host is to be part of a cluster, ensure that all hostnames in the cluster are unique.
- Domain Name: For example, example.com. Although not mandatory now, this parameter is important if you want the device to be recognized within the domain.
- DNS Servers: The DNS server to be used when downloading SmartDefense updates and for mounting File Shares. Connectra also uses DNS lookup for any hostname-style HTTP link to an internal server, and for resolving other servers (such as Citrix servers, or any other machine whose DNS entry is properly configured on the LAN).
6. Click Next.
7. In the Device Date and Time Setup page, set the date and time. Cluster member clocks must be synchronized to within a few seconds. Time settings may also affect the behavior of certificate validation. For a cluster, select Use a Network Time Protocol (NTP) to synchronize the clock for reliable synchronization using a time synchronization service. Set the following parameters:
- Primary NTP Server: The hostname of the Primary NTP Server you are using. For example, ntp.xyz.net
- Secondary NTP Server (optional): The hostname of the Secondary NTP Server you are using. For example, ntp.abc.edu
- Shared Secret (optional): The shared secret that cluster members will be using for communication.
- Synchronization period: The time, in seconds, after which cluster members will periodically synchronize their internal clocks with the NTP Server. For example, entering 60 indicates that clocks should synchronize with the server every minute.
- Time Zone: The time zone in which the cluster member machine is located.
8. Click Next.
9. In the Web/SSH Clients page, any Web or SSH client authorized to access the Connectra WebUI is displayed. Click Add to add a new host. Type any as a hostname to enable access from any Web/SSH client. A hostname can also contain a wildcard or IP address range.
10. When all desired hosts appear in the Web/SSH list, click Next.
11. Select the type of management configuration you want for Connectra.
- Locally: To configure locally managed Connectra, where Connectra manages itself.
- Centrally: To configure Connectra that is managed centrally from a SmartCenter Console.
Clusters are only supported in a centrally managed configuration. For more information on these configuration options, see the Connectra Gateway Clusters chapter of the Connectra NGX R65 Administrative Guide.
Note - Once you select locally or centrally managed, switching to the other option will require a new installation.
12. Click Next.
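The Web/SSH client list in step 9 (and the GUI client list later in the wizard) is an allow list for the management plane, so it is worth being precise about what a hostname, a wildcard, an IP range, or the word any actually admits. The Python below is an added example, not Check Point code, and it is not how the wizard parses its list: the four pattern forms it recognises (any, an inclusive address range written lo-hi, a shell-style wildcard on the textual address or hostname, and an exact hostname or address) are an interpretation of the page's description, and the sample client list is constructed. The review function flags the two entries a reviewer would push back on: any, and a wildcard that is not anchored to a full dotted address.

```python
"""Matcher and review for a Web/SSH (or GUI) client allow list.

Added example, not Check Point code. Pattern forms are an assumption:
  any                      -> every client
  10.0.0.10-10.0.0.50      -> inclusive IP address range
  192.168.1.*              -> wildcard on the textual address or hostname
  admin-pc.example.com     -> exact hostname or address
"""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample allow list.
SAMPLE_CLIENTS = ["192.168.1.*", "10.0.0.10-10.0.0.50", "admin-pc.example.com"]


def parse_pattern(pattern: str) -> Tuple[str, object]:
    """Classify one list entry as ('any'|'range'|'glob'|'exact', value)."""
    p = pattern.strip()
    if p.lower() == "any":
        return ("any", None)
    lo, sep, hi = p.partition("-")
    if sep:
        try:  # only a range if both sides parse as addresses; "admin-pc" is a hostname
            return ("range", (ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
        except ValueError:
            pass
    if "*" in p or "?" in p:
        return ("glob", p)
    return ("exact", p)


def first_match(client: str, patterns: List[str]) -> Optional[str]:
    """Return the entry that admits `client`, or None if the client is denied."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        addr = None  # a hostname; ranges cannot match it
    for pattern in patterns:
        kind, value = parse_pattern(pattern)
        if kind == "any":
            return pattern
        if kind == "range" and addr is not None:
            lo, hi = value
            if lo.version == addr.version and lo <= addr <= hi:
                return pattern
        elif kind == "glob" and fnmatch.fnmatchcase(client, value):
            return pattern
        elif kind == "exact" and client == value:
            return pattern
    return None


def review(patterns: List[str]) -> List[str]:
    """Warnings about entries that admit far more than the administrator hosts."""
    warnings = []
    for pattern in patterns:
        kind, value = parse_pattern(pattern)
        if kind == "any":
            warnings.append(f"{pattern}: admits every client; list the administrator hosts instead")
        elif kind == "glob":
            text = str(value)
            digits = text.replace("*", "").replace("?", "").replace(".", "")
            # "192.168.1*" also matches 192.168.100.x; require three dots on numeric globs
            if digits.isdigit() and text.count(".") < 3:
                warnings.append(f"{pattern}: wildcard is not anchored to a full dotted address")
    return warnings


if __name__ == "__main__":
    for client in ["192.168.1.77", "192.168.10.1", "10.0.0.25", "admin-pc.example.com"]:
        print(client, "->", first_match(client, SAMPLE_CLIENTS))
    print(review(["any", "192.168.1*"]))
```

Run it against the list you intend to enter before you enter it; the interesting cases are the ones that return None (a client you expected to admit) and the warnings (an entry that admits clients you did not expect).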
Locally Managed Connectra
13. If you are configuring locally managed Connectra, the Connectra GUI Clients page opens:
   a. Hosts authorized to connect to Connectra are displayed.
   b. Click Add to add a new host. Type any as a hostname to enable a connection from any GUI client. A hostname can also contain a wildcard or IP address range.
   c. When all desired hosts appear in the GUI Client list, click Next.
   d. Type a user name and password of the Connectra Administrator.
   e. Click Next.
Centrally Managed Connectra
14. If you are configuring centrally managed Connectra, the Secure Internal Communication page opens: Decide on a SIC Activation Key. Type it and then confirm it. SIC certificates authenticate communication between Check Point communicating components. You will need to use the same Activation Key when defining the gateway in SmartDashboard, on the same SmartCenter server where you installed the Connectra NGX R66 Plug-in. You can use the same Activation Key for all members of a cluster.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
Both Locally and Centrally Managed:
15. If you do not already have SmartConsole NGX R65 installed on your GUI client, in the Download SmartConsole Applications page, click Download to download the SmartConsole. When prompted, click Run. The Check Point Installation Wizard opens.
Step 6: Logging In for the First Time

4. Manually authenticate the SmartCenter server using the Fingerprint provided during the configuration process. You can see this Fingerprint by connecting to your SmartCenter via SSH and clicking on Product Configuration > Certificate Authority. When you have confirmed that the two fingerprints match, click Approve.
Note - This step is only necessary the first time you log in. Once the SmartCenter server is authenticated, the Fingerprint is saved in the SmartConsole machine's registry.
Figure 4-8 SmartDashboard with Locally Managed Connectra
Step 7: Defining Connectra Objects (Centrally Managed Connectra)

Figure 4-9 SmartDashboard with Centrally Managed Connectra
Define and configure the topology for each gateway, cluster member, and Connectra cluster.
To configure the topology of a Connectra gateway:
1. In the Connectra Properties dialog box, select Topology in the navigation tree. The Topology page opens.
2. Click Get to automatically detect interfaces, or Add to manually add interfaces. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.
3. Click OK to return to the main Connectra window.
The Cluster Member Properties page opens.
6. Enter each Cluster Member's Name and IP Address, with the highest priority members at the top.
7. Click Communication. The Communication dialog box opens.
8. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize. All cluster members can have the same activation key.
9. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.
10. Make sure Connectra NGX R66 appears in the Version field and click OK.
Post-Installation Procedures
Step 8: Connecting Connectra to the Network
Connecting a Standalone Connectra
Connect the Connectra network interface to the switch on which the default gateway resides.
4. In the navigation pane, select Device > Backup.
5. On the Backup page, click Backup Now.
6. On the Backup to page, select where you want the backup file sent.
7. Click Apply.
8. When prompted, click Yes to continue.
9. Wait a few seconds and then click Refresh. You should see your backup date and time in the Last successful backup field. Click Close to exit the WebUI.
10. IMPORTANT It is also recommended to create an image of the system using the snapshot command (See Preserving the Previous Connectra Configuration on page 79). To revert to the saved snapshot image, use the revert command. See Reverting to a Previous Version of Connectra on page 103.
Step 10: Configuring Access Control

These tasks are described in detail in the Connectra Central Management Administration Guide and the Connectra Local Management Administration Guide. The following sections provide some useful background information.
Defining Applications
Defining an application is about deciding which internal LAN applications to expose to remote users. These typically include:
- Web applications
- File shares
- Native applications
- Citrix applications
- Mail services
The procedure for installing the R66 Plug-in varies slightly for each platform, but the overall workflow is the same.
In This Section
- Installing the Plug-in on a SecurePlatform SmartCenter, page 63
- Installing the Plug-in on a Windows SmartCenter, page 63
- Installing the Plug-in on a Linux or Solaris SmartCenter, page 64
Install the Connectra Plug-in package:
   a. Insert CD2 into the SmartCenter Server machine.
   b. Mount the CD by running:
   c. cd /mnt/cdrom
   d. Run:

Setup.bat
Install the Connectra Plug-in package:
   a. Insert CD2 into the SmartCenter Server machine.
   b. Mount the CD by running:
   c. cd /mnt/cdrom
   d. Run:
In This Section
- Installing the Plug-in on SecurePlatform Provider-1, page 65
- Activating the Connectra Plug-in on the CMA, page 66
   c. cd /mnt/cdrom
   d. Run:
./UnixInstallScript -splat
3. Reboot the machine.
4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See Activating the Connectra Plug-in on the CMA on page 66.
   b. Run from the root of the CD:
./UnixInstallScript
3. Reboot the machine.
4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See Activating the Connectra Plug-in on the CMA on page 66.
Activating the Connectra Plug-in on the CMA

Activate the Plug-in in one of the following ways:
- Create a customer with a Plug-in. In the Add Customer Wizard, in the Management Plug-ins page, activate the Plug-in.
- In the MDG Customer Contents page, either right-click a customer and select Configure Customer, or double-click the customer, go to the Plug-ins tab, and select the Connectra Plug-in.
- From the MDG's Management Plug-ins View, activate the Plug-in in one of the following ways:
  - Right-click a customer and select Activate Plug-in on Customers.
  - Right-click the PIConR66 and select Activate this Plug-in.
  - Select Activate Plug-in on Customers from the Plug-in menu.
Licensing
Ensure all cluster members are licensed for the same number of users. They do not necessarily have to have identical licenses. Connectra cluster members must run the same software version.
Interface Configuration
The synchronization interfaces of the cluster members reside on the SAME subnet. The data interfaces of the cluster members must reside on the SAME subnet, DIFFERENT from the synchronization subnet.
Chapter 4
69
Use different interfaces for the data and synchronization networks. The recommended setting is to use eth0 for data and eth1 for synchronization.
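The interface rules in this section (separate interfaces for data and synchronization, all data interfaces on one subnet, all synchronization interfaces on another) and the licensing rules above are easy to get wrong when addressing is planned by hand. The Python below is an added example, not Check Point code: it validates a planned member list against those rules. The member definitions are constructed after Figure 2-3 (10.0.0.x for data, 10.0.10.x for synchronization); the /24 masks, the eth0/eth1 device names, and the version and licensed-user fields are assumptions used only to exercise the checks.

```python
"""Consistency check for a planned Connectra cluster topology.

Added example, not Check Point code. The member definitions are constructed
after Figure 2-3; masks, device names, version and licence fields are assumed.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the two-member cluster of Figure 2-3.
FIGURE_2_3 = {
    "Member A": {"data": ("eth0", "10.0.0.1/24"), "sync": ("eth1", "10.0.10.1/24"),
                 "version": "NGX R66", "licensed_users": 500},
    "Member B": {"data": ("eth0", "10.0.0.2/24"), "sync": ("eth1", "10.0.10.2/24"),
                 "version": "NGX R66", "licensed_users": 500},
}


def validate_cluster(members: Dict[str, dict]) -> List[str]:
    """Return the rule violations found; an empty list means the plan is consistent."""
    problems: List[str] = []
    data_nets, sync_nets = set(), set()
    seen = {}  # address -> member name, to catch duplicate IPs
    for name, m in members.items():
        data_dev, data_if = m["data"][0], ipaddress.ip_interface(m["data"][1])
        sync_dev, sync_if = m["sync"][0], ipaddress.ip_interface(m["sync"][1])
        # Rule: different physical interfaces for data and synchronization.
        if data_dev == sync_dev:
            problems.append(f"{name}: data and sync use the same interface {data_dev}")
        # Rule: the data subnet must differ from the synchronization subnet.
        if data_if.network == sync_if.network:
            problems.append(f"{name}: data and sync share subnet {data_if.network}")
        for ip in (data_if.ip, sync_if.ip):
            if ip in seen:
                problems.append(f"{name}: address {ip} already used by {seen[ip]}")
            seen[ip] = name
        data_nets.add(data_if.network)
        sync_nets.add(sync_if.network)
    # Rule: all data interfaces on one subnet, all sync interfaces on one subnet.
    if len(data_nets) > 1:
        problems.append("data interfaces are not all on one subnet: "
                        + ", ".join(sorted(map(str, data_nets))))
    if len(sync_nets) > 1:
        problems.append("sync interfaces are not all on one subnet: "
                        + ", ".join(sorted(map(str, sync_nets))))
    if data_nets & sync_nets:
        problems.append("the same subnet is used for both data and synchronization")
    # Rules from Licensing: same software version, same licensed user count.
    versions = {m["version"] for m in members.values()}
    if len(versions) > 1:
        problems.append("members run different software versions: " + ", ".join(sorted(versions)))
    users = {m["licensed_users"] for m in members.values()}
    if len(users) > 1:
        problems.append("members are licensed for different user counts: "
                        + ", ".join(map(str, sorted(users))))
    return problems


def sync_connectivity(member_count: int) -> str:
    """Physical connectivity this section prescribes for the synchronization network."""
    return "cross-cable" if member_count == 2 else "switch/hub"


if __name__ == "__main__":
    print("Figure 2-3 plan:", validate_cluster(FIGURE_2_3) or "consistent")
    print("sync network for 2 members:", sync_connectivity(2))
```

A plan that passes this check still has to be reflected in the topology you define in SmartDashboard (Step 7), where the Get Interfaces operation reads the addresses back from the members.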
Physical Connectivity
Synchronization in a two-member cluster can be done using a cross-cable between the two members. A cluster with more than two members requires a switch/hub for synchronization.
Configuration
Cluster member clocks must be synchronized. Use an NTP server or manually synchronize the clocks. Connectra clients access Connectra via two IP address/port combinations: one for the Connectra portal and another for SSL Network Extender. If you wish to use the same IP address for both, configure the portal to listen on port 443 and SSL Network Extender to listen on port 444.
Administration
Cluster members become active after the Security Policy is installed.
SSL Acceleration Card Installation

To enable the card:
1. Run:
cvpnstop
2. Run:
hw_acceleration start
3. Run:
cvpnstart
To disable the card:
1. Run:
cvpnstop
2. Run:
hw_acceleration stop
3. Run:
cvpnstart
Syntax

hw_acceleration {start | stop | diag | stat}

Table 4-2 SSL Acceleration Card Commands
Parameter | Meaning
start | Enable the card
stop | Disable the card
diag | Check if the card is installed and working properly
stat | Get statistics of card activity
Further Information
For further instructions on configuring the Connectra gateway or a Connectra ClusterXL Load Sharing or High Availability cluster, refer to the Connectra Administration Guide appropriate for your configuration, or to the online help.
Table 5-1 Upgrade Procedure Quick Reference
Upgrade From | Upgrade To | CDs Required | Procedure
R61/R62 | Locally managed R66 | 1. R66 | Upgrade on the same machine: Upgrading to Locally Managed R66 from R61/R62 on page 81; or upgrade across different machines: Advanced Upgrade to Locally Managed R66 on page 99
R61/R62 | Centrally managed R66 | 1. R66 2. R66 SmartCenter Plug-in | Upgrading to Centrally Managed R66 from R61/R62 on page 84
R62CM | Centrally managed R66 | 1. R66 2. R66 SmartCenter Plug-in | Upgrading to Centrally Managed R66 from R62CM on page 91
Table 5-2 lists the upgrade scenarios that are not supported by Connectra NGX R66 and indicates the alternative upgrade paths.
Table 5-2 Upgrade Scenarios Not Supported with Connectra NGX R66
Upgrade From | Upgrade To | Alternative Path
Versions earlier than R61 | R66 | First upgrade to Connectra NGX R61. See the Connectra NGX R61 Getting Started Guide.
R61/62 | Locally managed R66 with Clusters | Upgrade to centrally managed R66 with Clusters. To do this, you must first fully upgrade to Connectra NGX R62CM. See the Connectra NGX R62CM Getting Started Guide, then Upgrading a Connectra Cluster to R66 on page 98.
R61/62 | Centrally managed R66 | First fully upgrade to Connectra NGX R62CM, then upgrade to centrally managed R66. See the Connectra NGX R62CM Getting Started Guide, then Upgrading to Centrally Managed R66 from R61/R62 on page 84.
R62CM | Advanced upgrade to centrally managed R66 | Upgrading to Centrally Managed R66 from R62CM on page 91.
R61/62/62CM | R66, locally or centrally managed, using the WebUI | Use the instructions provided in this Getting Started Guide for an alternative scenario. See Upgrade Procedure Quick Reference on page 76.
To preserve manually configured changes made before the upgrade, back up the following files on the Connectra gateway:
Preserving the Previous Connectra Configuration

Table 5-3 Snapshot command parameters
Parameter | Meaning
-h | Obtain usage.
-d | Generate debug information.
--tftp <ServerIP> <Filename> | IP address of the TFTP server from which the snapshot is made, as well as the snapshot's filename.
--scp <ServerIP> <Username> <Password> <Filename> | IP address of the SCP server from which the snapshot is made, the username and password used to access the SCP server, and the filename of the snapshot.
--file <Filename> |
Upgrading to Locally Managed R66 via the Command Line

1. Run:
mount /dev/cdrom
2. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:
cpshell
3. Type:
patch add cd
4. When prompted Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.
5. When prompted, type Y to confirm the MD5 checksum that appears on the screen.
6. You are prompted to select a management option. Note that this step determines whether you upgrade to locally or centrally managed Connectra R66. Type 1 to choose Locally managed.
7. When prompted, type a new Administrator name and Password.
8. Type W and then Y to give the new administrator read/write access and permission to manage other administrators.
9. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.
   Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See Reverting to a Previous Version of Connectra on page 103 for instructions on how to revert to a snapshot image if necessary.
10. Wait while the operating system upgrades. This takes approximately ten minutes.
11. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.
12. Reboot your system to complete the upgrade.
- Completing the Upgrade by Merging Manual Changes on page 90
Note - You must upgrade to centrally managed R66 using the command line or SmartUpdate. Upgrades are not supported by the WebUI.
Setting Up the SmartCenter
configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.
Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.
To install the R66 Plug-in on the R65 SmartCenter or Provider-1/SiteManager-1 CMA:
1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update during the first connection to a SmartCenter with the Plug-in installed.
3. Install the R62CM Plug-in and Compatibility Package found on NGX R66 CD2 under /Utilities/R62CM/. Follow the instructions for upgrading to R62CM in the Connectra R62CM Getting Started Guide.
4. Import your R61/62 management configuration to the SmartCenter using R62CM's Connectra Configuration Import Utility. Follow the instructions in the Connectra R62CM Getting Started Guide.
5. Reboot SmartCenter or Provider-1/SiteManager-1.
3. After the reboot, open SmartDashboard. SmartDashboard may update itself; it then displays an additional tab for Connectra.
Figure 5-1 SmartDashboard with Centrally Managed Connectra
5. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA: after the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.
6. Define the Connectra objects (do not set up Secure Internal Communication (SIC) at this point):
   a. Create the Connectra gateway or gateway cluster object.
   b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.
   c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IPs to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology. When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.
Upgrading the Connectra Gateway via Command Line
1. Prepare the SmartCenter and R66 Plug-in as described in Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:
   mount /dev/cdrom
3. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:
   cpshell
4. Type:
   patch add cd
5. When prompted Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.
6. When prompted, type Y to confirm the MD5 checksum that appears on the screen.
7. You are prompted to select a management option. Note that this step determines whether you upgrade to locally or centrally managed Connectra R66. Type 2 to choose Centrally managed.
8. Type Y to confirm the upgrade.
9. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.
   Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See Reverting to a Previous Version of Connectra on page 103 for instructions on how to revert to a snapshot image if necessary.
10. Enter and re-enter a SIC shared secret that you will confirm later when logging in to the SmartDashboard.
11. Wait while the operating system upgrades. This takes approximately ten minutes.
12. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.
13. Reboot your system.
2. Reset SIC (if there was a prior SIC trust) and enter a shared secret. Do this in either of the following ways:
   - Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.
   - From the command line, run cpconfig. Type 6 to select Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.
- Completing the Upgrade by Merging Manual Changes on page 90
Note - You must upgrade to centrally managed R66 using the command line or SmartUpdate. Upgrades are not supported by the WebUI.
Setting Up the SmartCenter and Installing the R66 Plug-in
Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.
Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.
To install the R66 Plug-in on the R66 SmartCenter or Provider-1/SiteManager-1 CMA:
1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update in order to manage Connectra.
3. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See Installing the NGX R66 Plug-in on page 62.
   Note - If your SmartCenter is not already upgraded to R62CM, you must upgrade it before upgrading to centrally managed R66. See the important note above.
4. Reboot SmartCenter or Provider-1/SiteManager-1.
5. After the reboot, open SmartDashboard. SmartDashboard displays an additional tab for Connectra.
Figure 5-2 SmartDashboard with Centrally Managed Connectra
6. In SmartDashboard, switch to the Connectra tab.
7. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA: after the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.
8. Define the Connectra objects (do not set up Secure Internal Communication (SIC) at this point):
   a. Create the Connectra gateway or gateway cluster object.
   b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.
   c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IPs to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology. When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.
   mount /dev/cdrom
3. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:
   cpshell
4. Type:
   patch add cd
5. When prompted Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.
6. When prompted, type Y to confirm the MD5 checksum that appears on the screen.
7. When prompted, type Y to confirm that you want to perform the upgrade.
8. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.
   Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See Reverting to a Previous Version of Connectra on page 103 for instructions on how to revert to a snapshot image if necessary.
9. Enter and re-enter a SIC shared secret that you will confirm later when logging in to SmartDashboard.
10. Wait while the operating system upgrades. This will take approximately ten minutes.
11. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.
12. Reboot your system.
13. Repeat the steps above on each gateway that must be updated.
To set up SIC between the Connectra gateway and the SmartCenter:
1. Connect to the Connectra gateway in one of the following ways:
   - Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.
   - From the command line: Open an SSH connection to Connectra, or connect to it via a console.
2. Reset SIC (if there was a prior SIC trust) and enter a one-time password. Do this in one of two ways:
   - Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.
   - From the command line, run cpconfig. Type 6 to select Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.
/Utilities/R62CM/
If you currently have locally supported clusters, see For Connectra Cluster Users on page 112 for licensing information.
To upgrade a Connectra cluster from NGX R62CM to NGX R66:
1. Install the R66 Plug-in on the NGX R65 SmartCenter. See Setting Up the SmartCenter on page 84.
2. Upgrade each Connectra gateway, as described in Upgrading to Centrally Managed R66 from R62CM on page 91.
3. Define each cluster member in SmartDashboard. See Step 7: Defining Connectra Objects (Centrally Managed Connectra) on page 54 and Cluster Configuration Deployment Tips on page 69.
The advanced upgrade procedure involves two machines. The first machine is the working production machine. Connectra is installed from scratch on the second machine and the configuration of the first machine is imported to it. Advanced upgrade is only supported when upgrading from locally managed Connectra R62 to locally managed Connectra NGX R66.
NIC configuration on new and old machines must match.
The following are not preserved in the upgrade. Be sure to track them so you can re-apply them after Connectra is upgraded:
- Manual changes to Connectra configuration files. See Preserving Manual Changes on the Connectra Gateway on page 78.
- All settings in the Device menu of the administrator portal.
- The Internal Certificate Authority (ICA).
   mount /dev/cdrom
3. On the CD, browse to the location of the export utility. Locate the upgrade_export tools in:
4. Run:
   upgrade_export <path_and_filename_of_tgz>
   where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file.
5. Wait while the database files are exported.
6. Install the new NGX R66 machine as per Installation and Initial Configuration Procedures on page 39. The new machine must have the same IP address as the old machine. The IP address can be changed later.
7. Copy the exported .tgz file via FTP in binary mode to any location on the new Connectra machine.
8. On the new Connectra machine, go to:
   $FWDIR/bin/upgrade_tools
9. Run:
   upgrade_import -n <path_and_filename_of_tgz> <connectra_object_name>
   where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file and <connectra_object_name> is the name of your Connectra gateway.
   Note - The configuration (.tgz) file contains your Connectra configuration. It is recommended to back it up on a different machine and delete it from the Connectra machine after completing the import process.
10. Reboot.
Reapply all settings under the Device menu of the administrator portal (including administrator settings and routing) from the old machine to the new machine. If there was a mismatch in the primary or secondary IP addresses of the NICs between the two machines, you must reconfigure IP address assignments for the Portal and SSL Network Extender.
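Added example (not the guide's own tooling or a Check Point utility): a POSIX shell helper for the export, transfer and import steps above. It records a SHA-256 digest of the .tgz right after upgrade_export, verifies the copy on the new machine before upgrade_import runs, and overwrites and deletes the archive afterwards, as the Note recommends. The function names and the stand-in archive built by its self-check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Connectra guide or Check Point tooling:
# protect the exported configuration archive across the advanced upgrade.
#   old machine:  upgrade_export <tgz>  then  record_manifest <tgz>
#   new machine:  verify_archive <tgz> && upgrade_import ... && scrub_archive <tgz>
# Function names and file paths here are assumptions for this example.

# SHA-256 of a file; falls back to shasum where sha256sum is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run on the old machine right after upgrade_export: write <tgz>.sha256
# so the copy on the new machine can be checked after the FTP transfer.
record_manifest() {
    archive="$1"
    [ -f "$archive" ] || return 1
    digest "$archive" > "$archive.sha256"
}

# Run on the new machine before upgrade_import: succeed (0) only when the
# transferred archive matches the recorded digest, fail (1) otherwise.
verify_archive() {
    archive="$1"
    manifest="$archive.sha256"
    [ -f "$archive" ] && [ -f "$manifest" ] || return 1
    expected=$(cat "$manifest")
    actual=$(digest "$archive")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Run after a successful import: the .tgz holds the whole gateway
# configuration, so overwrite it with zeros before unlinking it, as the
# guide recommends deleting the file from the Connectra machine.
scrub_archive() {
    archive="$1"
    for f in "$archive" "$archive.sha256"; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        dd if=/dev/zero of="$f" bs=4096 count=$(( size / 4096 + 1 )) \
            conv=notrunc >/dev/null 2>&1
        rm -f "$f"
    done
    [ ! -e "$archive" ] && [ ! -e "$archive.sha256" ]
}

# Stand-alone check on a constructed stand-in archive (not a real export):
# records, verifies, detects a corrupted copy, then scrubs. Returns 0 on success.
self_check() {
    dir=$(mktemp -d) || return 1
    tgz="$dir/connectra_export.tgz"
    printf 'constructed stand-in for an upgrade_export archive\n' > "$tgz"
    record_manifest "$tgz" && verify_archive "$tgz" || return 1
    printf 'corruption' >> "$tgz"              # simulate a bad transfer
    verify_archive "$tgz" && return 1          # must now fail
    scrub_archive "$tgz" || return 1
    rmdir "$dir"
}
```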
To reconfigure IP address assignments for the Portal and SSL Network Extender:
1. In SmartDashboard, select your Connectra Gateway and click Edit.
2. Select Topology from the navigation tree in the Connectra Properties page.
3. Click Portal Customization settings or VPN Clients settings and edit the machine's interface.
Reverting to a Snapshot
Connectra NGX R66 cannot be uninstalled. To make it possible to revert to a previous version, create a snapshot image before installing. See Preserving the Previous Connectra Configuration on page 79. If the upgrade did not succeed, you can revert to the previously installed state by rebooting the system from a snapshot file. Running the revert command without any additional flags uses the default backup settings and reboots the system from a local snapshot. The revert command functionality can also be accessed from the Snapshot image management boot option.
Syntax
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Table 6-1 Revert Command Parameters

-h
    Obtain usage.
-d
    Debug flag.
--tftp <ServerIP> <Filename>
    IP address of the TFTP server from which the snapshot is rebooted, as well as the filename of the snapshot.
--scp <ServerIP> <Username> <Password> <Filename>
    IP address of the SCP server from which the snapshot is rebooted, the username and password used to access the SCP server, and the filename of the snapshot.
--file <Filename>
    When the snapshot was created locally, specify its filename.
Chapter 6
   cd /opt/CPPIconR66-R65/bin/
   b. Run:
   ./plugin_preuninstall_verifier
   c. Read the results. If it says you can remove the Plug-in, proceed to step 2.
   In Windows:
   a. Go to: c:\Program Files\CheckPoint\PIconR66\R66\bin\
   b. From Run, execute: plugin_preuninstall_verifier.exe
2. Remove the R66 Plug-in:
   In Linux or SecurePlatform, run:
   rpm -e CPPIconR65-R66-00
   In Solaris, run pkgrm, then choose the package number corresponding to CPPIconR65-R66-00.
   In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R66 Plug-in.
3. In Linux or SecurePlatform, run:
   rpm -e CPCON65CMP-R66-00
   In Solaris, run pkgrm, then choose the package number corresponding to CPCON65CMP-R66-00.
   In Windows, use Add/Remove Programs to remove the Check Point NGX R66 Connectra Compatibility Package.
   cd /opt/CPPIconnectra-R65/bin/
   b. Run:
   ./plugin_preuninstall_verifier
   c. Read the results. If it says you can remove the Plug-in, proceed to step 2.
   rpm -e CPPIconnectraR65-R65-00
   In Solaris, run pkgrm, then choose the package corresponding to CPPIconnectraR65-R65-00.
   In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R62A Plug-in. Also remove the Check Point Plug-in NGX R65_HF_284 if relevant.
3. In Solaris, run pkgrm, then choose the package corresponding to CPCON62CMP-R65.
   In Windows, use Add/Remove Programs to remove the Check Point NGX R62A Compatibility Package R65.
   /opt/CPPIconnectra-R65/bin/plugin_preuninstall_verifier
4. Remove the Connectra Central Management Plug-in:
   - Use rpm -e CPPIconnectra-R65 on Linux and SecurePlatform
   - Use
If you are upgrading from a Connectra appliance to Connectra software, you will not automatically get a 15-day trial on the software. We recommend purchasing a license with the software in advance. Alternatively, you can remove all licenses and then you will automatically get a 15-day trial period.
Connectra enforces the license installed on the gateway by counting the number of concurrent sessions taking place on the portal. If the limit has been reached, warning messages are sent to the log.
Check Point products are activated as follows:
1. Activate the Certificate Key shown on the back of the media pack via the Check Point User Center: http://www.checkpoint.com/usercenter
   The Certificate Key activation process consists of:
   - Adding the Certificate Key
   - Activating the products
   - Choosing the type of license
   - Entering the software details
Once you have a new License Key, you can install it on the Connectra machine.
For Connectra Cluster Users
Customers who:
a. currently have a Connectra High Availability product, or are buying a new such product, and
b. are under a valid service agreement,
should find a new product and license named "SmartCenter for Connectra Clusters" in their User Center account. If you are a customer satisfying these two conditions but do not see this new product in your User Center account, please contact Check Point's account services. This new license entitles customers to install a Check Point SmartCenter R65 on a dedicated server and manage their Connectra clusters from that server. For information on upgrading to centrally managed Connectra R66, see Upgrading Connectra on page 75.
Chapter 7