Check Point Connectra NGX R66 Getting Started Guide


Connectra Getting Started Guide

Version NGX R66

703140 September 9, 2008

Connectra_gsg_dvd.book Page 1 Tuesday, September 9, 2008 9:32 AM


Contents

Chapter 1 Introduction to Connectra
    Introduction
    In This Guide
    Key Features and Benefits
        Secure Web-Based Connectivity
        Unified Security Management
        Comprehensive Endpoint Security
        Integrated Intrusion Prevention
        Easy Deployment
        Central Management
        Local Management
        Flexible Deployment Options
        Advanced Authentication Options
    Choosing the Correct CD
    Procedure Quick Reference

Chapter 2 Deploying Connectra
    Deployment Overview
    Deploying Connectra in the DMZ
    Deploying Connectra on a LAN
    Deploying a Connectra Cluster

Chapter 3 Connectra Requirements
    Minimum Hardware Requirements
    Recommended Hardware
    Hardware Compatibility Testing Tool
        Downloading and Preparing the CD
        Preparing to Use the Compatibility Testing Tool
        Using the Hardware Compatibility Testing Tool
    BIOS Security Configuration Recommendations
    Operating System Compatibility
    Browser Compatibility

Chapter 4 Installing and Configuring Connectra
    Installation Procedure Quick Reference
    Installation and Configuration Workflow
        Installation and Initial Configuration Stages
    Installation and Initial Configuration Procedures
        Step 1: Planning the Deployment Topology
        Step 2: Preparing for Centrally Managed Connectra
        Step 3: Installing Connectra Using the CD
        Step 4: Connecting to the Administration User Interface
        Step 5: Running the First Time Configuration Wizard
        Step 6: Logging In for the First Time
        Step 7: Defining Connectra Objects (Centrally Managed Connectra)
    Post-Installation Procedures
        Step 8: Connecting Connectra to the Network
        Step 9: Backing Up the Configuration
        Step 10: Configuring Access Control
        Step 11: Performing a SmartDefense Update (Locally Managed Connectra)
        Step 12: Checking Your Setup
    Installing the NGX R66 Plug-in
        Installing the Plug-in on a SmartCenter
        Installing the Plug-in on Provider-1/SiteManager-1
        Uninstalling Connectra Plug-ins
    Cluster Configuration—Deployment Tips
    SSL Acceleration Card Installation
        Installing the Card
        Enabling the Card
        Disabling the Card
        SSL Acceleration Card Command Syntax
    Further Information

Chapter 5 Upgrading Connectra
    Upgrade Procedure Quick Reference
    Preparing for the Upgrade to R66
        Preserving Manual Changes on the Connectra Gateway
        Preserving the Previous Connectra Configuration
    Upgrading to Locally Managed R66 from R61/R62
        Upgrading to Locally Managed R66 via the Command Line
        Completing the Upgrade by Merging Manual Changes
    Upgrading to Centrally Managed R66 from R61/R62
        Preserving Manual Changes and Previous Configuration
        Setting Up the SmartCenter
        Upgrading the Connectra Gateway via Command Line
        Upgrading the Connectra Gateway via SmartUpdate
        Setting Up SIC Trust
        Completing the Upgrade by Merging Manual Changes
    Upgrading to Centrally Managed R66 from R62CM
        Preserving Manual Changes and the Previous Configuration
        Setting Up the SmartCenter and Installing the R66 Plug-in
        Upgrading the Connectra Gateway Using the Command Line
        Upgrading the Connectra Gateway Using SmartUpdate
        Setting Up SIC Trust
        Completing the Upgrade by Merging Manual Changes
    Upgrading a Connectra Cluster to R66
    Advanced Upgrade to R66 from R62
        Introduction to Advanced Upgrade
        Advanced Upgrade to Locally Managed R66

Chapter 6 Reverting to a Previous Version of Connectra
    Reverting to a Snapshot
        Syntax
    Uninstalling Connectra Plug-ins
        Uninstalling the R66 Plug-in for Central Management
        Uninstalling the Connectra NGX R62CM Plug-in
        Uninstalling Plug-ins in Provider-1

Chapter 7 License Installation and User Assistance
    Installing Check Point Licenses
        For Connectra Cluster Users
    Where To Go From Here?

© 2003-2008 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.


Chapter 1 Introduction to Connectra

In This Chapter

• Introduction

• In This Guide

• Key Features and Benefits

• Choosing the Correct CD

• Procedure Quick Reference

Introduction

Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. With Connectra NGX R66, remote and mobile employees, contractors, business partners, and customers can access network resources and applications through either a lightweight VPN client or simply through a Web browser. By unifying SSL and IPSec VPN technologies into a single gateway and management console, Connectra provides flexible access for end users and simple, streamlined deployment for the IT organization.

Connectra offers administrators tight access controls to help ensure that only authorized users using clean hosts will gain access to corporate resources. To that end, Connectra features multiple strong authentication methods and tight integration with directory services. Comprehensive endpoint security capabilities enable malware scans and compliance checks. A virtual Secure Workspace provides session confidentiality on both managed and unmanaged endpoints, such as laptops, home PCs, internet kiosks, and more.

Connectra can be deployed as either a turnkey appliance, as software on open servers, or as a virtual machine on VMware ESX Server. Connectra gateways can be managed either locally or centrally through a single Check Point SMART management console, reducing the administration time required to configure, monitor, update, and audit remote access policies.

Note - Using different authentication schemes for Connectra users and VPN-1 users in a centrally managed environment may not be possible for every existing configuration. Visit https://secureknowledge.checkpoint.com and review the SecureKnowledge solution sk32656 for helpful information.

In This Guide

This guide has important information that you should read before installing or upgrading Connectra.

Table 1-1

Chapter | Description
Chapter 1, “Introduction to Connectra” | Introduces Connectra and describes its key features and benefits.
Chapter 2, “Deploying Connectra” | Discusses the various deployment options: in the DMZ, in the LAN, and as a ClusterXL gateway cluster.
Chapter 3, “Connectra Requirements” | Provides the minimum hardware requirements, recommended hardware, hardware compatibility testing tool, operating system and browser compatibility, and license requirements.
Chapter 4, “Installing and Configuring Connectra” | Provides step-by-step instructions for the installation and initial configuration of Connectra.
Chapter 5, “Upgrading Connectra” | Provides instructions for upgrading Connectra using the CD or a downloaded file.
Chapter 6, “Reverting to a Previous Version of Connectra” | Provides instructions for reverting to a previous Connectra version using a snapshot image file, as well as for uninstalling Connectra Plug-ins.
Chapter 7, “License Installation and User Assistance” | Discusses the license types and their installation, and provides details on how to obtain further assistance.

Key Features and Benefits

The following key features and benefits assure confident, flexible remote access:

Secure Web-Based Connectivity

• Increases productivity by allowing workers to work anywhere, anytime.

• Provides users with SSL VPN access to email, applications, and shared files from a standard Web browser.

• Enables network access for client/server applications through a browser plug-in.

• Delivers clientless SSL VPN access to enterprise resources.

Unified Security Management

• Helps ensure business continuity.

• Unified IPsec and SSL solution reduces Total Cost of Ownership (TCO).

• Provides secure and flexible remote access tailored to user needs.

• Includes tight, uniform access controls across all access methods.

Comprehensive Endpoint Security

• Detects malware and keyloggers on remote PCs.

• Ensures session confidentiality using the Secure Workspace.

• Enforces security policy compliance before granting remote access.

• Allows organizations to define endpoint security requirements to access individual resources.

• Safeguards confidentiality of corporate information.

• Prevents identity, password, and data theft on remote endpoints.

• Allows secure VPN access even on public or unmanaged PCs.

Integrated Intrusion Prevention

• Protects internal networks and applications from attack.

• Integrates Application Intelligence™ and Web Intelligence™ to prevent attacks and malicious activity across SSL VPN.

• Ensures the security of applications even when accessed from insecure PCs.

Easy Deployment

• Integrates with existing network and security infrastructure.

• Enables quick and easy setup without requiring changes to servers or network configuration.

Central Management

• Connectra gateways can be managed from SmartCenter and Provider-1/SiteManager-1.

• Full leveraging of SmartCenter architecture:

• Object sharing (for example, Network Objects, Applications, Users, Services).

• Same authentication settings, logs settings, and so on.

• Configuration of multiple Connectra gateways and gateway clusters from the same SmartDashboard.

• Identical or different settings and policies for different Connectra gateways.

• Single point of administration for backup and maintenance.

• Redundant management infrastructure is possible.

Local Management

• The Check Point SmartConsole suite is utilized for configuring, monitoring, and tracking a single Connectra gateway.

• SmartDashboard, SmartView Monitor, and SmartView Tracker are tailored for a single Connectra gateway.

Flexible Deployment Options

• Connectra is available as a turnkey appliance or as software.

• Deployment scalability to meet the price and performance needs of any sized organization.

• New Connectra Virtual Appliance (VA) offering as Connectra supports VMware ESX Server as a platform.

Advanced Authentication Options

• Strong two factor authentication with an integrated SMS One-Time Password.

• Single sign-on for Web-based and HTTP-based authentication of users using HTML forms.

Choosing the Correct CD

The Connectra NGX R66 media pack contains two CDs. An additional DVD contains Connectra Virtual Appliance for installing Connectra on a VMware virtual machine. The following table explains the purpose of CD1 and CD2, and on which machine to install each CD.

CD | Use To | Install on
1: R66 | Install a locally managed or centrally managed Connectra gateway. | New machine.
1: R66 | Upgrade from R61, R62 or R62CM to R66. | R61, R62, or R62CM Connectra gateway.
2: R66 SmartCenter Plug-in | Add central management capabilities to the SmartCenter server or Provider-1/SiteManager-1 MDS. Use this option for creating Clusters. | NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.
2: R66 SmartCenter Plug-in | Upgrade from R61, R62 or R62CM to centrally managed R66. | NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.

Procedure Quick Reference

This guide includes instructions for performing various installation and upgrade procedures. The following table shows where in the guide to find the instructions you need, and which CD you should use.

I want to... | Required CDs
Perform a new installation of locally managed R66. See “Installing and Configuring Connectra” on page 35. | 1: R66
Upgrade from R61 or R62 to R66 (local management). See “Upgrading Connectra” on page 75. | 1: R66
Perform a new installation of centrally managed R66. See “Installing and Configuring Connectra” on page 35. | 1: R66 and 2: R66 SmartCenter Plug-in
Upgrade from R61, R62, or R62CM to centrally managed R66. See “Upgrading Connectra” on page 75. | 1: R66 and 2: R66 SmartCenter Plug-in
Advanced upgrade to locally managed NGX R66 from R61 or R62. See “Advanced Upgrade to R66 from R62” on page 99. | 1: R66
Revert to a snapshot image. See “Reverting to a Previous Version of Connectra” on page 103. | None

Chapter 2 Deploying Connectra

In This Chapter

• Deployment Overview

• Deploying Connectra in the DMZ

• Deploying Connectra on a LAN

• Deploying a Connectra Cluster

Deployment Overview

In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as on the internal LAN. In both scenarios, SSL termination takes place at the Connectra Gateway. Web Intelligence, Application Intelligence, authentication, and authorization schemes on the Connectra Gateway are employed to protect the internal network and to inspect the traffic for harmful content before it reaches the internal servers.

Connectra differs from other remote access solutions in that it has gateway based application-level and network-level protection. For example, it incorporates the Malicious Code Protector to protect against worms.

Deploying Connectra in the DMZ

Figure 2-1 shows a typical Connectra deployment in the DMZ:

Figure 2-1 Connectra Deployment in the DMZ

When Connectra is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Connectra is subject to firewall restrictions. By deploying Connectra in the DMZ, the need to enable direct access from the Internet to the LAN is avoided. Remote users initiate an SSL connection to the Connectra Gateway. The firewall must be configured to allow traffic from the user to the Connectra server, where SSL termination, Web and Application Intelligence inspection, authentication, and authorization take place. Requests are then forwarded to the internal servers via the firewall. Administration traffic is always SSL encrypted.
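The traffic flows described above can be checked against a perimeter rule base before the gateway goes live. The following Python is an added example, not Check Point code or rule syntax: the zone names, the `Rule` fields, first-match evaluation with an implicit final drop, the internal application port (80) and both sample rule bases are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Zone names are labels made up for this example.
INTERNET, DMZ, LAN = "internet", "dmz_connectra", "lan"
HTTPS = 443  # remote users open an SSL (HTTPS) connection to the gateway


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    port: Optional[int]  # None matches every port
    action: str          # "accept" or "drop"


def decide(rules: Sequence[Rule], src: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule; drop if none matches."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action
    return "drop"


def internet_to_lan_exposure(rules: Sequence[Rule]) -> List[str]:
    """List the ports on which the Internet can reach the LAN directly.

    Every port named in a rule is probed, plus one port that no rule names:
    all unnamed ports are treated identically, so one probe covers them.
    """
    named = sorted({r.port for r in rules if r.port is not None})
    spare = next(p for p in range(1, 65536) if p not in named)
    exposed = [str(p) for p in named if decide(rules, INTERNET, LAN, p) == "accept"]
    if decide(rules, INTERNET, LAN, spare) == "accept":
        exposed.append("all other ports")
    return exposed


def audit(rules: Sequence[Rule], app_ports: Sequence[int] = (80,)) -> List[str]:
    """Compare a rule base with the three flows of the DMZ deployment."""
    findings = []
    # 1. Remote users must be able to start an SSL session with the gateway.
    if decide(rules, INTERNET, DMZ, HTTPS) != "accept":
        findings.append("remote users cannot reach Connectra over HTTPS")
    # 2. The DMZ placement exists so that no direct Internet-to-LAN rule is needed.
    exposed = internet_to_lan_exposure(rules)
    if exposed:
        findings.append("direct Internet-to-LAN access on: " + ", ".join(exposed))
    # 3. Connectra forwards requests to the internal servers through the firewall.
    for port in app_ports:
        if decide(rules, DMZ, LAN, port) != "accept":
            findings.append(f"Connectra cannot reach internal servers on port {port}")
    return findings


# Constructed sample rule bases.
GOOD_RULES = [
    Rule(INTERNET, DMZ, HTTPS, "accept"),
    Rule(DMZ, LAN, 80, "accept"),
    Rule("any", "any", None, "drop"),
]
BAD_RULES = [
    Rule(INTERNET, DMZ, HTTPS, "accept"),
    Rule(INTERNET, LAN, 8080, "accept"),  # leftover rule that bypasses the gateway
    Rule("any", "any", None, "drop"),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(rules) or "no findings")
```
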

Deploying Connectra on a LAN

Figure 2-2 shows how Connectra can be deployed on the LAN alongside the internal servers:

Figure 2-2 Connectra Deployment in the LAN

The remote user opens a browser and initiates an HTTPS request to the Connectra server. The SSL connection is terminated within the LAN and the clear text requests are forwarded to the internal servers. The internal servers reply “in the clear” to Connectra, which encrypts the reply back to the remote user. In the scenario shown in Figure 2-2, the perimeter firewall must be configured to allow encrypted SSL traffic to Connectra.

In this scenario, the SSL VPN traffic passes through the Firewall as encrypted traffic, thus unavailable for inspection with traditional solutions. With Connectra, the network is fully protected with Application Intelligence and Web Intelligence.

Deploying a Connectra Cluster

Figure 2-3 shows a two-member Connectra cluster. Typically, the cluster is deployed behind the DMZ interface of a firewall, with the application servers behind the firewall in the internal networks.

Figure 2-3 Connectra Clustering Topology Example

Each cluster member has two interfaces: one data interface leading to the organization and to the Internet, and a second interface for synchronization. Each interface is on a different subnet.

• One subnet for data (in Figure 2-3, 10.0.0.1 for Member A and 10.0.0.2 for Member B).

• One subnet for synchronization (10.0.10.1 for Member A and 10.0.10.2 for Member B).

See “Cluster Configuration—Deployment Tips” on page 69 for more information about Connectra clusters.

Note - Clusters are not supported in locally managed R66.

Chapter 3 Connectra Requirements

In This Chapter

• Minimum Hardware Requirements

• Recommended Hardware

• Hardware Compatibility Testing Tool

• BIOS Security Configuration Recommendations

• Operating System Compatibility

• Browser Compatibility

Minimum Hardware Requirements

The minimum requirements for Connectra are:

• Intel Pentium III 300+ MHz or equivalent processor.

• 10 GB free disk space.

• 512 MB RAM.

• One or more supported network adapter cards (two are required for a cluster configuration).

• CD-ROM drive (bootable).

• 1024 x 768 video adapter card.

If you have over 1 GB of RAM, you will need additional free disk space. In this case, an additional 2 GB of free disk space should be added for each additional 1 GB of RAM.

Recommended Hardware

Open servers and devices are tested on a regular basis by Check Point for compatibility with Connectra. For an updated list of hardware that is recommended for use with Connectra, see http://www.checkpoint.com/services/techsupport/hcl/connectra.html.

Note that Connectra is also supported on VMware virtual machines. See the Connectra NGX R66 Virtual Appliance Getting Started Guide for detailed information regarding installing and configuring Connectra on VMware.

Hardware Compatibility Testing Tool

The Hardware Compatibility Testing Tool enables you to determine whether SecurePlatform, the Connectra operating system, is supported on a specific hardware platform.

The tool detects all hardware components on the platform, checks whether they are supported, and displays its conclusions: whether Connectra can be installed on the machine (supported I/O devices found, supported mass storage device was found), and the number of supported and unsupported Ethernet controllers detected.

You can view detailed information on all the devices found on the machine.

You can save the detailed information on a diskette, on a TFTP server, or dump it via the serial port. This information can be submitted to Check Point Support in order to add support for unsupported devices.

Run the Hardware Compatibility Testing Tool in the same way that you would install Connectra on the hardware platform (for example, boot from CD, boot from diskette, and installation through network).

Downloading and Preparing the CD

The Hardware Compatibility & Testing tool is available for download as a CD ISO image (hw.iso) at http://www.checkpoint.com/services/techsupport/hcl/testing_tool.html.

As Connectra NGX R66 uses the SecurePlatform v26 operating system, download the R66 with SecurePlatform v26 version of the tool.

The ISO image can be burned on a blank CD-R or CD-RW media, using a CD burning tool.

Note - You must specify that you are burning a “CD image” and not a single file.


Preparing to Use the Compatibility Testing Tool

Run the tool either by booting from the CD that contains it, booting from a disk and accessing a local CD, or booting from a diskette and accessing the CD through the network.

If no keyboard and monitor are connected to the hardware platform, the serial console can be used to perform the hardware detection.

Booting from the CD

To boot from the CD:

1. Configure the BIOS of the machine to boot from the CD drive.

2. Insert the CD into the drive.

3. Boot the machine.

Booting from a Diskette and Accessing a Local CD

This option should be used when the hardware platform cannot be configured to boot from the CD drive (but will boot from a diskette), and has a CD drive.

To create a bootable diskette image and access a local CD:

1. Insert the CD into the CD drive.

2. Insert a diskette into the diskette drive.

3. Browse to your CDROM drive and select the SecurePlatform/images folder.

4. Drop the boot.img file on the cprawrite executable.

Alternatively, using the NT command shell (cmd), run the following command on a single line (where D: is the CD-ROM drive):

    D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\boot.img

5. Boot the machine.

Booting from a Diskette and Accessing the CD over the Network

Use this option when the machine to be tested has no CD drive. In this case, there will be two machines participating:

• A machine that has a CD drive.

• The machine on which you want to run the tool.

To boot from a diskette and access a CD over the network:

On the Machine with the CD Drive

Proceed as follows:

1. Insert the CD into the CD drive of a (Microsoft Windows-based) machine.

2. Insert a diskette into the diskette drive.

3. Browse to the CD drive and select the SecurePlatform/images folder.

4. Drop the bootnet.img file on the cprawrite executable.

Alternatively, using the NT command shell (cmd), run the following command on a single line (where D: is the CD-ROM drive):

    D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\bootnet.img

This step writes files to the diskette, which you will transfer to the other machine (the machine on which the tool will be run).

5. Make the contents available on the network, either by allowing access to the CD drive, or by copying the CD to a hard disk and enabling access to that disk (for example, by FTP, HTTP, or NFS).

On the Machine You Are Testing

Proceed as follows:

1. Insert the diskette you created in “Booting from a Diskette and Accessing a Local CD” on page 28, above, into the diskette drive of the machine you are testing.

2. Boot the machine.

3. Configure the properties of the interface, through which this machine is connected to the network, including its IP address, Netmask, default gateway and DNS.

You can choose to configure this interface as a dynamic IP address interface.

4. Enable access to the files on the machine with the CD drive (see “On the Machine with the CD Drive” on page 29 above).

5. Specify the following settings for the other machine:

• IP address, or hostname

• Package Directory

• User/password (if necessary)


6. If you are installing using a serial console, instead of the keyboard and monitor, make sure that your terminal emulation software is configured as follows:

• 9600 Baud rate

• 8 data bits

• No parity

• No flow control

Using the Hardware Compatibility Testing Tool

The hardware tool automatically tests the hardware for compatibility.

When it finishes, the tool displays a summary page with the following information:

• Whether the platform is suitable for installing Connectra

• Number of supported and unsupported mass storage devices

• Number of supported and unsupported Ethernet Controllers

Additional information can be obtained by pressing the Devices button. The devices information window lists all the devices found on the machine (grouped according to functionality).

Use the arrow keys to navigate through the list.

Note - A simple, “naïve” detection tool is included on the boot diskette. If for some reason, the complete detection tool is unavailable (e.g., the CDR drive is not supported), you can still use the simple tool to get some information on your hardware. The simple tool is available from the Installation Method screen, and is accessed by pressing the Probe Hardware button.


Pressing Enter on a specific device displays detailed information about that device.

The detailed information can be saved to a diskette, to a TFTP Server, or dumped through the Serial Console. This action may be required in cases where some of the devices are not supported.

BIOS Security Configuration Recommendations

The following are BIOS configuration recommendations:

• Disable the “boot from floppy” option in the system BIOS, to avoid unauthorized booting from a diskette and changing system configuration.

• Apply a BIOS password to avoid changing the BIOS configuration. Make sure you memorize the password, or keep it in a safe place.

Operating System Compatibility

For a list of the operating systems (Windows, Linux and MacOS-X) that are compatible with each Connectra feature, see the latest version of the Connectra release notes, available at http://www.checkpoint.com/techsupport/downloads.jsp.

Browser Compatibility

For a list of the Web browsers (Internet Explorer, Mozilla Firefox, and so on) that are compatible with each Connectra feature, see the latest version of the Connectra release notes, available at http://www.checkpoint.com/techsupport/downloads.jsp.

Chapter 4 Installing and Configuring Connectra

In This Chapter

Installation Procedure Quick Reference

Installation and Configuration Workflow

Installation and Initial Configuration Procedures

Post-Installation Procedures

Installing the NGX R66 Plug-in

Cluster Configuration—Deployment Tips

SSL Acceleration Card Installation

Further Information

Installation Procedure Quick Reference

Table 4-1 indicates where in this chapter to find the procedures you need, and which CD(s) you require.

Table 4-1 Installation Procedure Reference

| I want to... | Required CDs |
|---|---|
| Perform a new installation of (locally managed) NGX R66. See “Installation and Configuration Workflow” on page 37. | 1. R66 |
| Perform a new installation of (centrally managed) NGX R66. See “Installation and Configuration Workflow” on page 37. | 1. R66; 2. R66 SmartCenter Plug-in |
| Set up a Connectra NGX R66 Cluster. See “Cluster Configuration—Deployment Tips” on page 69. | 1. R66; 2. R66 SmartCenter Plug-in |
| Install an SSL Acceleration card. See “SSL Acceleration Card Installation” on page 71. | None |

Installation and Configuration Workflow

Getting started with Connectra involves installation and initial configuration, followed by detailed configuration to meet your needs.

The following workflow outline and detailed instructions apply to a:

• Centrally managed Connectra gateway, including those that will be part of a Connectra Cluster.

• Locally managed Connectra gateway

To upgrade from a previous version, see chapter 5, “Upgrading Connectra” on page 75.

For more information about Clusters, see “Cluster Configuration—Deployment Tips” on page 69. Note that Clusters are not supported in locally managed Connectra NGX R66.

Installation and Initial Configuration Stages

The installation and configuration of Connectra are performed in the following stages:

Installation

1. Plan the deployment topology.

2. If you are installing centrally managed Connectra:

a. Add a NIC to the machine (for a Cluster Member only).

b. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 MDS to NGX R65 and install the Connectra R66 SmartCenter Plug-in using the CD.

c. Configure relevant firewall access rules.

3. Install Connectra using the CD.

4. Connect to the administration user interface.

5. Run the First Time Configuration Wizard and automatically install the Connectra package.

6. Log in to the SmartDashboard for the first time.

7. If you are installing centrally managed Connectra, define Connectra objects in SmartDashboard.

Post-Installation Procedures

After completing the installation, configure Connectra as follows:

8. Connect Connectra to the network.

9. Connect to the local administration portal and back up the configuration.

10. Perform detailed configuration via the SmartDashboard.

11. If you are setting up locally managed Connectra, perform a SmartDefense Update.

12. Check your setup.

You can also install an SSL acceleration card. See “SSL Acceleration Card Installation” on page 71.

Installation and Initial Configuration Procedures

Step 1: Planning the Deployment Topology

In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as in the local area network (LAN). See chapter 2, “Deploying Connectra” on page 19.

For locally managed Connectra, continue with “Step 3: Installing Connectra Using the CD” on page 42.

Step 2: Preparing for Centrally Managed Connectra

Step A: Adding a NIC (for a Cluster Member only)

If the Connectra server is to be part of a ClusterXL Load Sharing or High Availability cluster, it requires two interfaces. If necessary, add a network interface card.

Step B: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only)

To set up the SmartCenter and install the NGX R66 Plug-in:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.

2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). It is recommended to use the latest MDG, which is found on CD2 in the MDG directory.

3. Install the Connectra NGX R66 Plug-in on version NGX R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 62.

Step C: Configuring Firewall Access Rules

Configure the firewall according to the chosen deployment. The exact set of rules depends on the selected setup and the services that Connectra will provide. A typical Security Rule Base configuration, on VPN-1 Pro, is described herein:

FireWall Rules for Connectra in a DMZ

The rules listed in Figure 4-1 apply to the deployment shown in Figure 2-1, “Connectra Deployment in the DMZ,” on page 21.

Figure 4-1 Rules for Deploying Connectra in the DMZ

| Rule | Source | Destination | Service | Action | Comment |
|---|---|---|---|---|---|
| 1 | Admin host | Connectra | HTTPS (TCP/4433) | Accept | Administrator access (encrypted). |
| 2 | Any | Connectra | HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444) (or the port on which the SSL Network Extender server is configured), IKE_NAT_TRAVERSAL (UDP/4500). This is used by Endpoint | Accept | End user access to portal: Web applications, File sharing, Web mail. Sessions initiated using HTTP are redirected automatically to HTTPS. All actual communication is encrypted. |
| 3 | Connectra | LAN | HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139), microsoft-ds (TCP/445), nbdatagram (TCP/138), nbname (TCP/137), IMAP (TCP/143), SMTP (TCP/25). All additional Network applications that are made accessible via the SSL Network Extender | Accept | Connectra to LAN for: Web applications, File sharing, Web mail. |

You may need other rules, depending on your configuration:

• Connectra requires access to DNS servers, and possibly to WINS servers.

• For backups, Connectra may need access to a TFTP or SCP server.

• Connectra may need access to the SmartCenter Server or to a Customer Log Module (CLM), in order to send logs to a remote log server.

• For authentication, Connectra may need access to LDAP, RADIUS and ACE servers.

• Connectra may need access to an NTP server for clock synchronization purposes.

FireWall Rule for Connectra in a LAN

If you choose to deploy Connectra in the LAN, as in Figure 2-2, “Connectra Deployment in the LAN,” on page 22, rule 3 is not needed.
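The rule base above can be checked before it is installed by modelling it as a first-match evaluator. The following is an added example, not part of the Check Point guide: the IP addresses, the final implicit drop, and the standard default ports used for the supporting services (DNS, NTP, LDAP, RADIUS, TFTP, SCP) are assumptions.

```python
"""Model of the Figure 4-1 rules as a first-match evaluator with a final drop."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed addressing for a DMZ deployment; none of it comes from the guide.
ADMIN_HOST = "10.0.0.10"
CONNECTRA = "172.16.1.5"
LAN = "10.0.0.0/24"


@dataclass(frozen=True)
class Rule:
    number: int
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    services: frozenset  # {(protocol, port), ...}
    comment: str


def build_rules(deployment="dmz", admin=ADMIN_HOST, connectra=CONNECTRA, lan=LAN):
    """Return the Figure 4-1 rules; the LAN deployment omits rule 3."""
    if deployment not in ("dmz", "lan"):
        raise ValueError("deployment must be 'dmz' or 'lan'")
    net = ipaddress.ip_network
    rules = [
        Rule(1, net(admin), net(connectra), frozenset({("tcp", 4433)}),
             "Administrator access"),
        Rule(2, ANY, net(connectra),
             frozenset({("tcp", 80), ("tcp", 443), ("tcp", 444), ("udp", 4500)}),
             "End user access to portal"),
        Rule(3, net(connectra), net(lan),
             frozenset({("tcp", 80), ("tcp", 443), ("tcp", 139), ("tcp", 445),
                        ("tcp", 138), ("tcp", 137), ("tcp", 143), ("tcp", 25)}),
             "Connectra to LAN"),
    ]
    return rules if deployment == "dmz" else rules[:2]


def evaluate(rules, src, dst, proto, port):
    """Return the number of the first accepting rule, or None if dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in rule.source and d in rule.destination
                and (proto, port) in rule.services):
            return rule.number
    return None  # assumed implicit drop at the end of the rule base


# Supporting services the guide says Connectra may need. Ports are the
# standard defaults and the server addresses are constructed.
SUPPORT_FLOWS = {
    "DNS": ("10.0.0.53", "udp", 53),
    "NTP": ("10.0.0.123", "udp", 123),
    "LDAP": ("10.0.0.40", "tcp", 389),
    "RADIUS": ("10.0.0.41", "udp", 1812),
    "TFTP backup": ("10.0.0.69", "udp", 69),
    "SCP backup": ("10.0.0.22", "tcp", 22),
}


def uncovered_support_flows(rules, connectra=CONNECTRA, flows=SUPPORT_FLOWS):
    """Names of supporting services that the rule base would drop."""
    return sorted(name for name, (dst, proto, port) in flows.items()
                  if evaluate(rules, connectra, dst, proto, port) is None)


def admin_port_exposure(rules, probes, connectra=CONNECTRA):
    """Sources among `probes` that can reach the WebUI on TCP/4433."""
    return [src for src in probes
            if evaluate(rules, src, connectra, "tcp", 4433) is not None]


if __name__ == "__main__":
    dmz = build_rules("dmz")
    # Constructed probe sources: an Internet host, the admin host, a LAN host.
    probes = ["203.0.113.7", ADMIN_HOST, "10.0.0.11"]
    print("WebUI (TCP/4433) reachable from:", admin_port_exposure(dmz, probes))
    print("Portal HTTPS from Internet hits rule:",
          evaluate(dmz, "203.0.113.7", CONNECTRA, "tcp", 443))
    print("Supporting flows still needing a rule:", uncovered_support_flows(dmz))
    print("Rules in a LAN deployment:", [r.number for r in build_rules("lan")])
```

Every supporting flow is reported as uncovered by the three base rules, which is why the guide lists them as additional rules to add according to your configuration.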

Step 3: Installing Connectra Using the CD

To install the Connectra gateway:

1. Configure a designated machine to boot from the CD drive.

2. Place the CD into the CD ROM drive and boot.

The Pre-installation Message appears:

Figure 4-2 Pre-installation Message

3. Press Enter.

The Check Point Welcome Message appears:

Figure 4-3 Welcome Message

4. Use the Tab key to select OK.

The Keyboard Selection screen is displayed:

Figure 4-4 Keyboard Selection screen

5. Use the Tab and arrow keys to select an appropriate keyboard.

6. Click OK.

The Network Interface Configuration screen appears:

Figure 4-5 Network Interface Configuration screen

7. Enter the IP address of the administration interface. On a cluster member, do not use the address of the synchronization interface. Also specify the Netmask and the Default gateway. Select OK.

8. When prompted to start the installation process, use the arrows or the Tab key to select OK.

Note - This will ERASE all data on your hard drive.

9. Wait while the hard disk is completely formatted.

The Package Installation screen appears:

Figure 4-6 Package Installation screen

This is followed by instructions for connecting to the Web-based administrative interface:

Figure 4-7 Connection Instructions

10. Use the Tab key to select OK to reboot the machine.

11. Wait for SecurePlatform to complete booting.

Step 4: Connecting to the Administration User Interface

You can connect to the Administration User Interface via the console, an SSH connection, or a Web browser.

To connect to the WebUI using a Web browser:

1. When SecurePlatform has completed booting, open a supported Web browser (see “Browser Compatibility” on page 33) on a machine that has network connectivity to Connectra, and connect to the administrative user interface. By default this interface has the IP address configured earlier (in step 7), over port 4433 (an SSL port). For example: https://192.168.1.1:4433.

2. The End-User License Agreement opens. To accept its terms, click I Accept.

Note - The default login name and password, and the URL for the WebUI are displayed in the message box. Connect to the WebUI only after the machine reboots.

Step 5: Running the First Time Configuration Wizard

The First Time Configuration Wizard can be run in the console or the WebUI.

Running the Wizard from the Console

To run the Wizard in the console:

1. Log in using the default system administrator username/password (admin/admin).

2. Run: cpconfig.

3. Follow the on-screen instructions.

For more information about the on-screen options, see “Running the Wizard from the WebUI” on page 46.

Running the Wizard from the WebUI

To run the First Time Configuration Wizard using the WebUI:

1. When the login window opens, enter the default system administrator username/password (admin/admin), and click Login.

2. Change the administrator password, as prompted. The First-Time Configuration Wizard begins to run. Click Next.

3. In the Network Connections page, define the network connections. For centrally managed NGX R66, if the machine will be a Connectra cluster member, define an IP address and netmask for the synchronization network interface. Click Next.

4. In the Routing Table page configure routing. For centrally managed NGX R66, if the machine will be a Connectra cluster member, configure a default gateway on the subnet of the data interface. Click Next.

5. In the Host, Domain Name, and DNS Servers page, set the following:

• Hostname: For example, Connectra1. If the host is to be part of a cluster, ensure that all hostnames in the cluster are unique.

• Domain Name: For example, example.com. Although not mandatory now, this parameter is important if you want the device to be recognized within the domain.

• DNS Servers: The DNS server to be used when downloading SmartDefense updates and for mounting File Shares. Connectra also uses DNS lookup for any “hostname”-style HTTP link to an internal server, and for resolving other servers (such as Citrix servers, or any other machine whose DNS entry is properly configured on the LAN).

6. Click Next.

7. In the Device Date and Time Setup page, set the date and time. Cluster member clocks must be synchronized to within a few seconds. Time settings may also affect the behavior of certificate validation. For a cluster, select Use a Network Time Protocol (NTP) to synchronize the clock for reliable synchronization using a time synchronization service. Set the following parameters:

• Primary NTP Server: The hostname of the Primary NTP Server you are using. For example, ntp.xyz.net

• Secondary NTP Server (optional): The hostname of the Secondary NTP Server you are using. For example, ntp.abc.edu

• Shared Secret (optional): The shared secret that cluster members will be using for communication.

• Synchronization period: The time, in seconds, after which cluster members will periodically synchronize their internal clocks with the NTP Server. For example, entering 60, indicates that clocks should synchronize with the server every minute.

• Time Zone: The time zone in which the cluster member machine is located.

8. Click Next.

9. In the Web/SSH Clients page, any Web or SSH client authorized to access the Connectra WebUI is displayed. Click Add to add a new host. Type “any” as a hostname to enable access from any Web/SSH client. A hostname can also contain a wildcard or IP address range.

10. When all desired hosts appear in the Web/SSH list, click Next.

11. Select the type of management configuration you want for Connectra.

• Locally: To configure locally managed Connectra, where Connectra manages itself.

• Centrally: To configure Connectra that is managed centrally from a SmartCenter Console. Clusters are only supported in a centrally managed configuration. For more information on these configuration options see the Connectra Gateway Clusters chapter of the Connectra NGX R65 Administrative Guide.

12. Click Next.

Note - Once you select locally or centrally managed, switching to the other option will require a new installation.

Locally Managed Connectra

13. If you are configuring locally managed Connectra, the Connectra GUI Clients page opens:

a. Hosts authorized to connect to Connectra are displayed. Click Add to add a new host.

b. Type “any” as a hostname to enable a connection from any GUI client. A hostname can also contain a wildcard or IP address range.

c. When all desired hosts appear in the GUI Client list, click Next.

d. Type a user name and password of the Connectra Administrator.

e. Click Next.

Centrally Managed Connectra

14. If you are configuring centrally managed Connectra, the Secure Internal Communication page opens:

• Decide on a SIC Activation Key. Type it and then confirm it. SIC certificates authenticate communication between Check Point communicating components. You will need to use the same Activation Key when defining the gateway in SmartDashboard, on the same SmartCenter server where you installed the Connectra NGX R66 Plug-in. You can use the same Activation Key for all members of a cluster.

Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.

Both Locally and Centrally Managed:

15. If you do not already have SmartConsole NGX R65 installed on your GUI client, in the Download SmartConsole Applications page, click Download to download the SmartConsole. When prompted, click Run.

The Check Point Installation Wizard opens.

Installing Check Point SmartConsole

To install the Check Point SmartConsole on the GUI client:

1. Click Next to proceed with the Check Point Installation Wizard.

2. Follow the on-screen instructions to download the SmartConsole.

3. Wait while the software is installed.

4. Click Next to proceed from the Download SmartConsole Applications page.

Completing the First Time Configuration

To complete the Connectra First Time configuration:

1. Click Finish to complete the First Time Configuration Wizard. When prompted, click Yes to start the configuration process.

Wait for the Connectra configuration to be complete. A dialog box opens stating that the Connectra initial device configuration process is complete.

2. Click OK. The Device Status page opens, displaying information about your device.

3. Click Close to exit the WebUI.

4. If you downloaded SmartConsole Applications, dialog boxes may open telling you that SmartConsole is installing. Follow the on-screen instructions to continue.

Step 6: Logging In for the First Time

The Login Process

For centrally managed Connectra, administrators connect to the SmartCenter server through SmartDashboard using the same process as SmartConsole clients. First authenticate the administrator and SmartCenter server (to create a secure channel of communication), and then the selected SmartConsole starts.

After the first login, the administrator can create a certificate for subsequent logins.

For locally managed Connectra, connect directly to the Connectra gateway.

Authenticating the Administrator

To authenticate the administrator:

1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R65 > SmartDashboard.

2. Log in using the User Name and Password defined in the Configuration Tool’s Administrators page during SmartCenter server installation.

3. Specify the name or IP address of the target SmartCenter server and click OK.

Note - The first time that you start the SmartDashboard, you may be prompted to download the SmartConsole Plug-in pack. The file is approximately 70 MB in size; therefore, we advise that you connect for the first time from the LAN or via a high-speed connection. You can also download SmartDashboard from the Administrative WebUI or from the First Time Wizard.

4. Manually authenticate the SmartCenter server using the Fingerprint provided during the configuration process. You can see this Fingerprint by connecting to your SmartCenter via SSH and clicking on Product Configuration > Certificate Authority. When you have confirmed that the two fingerprints match, click Approve.

Note - This step is only necessary the first time you log in. Once the SmartCenter server is authenticated, the Fingerprint is saved in the SmartConsole machine’s registry.

Starting the SmartDashboard

To start SmartDashboard:

1. A dialog box may indicate that the SmartConsole has detected a new Plug-in installed on the Management Server. Click Update to update the SmartConsole.

2. Follow the on-screen prompts until the SmartDashboard opens. Figure 4-8 shows SmartDashboard with locally managed Connectra. Figure 4-9 shows SmartDashboard with centrally managed Connectra, including a tab for Connectra.

Figure 4-8 SmartDashboard with Locally Managed Connectra

Figure 4-9 SmartDashboard with Centrally Managed Connectra

Step 7: Defining Connectra Objects (Centrally Managed Connectra)

If you are upgrading from a previous version of SmartCenter or Provider-1/SiteManager-1, any Connectra objects or references defined prior to upgrading the SmartCenter or the CMA become host objects and must be redefined after the upgrade.

Define and configure the topology for each gateway, cluster member, and Connectra cluster.

Defining a Connectra Gateway

To define a Connectra gateway:

1. In SmartDashboard, select the Connectra tab.

2. In the Connectra Gateways window, click New and select Connectra Gateway.

The Connectra Properties window opens.

3. In the General Properties page, type the Name and IP Address of the Connectra Gateway that you installed.

4. Click Communication.

The Communication dialog box opens.

5. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize.

6. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.

7. Make sure Connectra NGX R66 appears in the Version field and click OK.

Configuring a Connectra Gateway’s Topology

Each Cluster member should have at least one cluster interface and one synchronization interface. For more information on configuring topology for cluster members, see “Cluster Configuration—Deployment Tips” on page 69 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

To configure the topology of a Connectra gateway:

1. In the Connectra Properties dialog box, select Topology in the navigation tree.

The Topology page opens.

2. Click Get to automatically detect interfaces or Add to manually add interfaces.

When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.

3. Click OK to return to the main Connectra window.

Defining a Connectra Cluster

After defining each individual Connectra gateway, you can define Connectra Clusters. For more information on configuring topology for cluster members, see “Cluster Configuration—Deployment Tips” on page 69 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

To define a Connectra cluster:

1. In SmartDashboard, select the Connectra tab.

2. In the Connectra Gateways window, click New and select Connectra Cluster.

The Connectra Properties window opens.

3. In the General Properties page, type the Name and IP Address (the virtual IP address of the Cluster interface) of the Connectra Cluster that you are defining.

4. In the navigation tree, select Cluster Members.

5. In the Cluster Members pane, click Add to add each cluster member.

The Cluster Member Properties page opens.

6. Enter each Cluster Member’s Name and IP Address with the highest priority members at the top.

7. Click Communication.

The Communication dialog box opens.

8. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize. All cluster members can have the same activation key.

9. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.

10. Make sure Connectra NGX R66 appears in the Version field and click OK.

Configuring Topology for a Connectra Cluster

For information and instructions on configuring topology for a Connectra Cluster, see the Connectra Cluster Topology Page section of the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

For brief tips, see “Cluster Configuration—Deployment Tips” on page 69.

Post-Installation Procedures

Step 8: Connecting Connectra to the Network

Connecting a Standalone Connectra

Connect the Connectra network interface to the switch on which the default gateway resides.

Connecting a Connectra Cluster

Refer to Figure 2-3, “Connectra Clustering Topology Example,” on page 23.

When setting up a Connectra cluster, connect the cluster member data interfaces via a switch.

The synchronization network carries the most sensitive data in the organization. Keep it secure by connecting the synchronization interfaces using a cross cable, or a dedicated switch.

Make sure that each network is configured on a separate VLAN, switch or hub.

Step 9: Backing Up the Configuration

To connect to the WebUI and back up your system configuration:

1. From a Web browser, connect to the administration portal at https://<IP address>:4433. The default IP address is 192.168.1.1.

2. For a cluster, set up all cluster members through the previous steps, and then connect to the administration portal of the primary member.

3. Log in using the administrator user name and password.

4. In the navigation pane, select Device > Backup.

5. On the Backup page, click Backup Now.

6. On the Backup to page, select where you want the backup file sent. Click Apply.

7. When prompted, click Yes to continue.

8. Wait a few seconds and then click Refresh. You should see your backup date and time in the Last successful backup field.

9. Click Close to exit the WebUI.

10. IMPORTANT — It is also recommended to create an image of the system using the snapshot command (See “Preserving the Previous Connectra Configuration” on page 79). To revert to the saved snapshot image, use the revert command. See “Reverting to a Previous Version of Connectra” on page 103.

Step 10: Configuring Access Control

Configure Access Control in Connectra using SmartDashboard.

Access management in Connectra is accomplished by defining users and assigning them to groups, and defining applications and associating them with the groups. In addition, Connectra associates each application with a protection level, a security requirement that the remote user must satisfy before being given access to the application.

Access Control is configured in the following stages:

1. Define applications

2. Define users

3. Define user groups

4. Associate users with groups

5. Associate applications with groups

6. Install the Security Policy

These tasks are described in detail in the Connectra Central Management Administration Guide and the Connectra Local Management Administration Guide. The following sections provide some useful background information.

Defining Applications

Defining an application is about deciding which internal LAN applications to expose to remote users. These typically include:

• Web applications

• File shares

• Native applications

• Citrix applications

• Mail services

Setting Protection Levels for Applications

Connectra associates each application with a protection level. The protection level is a security requirement that the remote user must satisfy before being given access to the application. For example, the user must be authenticated using a certificate.

Defining Users and Groups

Access to internal corporate applications is based on group membership. To access a particular application, remote users must belong to a group with the relevant authorization (as well as satisfy the security requirements of the application). These groups can be defined on Connectra’s internal user database, on LDAP or RADIUS servers. The LDAP group can be a branch in a tree, or an LDAP group that contains users from different branches.

Associating Applications With Groups

You must associate the applications with groups. This association means authorizing certain user groups to use those applications.

Step 11: Performing a SmartDefense Update (Locally Managed Connectra)

SmartDefense updates add new defense mechanisms to the SmartDefense console, and bring existing defense mechanisms up-to-date.

To update SmartDefense:

1. In the SmartDefense tab, click Online Update.

The update begins and a dialog box notifies you that SmartDefense is being updated from one version number to another.

2. Click Continue to proceed with the update.

3. Enter your User Center username and password.

The available new updates are displayed.

4. Click Download Updates.

You are informed that the SmartDefense content was updated successfully.

5. Select Policy > Install Policy to apply the updates.

Note - Perform a SmartDefense update immediately after installing Connectra so that the networks accessible through Connectra are fully protected.

Step 12: Checking Your Setup

1. After installing the Security Policy, browse to the User portal and log in using the credentials of the defined user. The user portal is at https://<IP address>.

2. Verify that you can access the defined application.


Installing the NGX R66 Plug-in

The Connectra NGX R66 Plug-in adds Connectra central management capabilities to an NGX R65 SmartCenter server or Provider-1/SiteManager-1. If you are working in a High Availability environment, install the Plug-in on each member.

Install the R66 Plug-in as part of the following procedures:

• “Installation and Initial Configuration Procedures”: “Step 2: Preparing for Centrally Managed Connectra” on page 39

• “Upgrading to Centrally Managed R66 from R61/R62”: “Setting Up the SmartCenter” on page 84

• “Upgrading to Centrally Managed R66 from R62CM”: “Setting Up the SmartCenter and Installing the R66 Plug-in” on page 91

• “Upgrading a Connectra Cluster to R66” on page 98

The procedure for installing the R66 Plug-in varies slightly for each platform, but the overall workflow is the same.

Installing the Plug-in on a SmartCenter

The Plug-in for R66 can be installed on a SmartCenter, on the SecurePlatform, Windows, Linux, or Solaris platforms.

In This Section

• Installing the Plug-in on a SecurePlatform SmartCenter

• Installing the Plug-in on a Windows SmartCenter

• Installing the Plug-in on a Linux or Solaris SmartCenter

Installing the Plug-in on a SecurePlatform SmartCenter

To install the Plug-in on a SmartCenter on SecurePlatform:

1. Install SmartCenter server NGX R65.

2. Log in to expert mode by running expert and entering your password.

3. Install the Connectra Plug-in package:

a. Insert CD2 into the SmartCenter Server machine.

b. Mount the CD by running:

mount /dev/cdrom

c. Go to the CD directory by running:

cd /mnt/cdrom

d. Run:

./UnixInstallScript -splat

4. Reboot the machine.

Installing the Plug-in on a Windows SmartCenter

To install the Plug-in on SmartCenter on the Windows platform:

1. Install SmartCenter server NGX R65.

2. Install the Connectra Plug-in package:

a. Insert CD2 into the SmartCenter Server machine.

b. From the root of the CD, run:

Setup.bat

c. Follow the instructions in the wizard.

3. Reboot the machine.

Installing the Plug-in on a Linux or Solaris SmartCenter

To install the Plug-in on a SmartCenter on either Linux or SecurePlatform:

1. Install SmartCenter server NGX R65.

2. Log in to expert mode by running expert and entering your password.

3. Install the Connectra Plug-in package:

a. Insert CD2 into the SmartCenter Server machine.

b. Mount the CD by running:

mount /dev/cdrom

c. Go to the CD directory by running:

cd /mnt/cdrom

d. Run:

./UnixInstallScript

4. Reboot the machine.

Installing the Plug-in on Provider-1/SiteManager-1

The Plug-in for R66 can be installed on Provider-1/SiteManager-1, on the SecurePlatform, Linux, or Solaris platforms.

In This Section

• Installing the Plug-in on SecurePlatform Provider-1

• Installing the Plug-in on Linux or Solaris Provider-1

• Activating the Connectra Plug-in on the CMA

Installing the Plug-in on SecurePlatform Provider-1

To install the Plug-in on Provider-1 on SecurePlatform:

1. Install NGX R65 on the Provider-1/SiteManager-1 Multi Domain Server.

2. Install the Connectra Plug-in package on the Multi-Domain Server:

a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.

b. Mount the CD by running:

mount /dev/cdrom

c. Go to the CD directory by running:

cd /mnt/cdrom

d. Run:

./UnixInstallScript -splat

3. Reboot the machine.

4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page 66.

Installing the Plug-in on Linux or Solaris Provider-1

To install the Plug-in on Provider-1 on Linux:

1. Install Provider-1/SiteManager-1 Multi Domain Server NGX R65.

2. Install the Connectra Plug-in package on the Multi-Domain Server:

a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.

b. Run from the root of the CD:

./UnixInstallScript

3. Reboot the machine.

4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page 66.

Activating the Connectra Plug-in on the CMA

To activate the Connectra Plug-in, use one of the following procedures:

• Create a customer with a Plug-in. In the Add Customer Wizard, in the Management Plug-ins page, activate the Plug-in.

• In the MDG Customer Contents page, either right-click a customer and select Configure Customer, or double-click the customer, go to the Plug-ins tab, and select the Connectra Plug-in.

• From the MDG’s Management Plug-ins View, activate the Plug-in in one of the following ways:

    • Right-click a customer and select Activate Plug-in on Customers.

    • Right-click the PIConR66 and select Activate this Plug-in.

    • Select Activate Plug-in on Customers from the Plug-in menu.

    • Click the Plug-in icon on the toolbar.

Uninstalling Connectra Plug-ins

While Connectra R66 cannot be uninstalled from the Connectra gateway machine, you can uninstall the central management capabilities. To do this, you must uninstall both the R62CM Plug-in (where relevant) and the R66 Plug-in for Central Management. See “Uninstalling Connectra Plug-ins” on page 105.


Cluster Configuration—Deployment Tips

This section provides information to help you understand the process of configuring a Connectra gateway cluster, so that the configuration is successful and trouble-free.

The Connectra Central Management Administration Guide includes full details of setting up a Connectra cluster. It is strongly recommended that you read the relevant guide before setting up your Connectra cluster.

• Install and configure the Connectra gateway cluster members, as described in “Installation and Configuration Workflow” on page 37.

Licensing

• Ensure all cluster members are licensed for the same number of users. They do not necessarily have to have identical licenses.

• Connectra cluster members must run the same software version.

Cluster and Cluster Member Interfaces

• Communication into the organization for users is done using the virtual IP address of the Cluster Interface, and not the member IP addresses.

• To change the configuration of a cluster member, connect to it directly using the IP address of the cluster member, and not to the virtual IP address of the Cluster Interface.

Interface Configuration

• The synchronization interfaces of the cluster members reside on the SAME subnet.

• The data interfaces of the cluster members must reside on the SAME subnet, DIFFERENT from the synchronization subnet.


• Use different interfaces for the data and synchronization networks. The recommended setting is to use eth0 for data and eth1 for synchronization.

Physical Connectivity

• Synchronization in a two-member cluster can be done using a cross-cable between the two members. A cluster with more than two members requires a switch/hub for synchronization.

Configuration

• Cluster member clocks must be synchronized. Use an NTP server or manually synchronize the clocks.

• Connectra clients access Connectra via two IP address/port combinations: one for the Connectra portal and another for SSL Network Extender. If you wish to use the same IP address for both, configure the portal to listen on port 443 and SSL Network Extender to listen on port 444.

Administration

• Cluster members become active after the Security Policy is installed.
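The interface rules in the tips above can be checked against an addressing plan before the members are cabled. The script below is an added example, not part of the guide or of any Check Point tool; the input format (member name, data address, synchronization address, each written as address/prefix), the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code: pre-flight check of a planned cluster
# addressing scheme against the "Interface Configuration" rules above.

# net_of ADDR/PREFIX: print "<network as integer>/<prefix>" or fail on bad input.
net_of() (
    set -f                                   # no filename expansion while splitting
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    IFS=.; set -- $addr                      # split octets; IFS change stays in this subshell
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty, non-numeric and zero-padded octets (would be read as octal)
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    echo "$(( ip & mask ))/$prefix"
)

# check_cluster: read "member data_cidr sync_cidr" lines on stdin, print one
# line per violated rule, return 0 only if the whole plan is consistent.
check_cluster() (
    rc=0; data_net=; sync_net=
    while read -r member data sync; do
        [ -n "$member" ] || continue
        d=$(net_of "$data") && s=$(net_of "$sync") || {
            echo "$member: unparsable address"; rc=1; continue
        }
        # the first member defines the cluster's data and sync subnets
        : "${data_net:=$d}" "${sync_net:=$s}"
        [ "$d" = "$data_net" ] || {
            echo "$member: data interface is not on the cluster data subnet"; rc=1; }
        [ "$s" = "$sync_net" ] || {
            echo "$member: sync interface is not on the cluster sync subnet"; rc=1; }
        [ "$d" != "$s" ] || {
            echo "$member: data and sync interfaces share a subnet"; rc=1; }
    done
    return $rc
)

# Constructed sample plan: eth0 for data, eth1 for synchronization.
sample_plan() {
    printf '%s\n' \
        'gw1 192.168.10.11/24 10.0.0.1/24' \
        'gw2 192.168.10.12/24 10.0.0.2/24'
}

# Command-line use: pass a plan file, for example "sh check_cluster.sh plan.txt".
[ $# -eq 0 ] || check_cluster < "$1"
```
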


SSL Acceleration Card Installation

A hardware-based SSL acceleration card is available to improve the SSL performance of the Connectra gateway. The card speeds up the SSL/TLS public key exchange, and reduces CPU utilization by redirecting CPU-intensive calculations to dedicated hardware.

The acceleration card is pre-installed on Connectra 6000. Otherwise it must be purchased and installed separately.

Installing the Card

For details on how to install the acceleration card, see the documentation supplied with the card.

Enabling the Card

To enable the card on Connectra:

1. From the console, run:

cvpnstop

2. Run:

hw_acceleration start

3. Run:

cvpnstart

Disabling the Card

To disable the card:

1. From the console, run:

cvpnstop

2. Run:

hw_acceleration stop

3. Run:

cvpnstart

SSL Acceleration Card Command Syntax

The following table lists the SSL Acceleration Card commands. The card must be activated before running the diag and stat parameters.

Syntax

hw_acceleration {start | stop | diag | stat}

Table 4-2 SSL Acceleration Card Commands

Parameter    Meaning
start        Enable the card
stop         Disable the card
diag         Check if the card is installed and working properly
stat         Get statistics of card activity


Further Information

For further instructions on configuring the Connectra gateway or a Connectra ClusterXL Load Sharing or High Availability cluster, refer to the Connectra Administration Guide appropriate for your configuration, or to the online help.


Chapter 5 Upgrading Connectra

In This Chapter

• Upgrade Procedure Quick Reference

• Preparing for the Upgrade to R66

• Upgrading to Locally Managed R66 from R61/R62

• Upgrading to Centrally Managed R66 from R61/R62

• Upgrading to Centrally Managed R66 from R62CM

• Upgrading a Connectra Cluster to R66

• Advanced Upgrade to R66 from R62


Upgrade Procedure Quick Reference

Table 5-1 indicates where in this chapter to find the procedures you need, and which CD you should use.

Table 5-2 lists the upgrade scenarios that are not supported by Connectra NGX R66 and indicates the alternative upgrade paths.

Table 5-1 Upgrade Procedure Quick Reference

Upgrade From: R61/R62
Upgrade To: Locally managed R66
Link to Procedure: Upgrade on the same machine: “Upgrading to Locally Managed R66 from R61/R62” on page 81, or upgrade across different machines: “Advanced Upgrade to Locally Managed R66” on page 99
Required CD(s): 1. R66

Upgrade From: R62CM
Upgrade To: Centrally managed R66
Link to Procedure: “Upgrading to Centrally Managed R66 from R62CM” on page 91
Required CD(s): 1. R66 2. R66 SmartCenter Plug-in

Upgrade From: R61/R62
Upgrade To: Centrally managed R66
Link to Procedure: “Upgrading to Centrally Managed R66 from R61/R62” on page 84
Required CD(s): 1. R66 2. R66 SmartCenter Plug-in

Upgrade From: Connectra Cluster on R61/R62/R62CM
Upgrade To: Connectra Cluster on R66
Link to Procedure: “Upgrading to Centrally Managed R66 from R62CM” on page 91
Required CD(s): 1. R66 2. R66 SmartCenter Plug-in

Table 5-2 Upgrade Scenarios Not Supported with Connectra NGX R66

Upgrade From: Version older than R61
Upgrade To: R66
Alternative Path: First upgrade to Connectra NGX R61.
See: Connectra NGX R61 Getting Started Guide

Upgrade From: R61 or R62 with Clusters
Upgrade To: Locally managed R66 with Clusters
Alternative Path: Upgrade to centrally managed R66 with Clusters. To do this, you must first fully upgrade to Connectra NGX R62CM.
See: Connectra NGX R62CM Getting Started Guide; “Upgrading a Connectra Cluster to R66” on page 98

Upgrade From: R61/62
Upgrade To: Centrally managed R66
Alternative Path: First fully upgrade to Connectra NGX R62CM, then upgrade to centrally managed R66.
See: Connectra NGX R62CM Getting Started Guide; “Upgrading to Centrally Managed R66 from R61/R62” on page 84

Upgrade From: R62CM
Upgrade To: Advanced upgrade to centrally managed R66
Alternative Path: Perform an upgrade on the same machine instead of across different machines.
See: “Upgrading to Centrally Managed R66 from R62CM” on page 91

Upgrade From: R61/62/62CM
Upgrade To: R66 locally or centrally managed using the WebUI
Alternative Path: Use the instructions provided in this Getting Started Guide for an alternative scenario.
See: “Upgrade Procedure Quick Reference” on page 76


Preparing for the Upgrade to R66

In This Section

• Preserving Manual Changes on the Connectra Gateway

• Preserving the Previous Connectra Configuration

Preserving Manual Changes on the Connectra Gateway

The upgrade process retains all configuration settings and end-user settings from the previous installation that were made via the Connectra administration portal or SmartDashboard. Nonetheless, certain manually configured changes are not preserved following the upgrade, and so must be saved before the upgrade, and manually restored after the upgrade.

During the lifetime of a Connectra installation, several configuration changes may be manually applied using the SSH command shell. Such changes may include:

• Changes to Connectra configuration files (*.conf files) made to configure the Apache Web server or for debugging purposes.

• Replacement of Connectra binary files or libraries (Support Hotfixes).

• Changes to Connectra scripts (such as File Share implementation, certificate creation, and cvpnstop/cvpnstart).

To preserve manually configured changes made before the upgrade, back up the following files on the Connectra gateway:

$CVPNDIR/conf/*
$CVPNDIR/var/*
$CVPNDIR/htdocs/Mail/data
$CVPNDIR/htdocs/Mail/attachments
$WEBISDIR/conf/*


Preserving the Previous Connectra Configuration

Creating a Snapshot Image

Before upgrading to a new version, it is recommended that you create an image of the entire system using the snapshot tool, either locally or on a TFTP or SCP server. This feature greatly reduces the risks of configuration changes.

With a snapshot image you can restore the installation to the state before the upgrade, using the revert command. At boot time you are given the option of booting from any of the available snapshots.

Running the snapshot command without any additional flags uses default backup settings and creates a local snapshot.

Note - The NGX R66 package cannot be uninstalled. To make it possible to revert to a previous version, create a snapshot image before installing the package. You can then use the revert command to revert to the previous Connectra version. See “Reverting to a Previous Version of Connectra” on page 103.

Create a snapshot image via the command line.

Snapshot Command Syntax

snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]

Table 5-3 Snapshot command parameters

Parameter: -h
Meaning: Obtain usage.

Parameter: -d
Meaning: Generate debug information.

Parameter: --tftp <ServerIP> <Filename>
Meaning: IP address of the TFTP server from which the snapshot is made, as well as the snapshot’s filename.

Parameter: --scp <ServerIP> <Username> <Password> <Filename>
Meaning: IP address of SCP server from which the snapshot is made, the username and password used to access the SCP Server, and the filename of the snapshot.

Parameter: --file <Filename>
Meaning: When the snapshot is made locally, specify a filename.


Upgrading to Locally Managed R66 from R61/R62

In This Section

• Upgrading to Locally Managed R66 via the Command Line

• Completing the Upgrade by Merging Manual Changes

Note - You must upgrade to locally managed R66 using the command line. Upgrades are not supported by the WebUI.

Upgrading to Locally Managed R66 via the Command Line

Before upgrading, follow the procedures in “Preserving Manual Changes on the Connectra Gateway” on page 78.

Upgrading to Connectra NGX R66 involves installing a package file.

To upgrade from Version NGX R61 or R62 to NGX R66 via the command line:

1. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:

mount /dev/cdrom

2. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:

cpshell

3. Type:

patch add cd

4. When prompted with “Choose a patch to install”, type 1 to choose the Connectra NGX R66 Upgrade Package.

5. When prompted, type Y to confirm the MD5 checksum that appears on the screen.

6. You are prompted to select a management option. Note that this step determines whether you upgrade to locally or centrally managed Connectra R66. Type 1 to choose Locally managed.

7. When prompted, type a new Administrator name and Password.

8. Type W and then Y to give the new administrator read/write access and permission to manage other administrators.

9. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.

10. Wait while the operating system upgrades. This takes approximately ten minutes.

11. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.

12. Reboot your system to complete the upgrade.

Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See “Reverting to a Previous Version of Connectra” on page 103 for instructions on how to revert to a snapshot image if necessary.


Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.

2. If necessary, merge the changes back to the same locations in the upgraded installation.
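The backup list in “Preserving Manual Changes on the Connectra Gateway” and the merge check above can be scripted so that nothing is missed. The script below is an added example, not part of the guide or of Check Point's tooling; the function names, the backup layout and manifest format, and the use of sha256sum (md5sum as fallback) are assumptions, and it expects CVPNDIR and WEBISDIR to be set as they are on the gateway.

```shell
#!/bin/sh
# Added example, not Check Point code. Run on the gateway before and after the
# upgrade; CVPNDIR and WEBISDIR are assumed to be set in the environment.

# The locations the guide lists for manual changes ("conf/*" means all of conf).
connectra_paths() {
    printf '%s\n' "$CVPNDIR/conf" "$CVPNDIR/var" \
        "$CVPNDIR/htdocs/Mail/data" "$CVPNDIR/htdocs/Mail/attachments" \
        "$WEBISDIR/conf"
}

# Print a content hash for one file (assumption: sha256sum or md5sum exists).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        md5sum < "$1" | cut -d' ' -f1
    fi
}

# connectra_backup DEST: copy every listed path under DEST/files, keeping the
# absolute path, and record "hash path" for each file in DEST/MANIFEST.
connectra_backup() (
    dest=$1
    [ -n "$dest" ] && [ -n "$CVPNDIR" ] && [ -n "$WEBISDIR" ] || {
        echo "usage: connectra_backup DEST (CVPNDIR and WEBISDIR must be set)" >&2
        return 2
    }
    umask 077                    # configuration and mail data: keep the copy private
    mkdir -p "$dest/files" || return 1
    : > "$dest/MANIFEST"
    connectra_paths | while IFS= read -r p; do
        [ -e "$p" ] || { echo "skip (not present): $p" >&2; continue; }
        mkdir -p "$dest/files$(dirname "$p")"
        cp -Rp "$p" "$dest/files$(dirname "$p")/" || exit 1
        find "$p" -type f | sort | while IFS= read -r f; do
            printf '%s %s\n' "$(file_hash "$f")" "$f" >> "$dest/MANIFEST"
        done
    done
)

# connectra_compare DEST: after the upgrade, print one line per backed-up file
# that no longer matches the live system: "MISSING path" or "CHANGED path".
connectra_compare() (
    dest=$1
    [ -r "$dest/MANIFEST" ] || { echo "no manifest in $dest" >&2; return 2; }
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(file_hash "$path")" != "$sum" ]; then
            echo "CHANGED $path"
        fi
    done < "$dest/MANIFEST"
)

# Command-line entry point: "backup DEST" before the upgrade, "compare DEST" after.
case "${1:-}" in
    backup)  connectra_backup "${2:-}" ;;
    compare) connectra_compare "${2:-}" ;;
esac
```

Each file that compare reports is a candidate for the manual merge: review it against its saved copy under DEST/files before restoring anything, and store DEST off the gateway, since the upgrade replaces the operating system.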


Upgrading to Centrally Managed R66 from R61/R62

In This Section

• Preserving Manual Changes and Previous Configuration

• Setting Up the SmartCenter

• Upgrading the Connectra Gateway via Command Line

• Upgrading the Connectra Gateway via SmartUpdate

• Setting Up SIC Trust

• Completing the Upgrade by Merging Manual Changes

Note - You must upgrade to centrally managed R66 using the command line or SmartUpdate. Upgrades are not supported by the WebUI.

Preserving Manual Changes and Previous Configuration

Follow all the procedures in “Preserving Manual Changes on the Connectra Gateway” on page 78.

Setting Up the SmartCenter

Upgrading to R62CM and Importing Previous Configuration

The SmartCenter must have the Connectra R62CM Plug-in installed and be fully upgraded to R62CM before you install the R66 Plug-in for Central Management. This includes using Connectra’s Configuration Import Utility to import your R61/62 management configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.

To install the R66 Plug-in on the R65 SmartCenter or Provider-1/SiteManager-1 CMA:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.

2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update during the first connection to a SmartCenter with the Plug-in installed.

3. Install the R62CM Plug-in and Compatibility Package found on NGX R66 CD2 under /Utilities/R62CM/. Follow the instructions for upgrading to R62CM in the Connectra R62CM Getting Started Guide.

4. Import your R61/62 management configuration to the SmartCenter using R62CM’s Connectra Configuration Import Utility. Follow the instructions in the Connectra R62CM Getting Started Guide.

5. Reboot SmartCenter or Provider-1/SiteManager-1.

Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.


Installing the R66 Plug-in

1. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 62.

2. Reboot SmartCenter or Provider-1/SiteManager-1.

3. After the reboot, open SmartDashboard. SmartDashboard may update itself; it then displays an additional tab for Connectra.

Figure 5-1 SmartDashboard with Centrally Managed Connectra

4. In SmartDashboard, switch to the Connectra tab.


5. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA:

After the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.

6. Define the Connectra objects. (Do not set up Secure Internal Communication (SIC) at this point):

a. Create the Connectra gateway or gateway cluster object.

b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.

c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IPs to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.

When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.

Upgrading the Connectra Gateway via Command Line

Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via the command line:

1. Prepare the SmartCenter and R66 Plug-in as described in “Setting Up the SmartCenter” on page 84.

2. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:

mount /dev/cdrom

3. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:

cpshell

4. Type:

patch add cd

5. When prompted with “Choose a patch to install”, type 1 to choose the Connectra NGX R66 Upgrade Package.

6. When prompted, type Y to confirm the MD5 checksum that appears on the screen.

7. You are prompted to select a management option. Note that this step determines whether you upgrade to locally or centrally managed Connectra R66. Type 2 to choose Centrally managed.

8. Type Y to confirm the upgrade.

9. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.

Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See “Reverting to a Previous Version of Connectra” on page 103 for instructions on how to revert to a snapshot image if necessary.

10. Enter and re-enter a SIC shared secret that you will confirm later when logging in to the SmartDashboard.

11. Wait while the operating system upgrades. This takes approximately ten minutes.

12. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.

13. Reboot your system.

Upgrading the Connectra Gateway via SmartUpdate

Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via SmartUpdate:

1. Prepare the SmartCenter and R66 Plug-in as described in “Setting Up the SmartCenter” on page 84.

2. Insert CD1 into the CDROM Drive of your Connectra machine.

3. From the SmartDashboard, click Window > SmartUpdate.

4. Add the package for Connectra NGX R66 to the SmartUpdate Repository by clicking Packages > Add > From CD.

5. Type your User Center username and password.

6. Select the package for Connectra NGX R66.

7. Click OK.

8. Install the Connectra NGX R66 package. Right-click the target Connectra gateway object and select Upgrade all to upgrade all gateways at once.

9. If you made manual configuration changes, continue with “Completing the Upgrade by Merging Manual Changes”.


Setting Up SIC Trust

You must set up a SIC connection between Connectra and the SmartCenter in order for them to communicate.

To set up SIC between the Connectra gateway and the SmartCenter:

1. Connect to the Connectra gateway in one of the following ways:

• Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.

• From the command line: Open an SSH connection to Connectra, or connect to it via a console.

2. Reset SIC (if there was a prior SIC trust) and enter a shared secret. Do this in either of the following ways:

• Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.

• From the command line, run cpconfig. Type 6 to select Secure Internal Communication.

3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.

Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.

2. If necessary, merge the changes back to the same locations in the upgraded installation.


Upgrading to Centrally Managed R66 from R62CM

In This Section

Preserving Manual Changes and Previous Configuration

Setting Up the SmartCenter

Upgrading the Connectra Gateway via Command Line

Upgrading the Connectra Gateway via SmartUpdate

Setting Up SIC Trust

Completing the Upgrade by Merging Manual Changes

Note - You must upgrade to centrally managed R66 using the command line or SmartUpdate. Upgrades are not supported by the WebUI.

Preserving Manual Changes and the Previous Configuration

Follow all the procedures in “Preserving Manual Changes on the Connectra Gateway” on page 78.

Setting Up the SmartCenter and Installing the R66 Plug-in

Important: The SmartCenter should have the Connectra R62CM Plug-in installed and be fully upgraded to R62CM before installing the R66 Plug-in for Central Management. This includes using Connectra’s Configuration Import Utility to import your management configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.

To install the R66 Plug-in on the R66 SmartCenter or Provider-1/SiteManager-1 CMA:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.

2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update in order to manage Connectra.

3. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 62.

4. Reboot SmartCenter or Provider-1/SiteManager-1.

5. After the reboot, open SmartDashboard. SmartDashboard displays an additional tab for Connectra.

Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.

Note - If your SmartCenter is not already upgraded to R62CM, you must upgrade it before upgrading to centrally managed R66. See “important” above.


Figure 5-2 Smart Dashboard with Centrally Managed Connectra

6. In SmartDashboard, switch to the Connectra tab.

7. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA:

After the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.

8. Define the Connectra objects. (Do not set up Secure Internal Communication (SIC) at this point):


a. Create the Connectra gateway or gateway cluster object.

b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.

c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IPs to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.

When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.

Upgrading the Connectra Gateway Using the Command Line

Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via the command line:

1. Prepare the SmartCenter and R66 Plug-in as described in “Setting Up the SmartCenter” on page 84.

2. Insert CD1 into the CDROM drive of the Connectra machine and mount the CD by typing:

mount /dev/cdrom


3. To enter the cpshell (this is only necessary if the shell has been manually changed from the default), type:

cpshell

4. Type:

patch add cd

5. When prompted with Choose a patch to install, type 1 to choose the Connectra NGX R66 Upgrade Package.

6. When prompted, type Y to confirm the MD5 checksum that appears on the screen.

7. When prompted, type Y to confirm that you want to perform the upgrade.

8. You are prompted to create a backup image for automatic revert. This snapshot captures a current picture of your operating system and Connectra configuration. Type Y to create a snapshot that you can revert to if necessary.

Note - The upgrade to R66 is not reversible and replaces your entire operating system. We highly recommend creating a snapshot at this time to preserve your current settings. See “Reverting to a Previous Version of Connectra” on page 103 for instructions on how to revert to a snapshot image if necessary.

9. Enter and re-enter a SIC shared secret that you will confirm later when logging in to SmartDashboard.

10. Wait while the operating system upgrades. This will take approximately ten minutes.

11. When prompted that the upgrade has finished successfully, remove the CD from the CDROM drive.

12. Reboot your system.

13. Repeat the steps above on each gateway that must be updated.


Upgrading the Connectra Gateway Using SmartUpdate

Upgrading to Connectra NGX R66 involves installing a package file on the Connectra gateway machine. Perform this update using the command line or SmartUpdate. Using SmartUpdate, you can upgrade all Connectra gateways at once.

To upgrade an existing Connectra NGX R61, R62, or R62CM gateway to NGX R66 via SmartUpdate:

1. Prepare the SmartCenter and R66 Plug-in as described in “Setting Up the SmartCenter” on page 84.

2. From SmartDashboard, click Window > SmartUpdate.

3. Add the package for Connectra NGX R66 to the SmartUpdate Repository by clicking Packages > Add > From CD.

4. Enter your User Center username and password.

5. Select the package for Connectra NGX R66.

6. Click Download.

7. Install the Connectra NGX R66 package. Right-click the target Connectra gateway object and select Upgrade all to upgrade all gateways at the same time.

8. If you made manual configuration changes, continue with “Completing the Upgrade by Merging Manual Changes”.

9. The first time that you start the SmartDashboard, you are prompted to download the SmartConsole Plug-in pack. The file’s size is approximately 50 MB, therefore we advise attempting the first connection from the LAN or via high speed connection.

Setting Up SIC Trust

You must set up a SIC connection between Connectra and the SmartCenter in order for them to communicate.


To set up SIC between the Connectra gateway and the SmartCenter:

1. Connect to the Connectra gateway in one of the following ways:

• Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.

• From the command line: Open an SSH connection to Connectra, or connect to it via a console.

2. Reset SIC (if there was a prior SIC trust) and enter a one-time password. Do this in one of two ways:

• Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.

• From the command line, run cpconfig. Type 6 to select Secure Internal Communication.

3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.

Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.

2. If necessary, merge the changes back to the same locations in the upgraded installation.


Upgrading a Connectra Cluster to R66

Connectra Clusters are only supported on centrally managed R66. If you have R61 or R62 and wish to upgrade to centrally managed R66, you must first upgrade the cluster members’ Connectra gateways and SmartCenter server to R62CM. For instructions on upgrading to R62CM, see the Connectra R62CM Getting Started Guide. The R62CM Plug-in and Compatibility Package can be downloaded from the Check Point Download Center or found on the NGX R66 CD2 under /Utilities/R62CM/.

If you currently have locally supported clusters, see “For Connectra Cluster Users” on page 112 for licensing information.

To upgrade a Connectra cluster from NGX R62CM to NGX R66:

1. Install the R66 Plug-in on the NGX R65 SmartCenter. See “Setting Up the SmartCenter” on page 84.

2. Upgrade each Connectra gateway, as described in “Upgrading to Centrally Managed R66 from R62CM” on page 91.

3. Define each cluster member in SmartDashboard. See “Step 7: Defining Connectra Objects (Centrally Managed Connectra)” on page 54 and “Cluster Configuration—Deployment Tips” on page 69.


Advanced Upgrade to R66 from R62

In This Section

Introduction to Advanced Upgrade

Advanced Upgrade to Locally Managed R66

Introduction to Advanced Upgrade

Perform an advanced upgrade from Connectra NGX R62 to Connectra NGX R66 in order to:

• Migrate to a new Connectra server.

• Avoid risking the production server in case the upgrade fails.

The advanced upgrade procedure involves two machines. The first machine is the working production machine. Connectra is installed from scratch on the second machine and the configuration of the first machine is imported to it.

Advanced upgrade is only supported when upgrading from locally managed Connectra R62 to locally managed Connectra NGX R66.

Advanced Upgrade to Locally Managed R66

Preparing for Advanced Upgrade to Locally Managed R66

Prepare a new machine, to which the Connectra configuration will be imported.

The following conditions must be met:

• IP addresses on the new and old machines must match.

• NIC configuration on new and old machines must match.

The following are not preserved in the upgrade. Be sure to track them so you can re-apply them after Connectra is upgraded:

• Manual changes to Connectra configuration files. See “Preserving Manual Changes on the Connectra Gateway” on page 78.

• All settings in the Device menu of the administrator portal.

• The Internal Certificate Authority (ICA).

Advanced Upgrade Procedure to Locally Managed R66

To perform an advanced upgrade from Connectra NGX R62 to locally managed NGX R66:

1. Insert CD1 into the original machine.

2. Type:

mount /dev/cdrom

3. On the CD, browse to the location of the export utility. Locate the upgrade_export tools in:

/linux/Utilities/UpgradeTools/

4. Create an exportable configuration file by running the command:

upgrade_export <path_and_filename_of_tgz>

where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file.

5. Wait while the database files are exported.

6. Install the new NGX R66 machine as per “Installation and Initial Configuration Procedures” on page 39.

The new machine must have the same IP address as the old machine. The IP address can be changed later.


7. Copy the exported .tgz file via FTP in binary mode to any location on the new Connectra machine.

8. On the new Connectra machine, go to:

$FWDIR/bin/upgrade_tools

9. Run:

upgrade_import -n <path_and_filename_of_tgz> <connectra_object_name>

where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file and <connectra_object_name> is the name of your Connectra gateway.

10. Reboot.

Note - The configuration (.tgz) file contains your Connectra configuration. It is recommended to back it up on a different machine and delete it from the Connectra machine after completing the import process.

Completing the Advanced Upgrade to R66

If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.

2. If necessary, merge the changes back to the same locations in the upgraded installation.

Reapply all settings under the Device menu of the administrator portal (including administrator settings and routing) from the old machine to the new machine.

If there was a mismatch in the primary or secondary IP addresses of the NICs between the two machines, you must reconfigure IP address assignments for the Portal and SSL Network Extender.


To reconfigure IP address assignments for the Portal and SSL Network Extender:

1. In SmartDashboard, select your Connectra Gateway and click Edit.

2. Select Topology from the navigation tree in the Connectra Properties page.

3. Click Portal Customization settings or VPN Clients settings and edit the machine’s interface.
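The advanced upgrade procedure above moves the exported configuration (.tgz) file between machines over FTP, and its note asks for the file to be backed up on a different machine and deleted after the import. The shell functions below are an added example, not part of the Check Point guide or tooling: they confirm the archive arrived intact before upgrade_import is run and retire it afterwards. The function names, the use of SHA-256, and the availability of sha256sum or shasum on the machine are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point tooling): integrity handling for the
# configuration archive produced by upgrade_export. All function names
# below are hypothetical.

# Print the SHA-256 digest of a file as bare hex.
archive_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the transferred file is a complete gzip-compressed tar
# archive whose digest equals the one recorded on the source machine.
# Return codes: 1 missing, 2 bad gzip stream, 3 unreadable tar, 4 mismatch.
verify_transferred_archive() {
    v_file=$1
    v_expected=$2
    [ -f "$v_file" ] || { echo "missing: $v_file" >&2; return 1; }
    # gzip -t catches truncation and the byte mangling of an ASCII-mode transfer.
    gzip -t "$v_file" 2>/dev/null || { echo "bad gzip stream: $v_file" >&2; return 2; }
    # Listing the members confirms the inner tar archive is readable too.
    tar -tzf "$v_file" >/dev/null 2>&1 || { echo "unreadable tar: $v_file" >&2; return 3; }
    v_actual=$(archive_digest "$v_file")
    [ "$v_actual" = "$v_expected" ] || { echo "digest mismatch: $v_file" >&2; return 4; }
    return 0
}

# Copy the archive to a backup directory (for example a mount exported by a
# different machine), confirm the copy is identical, then delete the original
# from the Connectra machine.
retire_archive() {
    r_file=$1
    r_backup_dir=$2
    [ -f "$r_file" ] || return 1
    r_digest=$(archive_digest "$r_file")
    r_dest="$r_backup_dir/$(basename "$r_file")"
    # umask 077 keeps the backup copy readable by its owner only.
    ( umask 077; cp "$r_file" "$r_dest" ) || return 1
    [ "$(archive_digest "$r_dest")" = "$r_digest" ] || { echo "backup copy differs" >&2; return 2; }
    rm -f "$r_file"
}

# Typical order of use (paths are placeholders):
#   old machine:  archive_digest <path_and_filename_of_tgz>     -> record the digest
#   new machine:  verify_transferred_archive <path_and_filename_of_tgz> <recorded_digest>
#                 ... run upgrade_import only if the check succeeds ...
#                 retire_archive <path_and_filename_of_tgz> <backup_directory>
```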


Chapter 6 Reverting to a Previous Version of Connectra

In This Chapter

Reverting to a Snapshot

Uninstalling Connectra Plug-ins

Reverting to a Snapshot

Connectra NGX R66 cannot be uninstalled. To make it possible to revert to a previous version, create a snapshot image before installing. See “Preserving the Previous Connectra Configuration” on page 79.

If the upgrade did not succeed, you can revert to a previous installed state by rebooting the system from a snapshot file. Running the revert command without any additional flags uses default backup settings and reboots the system from a local snapshot. The revert command functionality can also be accessed from the Snapshot image management boot option.

Syntax

revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]


Table 6-1 Revert Command Parameters

Parameter | Meaning

-h | Obtain usage

-d | Debug flag

--tftp <ServerIP> <Filename> | IP address of the TFTP server from which the snapshot is rebooted, as well as the filename of the snapshot.

--scp <ServerIP> <Username> <Password> <Filename> | IP address of SCP server from which the snapshot is rebooted, the username and password used to access the SCP Server, and the filename of the snapshot.

--file <Filename> | When the snapshot is created locally, specify a filename.


Uninstalling Connectra Plug-ins

While the Connectra NGX R66 Gateway cannot be uninstalled, the Plug-in for central management can be uninstalled. If you want to uninstall Connectra NGX R66’s central management capabilities, you must uninstall both the R66 Plug-in for Central Management and the R62CM Plug-in from your SmartCenter machines, Log Servers, Eventia Reporter, and any remote objects on which the Plug-ins may have been installed. In a High Availability environment, perform the uninstallations on each member.

Uninstalling the R66 Plug-in for Central Management

Before Uninstalling the R66 Plug-in:

If you have the Connectra NGX R66 Plug-in installed on a SmartCenter, Log Server, Eventia Reporter, or other remote objects, and you want to uninstall the Plug-in from them, you must first do the following:

1. Delete all Connectra objects from SmartDashboard.

2. Synchronize the remote servers’ databases with the SmartCenter by installing the Database on all remote objects that have the Plug-in installed. In the SmartDashboard, select Policy > Install Database for each remote object.

Note - If you do not install the Database, the Plug-in uninstallation on these objects will fail, but it will succeed on the SmartCenter. Therefore, you will not be able to install the Database on the remote objects, nor will you be able to remove the R66 Plug-in from the remote objects.


Uninstalling the R66 Plug-in

1. From the command line, run the pre-uninstall verifier as follows:

In Linux, Solaris, or SecurePlatform:

a. Run:

cd /opt/CPPIconR66-R65/bin/

b. Run:

./plugin_preuninstall_verifier

c. Read the results. If it says you can remove the Plug-in, proceed to step 2.

In Windows:

a. From c:\Program Files\CheckPoint\PIconR66\R66\bin\ run:

plugin_preuninstall_verifier.exe

2. Remove the R66 Plug-in:

• In Linux or SecurePlatform, run:

rpm -e CPPIconR65-R66-00

• In Solaris, run:

pkgrm

then choose the package number corresponding to CPPIconR65-R66-00.

• In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R66 Plug-in.

3. Restart the system.


Removing the R66 Compatibility Package

Remove the Compatibility Package only after uninstalling the R66 Plug-in.

1. Remove the R66 Compatibility Package as follows:

• In Linux or SecurePlatform, run:

rpm -e CPCON65CMP-R66-00

• In Solaris, run:

pkgrm

then choose the package number corresponding to CPCON65CMP-R66-00.

• In Windows, use Add/Remove Programs to remove the Check Point NGX R66 Connectra Compatibility Package.

2. Restart the system.

Uninstalling the Connectra NGX R62CM Plug-in

To remove the Connectra NGX R62CM Plug-in:

1. From the command line, run the pre-uninstall verifier as follows:

In Linux, Solaris, or SecurePlatform:

a. Run:

cd /opt/CPPIconnectra-R65/bin/

b. Run:

./plugin_preuninstall_verifier

c. Read the results. If it says you can remove the Plug-in, proceed to step 2.


In Windows:

a. From c:\Program Files\CheckPoint\PIconnectra\R65\bin\ run:

plugin_preuninstall_verifier.exe

2. Remove the R62CM Plug-in:

• In Linux or SecurePlatform, run:

rpm -e CPPIconnectraR65-R65-00

• In Solaris, run:

pkgrm

then choose the package corresponding to CPPIconnectraR65-R65-00.

• In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R62A Plug-in. Also remove the Check Point Plug-in NGX R65_HF_284 if relevant.

3. Restart the system.

Removing the R62CM Compatibility Package

Remove the R62CM Compatibility Package only after uninstalling the R62CM Plug-in.

1. Remove the R62CM Compatibility Package as follows:

• In Linux or SecurePlatform, run:

rpm -e CPCON62CMP-R65-00

• In Solaris, run:

pkgrm

then choose the package corresponding to CPCON62CMP-R65.

• In Windows, use Add/Remove Programs to remove the Check Point NGX R62A Compatibility Package R65.


2. Restart the system.

Uninstalling Plug-ins in Provider-1

Before uninstalling the R66 or R62CM Plug-ins on Provider-1, you must first deactivate the Plug-ins on all customers of the MDS from which you want to remove a Plug-in.

Deactivating Plug-ins on the MDS

To deactivate Plug-ins on the MDS:

1. Go to Management Plug-ins in the selection bar of the MDG.

2. Double-click on a customer.

3. Go to the Plug-ins tab.

4. Select the plug-in to deactivate: PIconR66-R65 for Connectra NGX R66 or PIconnectra for Connectra NGX R62CM.

5. Click Remove.

6. Click OK.

7. Follow the steps in “Uninstalling the R66 Plug-in for Central Management” on page 105 or “Uninstalling the R62CM Plug-in in Provider-1” on page 109.

Uninstalling the R62CM Plug-in in Provider-1

To remove the Connectra Central Management Plug-in in Provider-1:

1. In the Provider-1 MDS, deactivate the Connectra Central Management Plug-in (PIConnectra) on all customers.

2. On the command line, run:

rm -f /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf ; touch /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf

3. Run the pre-uninstall verifier:

/opt/CPPIconnectra-R65/bin/plugin_preuninstall_verifier

4. Remove the Connectra Central Management Plug-in:

• Use rpm -e CPPIconnectra-R65 on Linux and SecurePlatform

• Use pkgrm CPPIconnectra-R65 on Solaris

5. Run mdsstop/mdsstart.


Chapter 7 License Installation and User Assistance

In This Chapter

Installing Check Point Licenses

Where To Go From Here?

Installing Check Point Licenses

Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point User Center. Note that you may need multiple licenses for different products included with Connectra NGX R66. The Certificate Key is used to obtain a License Key for products that you are evaluating.

To purchase the required Check Point products, contact your reseller.

Note - Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software.


If you are upgrading from a Connectra appliance to Connectra software, you will not automatically get a 15 day trial on the software. We recommend purchasing a license with the software in advance. Alternatively, you can remove all licenses and then you will automatically get a 15 day trial period.

Connectra enforces the license installed on the gateway by counting the number of concurrent sessions taking place on the portal. If the limit has been reached, warning messages are sent to the log.

Check Point products are activated as follows:

1. Activate the Certificate Key shown on the back of the media pack via Check Point User Center.

http://www.checkpoint.com/usercenter

The Certificate Key activation process consists of:

• Adding the Certificate Key

• Activating the products

• Choosing the type of license

• Entering the software details

2. Once you have a new License Key, you can install it on the Connectra machine.

3. Select Settings > Device > Licenses.

4. Click New. You can either enter the license details individually, or paste them directly from the clipboard.

For Connectra Cluster Users

Unlike previous versions of Connectra, in Connectra NGX R66, clusters can only be managed centrally, from an R65 SmartCenter or Provider-1 with the Connectra R66 Plug-in.

Customers who:

a. currently have a Connectra High Availability product, or are buying a new such product, and

b. are under a valid service agreement

should find a new product and license named "SmartCenter for Connectra Clusters" in their User Center account. If you are a customer satisfying these two conditions but do not see this new product in your User Center account, please contact Check Point's account services.

This new license entitles customers to install a Check Point SmartCenter R65 on a dedicated server and manage their Connectra clusters from that server. For information on upgrading to centrally managed Connectra R66, see “Upgrading Connectra” on page 75.


Where To Go From Here?

You have now learned the basics that you need to get started. The next step is to obtain more detailed knowledge of your Check Point products. For thorough information see the Connectra Central Management Administration Guide, Version R66 or the Connectra Local Management Administration Guide, Version R66.

Check Point documentation provides additional information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at: http://www.checkpoint.com/support/technical/documents.

See the Check Point Services website http://www.checkpoint.com/techsupport/ or see the SecureKnowledge self-service database of technical information at http://support.checkpoint.com/.
