CPUG: The Check Point User Group - View Single Post

chris.vincent · #1 (**permalink**) 2006-09-20

Hello,

We are currently using SecureClient NGXR60 Build 191 and making specific use of the Secure Domain Logon (SDL) and hotspot registration feature.

We are also trialling the iPassConnect client v3.50 build 153.

The integration from within windows works well, after enabling hotspot registration from the SecureClient (SC) we are able to connect to WiFi hotspots using the iPass client which then calls the SC software and establishes a VPN to our gateway. We need to use the Hotspot registration feature as we do not allow our users to disable the security policy.

The problem we have is when we attempt to do this process prior to the windows logon. Ultimately we need to be able to create an encrypted logon session to our domain controller (SDL) from any remote access location using iPassConnect. The steps that we need to enable are;

1) Workstation boots to windows logon GINA.
2) Hotspot registration needs to be enabled.
3) iPassConnect client is launched and connects to a remote access point.
4) SecureClient is launched and secure VPN to gateway is established
5) User logs onto domain controller using an encrypted logon session.

However both SDL and the iPassConnect client change the GINA.dll and cannot be used in conjunction to allow the above steps.

The only way we can see to allow us to perform the above steps would be to use the iPass GINA, which once connected to a remote access point would then call the SecureClient and allow an encrypted logon session to our domain controller. This would remove the need for SDL, however the problem lies in the fact that we need to be able to enable hotspot registration on startup for a limited period to allow the iPassConnect client to connect to a remote access point. At the moment because hot spot registration is not enabled on startup, attempted connections to remote access points using iPass are blocked by the Desktop security policy.

Therefore is there any way Hotspot registration can be enabled on startup or is there an alternative means to allow us to meet our objective?