CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 roadrunner (Senior Member), posted 2005-08-13

Site Says It Is Not a Certificate Authority
When you try to add a firewall as a site in SecuRemote, you see the following error message:

Error: Site xxx.xxx.xxx.xxx says that it is not a Certificate Authority. Check whether you have got the right IP address for xxx.xxx.xxx.xxx, and check with the FW-1 system manager there whether xxx.xxx.xxx.xxx is indeed a FW-1 control station.

If the management console and firewall module are on separate boxes, you add the IP address of the management console for the firewall in question. You can use the firewall module only if you have SecuRemote licenses installed on the firewall module. Conversely:
The management console must have a routable address. If it does not have a routable address, you will need to set up a static address translation for it.
SecuRemote Clients must be able to access the management console or firewall via the "FW1_topo" service (TCP port 264) if you are using Secure Client 4.1 (4110 and above builds of SecuRemote) with FireWall-1 4.1. You must allow the 'FW1' service (TCP port 256) if you are using a SecuRemote 4.0 client or using FireWall-1 4.0.
Your Certificate Authority must have an FWZ CA key generated or be configured with IKE. Look at your firewall object, ensure FWZ or IKE is checked in the encryption tab, and make sure a CA key is generated for FWZ.
If you are using Secure Client 4.1 with FireWall-1 4.0, you must have FWZ checked in your VPN tab and have encryption keys defined even if you only intend to use ISAKMP. What the user will actually use for encryption is determined in his user record in FireWall-1. Note that you can get around this limitation if you uncheck "Respond to Cleartext Topology Requests" in Policy Properties, Encryption tab.
In 4.1 SP5 and above, you will want to ensure that "Respond to Unauthenticated Topology Requests" is disabled. In NG, this option is not present.
If you just recently installed your SecuRemote licenses, you will need to restart FireWall-1 before the licenses will take effect.

-- PhoneBoy - 13 Apr 2004
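A small troubleshooting helper, added here as an example and not part of the FAQ above or of any Check Point tool: it applies the FAQ's version rule to pick the topology service the client needs (FW1_topo on TCP 264, or FW1 on TCP 256) and then tests whether that port answers on the management console address, so an administrator can separate "wrong address / blocked service" from "CA or encryption not configured". The host address in the usage call is a placeholder; the version strings and result keys are this example's own.

```python
import socket

# Topology services named in the FAQ: SecureClient 4.1 (build 4110+) with
# FireWall-1 4.1 uses FW1_topo (TCP 264); a 4.0 client or a 4.0 firewall
# needs the older FW1 service (TCP 256).
TOPOLOGY_SERVICES = {"FW1_topo": 264, "FW1": 256}


def required_topology_service(client_version: str, firewall_version: str) -> str:
    """Return the service name the client must reach, per the FAQ's rule."""
    if client_version.startswith("4.1") and firewall_version.startswith("4.1"):
        return "FW1_topo"
    return "FW1"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False


def check_site(mgmt_host: str, client_version: str, firewall_version: str) -> dict:
    """Diagnose the 'not a Certificate Authority' error for one site definition."""
    service = required_topology_service(client_version, firewall_version)
    port = TOPOLOGY_SERVICES[service]
    reachable = tcp_reachable(mgmt_host, port)
    if reachable:
        hint = ("%s (TCP %d) answers; confirm the address is the management console "
                "and that FWZ/IKE and the CA key are configured" % (service, port))
    else:
        hint = ("%s (TCP %d) does not answer; check the address, the static NAT for "
                "the management console and the rule allowing the service" % (service, port))
    return {"service": service, "port": port, "reachable": reachable, "hint": hint}


if __name__ == "__main__":
    # Placeholder address (hypothetical); substitute the management console's routable IP.
    print(check_site("192.0.2.1", "4.1", "4.1"))
```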