| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Today a remote user’s cert expired. I revoked the cert, extended the expiration date and initiated a new cert. I saved the policy (not push) and relayed the registration key via phone to the local tech. The new cert was generated successfully, and they were able to log in to HQ, but when the user tried to RDP to a remote office they received notification their login had expired. Do I need to open the policy on each remote fw cluster and save/push the policy or will all VPN user credentials get re-synced across all fw's? |
| |||
| To update the user database then yes, you need to install the security policy to all gateways to get an updated user database to them. There is a knowledgebase article that allows you to modify so that you can actually push a user database to the gateways, not a whole policy install. I am tied up at the moment or would give you a link; however, there is definitely a Check Point knowledgebase article that will tell you how to do it. |
| |||
Is #sk18666

Product: VPN-1 Pro (VPN-1/FW-1)
Version: NGX, NG AI, NG
Last Modified: 29-Aug-2006

Symptoms
By default, the option to install the User Database on a Security Gateway is disabled.

Solution
To enable the option to install the User Database on a Security Gateway, proceed as follows:

1. Run cpstop on the SmartCenter Server.
2. Backup the objects_5_0.C file located in $FWDIR/conf.
3. Open objects_5_0.C. Note: It is recommended that you use dbedit or GUIdbedit to modify the objects_5_0.C file.
4. Find :allow_install_users_db_on_module (false) and change the value "false" to "true".
5. Save the file.
6. Rename or delete any files named objects_5_0.C.bak or objects_5_0.C.backup located in $FWDIR/conf.
7. Run cpstart.

Now, you can install the database on Security Gateways, as well as on the SmartCenter Server.

Alternatively, you can selectively install the database without modifying objects_5_0.C by running: fwm dbload <module>.
| |||
| There is a second SK article that says doing this is a really bad idea. I don't know why there isn't a reference to it in that article. If you use Install Database instead of a policy push, the database can get out of sync with the rulebase. That's why this is disabled by default and has been for the past few major releases. Ray |
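The setting that sk18666 changes, and the leftover backup files it mentions, can be checked read-only, which is useful given the caution in the last reply that the option is disabled by default. The script below is an added example, not part of the thread or of Check Point's tooling; the function names and the sample file fragment are constructed for illustration.

```shell
#!/bin/sh
# Read-only audit: never edits objects_5_0.C and never runs cpstop/cpstart.

# Print the value of :allow_install_users_db_on_module in FILE:
# "true", "false", "missing" (attribute absent) or "unreadable".
users_db_flag() {
    file=$1
    if [ ! -r "$file" ]; then echo "unreadable"; return 0; fi
    val=$(sed -n 's/^[[:space:]]*:allow_install_users_db_on_module[[:space:]]*(\([a-z]*\)).*/\1/p' "$file" | head -n 1)
    echo "${val:-missing}"
}

# List the leftover files the SK says to rename or delete.
stale_backups() {
    dir=$1
    for f in "$dir/objects_5_0.C.bak" "$dir/objects_5_0.C.backup"; do
        if [ -e "$f" ]; then echo "$f"; fi
    done
}

# Summarise one conf directory.
audit_conf() {
    dir=$1
    flag=$(users_db_flag "$dir/objects_5_0.C")
    case $flag in
        true)  echo "NON-DEFAULT: Install Database on gateways is enabled" ;;
        false) echo "DEFAULT: Install Database on gateways is disabled" ;;
        *)     echo "UNKNOWN: attribute is $flag in $dir/objects_5_0.C" ;;
    esac
    stale_backups "$dir" | while read -r f; do echo "STALE: $f"; done
}

# Constructed sample (not a real objects_5_0.C) so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    printf '(\n\t:allow_install_users_db_on_module (true)\n)\n' > "$d/objects_5_0.C"
    : > "$d/objects_5_0.C.bak"
    echo "$d"
}

# On a SmartCenter Server FWDIR is set; elsewhere fall back to the sample.
if [ -n "${FWDIR:-}" ]; then
    audit_conf "$FWDIR/conf"
else
    audit_conf "$(make_sample)"
fi
```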