CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have a need for some machines to use SecureClient because we need Office Mode, which SecuRemote does not support. However, we don't want these particular users to have the firewall policy installed. I know they can manually disable it, but I'd like to create a package for these users that has it permanently disabled. I initially thought that a build with the no_policy setting in userc.C would do this, but as soon as they connect to the gateway for the first time, it installs and enables the policy. Can anyone help?

JR
You can always put in a desktop policy for those users to allow anything. The policy will still be there but won't block or disallow any actions.
Thanks Lackie, but there's a problem with this, if I understand correctly how SecureClient works. When they're disconnected from the VPN, the "allusers@any" rules come into force, so the policy can't distinguish between the users that I want to have a firewall and those that I don't.

JR
Hi, I'm trying to solve exactly the same problem. I need Office and Visitor Modes, but users and Windows administrators hate the integrated CP firewall. Actually, WinXP SP2 has a better one. I'm waiting for a Check Point support answer for now. I'm even thinking of switching to the native Windows L2TP client (as it is always "office moded").
Quote:
- SecureClient cannot run without the firewall; however, the customer can use an "any any accept" policy;
- there is no direct procedure for changing the default policy; however, there is a workaround described below.

###########
Applying SecureClient R56 initial Policy without logging in to Policy Server

Solution: In R56 SecureClient, you can apply an initial Desktop Policy at first boot after installation of a preconfigured package, without logging in to Policy Server. This provides additional security for remote users immediately after a new installation.

Procedure:
1) Install SecureClient on a test machine and connect to Policy Server, to download the correct Policy.
2) Save all "SecuRemote\Policy\local.*" files.
3) Save "SecuRemote\initialpolicy.bat".
4) Open the installation "tar.gz" (zipped) file of the R56 client.
5) Place both files copied from the "\Policy" directory and "initialpolicy.bat" in the extracted files directory.
6) Edit "product.ini".
7) Add "initialpolicy.bat" to the [install] section. This will run the copied "initialpolicy.bat".
8) Package the extracted files using Packaging Tool or other means.

NOTE: You can also leave the package unzipped, and simply run "setup.exe". After installation, SecureClient will have an initial Policy without logging in to Policy Server.
NOTE: If you have user groups defined on the firewall, include the \policy\group_file.
###########
Thanks Sergei. But I think this is basically what I've already tried by another means, and my guess is it will only work until you connect to the gateway. Then it will pull down whatever policy is available, and you're firewalled again. Their "any any" suggestion is OK if you don't want any of your clients to have a firewall policy, but not if you want a policy for some clients but not for others. If you try it, let us know what you find. I am out of the office this week so cannot test it myself.
It is also possible to disable the policy (default policy) via the CLI: "C:\Program Files\CheckPoint\SecuRemote\bin>scc sp off" (api_manual_slan_control in userc.C must be "true").
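Because `scc sp off` only works when `api_manual_slan_control` is `true` in userc.C, an administrator who wants the desktop firewall to stay enforced on the firewalled package needs a way to check what a built package actually ships with. The following is an added example, not code from this thread or from Check Point: a small parser for the nested `:key (value)` layout used by Check Point `.C` files, plus an audit that flags `api_manual_slan_control` and `no_policy`. The sample userc.C below is constructed for illustration; the nesting style is the general `.C` layout, but which section holds which key (here an assumed `options` group) is an assumption, so point the audit at the real section names in your own file.

```python
"""Parse a Check Point ".C"-style configuration (e.g. userc.C) and flag the
settings that let an end user switch the SecureClient desktop policy off."""
import re

# Constructed sample (not a real userc.C). The ":key (value)" nesting is the
# Check Point .C layout; placing the keys under an "options" group is an
# assumption for this illustration. Only the key names api_manual_slan_control
# and no_policy come from the thread.
SAMPLE_USERC_C = """\
(
    :options (
        :api_manual_slan_control (true)
        :no_policy (false)
    )
    :gws (
        : (vpn-gw
            :ipaddr (192.0.2.10)
            :comment ("primary gateway")
        )
    )
    :users (
        : (alice)
        : (bob)
    )
)
"""

# One token per match: ":key", "(", ")", "quoted string" or a bare word.
_TOKEN = re.compile(r'\s*(?:(:[^\s()"]*)|(\()|(\))|("(?:[^"\\]|\\.)*")|([^\s()"]+))?')


def tokenize(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m.end() == pos:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        key, lp, rp, quoted, word = m.groups()
        if key is not None:
            yield "key", key[1:]          # "" for the unnamed ": (...)" form
        elif lp:
            yield "(", None
        elif rp:
            yield ")", None
        elif quoted is not None:
            yield "val", quoted[1:-1]
        elif word is not None:
            yield "val", word
        # otherwise the match consumed only whitespace


def _parse_group(tokens):
    """Parse the body after an opening '(' up to and including its ')'."""
    children, values = {}, []
    for kind, text in tokens:
        if kind == ")":
            break
        if kind == "val":
            values.append(text)
            continue
        if kind != "key" or next(tokens, (None, None))[0] != "(":
            raise ValueError("expected ':key (' inside group")
        child = _parse_group(tokens)
        if text == "":
            # ": (name ...)" names an object; ": (value)" is a plain list member
            if isinstance(child, dict) and "_name" in child:
                text = child.pop("_name")
            else:
                children.setdefault("_items", []).append(child)
                continue
        if text in children:  # repeated key -> list of entries
            prev = children[text]
            children[text] = prev + [child] if isinstance(prev, list) else [prev, child]
        else:
            children[text] = child
    else:
        raise ValueError("unbalanced parentheses")
    if not children:
        return values[0] if len(values) == 1 else values
    if values:
        children["_name"] = values[0]
    return children


def parse_c_file(text):
    tokens = tokenize(text)
    if next(tokens, (None, None))[0] != "(":
        raise ValueError("file must start with '('")
    tree = _parse_group(tokens)
    if next(tokens, None) is not None:
        raise ValueError("trailing data after the top-level group")
    return tree


def audit_desktop_policy(tree):
    """Return findings for settings that weaken the desktop policy on a client."""
    findings = []
    opts = tree.get("options")
    opts = opts if isinstance(opts, dict) else {}
    if str(opts.get("api_manual_slan_control", "")).lower() == "true":
        findings.append("api_manual_slan_control=true: 'scc sp off' can switch "
                        "the desktop policy off on this client")
    if str(opts.get("no_policy", "")).lower() == "true":
        findings.append("no_policy=true: package ships without an initial policy "
                        "(the thread reports it is replaced at first gateway connect)")
    return findings


if __name__ == "__main__":
    for finding in audit_desktop_policy(parse_c_file(SAMPLE_USERC_C)):
        print("FINDING:", finding)
```

Run it against the userc.C extracted from each package you build: the firewalled package should produce no findings, while the "no firewall" package for the excluded users is expected to show the `api_manual_slan_control` finding. The parser keeps values as strings, so compare against `"true"`/`"false"` rather than booleans.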
Quote:
Inq.
I found a way to do this without anything to be done at the command line: exclude the users concerned from the user group that has access to the Policy Server on the gateway. In NG R56 AI, you edit the firewall object, go to Authentication, and look in the "Policy Server" section. The "Users" field there shows the user group that will be able to download a policy. If you have users that you want NOT to get a firewall, simply make sure they're not in this group. My guess is that this is how Check Point intended it to be done. Office Mode assignments still work, as do topology updates. ASD downloads do not; but then since we have two different SC builds that's how we want it - we only publish updates for the firewalled SC package.

JR

Last edited by jrdld; 2007-11-08 at 09:32.