| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hello Folks,

I am a complete newbie to Check Point hardware and software, and find myself managing a VPN through a Check Point VPN-1 Edge. I apologise if I have put this in the wrong forum.

The firewall is managed centrally through a SmartCenter at our head office, but I do have access to the SmartCenter if required.

My question relates to domain authorisation. It seems that my remote workers authenticate with the Edge, but are required to authenticate again whenever they try to access a share on the LAN. Whenever I try it I am told by the VPN client that a domain controller could not be found.

I tried to use Secure Domain Logon, and have selected the "use dial-up" box (as we connect using 3G cards), but the connection fails every time saying I am not connected to the network. I then log on to the laptop remotely with cached credentials, and manually connect to the 3G network and the VPN. I can reach the network shares but have to use a local user account rather than a domain user name to authenticate.

Any ideas?
| |||
For SDL to work on a wireless connection (or any connection for that matter) the network connection needs to be up BEFORE login. This isn't normally a problem for wired connections, but most wireless and AFAIK all cell modems will not connect before login nor stay connected after a logout.

That said, if your remotes are domain members, you should be able to log in with cached credentials and life should still be good (at least that's how it's working for me). Make sure your users are logging into the domain and not the local system, which is what it sounds like to me.
| |||
chillyjim,

Thanks for your reply. I am not sure what you mean by "local system", so below is what the users do in detail, along with some setup information on the Check Point box.

1) Log in to laptop using cached domain credentials
2) Connect to 3G network
3) Connect to VPN using SecureClient and different credentials set up in the Check Point
4) (An example) launch Outlook and log in using domain credentials, or
5) (Another example) open network share and log in using local credentials, i.e. server/username rather than domain/username

The Check Point is set to use Office Mode, but the IP range allocated is not within the normal DHCP range used by the server. I suspect this is a problem, as in effect they are on a different subnet: xxx.xxx.34.xxx is used on the LAN, xxx.xxx.35.xxx is used through the Check Point.

Any further suggestions or advice would be gratefully appreciated.

Thanks,
Ian