Integrity Clientless Security: Getting Started Guide
1-0NNN-0410-2006-11-06 (EA)
© 2006 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their
use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by
any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
TRADEMARKS:
All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL,
Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1
SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension,
OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform,
SecuRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security,
SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter,
SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority,
VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX,
Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check
Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of
their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and
6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.
Contents
Chapter 1 Integrity Clientless Security 4.1
Welcome ............................................................................. 9
In This Guide ....................................................................... 10
Integrity Clientless Security 4.1 Documentation ...................... 10
Chapter 2 Introduction
Overview ............................................................................ 11
Product CD-ROMs ................................................................ 11
For New Check Point Customers ............................................ 12
What’s New in ICS 4.1 .......................................................... 12
Support For Microsoft Internet Information Services (IIS) ........ 12
Linux and Macintosh support ................................................. 12
Enhanced Antivirus Applications Support ............................... 13
Enhanced Firewall Applications Support ................................. 13
Redesigned Scanner Policy Configuration ............................... 13
Secure Workspace Policy Configuration .................................. 14
Secure Workspace Bypass Option ........................................... 14
Enhanced Reporting Database Performance ............................ 14
Filtering ............................................................................. 14
Improved Anti-keylogger Reporting ....................................... 14
Welcome
Thank you for choosing Check Point’s Integrity Clientless Security. We hope that you will be
satisfied with this solution and our support services. Check Point products provide your
business with the most up-to-date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional
and support services through a network of Authorized Training Centers, Certified Support
Partners and Check Point technical support personnel to ensure that you get the most out of
your security investment.
In order to extend your organization’s growing security infrastructure and requirements, we
recommend that you consider adopting the OPSEC platform (Open Platform for Security).
OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners
and the largest selection of best-of-breed integrated applications and deployment platforms.
For additional information on Integrity Clientless Security and other security solutions, refer
to: http://www.checkpoint.com or call Check Point at 1(800) 829-8391. For additional
technical information, refer to: http://support.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future
network, application and management security needs.
In This Guide
This guide provides a brief overview of the Integrity Clientless Security application and
installation procedures.
Overview
ICS is a Check Point product that provides unmanaged endpoints with protected, secure
access to your network. ICS provides fully integrated and centrally managed spyware
blocking, complete session confidentiality, and comprehensive security policy enforcement.
ICS 4.1 provides support for Windows, Linux, and Macintosh endpoints, allows use of a wider
range of Antivirus and firewall applications, and provides an enhanced Secure Workspace
application for endpoint computers.
Product CD-ROMs
The NGX R62 media pack contains the following [nn] CD-ROMs:
Filtering
ICS Reports pages now provide filtering capabilities.
ICS Terminology
[Reviewers: please feel free to suggest any terms that should be defined here.]
Prerequisites
Before you begin, make sure your system meets the following requirements:
Your gateway must be set up and functioning normally, and users must be able to connect
to your gateway
CGI script execution must be enabled on your Web server
Systems Requirements
This section outlines the server and endpoint computer requirements and other prerequisites.
Server Requirements
Linux Requirements
Linux Kernel 2.4
Debian GNU/Linux 3.1
Fedora Core 4
Novell Linux Desktop 9.1
Intel x86 32-bit compatible processor
400 MHz Pentium II CPU
64 MB RAM
20 MB of available hard-disk space
Apache 1.3, 2.0, or later, with the following modules enabled:
mod_cgi
mod_rewrite
mod_auth (1.3 and 2.0 only)
mod_auth_basic (2.2 and later only)
mod_authn_file (2.2 and later only)
Windows Requirements
Windows 2000 Server or Windows 2003 Server
Intel x86 32-bit compatible processor
400 MHz Pentium II
256 MB RAM
20 MB of available hard-disk space
One of the following Web servers:
Apache 1.3, 2.0, or later with the following modules enabled:
mod_cgi
mod_rewrite
mod_auth (1.3 and 2.0 only)
mod_auth_basic (2.2 and later only)
mod_authn_file (2.2 and later only)
Microsoft Internet Information Services (IIS) 5.0 or 6.0
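Both the Linux and the Windows requirements above name the same Apache modules, and the set differs by Apache version. The following shell script is an added example (not part of the Check Point guide) that checks a host against that list before you run the installer: it takes the Apache version and the module listing printed by httpd -M (Apache 2.x) or httpd -l (Apache 1.3) and reports any required module that is not loaded. The module listing used below is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: report which of the Apache
# modules that ICS requires are not present on this host.
# Input: the Apache version (major.minor) and the module listing printed by
# `httpd -M` / `apachectl -M` on Apache 2.x ("cgi_module (shared)" per line)
# or by `httpd -l` on Apache 1.3 ("mod_cgi.c" per line).

# required_modules VERSION
# Print the modules ICS requires for that Apache version, one per line
# (mod_auth on 1.3/2.0; mod_auth_basic and mod_authn_file on 2.2 and later).
required_modules() {
    case "$1" in
        1.3|2.0) printf '%s\n' mod_cgi mod_rewrite mod_auth ;;
        *)       printf '%s\n' mod_cgi mod_rewrite mod_auth_basic mod_authn_file ;;
    esac
}

# missing_modules VERSION LISTING
# Print each required module absent from LISTING. Returns 0 when nothing is
# missing, 1 otherwise, so it can gate the rest of an install script.
missing_modules() {
    version=$1
    listing=$2
    rc=0
    for mod in $(required_modules "$version"); do
        short=${mod#mod_}          # mod_cgi -> cgi, listed as "cgi_module" by httpd -M
        if ! printf '%s\n' "$listing" \
             | grep -qE "^[[:space:]]*(${short}_module|${mod}\.c)([[:space:]]|$)"; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: `httpd -M` output from an Apache 2.2 host on which
# mod_rewrite was never loaded.
SAMPLE_LISTING_2_2='Loaded Modules:
 core_module (static)
 cgi_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 dir_module (shared)'

missing_modules 2.2 "$SAMPLE_LISTING_2_2" \
    || echo "Enable the module(s) listed above before installing ICS."
```

On a real host, replace the constructed listing with `"$(httpd -M 2>/dev/null)"` (or `apachectl -M`); on Apache 1.3, which has no -M switch, pass `"$(httpd -l)"` instead.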
Endpoint Requirements
For endpoint computers to be successfully serviced by Integrity Clientless Security, they must
meet the endpoint requirements outlined in this section. When a user tries to access your
gateway without the proper browser or settings, an error message is displayed detailing the
browser requirements. You can choose to allow access for endpoint computers that do not
meet your requirements, however, those computers will not be serviced by ICS.
Supported Browsers
Internet Explorer 5.5 or later, configured to allow cookies and to run ActiveX components,
with either Sun Java applets or the Microsoft Java VM enabled.
Mozilla Firefox 1.0 or later, configured to allow cookies, with Sun Java applet support
enabled
Netscape Navigator 8.0 or later, configured to allow cookies, with Sun Java applet support
enabled
Firefox 1.0.4 or later, configured to allow cookies, with Sun Java applet support enabled
(Linux only)
Konqueror browser (latest version available for the distribution; Linux only)
Safari browser, configured to allow cookies, with Sun Java applet support enabled
(Macintosh only)
Java Requirements
ICS supports two Java implementations. Endpoint computers must have one of the following
to be serviced by ICS:
Microsoft JVM version 5.5.3810.0 or higher
Sun JRE version 1.4.2 or higher
Integrity Security Scanner cannot scan endpoint computers running Java Runtime
Environment versions 1.4.2_07 through 1.4.2_10 with Firefox or Netscape Web
browsers.
Other Prerequisites
Before installing ICS, you must already have configured the Web site you are going to protect.
Test that your users can reach the Web site before you begin to implement ICS; if access
does not work without ICS, it will not work with it either.
The ICS server software must be installed on the same physical server computer as the Web
server. For Windows gateway servers ensure that your server machine name does not include
the “_” character. If your gateway server has a “_” character in its name, Internet Explorer
browsers will not process cookies sent from that server.
If you will need to create a new authorization account for ICS administration, make sure
that the appropriate utility for managing password files is accessible on the server.
It is recommended that you configure your Web server so that ICS administration pages are
only accessible using the HTTPS protocol.
The full URL to the gateway you want to protect, in the form of http://server:port/
path_to_gateway.
The full URL to the ICS Web location, in the form of http://server:port/path. The
Server name or IP should be the same as for the gateway. Be sure to make note of the
location you specify here. You will later use this URL to access the Administrator
Console.
These URLs may be entered as command line parameters if you are running the install
script from a batch file. The command line of the installation script is then:
install.sh | install.exe [portal_url URL] [ics_url URL], where portal_url and ics_url are
the parameter names and URL is the corresponding URL in the form given above.
4. Set your password.
The default authorization for the ICS configuration scripts is saved in the ics_server/bin/data/
.htpasswd file. The installation default username and password are both icsadm
(icsadm/icsadm). Change them in this file as soon as possible, using the appropriate utility
for managing password files.
5. Add the contents of ics_server/ics-apache.conf to your Apache Web server configuration
file (usually httpd.conf).
Either use the include directive or copy the ics-apache.conf file to the folder that was
automatically included by Apache during configuration.
If Virtual Host entries are set up in your Apache configuration, then you must add
the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual
Host entry that corresponds to a portal you are going to protect with ICS.
If you install more than one ICS server on a single Apache server, you must modify
the ics-apache.conf files generated by the installers. The check-prg identifier in the line
RewriteMap check-prg prg:/path/to/filter
must be unique for each ICS server, and the same identifier must be used within that file in
the line
RewriteRule ^(/path/to/portal.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
If you do not do this, the settings you configure on the additional ICS servers will not
take effect.
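The two conditions in this step (the RewriteMap identifier must match the one referenced by the RewriteRule, and no identifier may be shared between ICS servers on one Apache) are easy to get wrong when editing generated files by hand. The following shell script is an added example, not the guide's or the installer's own code, that validates a set of ics-apache.conf snippets before you include them. The snippet contents, the filter paths and the RewriteEngine On first line are constructed for the example; the real files come from the ICS installer.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide or the ICS installer:
# validate ics-apache.conf snippets before including them in httpd.conf.
# Each snippet must use the same map identifier in its RewriteMap line and in
# its RewriteRule, and no two ICS servers on one Apache may share an identifier.

# map_name FILE: the identifier declared by "RewriteMap <name> prg:/path"
map_name() {
    awk '$1 == "RewriteMap" { print $2; exit }' "$1"
}

# rule_map FILE: the identifier referenced as ${<name>:...} in the RewriteRule
rule_map() {
    awk '$1 == "RewriteRule" && match($0, /\$[{][^:}]+:/) {
             print substr($0, RSTART + 2, RLENGTH - 3); exit
         }' "$1"
}

# check_ics_confs FILE...: print every problem found; return 0 only if all
# snippets are self-consistent and their identifiers are pairwise distinct.
check_ics_confs() {
    seen=" "
    rc=0
    for f in "$@"; do
        m=$(map_name "$f")
        r=$(rule_map "$f")
        if [ -z "$m" ] || [ "$m" != "$r" ]; then
            echo "$f: RewriteMap identifier '$m' is not the one used by RewriteRule ('$r')"
            rc=1
        fi
        case "$seen" in
            *" $m "*) echo "$f: identifier '$m' is already used by another ICS server"; rc=1 ;;
        esac
        seen="$seen$m "
    done
    return $rc
}

# Constructed snippets standing in for two installer-generated files.
# The filter paths and the RewriteEngine line are assumptions for the example.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ics-apache-1.conf" <<'EOF'
RewriteEngine On
RewriteMap check-prg prg:/srv/ics_server1/bin/filter
RewriteRule ^(/portal1.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
EOF
# Second server: the map was renamed, but the rule still references the old name,
# so this server's ICS settings would silently never take effect.
cat > "$tmp/ics-apache-2.conf" <<'EOF'
RewriteEngine On
RewriteMap check-prg2 prg:/srv/ics_server2/bin/filter
RewriteRule ^(/portal2.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
EOF

check_ics_confs "$tmp/ics-apache-1.conf" "$tmp/ics-apache-2.conf" \
    || echo "Fix the snippets above before adding them to httpd.conf."
```

Run it with the real paths of every ics-apache.conf you intend to include; it exits non-zero on the first inconsistent or duplicated identifier, so it can be placed ahead of the Apache restart in a deployment script.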
Perform this step using cmd.exe; do not perform it from the Windows GUI.
6. Grant read/write permissions for the ics_server\bin\data directory to the following IIS
accounts:
Account responsible for CGI applications
Administrator account that you want to make responsible for the ICS portal.
This step allows ICS CGI scripts to access the \bin\data directory.
7. Grant write permissions for the ics_server\components directory to the following IIS
accounts:
Account responsible for CGI applications
Administrator account that you want to make responsible for the ICS portal.
This step allows ICS CGI scripts to access the \components directory.
8. Establish authentication so that only the administrator account responsible for the ICS
portal has Read and Execute permissions for the following CGI scripts and HTML pages:
/bin/ctool.cgi
/bin/report.cgi
/ctool/ctoolx.html
/ctool/swsx.html
Anonymous access should be disabled for these CGI scripts and HTML pages.
9. If you are running Internet Information Services version 6.0, perform the following
additional steps (they do not apply to IIS 5.0):
a. Add ICS4 as a new Web Service Extension, and set the following Web extension
permissions to allowed:
\bin\ctool.cgi
\bin\report.cgi
\bin\translator.cgi
\bin\ics_filter.dll
b. Enable the .tpl file extension with a MIME type of text/plain for your Web site in IIS
Manager.
10. Restart the Internet Information Services server to apply the ICS settings.
To upgrade ICS from release 4.0 or 4.0 HFA1 to the current release version
1. Stop your Web server application.
2. Stop all running instances of the report.cgi application.
3. Remove the ISAPI filter for ICS from your Web Site properties (IIS only).
4. Copy policy.xml from /bin/data to a temporary directory.
5. Extract the files to the directory where you want to install ICS.
6. Install the current version of ICS, using the appropriate instructions for your Web server
application:
For Apache installation instructions, see “Installation Process for Apache,” on page
19.
For Internet Information Services, see “Installation Process for Internet Information
Services (IIS),” on page 21.
7. Copy policy.xml from the temporary directory to /bin/data.
8. Change directories to ics_server/bin and perform the appropriate command for your
operating system:
Linux: db_upgrade.sh
Windows: report.cgi convert
This step updates the scan reporting database report.db. This process may last up to
several hours, depending on your server hardware and the size of the report database.
For Internet Information Services, see “Installation Process for Internet Information
Services (IIS),” on page 21.
The protected gateway URL must be the same as the one protected by the ICS 3.7
installation.
7. Move the enforcement_rules.xml file from the temporary directory where you saved it to
the ics_server/ctool directory.
This step does not migrate anti-spyware rules; you must recreate them in the
Administrator console.
8. Open the ICS Administrator console.
You will receive a message stating that the old policy has been found and that it will be
migrated.
9. Perform the following steps:
a. Open the Policy Manager page and check that your saved policies have been copied
over correctly.
Due to restrictions in the Custom Rules format in ICS 4.1 (such as file path and
registry format), some rules that were valid in ICS 3.7 may be invalid in ICS 4.1. If
you created your own enforcement rules in ICS 3.7 and imported them into ICS 4.1,
those rules must be recreated and saved in the ICS 4.1 Enforcement Rules page.
b. Click Gateway Configuration, then click Save Configuration.
c. Close the ICS Administrator console.
d. Change directories to ics_server/ctool and remove the enforcement_rules.xml file.
Uninstallation Process
Use the following instructions to uninstall ICS.
To uninstall ICS
1. Stop the Web server.
2. Stop all running instances of report.cgi.
3. If you are running Apache Web server, remove the ics-apache.conf configuration from
apache configs (from httpd.conf or automatically included subfolders).
d. Remove the .tpl file extension MIME type which you created for ICS (for IIS 6.0
only).
5. Delete the ics_server folder.
6. Restart the Web server.
Reconfiguration Processes
If needed, you can use parameters to reconfigure ICS after the initial installation. Use the
reconfiguration parameters to:
Configure ICS to receive software updates. See “Configuring ICS to receive software
updates,” on page 25.
Move ICS to another server. See “Moving ICS to another server,” on page 26.
Change the protected gateway. See “Changing the protected gateway,” on page 26.
Relocate the Administrator Console. See “Relocating the Administrator Console,” on page 27.
4. Ensure that the Apache Web server has read permission for cp.lic.
If Virtual Host entries are set up in your Apache configuration, then you must add
the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual
Host entry that corresponds to a portal you are going to protect with ICS.
3. If you are using Internet Information Services, restart the Web server.
2. If you are using Apache, add the contents of the new ics-apache.conf file to the Apache
Web server configuration file.
Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was
automatically included by Apache during configuration.
If Virtual Host entries are set up in your Apache configuration, then you must add
the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual
Host entry that corresponds to a portal you are going to protect with ICS.
3. If you are using Internet Information Services, restart the Web server.
Check Point documentation is also available in PDF format on the Check Point CD and the
Technical Support download site at:
http://www.checkpoint.com/support/technical/documents
Be sure to also use the Check Point Online Help when you are working with the ICS
Administrator Console.
For additional technical information about Check Point products, consult Check Point’s
SecureKnowledge at:
https://secureknowledge.checkpoint.com