000020193 - How to set up Check Point Firewall-1 using Check Point ClusterXL High Availability software to authenticate to RSA ACE/Server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000020193
Applies To: RSA ACE/Server 5.0.3 (no longer supported as of 8-15-2004)
RSA ACE/Agent 4.4.3
Microsoft Windows 2000
Check Point Firewall-1 NG Feature Pack 3
Check Point ClusterXL
Check Point ClusterXL is a software-based load sharing and high availability solution for Check Point gateway deployments.
Issue: How to set up Check Point Firewall-1 using Check Point ClusterXL High Availability software to authenticate to RSA ACE/Server
Both firewalls have an ACE/Agent installed on them.
Both firewalls share one main virtual (cluster) IP address and hostname.
Both firewalls also have their own host IP addresses and names:

Firewall Machine 1:
                xxx.xxx.xxx.xxx                firewall1-int
                xxx.xxx.xxx.xxx                firewall1-dmz
                xxx.xxx.xxx.xxx                firewall1-ext

Firewall Machine 2:
                xxx.xxx.xxx.xxx                firewall2-int
                xxx.xxx.xxx.xxx                firewall2-dmz
                xxx.xxx.xxx.xxx                firewall2-ext
RSA ACE/Server can only see the firewalls' internal NICs.
Resolution: Follow these steps to implement this solution:

1. Define an Agent Host in the RSA ACE/Server database with the cluster details (virtual name and IP address) as the primary. Then add secondary nodes for the other NICs.

2. On both firewalls, add the cluster IP address into the 'IP Address Override' field so the ACE/Agent will use this IP address for node secret creation. For further information on how to do this, please see the solution titled How to override the primary address with RSA ACE/Agent 4.4 for Windows NT.

3. Perform a successful authentication going through the primary firewall.

4. Copy the whole 'ACECLIENT' registry key from 'HKEY_LOCAL_MACHINE\SOFTWARE\SDTI' on the primary firewall machine to 'HKEY_LOCAL_MACHINE\SOFTWARE\SDTI' on the secondary firewall machine.

5. Reboot the secondary firewall machine to ensure the registry changes are committed.

You can now test this by stopping the Check Point Firewall services on the Primary machine and then authenticating with the Secondary machine.
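Before the failover test, it is worth confirming that step 4 actually left both cluster members with an identical ACECLIENT key, since a value that was missed or edited on one node only shows up as a failed authentication after the primary is stopped. The script below is an added example, not part of the RSA article or the ACE/Agent product: it reads HKLM\SOFTWARE\SDTI\ACECLIENT on both firewalls over the Remote Registry service from an administrative workstation and reports which value names differ, without printing the values themselves. The host names are placeholders taken from the article's naming scheme.

```powershell
# Added example: compare the ACECLIENT registry key on both ClusterXL members.
# Assumes the Remote Registry service is reachable on both hosts and the caller
# has administrative rights. Host names are placeholders.
param(
    [string]$Primary   = 'firewall1-int',
    [string]$Secondary = 'firewall2-int'
)

$KeyPath = 'SOFTWARE\SDTI\ACECLIENT'   # key the article says to copy in step 4

function Get-AceClientValues {
    param([string]$ComputerName)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $key = $base.OpenSubKey($KeyPath)
    if (-not $key) { throw "HKLM\$KeyPath not found on $ComputerName" }
    $values = @{}
    foreach ($name in $key.GetValueNames()) {
        $v = $key.GetValue($name)
        # Render REG_BINARY data as hex so it compares as a string
        if ($v -is [byte[]]) { $v = ($v | ForEach-Object { $_.ToString('x2') }) -join '' }
        $values[$name] = [string]$v
    }
    $key.Close(); $base.Close()
    return $values
}

$p = Get-AceClientValues -ComputerName $Primary
$s = Get-AceClientValues -ComputerName $Secondary

# Union of value names on both nodes; report only names, never contents
$names = (@($p.Keys) + @($s.Keys)) | Sort-Object -Unique
$drift = 0
foreach ($n in $names) {
    if (-not $p.ContainsKey($n))     { Write-Warning "$n exists only on $Secondary"; $drift++ }
    elseif (-not $s.ContainsKey($n)) { Write-Warning "$n exists only on $Primary"; $drift++ }
    elseif ($p[$n] -ne $s[$n])       { Write-Warning "$n differs between the two nodes"; $drift++ }
}
if ($drift -eq 0) { Write-Output "ACECLIENT key matches on both cluster members" }
else { Write-Output "$drift value(s) differ; repeat step 4 before the failover test" }
exit $drift
```

A non-zero exit code means the secondary node does not carry the same agent configuration as the primary, so the failover test would be testing a different agent state.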
Legacy Article ID: a15360
