Supporting A Zone Labs Integrity Server; Overview Of Integrity Server And Security Appliance Interaction - Cisco PIX 500 Series Configuration Manual

Chapter 13
Configuring AAA Servers and the Local Database
Note: If the primary DN field is not present in the certificate, the security appliance uses the secondary DN field value as the username for the authorization request.
For example, consider a user certificate that contains the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com
If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the
username used in the authorization request would be anyuser@example.com.

Supporting a Zone Labs Integrity Server

This section introduces the Zone Labs Integrity Server, also called Check Point Integrity Server, and
presents an example procedure for configuring the security appliance to support the Zone Labs Integrity
Server. The Integrity server is a central management station for configuring and enforcing security
policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity
Server, it will not be granted access to the private network protected by the Integrity Server and security
appliance.
This section includes the following topics:

Overview of Integrity Server and Security Appliance Interaction, page 13-17
Configuring Integrity Server Support, page 13-18

Overview of Integrity Server and Security Appliance Interaction

The VPN client software and the Integrity client software are co-resident on a remote PC. The following
steps summarize the actions of the remote PC, security appliance, and Integrity server in the
establishment of a session between the PC and the enterprise private network:

1. The VPN client software (residing on the same remote PC as the Integrity client software) connects to the security appliance and tells the security appliance what type of firewall client it is.
2. Once it approves the client firewall type, the security appliance passes Integrity server address information back to the Integrity client.
3. With the security appliance acting as a proxy, the Integrity client establishes a restricted connection with the Integrity server. A restricted connection is only between the Integrity client and server.
4. The Integrity server determines if the Integrity client is in compliance with the mandated security policies. If the client is in compliance with security policies, the Integrity server instructs the security appliance to open the connection and provide the client with connection details.
5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that policy enforcement should begin immediately and the client can now enter the private network.
6. Once the connection is established, the server continues to monitor the state of the client using client heartbeat messages.

Note: The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.

OL-12172-03
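The six-step admission flow and the one-active-server note, modelled as a small state machine. This is an added illustration, not Cisco's or Zone Labs' code: the class and method names, the "integrity" firewall-type string, the policy-check callback and the heartbeat window are assumptions made for the example.

```python
# Added model of the admission flow described above; not Cisco code. Names, the
# firewall-type string, the policy callback and heartbeat window are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
MAX_SERVERS = 5        # the user interfaces accept up to five Integrity servers...
HEARTBEAT_WINDOW = 3   # ...but only one is active; window is a constructed value

@dataclass
class Session:
    client_id: str
    state: str = "restricted"   # restricted -> open | denied | dropped
    last_heartbeat: int = 0

class IntegrityGateway:
    def __init__(self, servers: List[str], compliant: Callable[[str], bool]):
        if not 1 <= len(servers) <= MAX_SERVERS:
            raise ValueError("configure between 1 and 5 Integrity servers")
        self.servers, self.active = servers, servers[0]
        self.compliant = compliant   # stands in for the Integrity server's policy check
        self.sessions: Dict[str, Session] = {}

    def connect(self, client_id: str, firewall_type: str) -> Optional[str]:
        """Steps 1-2: client announces its firewall type; approved types get the server address."""
        if firewall_type != "integrity":
            return None              # unapproved firewall client: no address, no session
        self.sessions[client_id] = Session(client_id)
        return self.active

    def proxy(self, client_id: str, dest: str, now: int) -> str:
        """Steps 3-5: restricted clients reach only the Integrity server; its verdict opens or denies."""
        s = self.sessions[client_id]
        if s.state == "open":
            return "forwarded"       # already admitted to the private network
        if s.state != "restricted" or dest != self.active:
            return "blocked"
        s.state = "open" if self.compliant(client_id) else "denied"
        s.last_heartbeat = now
        return s.state

    def heartbeat(self, client_id: str, now: int) -> str:
        """Step 6: the server keeps monitoring; a missed heartbeat window drops an open session."""
        s = self.sessions[client_id]
        if s.state == "open" and now - s.last_heartbeat > HEARTBEAT_WINDOW:
            s.state = "dropped"
        elif s.state == "open":
            s.last_heartbeat = now
        return s.state

    def failover(self) -> str:
        """Per the Note: the next configured server becomes active and clients must reconnect."""
        self.active = self.servers[(self.servers.index(self.active) + 1) % len(self.servers)]
        self.sessions.clear()
        return self.active
```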
Cisco Security Appliance Command Line Configuration Guide
13-17