how to configure nokia mobile vpn

8/22/2019 How to Configure Nokia Mobile VPN

http://slidepdf.com/reader/full/how-to-configure-nokia-mobile-vpn 1/22

Nokia Mobile VPN

How to Configure Nokia

Mobile VPN

For Check Point NGX with Chal lenge-

Response Authent icat ion



Table of ContentsIntroduction......................................................................................................................................................................................3 Configuring remote client access using challenge-response authentication............................................................................4

General settings............................................................................................................................................................................4 Configure a new user group and a new user............................................................................................................................5 Configure a VPN remote-access community..............................................................................................................................9 Export INTERNAL_CA certificate.................................................................................................................................................11 Configure VPN remote-access firewall rules............................................................................................................................13 Configuring Office Mode............................................................................................................................................................16

Policy creation with the Policy Tool using exported CA certificate...........................................................................................21



Introduction This best-practices document describes how to configure Nokia Mobile VPN Client manually (without a separate devicemanagement product) using a challenge-response authentication method in the Check Point NGX R65 environments.For more details on how to use Nokia Mobile VPN Client, error code documents, and the policy format document, pleasego to http://www.nokiaforbusiness.com/>Security products >Nokia Mobile VPN >Resources.

The assumption is that Check Point NGX, Check Point SmartDashboard, and Mobile VPN Client have been installed, andall post-installation tasks have been completed before continuing with the steps listed below. After completing thesesteps, remember to save the configurations before exiting the tool.



Configuring remote client access using

challenge-response authentication

General settings

First, the administrator must activate VPN and enable Nokia Mobile VPN Client-specific features in Check Point NGX.

Start by right-clicking on the gateway object and click Edit. The gateway’s General Properties dialog box will open.

Under Check Point Products, place a check mark on the VPN item. Click OK to close the dialog.



Click on the Policy menu and select Global Properties; the Global Properties dialog will open.

In the Global Properties dialog, navigate to the Remote Access ->VPN Basic item in the tree pane. Make sure that”Support Legacy Authentication for SC (hybrid mode)” and ”Support remote access VPN using Nokia clients” areenabled. Click OK to close the dialog.

Configure a new user group and a new user

The next task is to create a new user group and add a user to that group.



Create a new user group by going to User Groups and selecting New Group.

Give a name to the new group and press OK.



Go to the Users tab. Right-click on the Users icon and select New User and then Default.

In the Log-in Name text box, enter a log-in name for the new user.

Move to the Groups tab. Select the Cr_users group and click Add to bring it to the Belongs to Groups list.



Move to the Authentication tab. From the Authentication Scheme list, select Check Point Password.

Move to the Encryption tab. Make sure that there is a check mark in the IKE item. Click Edit.

Clear the Public Key if it is enabled. Click OK to close all dialogs.



Configure a VPN remote-access community

Now the administrator needs to add the Cr_users group to the RemoteAccess VPN community.

Open the Manage menu and select VPN Communities.

Select RemoteAccess and click Edit.

Click Participating Gateways and click Add to select the gateway.



Select the gateway and click OK.

Go to the Participant User Groups and click Add.

Select Cr_users and click OK.



Export INTERNAL_CA certificate

A CA certificate is needed by Nokia Mobile VPN Client when doing challenge-response authentication.

Open the Manage menu; select Servers and OPSEC.

Select ”internal_ca” and click Edit.

Go to the Local SmartCenter Server tab and click Save As. A dialog will open.



Enter a suitable file name and select the location for saving the internal CA certificate. This file is needed for the MobileVPN Client and its policy.



Configure VPN remote-access firewall rules

Add and edit a couple of firewall rules. In the screenshot above, a few network objects are already defined but they arenot referred to in the following firewall rule examples. By default, ”Any” is used to describe any network, whethersource or destination.

Here is a sample of some completed firewall rules for VPN use. The first and last rules are optional. They are here toFilter out the clutter of log entries and provide a clean and secure Cleanup that will block any traffic not matching thesecond rule. The second rule is the important one.

Edit the Source field of the VPN rule by right-clicking it and select Add Users Access.



Select the Cr_users group; make sure the Location is set to ”No restriction.” Click OK to close the dialog.

Right-click the VPN field and select Edit Cell.

Select ”Only connections encrypted in specific VPN Communities.” Click Add.



Select RemoteAccess and click OK.

Click OK to close the dialog.



Configuring Office Mode

To get an internal address for Nokia Mobile VPN Client, Office Mode must be activated in the Check Point gateway.Follow these steps.

Select Manage from the main menu and click Network Objects.

Select New… ->Network.



In the Network Properties dialog, add a name to the Office Mode IP pool, define the actual IP address for that pool, andpress OK.

To add DNS server address, click New. Then select “Node” ->“Host…”



Enter the name of the DNS server object and it’s IP address.

This will be handed out to VPN client when internal addressing is used, enabling internal network DNS resolution.

Click OK to close the Host Node dialog. Both of the network objects appear in the list.

Click OK to close the Network Objects dialog.

Select the gateway, do a right-click, and select Edit.



From the gateway configuration window, select Remote Access ->Office Mode. Click “Allow Office Mode to all users.” Then select the Manual office mode method, select the Office Mode pool that was created in the previous step.

Click “Optional Parameters…” button.

Enable Primary DNS Server by placing a check mark there and in the pull-down menu, select the previously created DNSserver host object.



In the IP Lease Duration, enter the amount in minutes that the client internal addresses are valid before they arerenewed. This could be for example 60 minutes.

Click OK to close the dialog IP Pool Optional Parameters dialog..

Click OK to close the Check Point gateway properties dialog.



Policy creation with the Policy Tool using

exported CA certificate

It is time to configure the Nokia Mobile VPN Client to match the VPN policy that was created in Check Point NGX. StartNokia VPN Client Policy Tool and press the Load Template button. Select Check_Point_NGX_R65_crack.pol policy from theCheck Point directory. Then add the correct VPN gateway address and get a path to the CA certificate. Make sure thatthe Format in the Certificate Authority selection is set to BIN. The identity value field can be left empty.

Export the VPN policy by pressing the Generate VPN Policy button. Store Check_Point_NGX_R65_crack.vpn to your PC;consult theNokia Mobi le VPN Cli ent User’ s Guide , Chapter 6.1, for details on how to install the given policy file to yourdevice.



Work together. Smarter.

Nokia Inc.Nokia Inc.Nokia Inc.Nokia Inc. 102 Corporate Park Drive, White Plains, NY 10604 USA

AmericasAmericasAmericasAmericas Tel: 1 877 997 9199 • Email: [email protected]

Asia PacificAsia PacificAsia PacificAsia Pacific Tel: +65 6588 33 64 • Email: [email protected]

EuropeEuropeEuropeEurope France +33 170 708 166 • UK +44 161 601 8908 • Email: [email protected]

Middle East and AfricaMiddle East and AfricaMiddle East and AfricaMiddle East and Africa Dubai +971 4 3697600 • Email: [email protected]

Legal Notice

Reproduction, transfer, distribution or storage of part or all of the contents in this document in any form without the prior writtenpermission of Nokia is prohibited.

Nokia and Nokia Connecting People are trademarks or registered trademarks of Nokia Corporation. Other product and company namesmentioned herein may be trademarks or tradenames of their respective owners.

Nokia operates a policy of continuous development. Nokia reserves the right to make changes and improvements to any of the

products described in this document without prior notice.

Under no circumstances shall Nokia be responsible for any loss of data or income or any special, incidental, consequential or indirect

damages howsoever caused.

The contents of this document are provided “as is”. Except as required by applicable law, no warranties of any kind, either express or

implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation

to the accuracy, reliability or contents of this document. Nokia reserves the right to revise this document or withdraw it at any timewithout prior notice.

how to configure nokia mobile vpn

Documents