Integrity Clientless Security
1-0NNN-0410-2006-11-06 (EA)
Getting Started Guide
Version 4.1
© 2006 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
TRADEMARKS:
© 2006 Check Point Software Technologies Ltd.
All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.
Contents

Chapter 1 Integrity Clientless Security 4.1
    Welcome
    In This Guide
    Integrity Clientless Security 4.1 Documentation

Chapter 2 Introduction
    Overview
    Product CD-ROMs
    For New Check Point Customers
    What’s New in ICS 4.1
        Support For Microsoft Internet Information Services (IIS)
        Linux and Macintosh support
        Enhanced Antivirus Applications Support
        Enhanced Firewall Applications Support
        Redesigned Scanner Policy Configuration
        Secure Workspace Policy Configuration
        Secure Workspace Bypass Option
        Enhanced Reporting Database Performance
        Filtering
        Improved Anti-keylogger Reporting

Chapter 3 Getting Started
    ICS Terminology
    Prerequisites
    Systems Requirements
        Server Requirements
        Endpoint Requirements
        Other Prerequisites

Chapter 4 Installing and Reconfiguring ICS
    Installation Process for Apache
    Installation Process for Internet Information Services (IIS)
    Upgrade Installation Process
    Uninstallation Process
    Reconfiguration Processes
        Configuring ICS to receive software updates
        Moving ICS to another server
        Changing the protected gateway
        Relocating the Administrator Console
Chapter 1 Integrity Clientless Security 4.1
This chapter contains the following topics:
Welcome
In This Guide
Integrity Clientless Security 4.1 Documentation
Welcome
Thank you for choosing Check Point’s Integrity Clientless Security. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.
In order to extend your organization’s growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.
For additional information on Integrity Clientless Security and other security solutions, refer to: http://www.checkpoint.com or call Check Point at 1(800) 829-8391. For additional technical information, refer to: http://support.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.
In This Guide
This guide provides a brief overview of the Integrity Clientless Security application and installation procedures.
Integrity Clientless Security 4.1 Documentation
Technical documentation is available on your Integrity Clientless Security 4.1 CD-ROM at: cd_path_here. These documents can also be found at: http://www.checkpoint.com/support/technical/documents.
To find out about what's new in ICS 4.1, read the ICS 4.1 Release Notes.
For information on upgrading your current Check Point deployment, refer to the ICS Administration Guide.
Chapter 2 Introduction
This chapter contains the following topics:
Overview
Product CD-ROMs
For New Check Point Customers
What’s New in ICS 4.1
Overview
ICS is a Check Point product that provides unmanaged endpoints with protected, secure access to your network. ICS provides fully integrated and centrally managed spyware blocking, complete session confidentiality, and comprehensive security policy enforcement.
ICS 4.1 provides support for Windows, Linux, and Macintosh endpoints, allows use of a wider range of Antivirus and firewall applications, and provides an enhanced Secure Workspace application for endpoint computers.
Product CD-ROMs
The NGX R62 media pack contains the following [nn] CD-ROMs:
Table 2-1: CD1: In the Linux Directory
Linux Package Contains...
For New Check Point Customers
New Check Point customers can access the Check Point User Center in order to:
Manage users and accounts
Activate products
Get support offers
Open service requests
Search the Technical Knowledge Base
To access the Check Point User Center, go to:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
What’s New in ICS 4.1
The following section provides an overview of NGX R62 product enhancements.
Support For Microsoft Internet Information Services (IIS)
Integrity Clientless Security 4.1 now supports Microsoft IIS 5.0 and 6.0 Web servers.
Linux and Macintosh support
Linux and Macintosh endpoints are now supported by ICS, with the following exceptions:
No support for malware scans on Linux or Macintosh endpoints.
No support for antivirus checks on Macintosh endpoints.
Enhanced Antivirus Applications Support
ICS supports the following antivirus applications:
Kaspersky Antivirus for Linux
avast! Linux Home Edition for Linux
F-Secure Antivirus for Windows
Panda Anti-Virus for Windows
SOFTWIN BitDefender Antivirus for Windows
Zone Labs ZoneAlarm with Antivirus for Windows
AVG Antivirus Free Edition for Windows
Alwil Avast! Antivirus for Windows
NOD32 Antivirus for Windows
AVG Antivirus Free Edition for Linux
Enhanced Firewall Applications Support
ICS supports the following firewall applications:
Check Point Integrity Linux Agent for Linux
Redhat Linux built-in firewall for Linux
Mac OSX/Tiger built-in firewall for Macintosh
McAfee Personal Firewall for Windows
Computer Associates EZ Firewall for Windows
Windows XP Firewall for Windows
BlackICE PC Protection (BlackICE Defender) for Windows
Kerio Firewall for Windows
Outpost Personal Firewall for Windows
Norton Personal Firewall for Windows
Redesigned Scanner Policy Configuration
Policy configuration usability and performance have been improved. Policies are now configured locally in the administrator’s browser. A new Save Configuration button allows you to save the policy to the ICS server and applies all changes to ICS.
Secure Workspace Policy Configuration
A personal firewall feature is now available in Secure Workspace. It allows the ICS administrator to restrict Web sites that an endpoint can access during the session. You can use this feature to isolate an endpoint from the rest of a network and grant access only to the secured gateway.
Secure Workspace Bypass Option
You can now allow selected endpoint computers to bypass Secure Workspace, even if Secure Workspace is required by your security policy.
Enhanced Reporting Database Performance
Reporting database performance was significantly improved. ICS now supports up to 100,000 scans in a single database. The reporting database can now be extended up to 1Gb in size.
Filtering
ICS Reports pages now provide filtering capabilities.
Improved Anti-keylogger Reporting
The Anti-keylogger Report page now provides filtering and search capabilities. The report page layout was redesigned to be more user-friendly.
Chapter 3 Getting Started
This chapter contains the following topics:
Prerequisites
Systems Requirements
Server Requirements
Endpoint Requirements
Other Prerequisites
ICS Terminology
[Reviewers: please feel free to suggest any terms that should be defined here.]
Prerequisites
Before you begin, make sure your system meets the following requirements:
Your gateway must be set up and functioning normally and users must be able to connect to your gateway
You must have CGI scripts turned on
Systems Requirements
This section outlines the server and endpoint computer requirements and other prerequisites.
Server Requirements
Linux Requirements
Linux Kernel 2.4
Debian GNU/Linux 3.1
Fedora Core 4
Novell Linux Desktop 9.1
Intel x86 32-bit compatible processor
CPU 400 MHz Pentium II
RAM 64 Mb
20 Mb of available hard-disk space
Apache 1.3, 2.0, or later, with the following modules enabled:
mod_cgi
mod_rewrite
mod_auth (1.3 and 2.0 only)
mod_auth_basic (2.2 and later only)
mod_authn_file (2.2 and later only)
Windows Requirements
Windows 2000 Server or Windows 2003 Server
Intel x86 32-bit compatible processor
400 MHz Pentium II
RAM 256 Mb
20 Mb of available hard-disk space
One of the following Web servers:
Apache 1.3, 2.0, or later with the following modules enabled:
mod_cgi
mod_rewrite
mod_auth (1.3 and 2.0 only)
mod_auth_basic (2.2 and later only)
mod_authn_file (2.2 and later only)
Microsoft Internet Information Services (IIS) 5.0 or 6.0
Administrator Client Requirements
Internet Explorer 6.0 or later configured to allow cookies, run ActiveX components or Sun Java applets enabled or Microsoft Java VM enabled.
Mozilla Firefox 1.5 or later configured to allow cookies and Sun Java applets support enabled.
Endpoint Requirements
For endpoint computers to be successfully serviced by Integrity Clientless Security, they must meet the endpoint requirements outlined in this section. When a user tries to access your gateway without the proper browser or settings, an error message is displayed detailing the browser requirements. You can choose to allow access for endpoint computers that do not meet your requirements; however, those computers will not be serviced by ICS.
Supported Operating Systems
For information about allowing access for endpoint computers that are running unsupported operating systems see “Configuring ICS to fail open,” on page 23.
For Integrity Security Scanner:
Windows 98/ME
Windows NT4 SP6
Windows 2000
Windows XP
Mac OS X (spyware and AV detection not supported)
Linux based on kernel 2.4 (spyware detection not supported)
For Integrity Secure Workspace:
Windows 2000
Windows XP
For Advanced Anti-Keylogging:
Windows 2000
Windows XP
Java applet caching must be disabled.
Supported Browsers
Internet Explorer 5.5 or later configured to allow cookies, run ActiveX components or Sun Java applets enabled or Microsoft Java VM enabled.
Mozilla Firefox 1.0 or later configured to allow cookies and Sun Java applets support enabled
Netscape Navigator 8.0 or later configured to allow cookies and Sun Java applets support enabled
Firefox 1.0.4 or later configured to allow cookies and Sun Java applets support enabled (Linux only)
Konqueror browser (latest version available for distribution; Linux only)
Safari browser configured to allow cookies and Sun Java applets support enabled (Macintosh only)
Java Requirements
ICS supports two Java implementations. Endpoint computers must have one of the following to be serviced by ICS:
Microsoft JVM version 5.5.3810.0 or higher
Sun JRE version 1.4.2 or higher
Other Prerequisites
Before installing ICS, you must already have configured the Web site you are going to protect. You should perform tests to make sure that your users have access to the Web site. It is important to make sure that your users already have access to the Web site before you begin to implement ICS.
The ICS server software must be installed on the same physical server computer as the Web server. For Windows gateway servers ensure that your server machine name does not include the “_” character. If your gateway server has a “_” character in its name, Internet Explorer browsers will not process cookies sent from that server.
If you will need a new authorization account for ICS administration, you need to make sure the appropriate utilities are accessible.
It is recommended that you configure your Web server so that ICS administration pages are only accessible using the HTTPS protocol.
Java applet caching must be disabled.
Integrity Security Scanner cannot scan endpoint computers running Java Runtime Environment versions 1.4.2_07 through 1.4.2_10 with Firefox or Netscape Web browsers.
Chapter 4 Installing and Reconfiguring ICS
This chapter contains the following topics:
Installation Process for Apache
Installation Process for Internet Information Services (IIS)
Upgrade Installation Process
Uninstallation Process
Reconfiguration Processes
Where To From Here?
Installation Process for Apache
Use the following instructions to install your ICS Server on Apache HTTP Web server.
To install ICS on Apache HTTP Server:
1. Extract the files.
Extract the appropriate file to a dedicated ICS folder on the same server as the gateway you are going to protect. This folder must be accessible to the Apache server with read/write permissions. The ics_server sub-folder will be created automatically.
For Windows, use ics_4.1.zip
For Linux, use ics_4.1.tgz
2. Change directories to ics_server/bin/ and execute the appropriate installation script:
ics_server/bin/install.sh for Linux servers
ics_server/bin/install.exe for Windows servers
3. Follow the installation instructions.
When prompted, provide:
The full URL to the gateway you want to protect, in the form of http://server:port/path_to_gateway.
The full URL to the ICS Web location, in the form of http://server:port/path. The Server name or IP should be the same as for the gateway. Be sure to make note of the location you specify here. You will later use this URL to access the Administrator Console.
These URLs may be entered as command line parameters if you are running the install script from a batch file. The command line of the installation script has the following form: install.sh | install.exe [portal_url URL] [ics_url URL], where [portal_url] and [ics_url] are the parameter names and [URL] is the required form of the corresponding URL.
4. Set your password.
The default authorization for the ICS configuration scripts is saved in the ics_server/bin/data/.htpasswd file. The installation default for both the username and the password is icsadm. Change the username and password in this file as soon as possible, using the appropriate utility to manage password files.
5. Add the contents of ics_server/ics-apache.conf to your Apache Web server configuration file (usually httpd.conf).
Either use the include directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.
6. Restart the Apache server to apply the ICS settings.
On Linux servers, use the appropriate command. For example: /etc/init.d/httpd restart.
On Windows servers, use the Apache administration console or restart the service manually using the list of system services.
If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.
If you install more than one ICS server on a single Apache server, you must modify the ics-apache.conf files generated by the installers. The check-prg identifiers at line RewriteMap check-prg prg:/path/to/filter must be unique for each ICS server.
For example, check-prg1, check-prg2, and check-prg3.
You must use the same identifier within the file, at line 'RewriteRule ^(/path/to/portal.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]'.
If you do not do this, the settings you configure on the additional ICS servers will not take effect.
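The uniqueness and same-identifier requirements above can be checked before Apache is restarted. The following is an added example, not code from this guide or from Check Point; the sample fragments are constructed from the two directives the guide quotes, and the file names, filter paths and portal paths are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample fragments, one per ICS installation on the same Apache
# server. Only the two directives quoted in the guide are modelled; file
# names, filter paths and portal paths are placeholders.
SAMPLE_CONFIGS = {
    "ics-a/ics-apache.conf": """\
# identifier already renamed by the administrator
RewriteMap check-prg1 prg:/srv/ics-a/ics_server/bin/filter
RewriteRule ^(/portal-a.*)$ ${check-prg1:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
""",
    "ics-b/ics-apache.conf": """\
RewriteMap check-prg prg:/srv/ics-b/ics_server/bin/filter
RewriteRule ^(/portal-b.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
""",
    "ics-c/ics-apache.conf": """\
RewriteMap check-prg prg:/srv/ics-c/ics_server/bin/filter
RewriteRule ^(/portal-c.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
""",
    "ics-d/ics-apache.conf": """\
RewriteMap check-prg3 prg:/srv/ics-d/ics_server/bin/filter
RewriteRule ^(/portal-d.*)$ ${check-prg:%{HTTP_COOKIE}}$1?%{QUERY_STRING} [NE,L]
""",
}

MAP_RE = re.compile(r"^\s*RewriteMap\s+(\S+)\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+", re.IGNORECASE)
# A map lookup looks like ${name:key}; %{VAR} server variables do not match.
REF_RE = re.compile(r"\$\{([^:}]+):")


def parse_fragment(text):
    """Return (maps, refs) for one fragment.

    maps: map identifier -> (line number, map source)
    refs: list of (line number, map identifier) used in RewriteRule lines
    """
    maps, refs = {}, []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        found = MAP_RE.match(line)
        if found:
            maps[found.group(1)] = (line_no, found.group(2))
        elif RULE_RE.match(line):
            refs.extend((line_no, name) for name in REF_RE.findall(line))
    return maps, refs


def audit(configs):
    """Check a set of fragments (file name -> text) against the guide's rules.

    duplicate_ids:  identifier defined by more than one ICS installation
    undefined_refs: RewriteRule uses an identifier its own file does not define
    unused_maps:    RewriteMap identifier that no RewriteRule in the file uses
    """
    owners = defaultdict(list)
    undefined_refs, unused_maps = [], []
    for path, text in configs.items():
        maps, refs = parse_fragment(text)
        used = {name for _, name in refs}
        for name, (line_no, _source) in maps.items():
            owners[name].append(path)
            if name not in used:
                unused_maps.append((path, line_no, name))
        for line_no, name in refs:
            if name not in maps:
                undefined_refs.append((path, line_no, name))
    duplicate_ids = {
        name: sorted(paths) for name, paths in owners.items() if len(paths) > 1
    }
    return {
        "duplicate_ids": duplicate_ids,
        "undefined_refs": sorted(undefined_refs),
        "unused_maps": sorted(unused_maps),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGS)
    for name, paths in report["duplicate_ids"].items():
        print(f"identifier '{name}' is shared by: {', '.join(paths)}")
    for path, line_no, name in report["undefined_refs"]:
        print(f"{path}:{line_no}: RewriteRule uses undefined map '{name}'")
    for path, line_no, name in report["unused_maps"]:
        print(f"{path}:{line_no}: RewriteMap '{name}' is not used by any RewriteRule")
```

Run the check on the generated ics-apache.conf files before merging them into httpd.conf; once the fragments are merged, the per-file grouping the check relies on is lost.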
Installation Process for Internet Information Services (IIS)
Use the following instructions to install your ICS Server on Microsoft Internet Information Services (IIS) Web server.
To install ICS on Microsoft Internet Information Services (IIS):
1. Extract the files.
Extract the files in ics_4.1.zip to a dedicated ICS folder on the same server as the gateway you are going to protect. This folder must be accessible to the IIS server with read/write permissions. The ics_server sub-folder will be created automatically.
2. Create a new virtual directory for your Web site in Internet Information Services using the IIS Manager, with the following options:
Specify a short name (or alias) for the virtual directory. This alias should be used during ICS installation to define the path to the ICS server.
Set the ics_server directory as the Web Site Content Directory.
Select the Execute option for the ics_server/bin sub-directory to allow Internet Information Services to execute ICS CGI scripts.
3. Change directories to ics_server/bin/ and execute the ics_server/bin/install.exe installation application.
4. Follow the installation instructions.
When prompted, provide:
The full URL to the gateway you want to protect, in the form of http://server:port/path_to_gateway.
The full URL to the ICS Web location, in the form of http://server:port/path. The Server name or IP should be the same as for the gateway. Be sure to make note of the location you specify here. You will later use this URL to access the Administrator Console.
These URLs may be entered as command line parameters if you are running the install script from a batch file. The command line of the installation script has the following form: install.sh | install.exe [portal_url URL] [ics_url URL], where [portal_url] and [ics_url] are the parameter names and [URL] is the required form of the corresponding URL.
5. In IIS Manager, add ics_filter.dll to the list of ISAPI filters by performing the following tasks:
a. Add the filter ics_server/bin/ics_filter.dll.
b. Assign a name (for example, ICSFilter) to the filter.
Perform this step using cmd.exe; do not perform it from the Windows GUI.
6. Grant read/write permissions for the ics_server\bin\data directory to the following IIS accounts:
Account responsible for CGI applications
Administrator account that you want to make responsible for the ICS portal.
This step allows ICS CGI scripts to access the \bin\data directory.
7. Grant write permissions for the ics_server\components directory to the following IIS accounts:
Account responsible for CGI applications
Administrator account that you want to make responsible for the ICS portal.
This step allows ICS CGI scripts to access the \components directory.
8. Establish authentication so that only the administrator account responsible for the ICS portal has Read and Execute permissions for the following CGI scripts and HTML pages:
/bin/ctool.cgi
/bin/report.cgi
/ctool/ctoolx.html
/ctool/swsx.html
Anonymous access should be disabled for these CGI scripts and HTML pages.
9. If you are running Internet Information Services version 6.0 only, perform the following steps:
a. Add ICS4 as a new Web Service Extension, and set the following Web extension permissions to allowed:
\bin\ctool.cgi
\bin\report.cgi
\bin\translator.cgi
\bin\ics_filter.dll
b. Enable the .tpl file extension with a MIME type of text/plain for your Web site in IIS Manager.
10. Restart the Internet Information Services server to apply the ICS settings.
Upgrade Installation Process
Use the following instructions to upgrade an older version of ICS to the current release version.
To upgrade ICS from release 4.0 or 4.0 HFA1 to the current release version
1. Stop your Web server application.
2. Stop all running instances of the report.cgi application.
3. Remove the ISAPI filter for ICS from your Web Site properties (IIS only).
4. Copy policy.xml from /bin/data to a temporary directory.
5. Extract the files to the directory where you want to install ICS.
6. Install the current version of ICS, using the appropriate instructions for your Web server application:
For Apache installation instructions, see “Installation Process for Apache,” on page 19.
For Internet Information Services, see “Installation Process for Internet Information Services (IIS),” on page 21.
7. Copy policy.xml from the temporary directory to /bin/data.
8. Change directories to ics_server/bin and perform the appropriate command for your operating system:
Linux: db_upgrade.sh
Windows: report.cgi convert
This step updates the scan reporting database report.db. This process may last up to several hours, depending on your server hardware and the size of the report database.
To upgrade ICS from release 3.7 to the current release version
1. Stop your Web server application.
2. Remove the ISAPI filter for ICS from your Web Site properties (IIS only).
3. Copy the enforcement_rules.xml file from /sre/data to a temporary directory.
4. Change directories to the ICS 3.7 server location and run the command:
uninstall.sre.bat
This uninstalls the ICS 3.7 application.
5. Extract the installation files to the directory where you want to install ICS 4.1.
6. Install the current version of ICS, using the appropriate instructions for your Web server application:
For Apache installation instructions, see “Installation Process for Apache,” on page 19.
For Internet Information Services, see “Installation Process for Internet Information Services (IIS),” on page 21.
7. Move the enforcement_rules.xml file from the temporary directory where you saved it to the ics_server/ctool directory.
This step does not migrate anti-spyware rules; you must recreate them in the Administrator console.
8. Open the ICS Administrator console.
You will receive a message stating that the old policy has been found and that it will be migrated.
9. Perform the following steps:
a. Open the Policy Manager page and check that your saved policies have been copied over correctly.
Due to restrictions in the Custom Rules format in ICS 4.1 (such as file path and registry format), some rules that were valid in ICS 3.7 may be invalid in ICS 4.1. If you created your own enforcement rules in ICS 3.7 and imported them into ICS 4.1, those rules must be recreated and saved in the ICS 4.1 Enforcement Rules page.
b. Click Gateway Configuration, then click Save Configuration.
c. Close the ICS Administrator console.
d. Change directories to ics_server/ctool and remove the enforcement_rules.xml file.
Uninstallation Process
Use the following instructions to uninstall ICS.
To uninstall ICS
1. Stop the Web server.
2. Stop all running instances of report.cgi.
3. If you are running Apache Web server, remove the ics-apache.conf configuration from apache configs (from httpd.conf or automatically included subfolders).
4. If you are running Microsoft IIS, perform the following steps:
a. Remove the Virtual Directory which you created for ICS.
b. Remove ics_filter.dll from the ISAPI filters for your Web server.
c. Remove the Web Service Extension which you created for ICS (for IIS 6.0 only).
The protected gateway URL must be the same as the one protected by the ICS 3.7 installation.
d. Remove the .tpl file extension MIME type which you created for ICS (for IIS 6.0 only).
5. Delete the ics_server folder.
6. Restart the Web server.
Reconfiguration Processes
If needed, you can use parameters to reconfigure ICS after the initial installation. Use the reconfiguration parameters to:
Configure ICS to receive software updates. “Configuring ICS to receive software updates,” on page 25
Move ICS to another server. “Moving ICS to another server,” on page 26.
Change the protected gateway. “Changing the protected gateway,” on page 26.
Relocate the Administrator Console. “Relocating the Administrator Console,” on page 27.
Configuring ICS to receive software updates
To configure ICS to receive software updates, you must:
Download a license file for ICS.
Set the http_proxy variable.
Downloading a license file for ICS
ICS requires a valid license file in order to download software updates.
To download a license file
1. Sign up for a Check Point User Center account at https://usercenter.checkpoint.com.
You will be provided a user ID and password. Please save them for future reference.
2. In the Check Point User Center, activate your ICS product.
The User Center generates a unique license file cp.lic.
3. Download the cp.lic license file from the Check Point User Center and save it to:
<ics_server>/bin/data/cp.lic
4. Ensure that the Apache Web server has read permission for cp.lic.
Setting the http_proxy variable
The ICS server requires access to the Internet for software updates. ICS includes the CURL library for external HTTP communication. If you use a proxy server for Internet access, you must set the http_proxy environment variable.
To set the http_proxy environment variable
1. Get the name and port number of the proxy server.
You will need this information for the http_proxy variable.
2. Define the variable by using one of the following methods:
define http_proxy in the .htaccess file in the /ics_server/bin folder.
define http_proxy in the httpd.conf configuration file for the Apache server.
export the definition as a global environment variable.
define http_proxy in the Environment Variables (Windows only).
Moving ICS to another server
Use the following instructions to move the ICS server to another location. This location must be on the same server computer as the Apache Web server.
To move the ICS server:
1. In the new location, run the executable with the ‘reconfigure’ parameter.
install.sh reconfigure for Linux servers
install.exe reconfigure for Windows servers
2. If you are using Apache, add the content of the new ics-apache.conf file to the Apache Web server configuration file.
Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.
3. If you are using Internet Information Services, restart the Web server.
Changing the protected gateway
Use the instructions in this section if you need to reconfigure ICS to protect a different gateway. The gateway must be on the same server computer as the Apache Web server.
If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.
To change the protected gateway:
1. In the new location, run the executable with the ‘portal_url’ parameter and the URL of the new portal.
install.sh portal_url http://www.<your new portal url> for Linux servers
install.exe portal_url http://www.<your new portal url> for Windows servers
2. If you are using Apache, add the contents of the new ics-apache.conf file to the Apache Web server configuration file.
Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.
3. If you are using Internet Information Services, restart the Web server.
Relocating the Administrator Console
Use the instructions in this section to change the ICS Web location. This is the location that administrators use to access the Administrator Console.
To relocate the Administrator Console:
1. In the new location, run the executable with the ‘ics_url’ parameter and the URL of the new portal.
install.sh ics_url http://www.<your new Web location URL> for Linux servers
install.exe ics_url http://www.<your new Web location URL> for Windows servers
2. Add the contents of the new ics-apache.conf file to the Apache Web server configuration file.
Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.
Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.
Check Point documentation is also available in PDF format on the Check Point CD and the Technical Support download site at: http://www.checkpoint.com/support/technical/documents
Be sure to also use the Check Point Online Help when you are working with the ICS Administrator Console.
For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at: https://secureknowledge.checkpoint.com