Secure Client Hotel Mode

CheckPoint Firewall-1 SecureClient Hotel Mode


Table of Contents

1 Introduction
2 Connecting to Hot Spots
3 Hot Spot Registration
4 Configuring Hot Spot Registration
    4.1 Configure Manually
        4.1.1 SecureClient
        4.1.2 Management Station
    4.2 Configure from the GUI in NGX and above
    4.3 Options
        4.3.1 Local subnet access only
        4.3.2 Track
        4.3.3 Maximum time to complete registration
        4.3.4 Allow access to maximum of # addresses
        4.3.5 Ports to be opened during registration


1 Introduction

Wireless Hotspot is a wireless broadband Internet access service available at public locations such as airport lounges, coffee shops and hotels. When using a Hotspot, a user launches a web browser and attempts to connect to the Internet. The Hotspot server then automatically redirects the browser to the Hotspot Welcome page for registration. During the registration process, the user fills in the required information. Once the registration is complete, the user may continue surfing the Internet.

The Hotspot feature allows users with restrictive outbound policies and/or Hub Mode to register with a Hotspot. When a user selects to allow Hotspot, SecureClient modifies the desktop security policy and/or Hub Mode routing to enable Hotspot registration. This modification is restricted by time, number of IP addresses and ports. SecureClient records the IP addresses and ports that were accessed during the registration phase.


2 Connecting to Hot Spots

If you need to register to a Hot Spot, click the Options button in the connection window and select Register to Hot Spot/Hotel.

This suspends SecureClient’s settings for several minutes. During this time, SecureClient will not attempt to connect to the site, giving you enough time to register.

3 Hot Spot Registration

Hotspot registration can be enabled either by right-clicking the system tray icon or by selecting the Options button in the Connect window. Once Register to Hot Spot/Hotel is selected, a balloon message appears indicating the time period allowed for registration.


4 Configuring Hot Spot Registration

4.1 Configure Manually

4.1.1 SecureClient

The Hotspot option is enabled in the userc.C file. The hotspot set (with defaults) is as follows:

    :hotspot(
        :enabled (false)
        :log (false)
        :connect_timeout (600)
        :max_ip_count (5)
        :block_hotspot_after_connect (false)
        :max_trials (0)
        :local_subnets (false)
        :ports(
            :(80)
            :(443)
            :(8080)
        )
    )

| Option | Default | Description |
|---|---|---|
| enabled | false | Set to true to enable a user to perform Hotspot registration. |
| log | false | Set to true to send logs with the list of IP addresses and ports accessed during registration. |
| connect_timeout | 600 | Maximum number of seconds to complete registration. |
| block_hotspot_after_connect | false | If set to true, the recorded ports and addresses will not remain open after a successful connect. |
| max_trials | 0 | The maximum number of unsuccessful hotspot registration attempts that an end user may perform. Once this limit is reached, the user will not be allowed to attempt registration again. The counter is reset upon reboot or upon a successful VPN connect. A modified max_trials value takes effect only upon a successful connect or a reboot. If max_trials is set to 0, an unlimited number of trials is allowed. |
| local_subnets | false | Restrict access to local subnets only. |
| ports | 80, 443, 8080 | Restrict access to specific ports. |

| Parameter | Default | Description |
|---|---|---|
| scc sethotspotreg | | This command line interface now includes HotSpot/Hotel registration support. |


4.1.2 Management Station

Configuring this on the management station requires either modifying the objects_5_0.C file directly, which is not supported, or using dbedit or GuiDBedit to modify the file. The registration section needs to be modified under properties->firewall_properties.

    :properties (
        : (firewall_properties
            … Various Sections …
            :registration (
                :AdminInfo (
                    :chkpf_uid ("{D43FF3FE-D67E-11D9-9BD9-000000007F7F}")
                    :ClassName (hotspot)
                )
                :ports (
                    : (443)
                    : (80)
                    : (8080)
                )
                :block_hotspot_after_connect (false)
                :connect_timeout (600)
                :enabled (false)
                :is_dirty (true)
                :local_subnets (false)
                :log (false)
                :max_ip_count (5)
                :max_trials (0)
            )

The same options are available as when configuring the userc.C file on the SecureClient.


4.2 Configure from the GUI in NGX and above

From FireWall-1 NGX R60, Hot Spot Registration can be configured through the GUI under Policy > Global Properties > Remote Access > Hot Spot/Hotel Registration. Select Enable registration to configure settings. Uncheck the menu option to cancel registration. When the feature is enabled, you have several minutes to complete registration.


Below are the default settings when the service is enabled.

4.3 Options

4.3.1 Local subnet access only

When enabled, this allows SecureClient to access all services on the local subnet that it is attached to. This allows more access than just the specified ports.

4.3.2 Track

This specifies whether Registration access should be logged or not.

4.3.3 Maximum time to complete registration

This specifies, in seconds, how long a user has after they boot their machine to complete registration with a Hot Spot. If registration with a Hot Spot is not completed in the specified time, a restart of the machine will be required.

4.3.4 Allow access to maximum of # addresses

This specifies how many addresses the machine can access during the time period before the SecureClient policy is enforced.

4.3.5 Ports to be opened during registration

These are the ports that the client can access to register with a Hot Spot. Up to a maximum of 10 TCP ports can be specified; they will be available for the time period.
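
As an added example (not Check Point's code and not part of the original document), the following Python parses the hotspot set syntax shown in 4.1.1 and 4.1.2 and reports the options that widen what a client can reach during registration, using the option descriptions in 4.1.1 and 4.3. The function names, the choice of checks and the sample set are assumptions of this example.

```python
import re

# One token is an opening ':name (', a closing ')', or a bare value.
TOKEN = re.compile(r':\s*(\w*)\s*\(|\)|[^\s()]+')

def parse_set(text):
    """Parse ':name (value)' sets into dicts (named), lists (unnamed) or strings."""
    tokens = TOKEN.finditer(text)
    def body():
        named, unnamed, scalar = {}, [], None
        for m in tokens:              # shared iterator: each child consumes its own tokens
            if m.group(0) == ')':
                break
            if m.group(1) is None:    # bare value such as false or 600
                scalar = m.group(0).strip('"')
            elif m.group(1):          # ':name (' opens a named child
                named[m.group(1)] = body()
            else:                     # ':(' opens an unnamed list entry
                unnamed.append(body())
        return named or unnamed or scalar
    return body()

# Defaults as listed on this page, applied when an option is absent.
DEFAULTS = {'log': 'false', 'block_hotspot_after_connect': 'false', 'max_trials': '0',
            'local_subnets': 'false', 'connect_timeout': '600', 'max_ip_count': '5'}
# (option, value that triggers a finding, reason); the choice of checks is this example's own.
CHECKS = [
    ('local_subnets', 'true', 'all local-subnet services reachable, not only the listed ports'),
    ('log', 'false', 'addresses and ports accessed during registration are not logged'),
    ('block_hotspot_after_connect', 'false', 'recorded ports and addresses stay open after connect'),
    ('max_trials', '0', 'unlimited registration attempts'),
]

def audit_hotspot(text):
    """Return (option, reason) pairs for settings that widen the registration window."""
    h = (parse_set(text) or {}).get('hotspot') or {}
    if h.get('enabled') != 'true':
        return []                     # registration disabled: the policy is never relaxed
    out = [(k, why) for k, bad, why in CHECKS if h.get(k, DEFAULTS[k]) == bad]
    for k in ('connect_timeout', 'max_ip_count'):
        if int(h.get(k, DEFAULTS[k])) > int(DEFAULTS[k]):
            out.append((k, f'above the default of {DEFAULTS[k]}'))
    if len(h.get('ports') or []) > 10:
        out.append(('ports', 'more than the 10 TCP ports that can be specified'))
    return out

# Constructed sample, not taken from a real deployment.
SAMPLE = """:hotspot( :enabled (true) :log (false) :connect_timeout (1800)
  :max_ip_count (5) :block_hotspot_after_connect (false) :max_trials (0)
  :local_subnets (true) :ports( :(80) :(443) :(8080) ) )"""
```

Calling audit_hotspot(SAMPLE) returns findings for local_subnets, log, block_hotspot_after_connect, max_trials and connect_timeout; a set with enabled (false) returns an empty list.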