Am having the same problem and got this back from Checkpoint support:

Here are the list of ports that need to be open...

The filtering device has the following ports blocked:

-Protocol 94, 50 and 51.

Fix: 1. To download the topology, you need to open TCP port 256, whatever

encryption scheme is used .

* If using SecuRemote 4.1, then by default the topology will be downloaded

* If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will

first try to get the topology on port 264; if it is not successful

after 30 seconds, it will try on port 256.

See the Solution: <a href="primus://:36.0.126090.2471847">Topology Download

problems with SecuRemote 4.1/FireWall-1 4.1</a> to learn more about

* If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in

FireWall-1, that accepts connections from SecuRemote users to the SecuRemote

2. To establish a connection between SecuRemote Client and the server:

If using the FWZ encryption scheme, open UDP port 259 for the Authentication.

NOTE: If not using encapsulation, create rules to allow the actual traffic.

If using encapsulation, just add one rule allowing traffic on protocol

94 (0x5e) which is the new IP protocol number.

For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and

allow traffic on protocol 50 (0x32) and 51 (0x33) which are the new

protocol numbers for ISAKMP.

NOTE: If the Firewall in the middle is FireWall-1 then you just need

Haven't had a chance to try this stuff yet. If you do and get it working let me know please. I'm going to try again late this week or early next week.

Hi steve,

Check the following:

Check the encryption/authentication methods on firewall and server.

Define the FW boxes as 'Communicaton Server' on the ACE Server machine. Be sure that Sent Node Secret check box is blank.

When defining the FW as clients on the server, make sure that the primary node address is the IP address that the hostname of the FW resolves to. You can do this by typing in 'hostname' on the firewall console and then pinging the answer you get back.

Define the secondary nodes of the firewall.

Check that the user is defined properly in the security policy.

Check NAT rules. If any NAT is being done, make sure there is a rule at the top of the policy that allows the FW's and SecurID server to talk untranslated.

After copy the 'sdconf.rec' file into /var/ace directory, delete /var/ace/securid and bounce FireWall-1 (fwstop; fwstart).

After the first successful communication between Firewall and ACE server, a file called 'securid' will get created under '/var/ace' directory.

Hope this help you.

Victor Barrientos
Tivoli certified Consultant
RSA Security Certified RSA ACE/Server Engineer
) Office: +54 11 4819 3903
) Fax: +54 11 4811 7103
+ Office eMail: vbarriento@unifon.com.ar
+ Alternative eMail: vbarrientos@usa.net
: Unifon Web Site: http://www.unifon.com.ar

----- Original Message -----

From: Steve Peters <Steve.Peters@marchFIRST.com>

To: 'Victor Barrientos' <vbarrientos@usa.net>

Sent: Tuesday, October 03, 2000 5:22 PM

Subject: Ace Server/FW1 Question

> Hi I've read the posts on the newsgroup about ACE Server and FW1 and was
> hoping you could help. I have a question. I have created a user and allowed
> secureID as the auth method, I also have put the sdconf.rec file in /var/ace
> directory. But when I telnet to 259 and enter the username it prompts me
> with the PASSCODE: prompt but when I enter the information I get the
> following message "Unable to activate SecurID authentication" and in the fw
> log I see a reject with the following in the Info section " reason SecurID
> communication problem.
> Any ideas? Anything would help,
>
> Thanks
> Steve Peters
> marchFIRST