RE: [FW1] SecureRemote
If I understand Robert's question, your concern is more packet source than security, i.e. you want to make SR requests to internet sites look like they're originating from your internal network. This is useful if, for example, you connect to sites that validate you based on source IP address.

Unfortunately, I don't think it will work. The only way I can think of to do it is to make your encryption domain 0.0.0.0 mask 0.0.0.0, use IP Pool NAT, and use source routing to bounce the SR requests off an internal router and back out to the internet. It would be messy, but might just work, as the FW will NAT before passing it to the OS to route. I don't think the 0.0.0.0 encryption domain will do it by itself, but you can give it a try.

Let me know how it goes - I'm intrigued...

Dan Hitchcock CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)
The work/life solution for corporate thought leaders

-----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: Tuesday, November 07, 2000 9:13 PM
To: WEIZENECKER, Robert, GCM
Cc: [email protected]
Subject: Re: [FW1] SecureRemote

Since the configuration you refer to is extremely inefficient (I did not say it was not secure), I can think of only one way, and that is to use SecureClient, set a policy of allow encrypted only, and require that your remote users specify an internal proxy (not the firewall) to get outside requests. That is, to the best of my experience, the cleanest way to do it.

HTH,
CryptoTech

"WEIZENECKER, Robert, GCM" wrote:
> Is it possible to set up SecureRemote so clients can only connect to the
> Firewall \ VPN and browse the internet through the firewall (effectively
> disabling Split-tunnel as referred to on other VPN devices)? I would like
> to force all traffic from the client to the VPN then back out to the
> internet.
>
> Thanks in advance for your help.
>
> Rob Weizenecker
>
> **********************************************************************
> This e-mail is intended only for the addressee named above.
> As this e-mail may contain confidential or privileged information,
> if you are not the named addressee, you are not authorised to
> retain, read, copy or disseminate this message or any part of it.
> ************************************************************************
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================