
[FW1] WinME



I have users using the Windows 95, Version 4157 build working fine on WinME.  Don't try to use the WinNT or Win2000 client on WinME.

Good Luck.

Andy Faulkner


-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Sunday, November 26, 2000 2:11 PM
To: [email protected]
Subject: Firewall-1 Mailinglist Digest V1 #1486



Firewall-1 Mailinglist Digest Sunday, November 26 2000 Volume 01 : Number 1486



	In this issue:

	[FW1] NAT & User Auth
	[FW1] SecureRemote and WinME
	RE: [FW1] SecureRemote and WinME
	[FW1] Capacity and Throughput of NAT with FW-1 
	Re: [FW1] http domain filter

----------------------------------------------------------------------

Date: Sat, 25 Nov 2000 17:29:49 +0000 (GMT)
From: Matthew Melbourne <[email protected]>
Subject: [FW1] NAT & User Auth

Hi,

I currently have a test FW-1 system in the lab, between two networks. The
firewall interfaces are 10.0.0.1/8 and 192.168.0.11/24. This is FW-1 4.1 SP1
running under NT.

I have a rule in the rulebase which states:

 src            dst             service         action

 grp-ss         wks-ss-server   http, ftp       accept

The group grp-ss, contains two network objects, which defines address ranges
within the 10.0.0.0/8 subnet. wks-ss-server has IP address 192.168.0.100.

There is also a single manual entry in the Address Translation policy,
which hides the grp-ss subnets behind the address grp-ss-hide (192.168.0.80)

 src            dest            service         src             dst     service

 grp-ss         wks-ss-server   any             grp-ss-hide (H) =orig   =orig

This works exactly as expected, wks-ss-server sees traffic from the
'grp-ss' subnets originating from the grp-ss-hide address (192.168.0.80)

If the action on the rule in the rulebase is changed to "User Auth", 
and user access is enabled, then NAT appears to not function as expected. 
(The manual Address Translation rule is still present).

 src            dst             service         action

 users@grp-ss   wks-ss-server   http, ftp       User Auth

Users are correctly authenticated and allowed access to wks-ss-server, but
traffic appears to originate from the IP address of the firewall (192.168.0.11)
on the 192.168.0.0/24 subnet, and not the NAT hide address of 192.168.0.80 
which would be expected. The log file shows that the address translations
are not occurring.

Cheers,

Matt

- -- 
Matthew Melbourne



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

------------------------------

Date: Sat, 25 Nov 2000 18:44:50 +0100
From: Cedric Amand <[email protected]>
Subject: [FW1] SecureRemote and WinME

Hello

     A quick question : SecureRemote just doesn't seem to
     work on Windows ME : after installation, the program asks
     for rebooting, then during boot up you get a bluescreen
     with GPF/system halted.

     only solution if you wanna boot again is to de-install SR.

     Does anyone know a solution to this ?
     Does Checkpoint EVER plan to finally be on the cutting edge ?





------------------------------

Date: Sat, 25 Nov 2000 13:33:51 -0500
From: "Woods, Curtis" <[email protected]>
Subject: RE: [FW1] SecureRemote and WinME

I have Build 4157 working fine under ME

- -----Original Message-----
From: Cedric Amand
To: [email protected]
Sent: 11/25/00 12:44 PM
Subject: [FW1] SecureRemote and WinME


Hello

     A quick question : SecureRemote just doesn't seem to
     work on Windows ME : after installation, the program asks
     for rebooting, then during boot up you get a bluescreen
     with GPF/system halted.

     only solution if you wanna boot again is to de-install SR.

     Does anyone know a solution to this ?
     Does Checkpoint EVER plan to finally be on the cutting edge ?





------------------------------

Date: Sun, 26 Nov 2000 22:11:51 +1100
From: "Yin To Chu" <[email protected]>
Subject: [FW1] Capacity and Throughput of NAT with FW-1 


Hi :

Just wondering who knows the max throughput and max number of sessions that
can be really supported by FW-1, say on a Sun Netra T1 with 440MHz CPU and
on a Nokia IP650 box?

Any source reports on such stress testing?

Just thinking of how many boxes are needed for NATing, say, one million of
current users. Investigating Internet access from Mobile networks  a few
years down the track.

Or investigate other boxes with better NAT capabilities. Any other
suggestions : Netscreen, layer 4 switches?

Thanks

yt
- --


------------------------------

Date: Sun, 26 Nov 2000 15:09:08 -0500
From: CryptoTech <[email protected]>
Subject: Re: [FW1] http domain filter

With user auth, they will be challenged each time, have you tried partially automatic client auth?

[email protected] wrote:

> I would love to do that, but the domain objects won't take in a rule when
> using User Auth!  You have to put the domain objects in that particular
> user's permissions.  Then I still get the same problem, users are being
> prompted when they come across a resource they don't have access to.  This
> is very frustrating!
>
> Cheers,
>
> Jamie
>
> -----Original Message-----
> From: CryptoTech [mailto:[email protected]]
> Sent: Tuesday, November 21, 2000 8:53 PM
> To: MIS Security Alerts
> Cc: [email protected]
> Subject: Re: [FW1] http domain filter
>
> I would just set up domain objects and use them in the destination field.
> This way they are evaluated upon use (then cached per the DNS valid
> interval.)  This should work quite well.
>
> The resource idea is not bad, but tends to work better if you just used ip
> addrs.
>
> so just create domain objects like   yahoo.com, <sitename.com>, and so on.
>
> HTH,
> CryptoTech
>
> [email protected] wrote:
>
> > I am trying to set up simple access rules for 4 different groups.  These
> > groups have a variety of different access to sites like av.com, yahoo.com,
> > etc.  I am toying with a few ideas and I want to bounce it off a few people.
> > My desired result is to use something like domain objects so that I don't
> > have to manually input any changes when yahoo gets a new server.  I have
> > gotten it to work using URI resources and it works great, BUT (and you knew
> > there was a but) when someone accesses a site they don't have permissions to,
> > it just comes up with user/pass prompts until it finally moves to an Error
> > 407 - not "Access Denied."  Here is what I have found the reason to be: the
> > rule setup to allow users to these sites is below
> >
> > Group1@internal any     http->www.yahoo.com     User Auth       Account
> >
> > It looks as though because the destination is any I will never see that
> > access denied error.  A solution was to use the domain objects in the dest
> > field, only they are not allowed when using User Auth.  Now this may appear
> > to be cosmetic only and not bother fixing, but when a user accesses
> > yahoo.com, several gif's on that page are called from other URL's.  So, in
> > order to load the page the users will get frustrated after trying their
> > user/pass so many times.  It will eventually load without those gif's.  If I
> > specify the IP of yahoo.com as the dest, the page loads no problem and just
> > ignores the gif's (no prompts because access is denied).
> >
> > Anyone know the secret or have a few moments to spare and test my theories?
> >
> > Cheers,
> >
> > Jamie Doherty
> >
> > The information transmitted by the following E-Mail is intended only for
> > the addressee and may contain confidential and/or privileged material. Any
> > interception, review, retransmission, dissemination, or other use, or taking
> > any action upon this information by persons or entities other than the
> > intended recipient is prohibited by law and may subject them to criminal or
> > civil liability. If you received this communication in error, please contact
> > us immediately atext. 3600 and delete the communication from
> > any computer or network system.

------------------------------

End of Firewall-1 Mailinglist Digest V1 #1486
*********************************************


   All contents © 2004 Network Presence, LLC. All rights reserved.