[FW1] SecuRemote, Split DNS, Split FW & Management Console - SOLVED!
I was having problems getting the SecuRemote client and Split DNS working on
my firewall system. My trouble was that I could not get DNS to work
properly over the VPN. Everything else was working fine. I could ping by IP
address, I could connect to my NT servers, I could telnet, etc., etc. The
only thing not working was DNS, not even NSLOOKUP.

I resolved the problem by unchecking the two "Accept Domain Name Over UDP"
and "Accept Domain Name Over TCP" properties in Policy, Properties,
Security Policy. This removed the two "implied" rules in the security
policy. I then added an explicit rule of "any any dns accept" AFTER my
SecuRemote clientencrypt rule. Voila! It's working now. I'm guessing that
since the implied rules came into play as rule zero, before the
clientencrypt rule, they were being dropped (even though they weren't
showing as drops in the log).

Since this was a setup where the management console was on a separate box
from the firewall I also had some problems getting the VPN up initially.
I'll summarize all the steps in the hopes of helping others out.

1. Your firewall object must be defined with the IP address of your
external interface.
2. If your management console has an illegal address you must give it a
valid external address using static NAT.
3. You must create a rule that allows anyone to connect to the FW1_TOPO
service on your MANAGEMENT console. The rule you must add is "any
mgmtconsole fw1_topo accept". By default, the policy is supposed to allow
this service. However, the implied rules in the policy only allow clients
to connect to the built-in group named "~FW1 Host".  Apparently this group
does not include machines with only a management console function and no
firewall, hence the need to add your own.
4. You edit the crypt.def and the dnsinfo.C files on the MANAGEMENT console
only. You don't have to edit these files on the FW itself.
5. When adding a site on the SecuRemote Client, you give the IP address of
your MANAGEMENT console, not the IP address of your FW.
6. Disable the implied DNS rules in policy properties by unchecking the two
"Accept Domain Name Over UDP" and "Accept Domain Name Over TCP" properties
in Policy, Properties, Security Policy. Then, add an explicit rule of "any
any dns accept" AFTER your SecuRemote clientencrypt rule.
7. To check that your dnsinfo.C updates are making it to the client, view
the userc.C file in the "c:\program files\checkpoint\securemote\database"
directory on the client PC. Search for the text "dnsinfo". Beneath this
text you should see the contents of the dnsinfo.C file you edited up on the
MANAGEMENT console.
8. Don't forget to kill and restart the SecuRemote service and then Update
the topology after you make changes.
9. Download the document titled "Firewall-1 Version 4.0 SecuRemote
Split/Encrypted DNS Quick Reference Guide Revision 1.4" from the Checkpoint
techsupport public site for some very cryptic examples of how to edit
dnsinfo.C and crypt.def.

I'm using FW v4.1 so I don't know if this applies to earlier versions
exactly. Items 3, 4, 6, and 7 were particularly troublesome to figure out.

Hope this helps,

----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
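The post's central point is rule ordering: FW-1 evaluates a rulebase top-down with first-match semantics, and the "implied" DNS rules are inserted ahead of every explicit rule (as "rule zero"), so they claim DNS traffic before the clientencrypt rule ever sees it. The following is an added example, not code from the post or from Check Point, that models that evaluation for the three rulebase variants the post describes. The object names (`remote_client`, `internal_net`, `internet`), the simplified matching (a packet's destination is compared directly against a named object rather than resolved through group membership), and the cleanup rule at the end are all assumptions made for the illustration.

```python
"""First-match rulebase evaluation, modelling the implied-rule ordering issue.

Added example: a minimal model of FW-1 style top-down, first-match policy
evaluation. Object names, the flat matching and the cleanup rule are
assumptions for illustration, not the product's real data model.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int      # 0 models an "implied" rule inserted ahead of the policy
    src: str
    dst: str
    service: str
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field matches when it is 'any' or equals the packet field."""
    pairs = ((rule.src, pkt.src), (rule.dst, pkt.dst), (rule.service, pkt.service))
    return all(field == ANY or field == value for field, value in pairs)


def first_match(rulebase: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-down, first-match evaluation: the first matching rule decides."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule
    return None


def build_rulebase(implied_dns: bool, explicit_dns_after_encrypt: bool) -> List[Rule]:
    """Build the three variants discussed in the post.

    implied_dns              -> the 'Accept Domain Name Over UDP/TCP' properties
                                are checked, so a DNS accept runs as rule 0.
    explicit_dns_after_encrypt -> an explicit 'any any dns accept' rule sits
                                AFTER the clientencrypt rule.
    """
    rules: List[Rule] = []
    if implied_dns:
        rules.append(Rule(0, ANY, ANY, "dns", "accept"))  # implied, before the policy
    # SecuRemote rule: traffic to the internal network from anywhere is encrypted.
    rules.append(Rule(1, ANY, "internal_net", ANY, "client encrypt"))
    if explicit_dns_after_encrypt:
        rules.append(Rule(2, ANY, ANY, "dns", "accept"))
    rules.append(Rule(99, ANY, ANY, ANY, "drop"))  # assumed cleanup rule
    return rules


# Constructed sample traffic: a remote SecuRemote client resolving an internal
# name, and an internal host resolving an Internet name.
VPN_DNS = Packet("remote_client", "internal_net", "dns")
OUTBOUND_DNS = Packet("internal_net", "internet", "dns")


def decide(implied_dns: bool, explicit_dns_after_encrypt: bool, pkt: Packet) -> str:
    """Return '<rule number>:<action>' for the rule that claims the packet."""
    rule = first_match(build_rulebase(implied_dns, explicit_dns_after_encrypt), pkt)
    return "none" if rule is None else f"{rule.number}:{rule.action}"


if __name__ == "__main__":
    for implied, explicit, label in (
        (True, False, "implied DNS rules on (original setup)"),
        (False, False, "implied rules off, no explicit DNS rule"),
        (False, True, "implied rules off, explicit DNS rule after clientencrypt"),
    ):
        print(f"{label}:")
        print(f"  VPN client DNS  -> {decide(implied, explicit, VPN_DNS)}")
        print(f"  outbound DNS    -> {decide(implied, explicit, OUTBOUND_DNS)}")
```

With the implied rules enabled, the VPN client's DNS query is claimed by rule 0 (a plain accept) before the clientencrypt rule can match it; with them disabled, the clientencrypt rule is the first match, and the explicit rule placed after it is what keeps ordinary outbound DNS from falling through to the cleanup rule.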