NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



RE: [FW1] SecureRemote and WINS



Scott,
 
Look at the IP NAT pools on the firewall object - this allows you to resolve
the routing issue with externally valid addresses.
 
Create a pool using a free IP range that is internally routable
(192.168.x.y or 172.16-32.x.y)
 
Ensure the local IP range is routed correctly on your core routers so that
the internal network knows where to send data back to. If you run a routing
protocol between the firewall's internal NIC (only) and your core network,
then simply adding a route that points to the firewall's internal IP address
will work here.
 
This works fine for me on all my systems.
 
Cheers
 
Tim

-----Original Message-----
From: Scott Hunter [mailto:[email protected]]
Sent: 09 December 2000 17:46
To: 'CryptoTech'
Cc: '[email protected]'
Subject: RE: [FW1] SecureRemote and WINS


Thank you once again for your input.  A friend pointed me to a CP doc that had
a sample dnsinfo.C with both split DNS and LMdata entries that I modified
for our network and it works like a champ.  I don't have the link to the doc
nor my dnsinfo.C at my disposal at the moment, but I will post it if anyone
is interested.  Just email me directly.  It adds entries to the lmhosts
file, which I don't really care for.  I would prefer that it updated the
WINS entry of the IP stack.  I can't browse the network which some of my
users would want.  I guess I have to settle for that until I can come up
with another solution and if anyone has one, I am all ears (eyes?).  Also,
pushing a policy to the 4.1 FW1 and doing an update on my SecureRemote
client is all I have had to do whenever I modified the dnsinfo.C.  Try it.
I swear it works on my FW.  Lastly, my friend had a good idea for
distributing the customized userc.C.  Simply modify the one in the client
distribution before rolling it out.  The install distribution is not
compressed.  Sweet and simple.  Why didn't I think of that? (no comments,
Ed)  
 
By the way.  Someone mentioned that one security flaw in the CheckPoint VPN
architecture is the fact that since you don't get an IP address on the
inside of your network like you do with other VPN systems you must configure
all services inside your network to allow connections from pretty much
anywhere.  Not a big deal unless your firewall is compromised, then it is a
very big deal.  I have seen many posts asking how to resolve this or work
around it and it seems that the best solution would be to get an internal IP
address and route internal traffic through it just like other systems.  Is
this possible with CP VPN and SR?  PPTP through a SR tunnel is a pretty
cumbersome solution.
 
Scott


 -----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: Friday, December 08, 2000 5:57 PM
To: Scott Hunter
Cc: '[email protected]'
Subject: Re: [FW1] SecureRemote and WINS



Scott, 
Your format is incorrect.  Your parenthetical structure is off.  Also, in
the dnsinfo file attached, which is the same one that I use, I had to put
the LMdata information at the top.  And yes, you DO have to stop and start
the management module if you change or add a dnsinfo.C file.  I have used
this and it will retain the old dnsinfo data until you restart the firewall
management process. 

Cheers, 
CryptoTech 


Scott Hunter wrote: 


  

Since that post, I found the split DNS document and implemented that and DNS
resolution is working.  I am not crazy about the idea that I have to
manually distribute a userc.C to all my SecureRemote clients, btw.  I also
stumbled upon some info on how to push LMdata info and I tried it but it is
not working.  I may have some syntax problems in my dnsinfo.C.  Here is what
it looks like now: 


----------------SNIP---------------------- 
(
    :dns_servers (
        : (kirk.scotty
            :obj (
                : (10.0.10.11)
            )
            :topology (
                : (
                    :ipaddr (10.0.10.0)
                    :ipmask (255.255.255.0)
                )
            )
            :domain (
                : (
                    :dns_label_count (12)
                    :domain (.trek.com)
                )
            )
        )
    )
    :encrypt_dns (true)
)

(
    :LMdata (
        : (
            :ipaddr (10.0.10.11)
            :name (KIRK)
            :domain (TREK)
        )
        : (
            :ipaddr (10.0.10.193)
            :name (SPOCK)
        )
    )
)
----------------SNIP---------------------- 


Where kirk is my PDC, DNS and WINS server, scotty is my FW1 and spock is a
BDC.  Trek is the NT domain and trek.com is the Internet domain name.  These
names have been changed to protect the innocent. 


Thanks for responding! 


-----Original Message----- 
From: CryptoTech [mailto:[email protected]] 
Sent: Thursday, December 07, 2000 7:10 PM 
To: Scott Hunter 
Cc: '[email protected]' 
Subject: Re: [FW1] SecureRemote and WINS 


Scott, 
In my setup, after I pushed DNS config and WINS resolver info to the client,
he was able to browse based on the contents of the wins server.  Are you
saying that this is not working for you? 


CryptoTech 
Scott Hunter wrote: 


I have scoured this mailing list archive but I still can't find any info on
how to resolve internal Windows machine names when using SecureRemote.  I
wish I could just add a WINS server entry that would get sent out as part
of userc.c so that the remote machine would attempt a lookup on an internal
WINS server.  I tried manually entering the WINS server in the IP settings
for the dialup connection, but then it doesn't get DNS server entries and
nothing resolves.  I know you can populate the LMHOSTS file with PDC and BDC
info, but does anyone know if you can populate it with master browser or
WINS entries?  Even with PPTP you get a DHCP address with all of the
internal networking info and everything resolves.  Any thoughts?  Am I going
to have to have my ISP add all the IP addresses for all the servers?  That's
bad for two reasons.  One, many people want to access machines that get
their addresses via DHCP and two, it doesn't scale.  There must be an
automated way of doing this.  Something you can roll out with the
SecureRemote client.  If I could send everyone an LMHOSTS file that would
point everyone to the WINS server that would be good enough, but I don't
want to roll out an LMHOSTS file every day.


************************************************************************
The information in this email is confidential and is intended solely
for the addressee(s).
Access to this email by anyone else is unauthorised. If you are not
an intended recipient, you must not read, use or disseminate the
information contained in the email.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
The Capital Markets Company.

http://www.capco.com
***********************************************************************
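Added example, not from the thread and not Check Point code: a small Python parser for the parenthesised set syntax that dnsinfo.C uses in the messages above, with a checker that flags the two problems the thread discusses (more than one top-level set, and LMdata not first), a merge that rewrites the posted file into a single set with LMdata on top, and a rendering of the LMdata entries as LMHOSTS lines. The sample input is the posted dnsinfo.C, embedded as a constant. The rule that a dnsinfo.C is one top-level set with LMdata first is taken from CryptoTech's reply and is treated here as an assumption, as is the LMHOSTS rendering (Scott says SecureRemote adds lmhosts entries, but the thread never shows them). The grammar itself is only what the posted file exhibits, so a real dnsinfo.C with constructs not seen here may need more.

```python
"""Parse, check and rewrite a dnsinfo.C.  Added example, not from the thread
or from Check Point.  Grammar as the posted file shows it: '(' opens a set,
':key (' a named entry, ': (' an unnamed element, '(text)' a scalar, and a
bare token right after '(' is the set's name."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the posted dnsinfo.C, still as two top-level sets.
POSTED_DNSINFO = """
( :dns_servers ( : (kirk.scotty
      :obj ( : (10.0.10.11) )
      :topology ( : ( :ipaddr (10.0.10.0) :ipmask (255.255.255.0) ) )
      :domain ( : ( :dns_label_count (12) :domain (.trek.com) ) ) ) )
  :encrypt_dns (true) )
( :LMdata ( : ( :ipaddr (10.0.10.11) :name (KIRK) :domain (TREK) )
            : ( :ipaddr (10.0.10.193) :name (SPOCK) ) ) )
"""

@dataclass
class Node:
    name: Optional[str] = None    # bare token after '(', e.g. kirk.scotty
    scalar: Optional[str] = None  # leaf value, e.g. 10.0.10.11 or true
    entries: List[Tuple[Optional[str], "Node"]] = field(default_factory=list)

    def get(self, key: Optional[str]) -> List["Node"]:
        return [v for k, v in self.entries if k == key]

_TOKEN = re.compile(r"\(|\)|[^\s()]+")   # parens are their own tokens

def _parse_set(tokens: List[str], pos: int) -> Tuple[Node, int]:
    if pos >= len(tokens) or tokens[pos] != "(":
        raise ValueError(f"expected '(' at token {pos}")
    pos, node = pos + 1, Node()
    if pos < len(tokens) and tokens[pos] not in ("(", ")") and tokens[pos][0] != ":":
        bare, pos = tokens[pos], pos + 1
        if pos < len(tokens) and tokens[pos] == ")":
            node.scalar = bare            # '(value)'
            return node, pos + 1
        node.name = bare                  # '(name :key (...) ...)'
    while True:
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses: missing ')'")
        tok = tokens[pos]
        if tok == ")":
            return node, pos + 1
        if tok[0] != ":":
            raise ValueError(f"expected ':key' but found {tok!r} at token {pos}")
        child, pos = _parse_set(tokens, pos + 1)
        node.entries.append((tok[1:] or None, child))   # ':' alone -> unnamed

def parse_sets(text: str) -> List[Node]:
    """All top-level sets in the file; ValueError on bad nesting."""
    tokens, pos, sets = _TOKEN.findall(text), 0, []
    while pos < len(tokens):
        if tokens[pos] != "(":
            raise ValueError(f"stray {tokens[pos]!r} at token {pos}")
        node, pos = _parse_set(tokens, pos)
        sets.append(node)
    return sets

def dump(node: Node, depth: int = 0) -> str:
    """Serialise with one tab per nesting level."""
    if node.scalar is not None:
        return f"({node.scalar})"
    lines = ["(" + (node.name or "")]
    for key, child in node.entries:
        lines.append("\t" * (depth + 1) + f":{key or ''} {dump(child, depth + 1)}")
    return "\n".join(lines + ["\t" * depth + ")"])

def check_dnsinfo(text: str) -> List[str]:
    """Problems found (empty list = passes).  One set with LMdata first is
    CryptoTech's advice in the thread, treated here as an assumption."""
    try:
        sets = parse_sets(text)
    except ValueError as err:
        return [str(err)]
    problems = [] if len(sets) == 1 else [f"expected one top-level set, found {len(sets)}"]
    keys = [k for s in sets for k, _ in s.entries]
    if "LMdata" in keys and keys[0] != "LMdata":
        problems.append("LMdata is not the first entry")
    for srv in [s for top in sets for lst in top.get("dns_servers") for _, s in lst.entries]:
        for want in ("obj", "topology", "domain"):
            if not srv.get(want):
                problems.append(f"dns server {srv.name!r} lacks :{want}")
    return problems

def merge_sets(sets: List[Node], first: str = "LMdata") -> Node:
    """Fold the top-level sets into one, `first` on top, rest in original order."""
    merged = Node()
    for s in sets:
        merged.entries.extend(s.entries)
    merged.entries.sort(key=lambda kv: kv[0] != first)   # stable sort
    return merged

def lmhosts_lines(root: Node) -> List[str]:
    """LMdata as LMHOSTS lines (#PRE preloads, #DOM: marks a domain controller).
    Assumption: the thread does not show what SecureRemote actually writes."""
    out = []
    for lm in root.get("LMdata"):
        for _, host in lm.entries:
            line = f"{host.get('ipaddr')[0].scalar}\t{host.get('name')[0].scalar}\t#PRE"
            if host.get("domain"):
                line += f"\t#DOM:{host.get('domain')[0].scalar}"
            out.append(line)
    return out

if __name__ == "__main__":
    print("problems:", check_dnsinfo(POSTED_DNSINFO))
    fixed = dump(merge_sets(parse_sets(POSTED_DNSINFO)))
    print(fixed, "\nproblems after merge:", check_dnsinfo(fixed))
```

Run `check_dnsinfo` on a candidate file before pushing the policy; on the posted input it reports the two structural problems, and the merged output passes. As CryptoTech notes above, the management process may keep the old dnsinfo data until it is restarted, so a clean check does not by itself prove the clients received the new file.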
   All contents © 2004 Network Presence, LLC. All rights reserved.