
RE: [FW1] fw-1 rainwall and secureclient



Mathew,

This may or may not be a cause of your particular problem, but you
should be aware that Check Point currently has a known issue with
SecureClient and HA.  Basically, FW-1 will not allow you to select a
cluster object group as the policy server.  This only affects
SecureClient, not SecuRemote, and applies to any HA solution, not just
RainWall.

Possible workarounds:
- Use SecureClient as a SecuRemote by telling it not to protect the
local machine.
- Put a stand alone Policy Server INSIDE the network.  This will allow
the HA to work with the firewalls and the user
will pull the policy from the stand alone Policy Server.

For more information on the problem or when it will be fixed, contact
Check Point support.

HTH,

Mark L. Decker
Rainfinity
[email protected]
www.rainfinity.com

> -----Original Message-----
> From: Mathew Anderson
>
> Hello - I am working with two fw-1 2000, sp2 firewalls
> running on WinNT 4.0 sp6a machines.
>
> I am able to establish a secure client connection to each of the
> firewalls, download the policy, and do what I need to do.
> What I would like to do next (but have been unable to do so..)
> is group the two firewalls, and make a secureclient connection
> to the group.
>
> I am using Rainwall as the HA agent.
>
> So, we set up HA on the firewalls, added them into a cluster.
> Assigned one of the VIPs (from rainwall) to the address of the cluster.
>
> When I start a secureclient connection to the cluster, the "clean up"
> rule is dropping everything.  The first rule is the secure-clients@any,
> internal-encryption-domain, with client encrypt.
>
> It looks like the VIP is not getting past.  I am unable to
> add the cluster to the intern-encryption-domain (fw-1 does not like
> it as a destination). I have tried to add in a workstation, with the
> address of the VIP, but that drops as well.  Any pointers or ideas?


