[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] fw-1 rainwall and secureclient
Mathew, This may or may not be a cause of your particular problem, but you should be aware that Check Point currently has a known issue with SecureClient and HA. Basically, FW-1 will not allow you to select a cluster object group as the policy server. This only affects SecureClient, not SecuRemote, and applies to any HA solution, not just RainWall. Possible workarounds: - Use SecureClient as a SecuRemote by telling it not to protect the local machine. - Put a stand alone Policy Server INSIDE the network. This will allow the HA to work with the firewalls and the user will pull the policy from the stand alone Policy Server. For more information on the problem or when it will be fixed, contact Check Point support. HTH, Mark L. Decker Rainfinity [email protected] www.rainfinity.com> -----Original Message----- > From: Mathew Anderson > > Hello - I am working with two fw-1 2000, sp2 firewalls > running on Wint 4.0 > sp6a machines. > > I am able to establish a secure client connection to each of the > firewalls, download the policy, and do what I need to do. > What I wouldlike to do next (but have been unable to do so..) > is group the two firewalls, and make a secureclient connection > to the group. > > I am using Rainwall as the HA agent. > > So, we set up HA on the firewalls, added them into a cluster. > Assigned on of the VIPs (from rainwall) to the address of the cluster. > > When, I start a secureclient connection to the cluster, the "clean up" > rule is dropping everything. The first rule, is the secure-clients@any, > internal-encryption-domain, with client encrypt. > > It looks like the VIP is not getting past. I am unable to > add the cluster to the intern-encryption-domain (fw-1 does not like > it as a destination). I have tried to add in a workstation, with the > address of the VIP, but that drops as well. Any pointers or ideas? ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|