RE: [FW1] user rule

Actually, Camille never once mentioned having a licensed encryption module with her FW or the consolidated VPN-1 module. Without that, SecureRemote or any Macintosh IPSEC-compliant client won't do much good at all.

Camille-- Do you have encryption on your FW so you can set up a VPN tunnel, or are you just looking to punch a hole through for one user coming in the clear?

Chris

-----Original Message-----
From: Sprouse, Ben
To: 'Vincent, Mike'; 'Camille Edge'; [email protected]
Sent: 2/6/01 9:04 AM
Subject: RE: [FW1] user rule

I would agree.... SecuRemote currently is only available as a Win client app.

-----Original Message-----
From: Vincent, Mike [mailto:[email protected]]
Sent: Tuesday, February 06, 2001 8:43 AM
To: 'Camille Edge'; [email protected]
Subject: RE: [FW1] user rule

I know you said you did not want a third party product, but you could have the user run an IPSEC client on his Macintosh and set up a shared secret VPN. You would have to allow all possible addresses in his DHCP scope in your VPN rule. That would at least add authentication and encryption. If I remember correctly www.netlock.com and www.nia.com offer IPSEC clients for Macintosh.

Mike

-----Original Message-----
From: Sprouse, Ben
To: 'Camille Edge'; [email protected]
Sent: 2/6/01 7:52 AM
Subject: RE: [FW1] user rule

I would suggest getting this person SecuRemote; it is a part of FW-1/VPN-1 and available free for download at Checkpoint's site. You would need to set up a user authentication object within the policy database and create a rule similar to the one below. The user objects you create would need to be set up with the right encryption (IKE, FWZ). We use IKE since it is the easiest to set up and a shared secret is all you need for the firewall and the client authentication. SecuRemote is free for download, BUT you MUST get a license for it from your reseller or Checkpoint. The license is free, but it is REQUIRED in order for SR.

SecuRemote User objects (or a group) --> Allowed destination --> Allowed Services or Groups access to --> Client Encrypt

This rule is pretty plain, but it works. You can restrict the SR users to certain networks or server objects if you want to further lock down their access. I am curious as to why they cannot get a static IP though... oh well, I hope this answers your question...

Regards,
Benjamin Sprouse
Senior Network Architect
eMarketWorld.com, Inc.
700 E. Franklin St. Suite 600A-700A
Richmond, VA.
[email protected]

-----Original Message-----
From: Camille Edge [mailto:[email protected]]
Sent: Monday, February 05, 2001 10:48 PM
To: [email protected]
Subject: [FW1] user rule

Hi all,

I have a question that I didn't find an answer to already, and I've searched the archives here, phoneboy and Checkpoint's websites. If it is out there I apologize, but any help you could give I would appreciate.

I want to set up a rule to allow an external user access inside my firewall. The user does not always have a static IP address when they are online and cannot get one from their ISP. However, I know the IP range the user would be coming from. I don't want to give access to other users from that ISP, only this one person. How do I do this? I figured I must use some sort of user-specific authentication, but I'm not sure what. Currently I don't have anything set up and really don't want to have to get a third party product such as SecurID for just one user. That just wouldn't be cost effective. The user has a Mac, so I don't think that the SecuRemote client would work since it doesn't support Macs from what I can tell. How would I write the rule and what objects would I need to create?

Thanks
cee

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
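The thread turns on one point: a source-address range from an ISP's DHCP scope identifies a network, not a person, so a rule keyed only on that range admits every customer of that ISP, whereas Ben's Client Encrypt rule (and Mike's IPSec-client variant) still restricts the source to the DHCP scope but additionally requires a proven user identity. The following is an added example, not code from the thread or from Check Point, that models first-match rule-base evaluation in Python and runs the two styles of rule over constructed connection attempts. The addresses (203.0.113.0/24 as the ISP scope, 10.0.0.5 as the internal host), the user name "remote-user" and the reduction of Client Encrypt to "the client proved this identity" are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """One inbound connection attempt as the firewall sees it.

    user is the identity the VPN client proved during the Client Encrypt
    negotiation, or None for a plain packet with no authentication.
    """
    src: str
    dst: str
    service: str
    user: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: tuple                  # CIDRs the source must fall in (the ISP's DHCP scope)
    dst_nets: tuple                  # allowed destination objects
    services: frozenset              # allowed services
    action: str                      # "accept" (plain hole) or "client_encrypt"
    users: frozenset = frozenset()   # SecuRemote user group; only used by client_encrypt

    def matches(self, c: Conn) -> bool:
        in_src = any(ip_address(c.src) in ip_network(n) for n in self.src_nets)
        in_dst = any(ip_address(c.dst) in ip_network(n) for n in self.dst_nets)
        if not (in_src and in_dst and c.service in self.services):
            return False
        # Client Encrypt binds the rule to a proven user identity, not just to an address.
        if self.action == "client_encrypt":
            return c.user is not None and c.user in self.users
        return True


def evaluate(rules, conn: Conn) -> str:
    """First-match evaluation with an implicit drop, like an FW-1 rule base.
    Returns the name of the matching rule, or "drop"."""
    for r in rules:
        if r.matches(conn):
            return r.name
    return "drop"


# Constructed sample data (assumptions, not values from the thread).
ISP_SCOPE = "203.0.113.0/24"      # the user's ISP DHCP range
INTERNAL_HOST = "10.0.0.5/32"     # the server the user needs to reach

# Style 1: punch a hole for the whole ISP range, no authentication.
PLAIN_HOLE = (
    Rule("isp-range-any", (ISP_SCOPE,), (INTERNAL_HOST,), frozenset({"ssh"}), "accept"),
)

# Style 2: same range, but only a member of the SecuRemote user group, via Client Encrypt.
SR_RULE = (
    Rule("sr-users-client-encrypt", (ISP_SCOPE,), (INTERNAL_HOST,), frozenset({"ssh"}),
         "client_encrypt", frozenset({"remote-user"})),
)

SCENARIOS = {
    "intended user, authenticated": Conn("203.0.113.77", "10.0.0.5", "ssh", user="remote-user"),
    "stranger on same ISP, no auth": Conn("203.0.113.200", "10.0.0.5", "ssh"),
    "stranger on same ISP, wrong identity": Conn("203.0.113.200", "10.0.0.5", "ssh", user="someone-else"),
    "intended user, wrong service": Conn("203.0.113.77", "10.0.0.5", "smtp", user="remote-user"),
}


def compare() -> dict:
    """Map each scenario to (result under PLAIN_HOLE, result under SR_RULE)."""
    return {label: (evaluate(PLAIN_HOLE, c), evaluate(SR_RULE, c))
            for label, c in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (plain, sr) in compare().items():
        print(f"{label:40s} plain-hole: {plain:15s} client-encrypt: {sr}")
```

The plain range rule accepts the stranger from the same ISP exactly as readily as the intended user; the Client Encrypt rule drops every attempt that does not carry the right proven identity, and also drops the right user when coming from outside the permitted scope, which is why Mike notes that the whole DHCP scope has to be listed as the allowed source.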