[FW1] Check Point NG & Secure Client NG Split DNS and LMHosts


  • To: "Firewall-1 Mailing List (E-mail)" <[email protected]>
  • Subject: [FW1] Check Point NG & Secure Client NG Split DNS and LMHosts
  • From: "Palmer, Kevin" <[email protected]>
  • Date: Wed, 19 Sep 2001 12:16:49 -0400
  • Sender: [email protected]
  • Thread-index: AcFBJnyy4ntIQskHQA6Tf/KXuvDe1w==
  • Thread-topic: Check Point NG & Secure Client NG Split DNS and LMHosts

Everyone,

I have finally made time to install and configure two Check Point NG
firewalls. I have one remaining Secure Client issue that I am trying to
resolve. I want to configure VPN-1 and Secure Client to support split
DNS. I have tried dozens of combinations of dnsinfo.C settings along
with the Global Properties, Encrypt DNS setting, and configuring a
SecureRemote DNS server on the servers objects tab. Nothing seems to
work. I can see Check Point rewriting the userc.C and LMhosts file when
I push a new policy and update the Secure Client site. When the
dnsinfo.C syntax is correct or close, the LMHosts file and userc.C files
are updated. Unfortunately, whenever I try to ping an internal host
using host.ad.domain.com., ping returns host not found. Other attempts
to resolve internal host names fail as well.

There have been many posts to the mailing list on this topic for Check
Point 2000 / V4.1. I have not seen anything relating to this issue for
Check Point NG yet.

NG Split DNS Configuration:
Has anyone configured split DNS successfully in NG according to the
documentation in VPN.pdf, CP Management.PDF, and the following FAQ? Does
the lib\crypt.def file require modification in the same way as in CP
2000? 
http://support.checkpoint.com/kb/docs/public/securemote/ng/pdf/sc_faq.pdf

Can split DNS in NG be configured without using a "SecuRemote DNS"
server object?

Does anyone have split DNS working in NG either alone or with LMhosts?

Thank You for Your assistance.

Kevin Palmer
Network Engineer - MCSE+I, CCSE, CCNA
Granite Solutions, Inc. 

Version Information:
VPN-1 Gateway: 	NG build 50047
			Windows 2000 SP2 & all security hotfixes

Client:			NG Secure Client build 50227
			Windows 2000 Pro SP1
Configuration Files:

*********** Section from userc.C ***********

)
:managers (
	: (<firewall external IP address>
		:obj (
			:type (node)
			: (<firewall external IP address>)
		)
		:dnsinfo (
			:dns_servers (
				: (<Int DNS Srv Obj Name>.<FW Ob Name>
					:obj (
						: (<Int DNS Ser IP Addr>)
					)
					:topology (
						: (
							:ipaddr (172.16.192.0)
							:ipmask (255.255.252.0)
							:ipaddr (172.16.196.0)
							:ipmask (255.255.252.0)
							:ipaddr (172.16.200.0)
							:ipmask (255.255.252.0)
							:ipaddr (172.16.204.0)
							:ipmask (255.255.252.0)
							:ipaddr (172.16.208.0)
							:ipmask (255.255.212.0)
							:ipaddr (172.16.216.0)
							:ipmask (255.255.252.0)
						)
					)
					:domain (
						: (
							:dns_label_count (14)
							:domain (.ad.domain.com)
						)
					)
				)
			)
			:encrypt_dns (true)
			:LMdata (
				: (
					:ipaddr (<Domain Controller IP Address>)
					:name (<DC Name>)
					:domain (<Windows Domain Name>)
				)
				: (
					:ipaddr (<Domain Controller IP Address>)
					:name (<DC Name>)
					:domain (<Windows Domain Name>)
				)
			)
		)
		:MgmtInternalCA 
		
		
*********** Entire dnsinfo.C ***********

(
	:dns_servers (
		: (<DNS Server Object Name>.<FW Object Name>
			:obj (
				: (<Int DNS Server IP Addr>)
			)
			:topology (
				: (
					:ipaddr (172.16.192.0)
					:ipmask (255.255.252.0)
					:ipaddr (172.16.196.0)
					:ipmask (255.255.252.0)
					:ipaddr (172.16.200.0)
					:ipmask (255.255.252.0)
					:ipaddr (172.16.204.0)
					:ipmask (255.255.252.0)
					:ipaddr (172.16.208.0)
					:ipmask (255.255.212.0)
					:ipaddr (172.16.216.0)
					:ipmask (255.255.252.0)
				)
			)
			:domain (
				: (
					:dns_label_count (14)
					:domain (.ad.domain.com)
				)
			)
		)
	)
	:encrypt_dns (true)
	:LMdata (
		: (
			:ipaddr (<DC IP Address>)
			:name (<DC Name>)
			:domain (<Windows Domain Name>)
		)
		: (
			:ipaddr (<DC IP Address>)
			:name (<DC Name>)
			:domain (<Windows Domain Name>)
		)
	)
)


*********** Section from LMHosts ***********

172.16.y.z	<Windows DC Name>	#PRE #DOM:ad	#SecuRemote
172.16.y.z	<Windows DC Name> 	#PRE #DOM:ad	#SecuRemote

Keywords
NG Next Generation 5.0
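
An added example, not part of the original post and not Check Point tooling: a small Python check over the `:ipaddr`/`:ipmask` pairs of a dnsinfo.C or userc.C fragment that reports any mask that is not a valid netmask (such as the `255.255.212.0` entry in both posted files) and any network address with host bits set. The object name `intdns.fw1` and the address `192.0.2.53` are constructed placeholders; how SecureClient itself treats such an entry is not stated in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the :topology block of the posted dnsinfo.C.
# intdns.fw1 and 192.0.2.53 are placeholders, not values from the post.
SAMPLE = """(
  :dns_servers (
    : (intdns.fw1
      :obj ( : (192.0.2.53) )
      :topology (
        : (
          :ipaddr (172.16.204.0)
          :ipmask (255.255.252.0)
          :ipaddr (172.16.208.0)
          :ipmask (255.255.212.0)
        )
      )
    )
  )
  :encrypt_dns (true)
)"""

# \s* also matches a line break, so e-mail-wrapped ":ipaddr\n(…)" pairs are found.
PAIR = re.compile(r":ipaddr\s*\(([^()]*)\)\s*:ipmask\s*\(([^()]*)\)")

def lint_topology(text):
    """Return a list of findings for a dnsinfo.C / userc.C fragment."""
    findings = []
    if text.count("(") != text.count(")"):
        findings.append("unbalanced parentheses")
    for addr, mask in PAIR.findall(text):
        addr, mask = addr.strip(), mask.strip()
        try:
            ipaddress.IPv4Network("0.0.0.0/" + mask)  # validates the mask alone
        except ValueError:
            findings.append(f"{addr}: invalid netmask {mask}")
            continue
        try:
            ipaddress.IPv4Network(f"{addr}/{mask}")   # strict: no host bits
        except ValueError:
            findings.append(f"{addr}/{mask}: host bits set in network address")
    return findings

if __name__ == "__main__":
    for finding in lint_topology(SAMPLE):
        print(finding)
```

`:LMdata` entries are skipped because their `:ipaddr` is not followed by an `:ipmask`.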