
Re: [FW-1] Securemote VPN - SDL Login to a Windows 2000 Domain using Active Directory Services



I've tried it over a T1, in which I was the only user and there is still a
lag.  I've sniffed the sessions of a local login vs. a SR login.  I see
many LDAP lookups (for both sessions) and netlogin calls only on the
Securemote login.  If you load tcpdump on the inside and outside
interfaces, you will see a lot of pausing going on between ADS and the client.

I've also noticed a lot of fragmentation, even with the _fw_dont_fragment
option.

At 06:26 PM 10/19/2001, Palmer, Kevin wrote:
Jim,

I'm having the same problem. I am running NG HF2 on W2K SP2 with all of
the security hotfixes (as of 10/01). I have yet to see a broadband user
log into the domain with SDL in under 5 minutes.

As a test, I'm going to connect my notebook to the public Internet side
of the firewall and time how long it takes to log in from a 10Mbps
ethernet connection.

Kevin Palmer
Granite Solutions

-----Original Message-----
From: Jim Laverty [mailto:[email protected]]
Sent: Friday, October 19, 2001 11:30 AM
To: [email protected]
Subject: [FW-1] Securemote VPN - SDL Login to a Windows 2000 Domain
using Active Directory Services
Importance: High


We have been using Securemote on Win2K clients to log in to a Windows 2000 domain (non-mixed mode), running Active Directory Services (ADS). We're using Nokia's 3.4.1 IPSO and FW-1 4.1 SP-5 (plus the latest SP-5 hotfix). Since I installed SP-5, our login times over broadband connections have been about 8-12 minutes; we were seeing 2-minute logins.

I've been on the phone with Nokia and now they say Checkpoint does not
support Secure Domain Login (SDL) with Windows 2000 and ADS.  Has anyone
else gotten this to work on SP-5 and if so, have you seen the performance
hit?

I'm running tcpdump (on the firewalls) and Sniffer Pro (on the ADS and
client boxes).  I'm seeing lots of fragmentation on the firewall, even
with the modzap hack for fragmentation.

Any suggestions are welcome.

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

   All contents © 2004 Network Presence, LLC. All rights reserved.