Re: [FW-1] Securemote VPN - SDL Login to a Windows 2000 Domain using Active Directory Services
SDL and Active Directory will be supported with Service Pack 5 of Secure Remote 4.1 and FR 1 of NG. Checkpoint with SDL will not send the SRV record requests (LDAP and Kerberos) down the VPN tunnel. I have gotten a hotfix and it works with 4.1 SP4. The hotfix for NG will be included in FR1. Checkpoint would not compile a hotfix for me.

James

----- Original Message -----
From: "Jim Laverty" <[email protected]>
To: <[email protected]>
Sent: Friday, October 19, 2001 6:25 PM
Subject: Re: [FW-1] Securemote VPN - SDL Login to a Windows 2000 Domain using Active Directory Services

> I've tried it over a T1, in which I was the only user and there is still a
> lag. I've sniffed the sessions of a local login vs. a SR login. I see
> many LDAP lookups (for both sessions) and netlogin calls only on the
> Securemote login. If you load tcpdump on the inside and outside
> interfaces, you will see a lot of pausing going on between ADS and the client.
>
> I've also noticed a lot of fragmentation, even with the _fw_dont_fragment
> option.
>
> At 06:26 PM 10/19/2001 , Palmer, Kevin wrote:
> >Jim,
> >
> >I'm having the same problem. I am running NG HF2 on W2K SP2 with all of
> >the security hotfixes (as of 10/01). I have yet to see a broadband user
> >log into the domain with SDL in under 5 minutes.
> >
> >As a test, I'm going to connect my notebook to the public Internet side
> >of the firewall and time how long it takes to log in from a 10Mbps
> >ethernet connection.
> >
> >Kevin Palmer
> >Granite Solutions
> >
> >-----Original Message-----
> >From: Jim Laverty [mailto:[email protected]]
> >Sent: Friday, October 19, 2001 11:30 AM
> >To: [email protected]
> >Subject: [FW-1] Securemote VPN - SDL Login to a Windows 2000 Domain
> >using Active Directory Services
> >Importance: High
> >
> >
> >We have been using Securemote on Win2K clients to login to a Windows 2000
> >domain (non-mixed mode), running active directory services (ADS). We're
> >using Nokia's 3.4.1 IPSO and FW-1 4.1 SP-5 (plus the latest SP-5
> >hotfix). Since I have installed SP-5 our login times over broadband
> >connections have been about 8-12 minutes; we were seeing 2 minute logins.
> >
> >I've been on the phone with Nokia and now they say Checkpoint does not
> >support Secure Domain Login (SDL) with Windows 2000 and ADS. Has anyone
> >else gotten this to work on SP-5 and if so, have you seen the performance
> >hit?
> >
> >I'm running tcpdump (on the firewalls) and Sniffer Pro (on the ADS and
> >client boxes). I'm seeing lots of fragmentation on the firewall, even
> >with the modzap hack for fragmentation.
> >
> >Any suggestions are welcome.
> >
> >===============================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >===============================================