Re: [FW-1] VPN setup problems
Here's my two cents' worth. In my experience, RDP must be allowed, either through the implied rules or by creating your own rule which duplicates what the "allow FW-1 control connections" implied rules would have done. SecuRemote clients use RDP to keep contact with the VPN gateways. This is how they 1) pick an initial gateway to use as the entry point, and 2) fail over to an alternate gateway should the primary fail.

In my case, I disabled the implied rules and attempted to build my own. It was not successful at first. Apparently, the implied rules enable what I'll call, due to my lack of understanding, "other" features in the rule base. I turned off control connections and created my own rule allowing RDP between the SR clients and the gateways, attempting to duplicate the implied rule that is created by allowing control connections. What I found was that the clients were not selecting the appropriate primary gateway, and they would not fail over to the backups. At Checkpoint's direction I did the following:

1. Create a new user-defined service definition called FW1_RDP (note that the implied rule normally uses the service named RDP). For this new service use a MATCH field of "0". That is a number zero. Use a PROLOGUE field of "accept_fw1_rdp;". Without the " marks, of course.

2. Alter my rules to use this new FW1_RDP service instead of the old RDP service.

This solved my problems. And by the way, we were using IKE all along, so I disagree (very politely) that IKE precludes the need for RDP. In my case RDP is still necessary.

Now, when I did this I was running SP3 and the flaws in RDP were still present. If you are at SP5 with the RDP hotfix, why are you disabling the allow control connections? It seems a lot of trouble. Are there still OTHER problems with the few remaining implied rules that allowing control connections creates?
----------------------------------------------------------------------------------------
Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:

"MALIN, ALEX (PB)" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
12/12/01 11:13 AM
Please respond to Mailing list for discussion of Firewall-1
To: [email protected]
cc: <[email protected]>
Subject: Re: [FW-1] VPN setup problems

You can use IKE instead of FWZ as the encryption scheme. With IKE, you won't need to accept control connections. Using IKE will also provide stronger privacy protection.

Alex Malin

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, December 12, 2001 3:12 PM
To: [email protected]
Subject: [FW-1] VPN setup problems

Hi,

I am running SBFC2.0.35sp5, Checkpoint 4.1sp5-rdp-hotfix on a Solaris box. Now I have set up a SecuRemote VPN. However, this only works as long as "Accept VPN-1 FW-1 Control Connections" in the properties tab is enabled. Anybody running a VPN without that setup successfully?

When the box is unchecked, the node itself, not the cluster IP, replies to IKE requests, so reply packets are dropped by the firewall as those are not in the state table. I've built my rulebase according to the implied rules which I really want to enable, and there aren't any drops/rejects in the logviewer either.

I don't want to enable the above property as RDP is enabled by default and this protocol has had quite a few errors in the past.

Any help/hint/comment is really appreciated.

Regards,
Egonle
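The symptom Egonle describes (IKE answered from a cluster member's own address rather than the cluster IP, so the reply never matches the state table) is reproduced below with a minimal stateful-inspection model. This is an added illustration, not code from the thread or from Check Point; every address, port number other than IKE's UDP/500 and RDP's UDP/259, and log line is constructed.

```python
# Added example: model why a reply from the wrong source address is dropped.
# IKE is UDP/500; RDP (the SecuRemote/management control channel) is UDP/259.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport proto")
SERVICES = {500: "IKE", 259: "RDP"}

class StateTable:
    """Tracks UDP 'connections' by 5-tuple, as a stateful firewall does."""
    def __init__(self):
        self.entries = set()

    def outbound(self, pkt):
        # Record the forward tuple so the mirrored reply will be accepted.
        self.entries.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))

    def inbound_allowed(self, pkt):
        # A reply matches only if it is the exact mirror of a recorded tuple:
        # same addresses, same ports, same protocol. A different source IP
        # (a cluster member instead of the cluster IP) is simply unknown traffic.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.entries

def simulate(client, cluster_ip, replying_ip, dport):
    """Return (service, accepted) for a client request to cluster_ip that is
    answered from replying_ip. Constructed client port 40000 is used."""
    table = StateTable()
    table.outbound(Pkt(client, 40000, cluster_ip, dport, "udp"))
    reply = Pkt(replying_ip, dport, client, 40000, "udp")
    return SERVICES[dport], table.inbound_allowed(reply)

# Constructed drop-log layout: "<action> <proto> <src:port> <dst:port>".
SAMPLE_LOG = [
    "drop udp 192.0.2.20:500 198.51.100.10:40000",    # IKE reply from member
    "accept udp 192.0.2.1:259 198.51.100.10:40001",   # RDP reply from cluster IP
]

def explain_drops(log_lines, cluster_ip, members):
    """Flag dropped IKE/RDP replies sourced from a cluster member instead of
    the cluster IP: the 'reply not in state table' pattern from the thread."""
    findings = []
    for line in log_lines:
        action, proto, src, _dst = line.split()[:4]
        sip, sport = src.rsplit(":", 1)
        if action == "drop" and proto == "udp" and int(sport) in SERVICES and sip in members:
            findings.append((SERVICES[int(sport)], sip, cluster_ip))
    return findings
```

Each finding names the service, the member address that actually answered, and the cluster address the client expected, which is the mismatch to fix on the gateway side before touching the rulebase.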
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
If you have any questions on how to change your subscription options, email Ron Alcatraz at: [email protected]
=================================================