Re: [FW-1] securemote+ip pool nat+ X11
It took me a long time, but I finally got it to run. Here are the steps I used to make it work. I got them from a collection of newsgroups, Check Point and PhoneBoy.

1. Make sure the Exceed X-Server is running on the client.

2. Create a service of type Other; in the match field enter:

       tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules

3. Create a rule:
   Source = X-Servers
   Destination = NAT Pool IPs
   Service = name of the service created in step 2, and X11

4. Create a script file on the X-Server with the following lines:

       #!/bin/ksh
       # Start the CDE session with DISPLAY pointed at the address this
       # telnet login came from (the NAT pool IP as reported by `who am i`),
       # display :0. The sed strips everything up to "(" and turns ")..." into ":0".
       /bin/ksh /usr/dt/bin/Xsession -display `who am i | sed -e "s/^.*(//" -e "s/).*/:0/"`

5. Add the lines

       DISPLAY=`who am i | sed -e "s/^.*(//" -e "s/).*/:0/"`
       export DISPLAY   # needed so X clients started from this shell see it

   to your .profile (Solaris only) or whatever file you use for environment variables.

6. Create a new XStart on the client with the following configuration:
   Start Method - Telnet
   Program Type - X Window
   Login - user id
   Password - password
   Host - name or IP of the X Server
   Host Type - type of Unix
   Command - /home/user/script file created in step 4

Here is how it all works.

Step 1: you have to have the X-Server listening on the client for the connections back from the X-Server.
Step 2: create the service for step 3 (duh!).
Step 3: this allows the connections back from the X-Server to the client.
Step 4: this was the problem for me; the X-Server kept trying to display the X session back to itself. This line pulls the NAT pool IP address from the client connection and uses it for the display.
Step 5: also puts this into the environment variable. In my case something in the X-Server was also using this variable; you may not need it.
Step 6: sets up the client to use the script you created in step 4.

Hopefully all will work after this.

On a side note, we had clients using the Linksys router/firewall; they had to take an additional step of mapping ports 6000-6063 to the IP address of the client machine to make it work.

Good luck!
Thanks,
Scott Davis
Internet Security Specialist
T.Rowe Price

-----Original Message-----
From: Jesus Calvo Hernandez [mailto:[email protected]]
Sent: Thursday, December 20, 2001 2:45 PM
To: [email protected]
Subject: [FW-1] securemote+ip pool nat+ X11

Hi all,

I've got a somewhat complicated scenario where my users come into my encryption domain with SecuRemote and are then NATed into a pool, so that no IP address on the Internet can access my machines, only those in the SecuRemote pool (IP NAT Pool option on the gateway machine). So far so good.

But the problem arises when the users need to have Exceed running to some Unix servers. The outgoing channel from the "client" side is OK, encrypted, and the NATing from the real IP to the pool IP works; unidirectional services are OK (telnet, ftp...), but the return channel from the Unix machine to the Exceed machine, although encrypted, is directed to the real IP address of the Exceed machine, not the NATed one. That is where X11 breaks.

Is this scenario feasible, I mean NAT and SecuRemote with X11? I've followed the PhoneBoy document and created a rule for the return channel where I've defined a service of type Other (tcp,dport=6000,<dst,0> in userc_rules), source my Unix machines, destination any, action accept, but so far no success.

Any hint?

Best regards and thanks in advance,

Jesus Calvo
SchlumbergerSema Spain
Albarracin 25
28037-Madrid

------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of SchlumbergerSema. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
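The following is an added example, not code from either of the posts above. It shows in plain POSIX sh what Scott's `who am i | sed ...` pipeline is doing, which is the whole trick here: the Unix host sees the telnet login arriving from the NAT pool address, so that address (not the client's real IP) becomes the host part of DISPLAY, and the X server's return connection then lands on an address the firewall rule can match. It also handles the case the one-liner does not (a login with no "(host)" field, such as a local console, where the original sed passes the whole line through unchanged) and goes slightly beyond the posts by checking that the port the Unix host will connect back to (6000 + display number) falls inside the 6000-6063 range that the service definition and the Linksys port mapping allow. The sample `who am i` lines and the address 10.10.10.5 are constructed for the example; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original posts). Derives DISPLAY from a
# `who am i` line the way Scott's script does, and checks the X11 return
# port against the firewall service "tcp,dport>=6000,dport<=6063".
# The sample lines below are constructed; 10.10.10.5 stands in for a NAT
# pool address. Function names are hypothetical.

# display_from_who LINE
# Extract the parenthesized origin host/IP from one `who am i` line and
# append ":0". Returns 1 and prints nothing when the line has no "(host)"
# field (a local console login); the original sed pipeline would instead
# pass the whole line through unchanged and produce a nonsense DISPLAY.
display_from_who() {
    host=$(printf '%s\n' "$1" | sed -n 's/^.*(\([^)]*\)).*$/\1/p')
    [ -n "$host" ] || return 1
    printf '%s:0\n' "$host"
}

# x11_return_port DISPLAY
# An X server listens on TCP 6000 + display number, so the Unix host's
# X clients connect back to that port. Accepts "host:N" or "host:N.S".
x11_return_port() {
    disp=${1##*:}
    disp=${disp%%.*}          # drop a screen suffix such as ":0.0"
    echo $((6000 + disp))
}

# port_allowed_by_rule PORT
# True when the service match "dport>=6000,dport<=6063" would accept it,
# i.e. displays :0 through :63.
port_allowed_by_rule() {
    [ "$1" -ge 6000 ] && [ "$1" -le 6063 ]
}

# Stand-alone demonstration on a constructed Solaris-style `who am i` line.
SAMPLE='scott      pts/3        Dec 20 14:45    (10.10.10.5)'
if display=$(display_from_who "$SAMPLE"); then
    port=$(x11_return_port "$display")
    if port_allowed_by_rule "$port"; then
        echo "DISPLAY=$display; X server reached on tcp/$port (inside the rule)"
    else
        echo "DISPLAY=$display; X server reached on tcp/$port (outside the rule)"
    fi
else
    echo "no origin host in who-am-i output; not a remote login"
fi
```

In step 5 of the procedure the result of `display_from_who` is what ends up in DISPLAY (and must be exported so the X clients inherit it); `port_allowed_by_rule` is the check to run before widening or narrowing the dport range in the Other-type service, since a display number above 63 would be silently dropped by the rule as written.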
------------------------------------------------------------------

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] and in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================