[FW-1] Problem with NFuse connection - solution for me
Evening all,

If you recall the email I sent out previously on this issue, I described problems I was having in connecting to my NFuse server from the Internet, whereas I could successfully connect to this system from inside the network. After much trial and error, and the help of many of you, and specifically the help from Kerry Barnes, I managed to reach a solution and get it all working.

One of the things I should have specified as an important issue was the use of VPN access for this, and had I done so, and perhaps put a little more thought into it, I might have reached a solution on my own with much less aggravation, but as it is, without the hints I received, the solution that works would not have been reached.

So, the first thing to note is that I could get to the primary logon screen and get a list of the published applications. I could not run any of the applications. The first hint was in the boilerplate.ica file (right click the app icon and save to disk) which contains the IP address the internal system is returning to the NFuse web page. This indicated that the address was not the NAT'd address, but the internal address. Changing the file on the IIS server to include the AltAddress parameter instead of the standard value fixed this, and the IP address was then the correct NAT'd address.

The next problem was when I discovered that I had to have both the IIS server and the Citrix XML server in the access rule allowing users to gain the correct NFuse access. This means that the rule would look like:

ANY IIS+XML HTTP+1494 Authorized

This as opposed to having just the IIS server in the rule, as was originally thought necessary. Also, I discovered from much log inspection that the initial contact is HTTP, whereas the application is being returned via 1494, which is why I need that too in the Service column.
The obvious problem here is that the ANY then allowed anyone to access the Citrix XML server, since this was not in the encrypted domain (as it had a NAT address). You would then ask why not simply place this server in the domain as well, and solve the problem. Well, because when I did that, or when I made the rule an authenticated rule, it would not work. I am still at a loss as to why this is. And believe me, I tried multiple combinations to test with no luck. So, now I am at the point where I have the IIS server in the encrypted domain in a rule with the XML server which is not in the encrypted domain, and I can access the applications fine.

Then comes the brainstorm..... VPN users are in fact a part of the internal IP address scheme, in the fact that they can ping an internal address and get a reply as well as telnet to the servers (Citrix) on port 1494 and get the ICA reply. This even though they have an ISP generated IP address. So why do I need a NAT'd address at all? Well, I don't. So I removed the NAT, placed both servers in the encrypted domain, removed all references to the ALTADDR from the Citrix servers and the IIS server, changed the ANY to a user access group, and the action to client encrypt, and expected it to work, but again, I get a "Server not found at specific address" error. So since I'm now well versed with boilerplate checking, I check the IP, and get the address of one of the other servers in the farm. (Under this configuration, the farm starts to work as a farm and chooses a different server each time depending on its load balancing.) I added all four servers in the farm to the rule and to the encrypted domain, shared secrets etc., and the rule looks like the following:

Access-Group@Any IIS-NFuse+Citrix-Server-Farm-Servers HTTP+1494 Client Encrypt

And it works.
Since I am using VPN only for this access, this solution works fine, but if someone wants to use NAT, there is still a problem which I have not yet been able to solve, regarding the inability to place both servers (IIS+XML) in the encryption domain and having it work, when they both have NAT'd addresses.

Again, I would like to thank all who sent hints, as they all definitely pushed me in the right direction. A few more days testing to ensure all is well, and I'll be pushing out to some very pleased bosses.

Mike Glassman
System & Security Admin
Computer & Information Systems
Israeli Airports Authority
Ben-Gurion Airport
http://www.ben-gurion-airport.co.il
Tel : 972-3-9710785
Fax : 972-3-9710939
Email : [email protected]
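The diagnostic step Mike describes above (saving the launch .ica file and reading which address the XML server handed back) is easy to automate. The following is an added example, not code from the original post or from Citrix: it parses the INI-style sections of an .ica file, pulls every Address value, and flags the entries that carry an RFC 1918 (internal) address, which an Internet client can only reach from inside the VPN or when the server returns its NAT'd AltAddr instead. The sample file, the application names and all addresses in it are constructed for the example.

```python
"""Check the Address entries in a Citrix .ica launch file and report the
ones that point at an internal (RFC 1918 / non-routable) address.
Added example code; not from the original mailing-list post."""
import configparser
import ipaddress
from typing import Dict, List

# Constructed sample in the INI layout .ica launch files use.  The app
# names and addresses are invented: 'Notepad' still returns an internal
# address, 'Calc' returns a public-looking address with the ICA port.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=
Calc=

[Notepad]
Address=10.1.2.3
InitialProgram=#Notepad

[Calc]
Address=172.32.0.1:1494
InitialProgram=#Calc
"""


def collect_addresses(ica_text: str) -> Dict[str, str]:
    """Return {section name: Address value} for every section with an Address key."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case so 'Address' is matched as written
    parser.read_string(ica_text)
    found: Dict[str, str] = {}
    for section in parser.sections():
        if parser.has_option(section, "Address"):
            found[section] = parser.get(section, "Address").strip()
    return found


def is_private_address(value: str) -> bool:
    """True when the value is an IP in a private range (10/8, 172.16/12,
    192.168/16 and the other non-routable blocks Python's ipaddress knows).
    An optional ':port' suffix is ignored; hostnames are treated as not private
    because they cannot be classified without resolving them."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def unreachable_from_internet(ica_text: str) -> List[str]:
    """Names of the application sections whose Address is an internal IP,
    i.e. the ones a client outside the network (and outside a VPN) would
    fail on with a 'server not found' style error."""
    return [name for name, addr in collect_addresses(ica_text).items()
            if is_private_address(addr)]


if __name__ == "__main__":
    for name, addr in collect_addresses(SAMPLE_ICA).items():
        flag = "INTERNAL" if is_private_address(addr) else "ok"
        print(f"{name}: {addr} [{flag}]")
```

Run it against a saved launch file by replacing SAMPLE_ICA with the file's contents; an application listed as INTERNAL is exactly the case in the post where the AltAddr setting (or VPN placement of the client) is needed. Note that 172.32.0.1 is deliberately just outside the 172.16.0.0/12 private block, so it is reported as reachable.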