NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan


  • To: [email protected]
  • Subject: Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan
  • From: [email protected]
  • Date: Sun, 24 Feb 2002 08:41:49 +0200
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcG6mF8XY7OFpm9rQii9a+NvgcJfgACZcagg
  • Thread-topic: Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan

Title: RE: Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan

Dave,

In most cases I would agree, but in this case the solutions don't apply since :

We are accessing the units by their IP address and not by a name, so there is no reason there should be a DNS record or PTR for them (as well as these being in the Secured VLAN and not a DMZ, and the Telnet to the exact same IP address works fine.

I am not using the HTTP security server option at all.

Mike

    -----Original Message-----

    From:   David Knoll [SMTP:[email protected]]

    Sent:   ä ôáøåàø 21 2002 6:18

    To:     [email protected]

    Subject:             Re: [FW-1] Strange problem with Web access to an Access Point def             ined             in a DMZ lan

    Yes well it is not so much a problem as it is a security feature (Well part of it at least).

     

    As the one and only Dameon D. Welch points out:

     

    There can be two reasons for this behaviour:

     

    1)       The HTTP Security Server of FW-1 performs DNS reverse lookup to ascertain whether the IP address is registered and registered correctly. Many domain names have several IP addresses mapped to them but not all of those addresses were assigned a PTR record. Others simply never took the time to create the PTR record. This is a security feature of FW-1 that prevents impersonation. In any case to solve this do one of the following:

    A)      Ask the destination site to add a PTR record for the site in question in his DNS records.

    B)      Use the name returned by the reverse lookup instead of the FQDN you usually use.

    C)      Add a PTR record to the DNS Server against which the FW makes it's name resolutions.

    D)      Welch's solution – "Add an entry in your Firewall's local host file and have the system resolve against the hosts file first (note: This is untested)"

    E)      "Exclude the sites in question from going through the security server by adding a rule above your security server rule that permits normal HTTP to the site"

     

    2)       Connection to the desired site timed out. Some users indicated that allocating greater timeout for Bind in Policy properties -à resolving Tab, solved that problem for them, but I am sceptical.

     

     

     

    The Reverse Lookup behaviour was first made public by Arjan van der Valk on March 2nd 1999.

     

     

     

     

     

    David Knoll
    UpBIT Solutions Ltd


    Tel:+ 972-3-6476387

    Fax:+ 972-3-6476396

    Cellular:+ 972-54-496357

     

    E-mail: [email protected]

     

    Upbit Solutions Ltd

    9 Nissan Street

    Tel-Aviv 69715, Israel

    --------------------------------------------
    This message may contain confidential and/or proprietary information, and is intended only for the person / entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated.




     

    -----Original Message-----
    From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Chontzopoulos, Dimitris
    Sent: Thursday, February 21, 2002 1:26 AM
    To: [email protected]
    Subject: Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan

     

    Does configuring a HTTP resource has to do something with that? I am merely asking because i have the same problem with MANY Web sites. I have also configured 4 HTTP resources and before doing that (the HTTP resources that is) i had no problems. Now you will say, "Geeeeeeee, nice going dude... What do you do for a living? Nuclear scientist ?"... Ok. I have to admit that. But how come i haven't seen just one time so far a question like this? That is, except once i posted a question like this myself... Can someone give us the light in here? How about Checkpoint? Isn't that a little dooooooooohhhhh? Just asking boys and girls...

      -----Original Message-----
      From: David Knoll [mailto:[email protected]]
      Sent: Thursday, February 21, 2002 12:23 AM
      To: [email protected]
      Subject: Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan

      Do you use a security sever (add with resource) for HTTP?

       

      David Knoll
      UpBIT Solutions Ltd


      Tel:+ 972-3-6476387

      Fax:+ 972-3-6476396

      Cellular:+ 972-54-496357

       

      E-mail: [email protected]

       

      Upbit Solutions Ltd

      9 Nissan Street

      Tel-Aviv 69715, Israel

      --------------------------------------------
      This message may contain confidential and/or proprietary information, and is intended only for the person / entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated.



       

      -----Original Message-----
      From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of [email protected]
      Sent: Wednesday, February 20, 2002 4:26 PM
      To: [email protected]
      Subject: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan

       

      Afternoon all,

      I have a very odd situation here that I am unable to work out.

      I have a setup as follows :

      Internal Network

      |

      |

      FW ---- Secured VLAN

      |

      |

      Internet

      On the secured VLAN I have a Lan dedicated only to Access Points.

      I have a rule allowing specific users to access the AP's from the Internal Network using HTTP and Telnet.

      The users can Telnet to the AP's fine.

      The users attempt to access the AP's via HTTP. I see the sessions established in the log' and in the browser I get :

      "FW-1 at fw: Failed to connect to the WWW server".

      This again, despite the fact that I see the session established in the logs, and Telnet (standard) works fine.

      Anyone have any idea what could be causing this ?

      Thanks,

       

      Mike Glassman

      System & Security Admin

      Computer & Information Systems

      Israeli Airports Authority

      Ben-Gurion Airport

      <http://www.ben-gurion-airport.co.il>

      Tel : 972-3-9710785

      Fax : 972-3-9710939

      Email : [email protected]

      Usage of this email address or any email address at iaa.gov.il for the purpose of sales pitches, SPAM or any other such unwanted garbage, is illegal, and any person, whether corporate or alone doing so, will be prosecuted to the fullest possible extent.



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.