
Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS



I'll reply to all three in one....

> In one of your many rebuilds of the XP desktop, did you install any new
> windows patches from update? M$ seem to have a thing for changing
> configurations when they install these.
>
> just a thought
>
> rich

Yes, without a doubt, I'm a regular visitor to the WindowsUpdate site and
apply all the relevant patches. The only reason I'm not focussing on the XP
machine is that things broke when the office config changed, rather than
after any changes to the XP ICS server.

> I am not going to argue with you if you had this working. Can you give us
> any more information about what is happening? Have you been able to
> perform a traffic dump to see where things are failing?
>
> When the gateway's IP address changed, did anything else change with it?
>
> Are you forcing UDP encapsulation, etc.?

My thanks for not arguing, although I was expecting several "It can't work
via ICS" replies. I've read enough articles on the internet detailing how it
is not supported via ICS as it doesn't work. Were it not for the fact that
I've spent countless hours connected to the office via SecureClient 4.1 and
ICS I'd have been forced to agree with the weight of popular opinion. In any
case, I'm sorry I didn't supply too much detail regarding the changes at the
office, but as I'm sure you're aware, publicising Firewall & network details
is often not the best way to go.

Basically though it was actually a fairly major change. We currently have
two separate ISP links at the office, but as one of them is via the rapidly
sinking KPNQwest, all our connections are being transferred at present onto
just one. The VPN was configured via the KPNQwest based link. This has been
transferred over and is now working via the other ISP's link, which is why
the address changed. Theoretically the configuration of the VPN itself has
not changed, aside from the work necessary to transfer it. This does seem to
be the case, as connection to the VPN is possible, just only via a direct
internet connection rather than via ICS.

It has to be said at this point, that several people at the office have
never been able to get the VPN working via ICS, whilst up until now I have
never had a problem. I do not however recall having had to make any special
changes on my workstation here to get this going, in fact at one point I
deliberately stripped the SecureClient off completely, re-installed it,
copied in the office UserC.C file (easiest way to set up the connection
details) and it worked straight off.

I have now tried configuring the SecureClient with UDP Encapsulation on &
off, but see no difference either way.

> Have you checked all of the adapters SecureClient is bound to and made sure
> the QOS agent is disabled?
>
> Frank

Yes, the network configuration on the XP machine hasn't changed, QOS
disabled, and the SecureClient is bound to all adapters on the 2000 client
machine.

If I start up the SecureClient, but don't log in, then try to communicate
with the office network I do immediately get the login dialog window pop-up,
so I'm sure the client is trying to handle the appropriate traffic.

I've now installed MS Network monitor on both machines and run captures
whilst connected to the VPN. When dialled up to the internet with the VPN
working, a ping to an office server shows the expected Netmon capture -
packets going back & forth between my workstation and the office firewall.

When I disconnect and go back to using my home LAN and ICS, Netmon captures
on the ICS client and server show pings leaving the workstation, apparently
headed for the real destination address, then leaving the ICS server headed
for the office firewall. Pretty much what I'd expect, as I'd run these kind
of captures before, back when it used to work. Now however, I get no packets
back at all.

I'm going to be trying to get someone at the office to check the FW-1 logs
to see what they can see from that end, but don't have those details yet.

Any suggestions welcomed.

Mike

   All contents © 2004 Network Presence, LLC. All rights reserved.