Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS
I'll reply to all three in one....

> In one of your many rebuilds of the XP desktop, did you install any new
> windows patches from update? M$ seem to have a thing for changing
> configurations when they install these.
>
> just a thought
>
> rich

Yes, without a doubt, I'm a regular visitor to the WindowsUpdate site and apply all the relevant patches. The only reason I'm not focussing on the XP machine is that things broke when the office config changed, rather than after any changes to the XP ICS server.

> I am not going to argue with you if you had this working. Can you give us
> any more information about what is happening? Have you been able to
> perform a traffic dump to see where things are failing?
>
> When the gateway's IP address changed, did anything else change with it?
>
> Are you forcing UDP encapsulation, etc.?

My thanks for not arguing, although I was expecting several "It can't work via ICS" replies. I've read enough articles on the internet detailing how it is not supported via ICS as it doesn't work. Were it not for the fact that I've spent countless hours connected to the office via SecureClient 4.1 and ICS, I'd have been forced to agree with the weight of popular opinion.

In any case, I'm sorry I didn't supply too much detail regarding the changes at the office, but as I'm sure you're aware, publicising firewall & network details is often not the best way to go. Basically though, it was actually a fairly major change. We currently have two separate ISP links at the office, but as one of them is via the rapidly sinking KPNQwest, all our connections are being transferred at present onto just one. The VPN was configured via the KPNQwest-based link. This has been transferred over and is now working via the other ISP's link, which is why the address changed. Theoretically the configuration of the VPN itself has not changed, aside from the work necessary to transfer it.
This does seem to be the case, as connection to the VPN is possible, just only via a direct internet connection rather than via ICS.

It has to be said at this point that several people at the office have never been able to get the VPN working via ICS, whilst up until now I have never had a problem. I do not, however, recall having had to make any special changes on my workstation here to get this going. In fact, at one point I deliberately stripped the SecureClient off completely, re-installed it, copied in the office UserC.C file (easiest way to set up the connection details) and it worked straight off.

I have now tried configuring the SecureClient with UDP Encapsulation on & off, but see no difference either way.

> Have you checked all of the adapters SecureClient is bound to and made sure the QOS agent is disabled?
> Frank

Yes, the network configuration on the XP machine hasn't changed, QOS disabled, and the SecureClient is bound to all adapters on the 2000 client machine. If I start up the SecureClient but don't log in, then try to communicate with the office network, I do immediately get the login dialog window pop-up, so I'm sure the client is trying to handle the appropriate traffic.

I've now installed MS Network Monitor on both machines and run captures whilst connected to the VPN. When dialled up to the internet with the VPN working, a ping to an office server shows the expected Netmon capture: packets going back & forth between my workstation and the office firewall. When I disconnect and go back to using my home LAN and ICS, Netmon captures on the ICS client and server show pings leaving the workstation, apparently headed for the real destination address, then leaving the ICS server headed for the office firewall. Pretty much what I'd expect, as I'd run these kinds of captures before, back when it used to work. Now, however, I get no packets back at all.
I'm going to be trying to get someone at the office to check the FW-1 logs to see what they can see from that end, but don't have those details yet.

Any suggestions welcomed.

Mike