
Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS



Further Information:

From the Firewall activity at the office, the initial login attempt appears
to come from my ICS server address, which is obviously correct & so works.
All further traffic shows the source address of the actual client machine,
so replies can't actually reach it.

This implies that it is something local on the client, but what??


----- Original Message -----
From: "Mike Crowhurst" <[email protected]>
To: <[email protected]>
Sent: Wednesday, June 12, 2002 6:51 AM
Subject: Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS


> I'll reply to all three in one....
>
> > In one of your many rebuilds of the XP desktop, did you install any new
> > windows patches from update? M$ seem to have a thing for changing
> > configurations when they install these.
> >
> > just a thought
> >
> > rich
>
> Yes, without a doubt, I'm a regular visitor to the WindowsUpdate site and
> apply all the relevant patches. The only reason I'm not focussing on the XP
> machine is that things broke when the office config changed, rather than
> after any changes to the XP ICS server.
>
> > I am not going to argue with you if you had this working. Can you give us
> > any more information about what is happening? Have you been able to
> > perform a traffic dump to see where things are failing?
> >
> > When the gateway's IP address changed, did anything else change with it?
> >
> > Are you forcing UDP encapsulation, etc.?
>
> My thanks for not arguing, although I was expecting several "It can't work
> via ICS" replies. I've read enough articles on the internet detailing how it
> is not supported via ICS as it doesn't work. Were it not for the fact that
> I've spent countless hours connected to the office via SecureClient 4.1 and
> ICS I'd have been forced to agree with the weight of popular opinion. In any
> case, I'm sorry I didn't supply too much detail regarding the changes at the
> office, but as I'm sure you're aware, publicising Firewall & network details
> is often not the best way to go.
>
> Basically though it was actually a fairly major change. We currently have
> two separate ISP links at the office, but as one of them is via the rapidly
> sinking KPNQwest, all our connections are being transferred at present onto
> just one. The VPN was configured via the KPNQwest based link. This has been
> transferred over and is now working via the other ISP's link, which is why
> the address changed. Theoretically the configuration of the VPN itself has
> not changed, aside from the work necessary to transfer it. This does seem to
> be the case, as connection to the VPN is possible, just only via a direct
> internet connection rather than via ICS.
>
> It has to be said at this point, that several people at the office have
> never been able to get the VPN working via ICS, whilst up until now I have
> never had a problem. I do not however recall having had to make any special
> changes on my workstation here to get this going, in fact at one point I
> deliberately stripped the SecureClient off completely, re-installed it,
> copied in the office UserC.C file (easiest way to setup the connection
> details) and it worked straight off.
>
> I have now tried configuring the SecureClient with UDP Encapsulation on &
> off, but see no difference either way.
>
> > Have you checked all of the adapters SecureClient is bound to and made sure
> > the QOS agent is disabled?
>
>
> >Frank
>
> Yes, the network configuration on the XP machine hasn't changed, QOS
> disabled, and the SecureClient is bound to all adapters on the 2000 client
> machine.
>
> If I start up the SecureClient, but don't log in, then try to communicate
> with the office network I do immediately get the login dialog window pop-up,
> so I'm sure the client is trying to handle the appropriate traffic.
>
> I've now installed MS Network monitor on both machines and run captures
> whilst connected to the VPN. When dialled up to the internet with the VPN
> working, a ping to an office server shows the expected Netmon capture -
> packets going back & forth between my workstation and the office firewall.
>
> When I disconnect and go back to using my home LAN and ICS, Netmon captures
> on the ICS client and server show pings leaving the workstation, apparently
> headed for the real destination address, then leaving the ICS server headed
> for the office firewall. Pretty much what I'd expect, as I'd run these kind
> of captures before, back when it used to work. Now however, I get no packets
> back at all.
>
> I'm going to be trying to get someone at the office to check the FW-1 logs
> to see what they can see from that end, but don't have those details yet.
>
> Any suggestions welcomed.
>
> Mike
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>




 