
[FW-1] Problems after 4.1SP5 to NG FP2 migration



Last weekend, we turned off our 4.1SP5 firewall and turned on our NG FP2
firewall. Although the vast majority of the system is working properly,
we are having a lot of problems with SecuRemote.

Prior to the changeover, we made sure that all staff were either using
the 4.1 build 4199 copy or the NG build 52057 copy. Everyone was
successfully connecting to the 4.1 firewall using IKE and 3DES.

We are seeing a number of problems with the NG firewall and SecuRemote:

1. Inability to get the site details, with the error "Communication with
site  has failed".

2. Where staff have managed to get the topology, their sessions are
failing after a few minutes. For example, I'll start using IMAP through
SR and authenticate myself. About 5-10 minutes later, my IMAP client
will fail to communicate with the firewall.

3. Rules aren't behaving as they were with 4.1. For example, there is a
rule that allows members of the IT Department access to the internal
network for any service. With 4.1, I was able to use Outlook in offline
mode and synchronise with Exchange. This doesn't work with NG. As a
result, I am temporarily using IMAP to communicate with Exchange.

In addition, we have done a lot of work with NG on making more use of
groups of users. For example, we have an MSExchangeUsers group that
consists of departmental groups, e.g. Publishing, Software, IT, etc.
There is a rule that allows users of the MSExchangeUsers group access to
the internal IP address of the Exchange server for ANY service.

However, that rule doesn't work for me - even for IMAP. Disabling that
rule and enabling the IT rule *does* allow me to use IMAP on Exchange.
Has anyone else seen problems with nested groups?

This has become a very painful and embarrassing problem. Can anyone
suggest any settings I can check or anything else to investigate
further?

Thanks.

--Philip

--
Philip Colmer MBCS CEng                 Tel: 01223 271223
I.T. Manager                            Fax: 01223 215513
ProQuest Information & Learning
The Quorum, Barnwell Road, Cambridge, CB5 8SW




 
   All contents © 2004 Network Presence, LLC. All rights reserved.