| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW-1] Office mode with SecuRemote
- To: [email protected]
- Subject: Re: [FW-1] Office mode with SecuRemote
- From: Robin Frousheger <[email protected]>
- Date: Wed, 26 Feb 2003 13:05:48 +1100
- Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
- Sender: Mailing list for discussion of Firewall-1 <[email protected]>
- Thread-index: AcLc9v8juh6ssQWMTFOeKH9Y55bb7wAQbPSw
- Thread-topic: [FW-1] Office mode with SecuRemote
No problems Michel.
IP Pool NAT and Office Mode IP Pool are complementary, and are again for slightly different purposes.
As I understand it, IP Pool NAT facilitates "Multiple Entry Point" configurations where you may have several FW-1 gateways around the perimeter of you LAN/WAN. Each firewall will allocate from its own IP pool, and thus internal routing can reliably direct traffic back to the correct entry point (As opposed to trying to partition entry points and routes based on the original external IP address)
Office Mode overcomes the potential duplicate client side networks as discussed before.
IP Pool NAT operates *after* Office Mode, meaning when you are using Pool NAT and OM, the final IP seen inside the network will be the Pool NAT one.
To support Pool NAT and Office Mode, you need one IP Pool per gateway for Pool NAT and 1 pool for all Office Mode (Assuming DHCP allocation is used)
Pro's/Con's - Office Mode is only supported by SecureClient in Connect Mode. If you are in a MEP environment, you are probably already using IP Pool NAT, and will probably continue to need to. If you are only using IP Pool NAT on a single gateway, you should be able to change to Office Mode and cease Pool NAT and still achieve the same net effect.
Regards,
Robin
---
-----Original Message-----
From: Messier, Michel [mailto:[email protected]]
Sent: Wednesday, 26 February 2003 2:34 AM
To: [email protected]
Subject: Re: [FW-1] Office mode with SecuRemote
Robin, thanks very much for the explanation.
I still have something that's unclear to me. I'm already using IP Pool NAT
for the SR incoming connexions, therefore I already have an internal IP
adress when coming through SR. How does that relate to the Office Mode IP
Pool? Do I stop using IP Pool NAT and start using Office Mode IP Pool??
Thanks for all the explanations.
Michel
-----Message d'origine-----
De : Robin Frousheger [mailto:[email protected]]
Envoyé : 24 février, 2003 17:52
À : [email protected]
Objet : Re: [FW-1] Office mode with SecuRemote
Michel,
Once SR/SC is installed and topology information has been updated, it will
prompt for VPN authentication after username and password have been entered
into the Ctl-Alt-Del login dialog, but before actual login occurs. The VPN
auth can be presented as either transparent mode auth, or as a connect mode
'Connect' dialog.
If VPN auth is successful, login will be able to occur through the newly set
up VPN. This is the feature provided by SDL and is not directly affected by
NAT/Home network scenarios - once a VPN can be negotiated, SDL assists with
the login process.
Office mode is one feature that enhances VPN negotiation from behind a NAT
device or home network. It creates a virtual network adapter on the client
PC with an IP address allocated by the firewall, and uses that as a basis
for all VPN communication. Office mode requires Connect mode to be enabled.
E.g. I have a home PC with IP address 192.168.0.5 and my co-worker has a
home PC with the same IP address, both of us using a NAT/DSL box for
connectivity. When my SR/SC starts it will tunnel the VPN packets through
the NAT box (One of it's built in features) and the firewall will 'see' the
packets coming from 192.168.0.5. When my co-worker starts SR/SC, the
firewall will 'see' her PC as 192.168.0.5 as well - duplicate IP addresses =
conflict & bad stuff
If Office mode were in use, the firewall would allocate an individual IP
address per machine, as it sees them. So in this case, my PC might be
allocated 10.42.42.1, and my co-worker's allocated 10.42.42.2 - for VPN
communication purposes only. Locally, the PC is still using 192.168.0.5,
and NAT-ing through the DSL box as it otherwise would.
Hope that's not too confusing.
Regards,
Robin
---
-----Original Message-----
From: Messier, Michel [mailto:[email protected]]
Sent: Friday, 21 February 2003 3:24 AM
To: [email protected]
Subject: Re: [FW-1] Office mode with SecuRemote
Thanks Robin,
One more question though... what happens for SDL and/or Office mode if I
hook up from a home network sitting behing a router? How do I establish the
VPN tunnel _before_ the windows logon???
thx for your input,
Michel
-----Message d'origine-----
De : Robin Frousheger [mailto:[email protected]]
Envoyé : 17 février, 2003 19:42
À : [email protected]
Objet : Re: [FW-1] Office mode with SecuRemote
I can offer some testing results with our environ...
Firewall: NG FP1 with OM Hotfix
Clients: WinXP and Win2k with SecureClient 53333
Office mode allocates an "internal" address to each client for the
purposes of communicating to the firewall/internal network (This helps
overcome the problems resulting from loads of companies, hotels, home
users, etc using a 192.168.0.x network)
Secure Domain Logon allows SecureClient and the VPN to start *before* a
user logs on, thus allowing (nearly) seamless login to a domain
(Including profiles, login scripts, and group policy - almost)
SDL and 'Connect Mode' / 'Office Mode' can be used independently or
jointly with no ill effects.
A note on our findings with group policy and SDL: It appears to work
perfectly with Win2k clients, and *totally* disables it on WinXP.
As yet, no one can (or is willing) to tell us why...
Regards,
Robin
---
-----Original Message-----
From: Messier, Michel [mailto:[email protected]]
Sent: Tuesday, 18 February 2003 2:48 AM
To: [email protected]
Subject: [FW-1] Office mode with SecuRemote
Hey listers,
I'm looking at the possibility to enable Secure Domain Logon in our
environment. Here's our environment:
Module : NG FP3 HF1
Console: NG FP3
SecuRemote : will be NG FP3 (build 53328)
What is Office Mode vs SDL?
- Do they offer the same functionnality?
- Which one would be easier to use and maintain?
All I'm looking for is for our clients to be logged onto the domain
instead
of simply getting ip connectivity to the domain.
Thanks,
Michel Messier
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the Network Administrator on +61 3 9667 6699.
This footnote also confirms that this email message has been scanned
for the presence of computer viruses and inappropriate content.
**********************************************************************
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
