Re: [FW-1] Office mode with SecuRemote
No problems Michel. IP Pool NAT and Office Mode IP Pool are complementary, and are again for slightly different purposes.

As I understand it, IP Pool NAT facilitates "Multiple Entry Point" configurations where you may have several FW-1 gateways around the perimeter of your LAN/WAN. Each firewall will allocate from its own IP pool, and thus internal routing can reliably direct traffic back to the correct entry point (as opposed to trying to partition entry points and routes based on the original external IP address).

Office Mode overcomes the potential duplicate client-side networks as discussed before.

IP Pool NAT operates *after* Office Mode, meaning when you are using Pool NAT and OM, the final IP seen inside the network will be the Pool NAT one. To support Pool NAT and Office Mode, you need one IP pool per gateway for Pool NAT and one pool for all Office Mode (assuming DHCP allocation is used).

Pros/Cons - Office Mode is only supported by SecureClient in Connect Mode. If you are in a MEP environment, you are probably already using IP Pool NAT, and will probably continue to need to. If you are only using IP Pool NAT on a single gateway, you should be able to change to Office Mode and cease Pool NAT and still achieve the same net effect.

Regards,
Robin

---

-----Original Message-----
From: Messier, Michel [mailto:[email protected]]
Sent: Wednesday, 26 February 2003 2:34 AM
To: [email protected]
Subject: Re: [FW-1] Office mode with SecuRemote

Robin, thanks very much for the explanation. I still have something that's unclear to me. I'm already using IP Pool NAT for the SR incoming connections, therefore I already have an internal IP address when coming through SR. How does that relate to the Office Mode IP Pool? Do I stop using IP Pool NAT and start using Office Mode IP Pool?

Thanks for all the explanations.
Michel

-----Original Message-----
From: Robin Frousheger [mailto:[email protected]]
Sent: 24 February 2003 17:52
To: [email protected]
Subject: Re: [FW-1] Office mode with SecuRemote

Michel,

Once SR/SC is installed and topology information has been updated, it will prompt for VPN authentication after username and password have been entered into the Ctrl-Alt-Del login dialog, but before actual login occurs. The VPN auth can be presented as either transparent mode auth, or as a connect mode 'Connect' dialog. If VPN auth is successful, login will be able to occur through the newly set up VPN. This is the feature provided by SDL and is not directly affected by NAT/home network scenarios - once a VPN can be negotiated, SDL assists with the login process.

Office mode is one feature that enhances VPN negotiation from behind a NAT device or home network. It creates a virtual network adapter on the client PC with an IP address allocated by the firewall, and uses that as a basis for all VPN communication. Office mode requires Connect mode to be enabled.

E.g. I have a home PC with IP address 192.168.0.5 and my co-worker has a home PC with the same IP address, both of us using a NAT/DSL box for connectivity. When my SR/SC starts it will tunnel the VPN packets through the NAT box (one of its built-in features) and the firewall will 'see' the packets coming from 192.168.0.5. When my co-worker starts SR/SC, the firewall will 'see' her PC as 192.168.0.5 as well - duplicate IP addresses = conflict & bad stuff.

If Office mode were in use, the firewall would allocate an individual IP address per machine, as it sees them. So in this case, my PC might be allocated 10.42.42.1, and my co-worker's allocated 10.42.42.2 - for VPN communication purposes only. Locally, the PC is still using 192.168.0.5, and NAT-ing through the DSL box as it otherwise would.

Hope that's not too confusing.

Regards,
Robin

---

-----Original Message-----
From: Messier, Michel [mailto:[email protected]]
Sent: Friday, 21 February 2003 3:24 AM
To: [email protected]
Subject: Re: [FW-1] Office mode with SecuRemote

Thanks Robin,

One more question though... what happens for SDL and/or Office mode if I hook up from a home network sitting behind a router? How do I establish the VPN tunnel _before_ the Windows logon???

thx for your input,
Michel

-----Original Message-----
From: Robin Frousheger [mailto:[email protected]]
Sent: 17 February 2003 19:42
To: [email protected]
Subject: Re: [FW-1] Office mode with SecuRemote

I can offer some testing results with our environ...

Firewall: NG FP1 with OM Hotfix
Clients: WinXP and Win2k with SecureClient 53333

Office mode allocates an "internal" address to each client for the purposes of communicating to the firewall/internal network (this helps overcome the problems resulting from loads of companies, hotels, home users, etc. using a 192.168.0.x network).

Secure Domain Logon allows SecureClient and the VPN to start *before* a user logs on, thus allowing (nearly) seamless login to a domain (including profiles, login scripts, and group policy - almost).

SDL and 'Connect Mode' / 'Office Mode' can be used independently or jointly with no ill effects.

A note on our findings with group policy and SDL: it appears to work perfectly with Win2k clients, and *totally* disables it on WinXP. As yet, no one can (or is willing to) tell us why...

Regards,
Robin

---

-----Original Message-----
From: Messier, Michel [mailto:[email protected]]
Sent: Tuesday, 18 February 2003 2:48 AM
To: [email protected]
Subject: [FW-1] Office mode with SecuRemote

Hey listers,

I'm looking at the possibility to enable Secure Domain Logon in our environment. Here's our environment:

Module : NG FP3 HF1
Console: NG FP3
SecuRemote : will be NG FP3 (build 53328)

What is Office Mode vs SDL?
- Do they offer the same functionality?
- Which one would be easier to use and maintain?

All I'm looking for is for our clients to be logged onto the domain instead of simply getting IP connectivity to the domain.

Thanks,
Michel Messier

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the Network Administrator on +61 3 9667 6699. This footnote also confirms that this email message has been scanned for the presence of computer viruses and inappropriate content.
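As an added illustration, not part of the thread and not Check Point code, the Python model below walks through the layering Robin describes: two home clients that both present 192.168.0.5 collide without Office Mode, Office Mode hands each one a unique address from a single pool, and IP Pool NAT then rewrites that to a per-gateway pool so internal routing can send replies to the correct entry point. The 10.42.42.0/24 Office Mode pool follows Robin's example; the gateway names, the 172.16.x.0/24 Pool NAT ranges and the client list are constructed for the example.

```python
"""Model of Office Mode followed by IP Pool NAT, as described in the FW-1 thread.

Constructed scenario: three SecureClient users behind home NAT boxes, all with
the same LAN address, terminating on two gateways (a Multiple Entry Point setup).
"""
import ipaddress
from collections import Counter

# Constructed sample clients; names, LAN IPs and gateway assignments are made up.
CLIENTS = [
    {"user": "robin",    "lan_ip": "192.168.0.5", "gateway": "gw-melbourne"},
    {"user": "coworker", "lan_ip": "192.168.0.5", "gateway": "gw-melbourne"},
    {"user": "michel",   "lan_ip": "192.168.0.5", "gateway": "gw-sydney"},
]

# One Office Mode pool shared by all gateways (range taken from Robin's example).
OFFICE_MODE_POOL = ipaddress.ip_network("10.42.42.0/24")

# One IP Pool NAT range per gateway (hypothetical ranges for the example).
POOL_NAT = {
    "gw-melbourne": ipaddress.ip_network("172.16.1.0/24"),
    "gw-sydney":    ipaddress.ip_network("172.16.2.0/24"),
}
# Internal routing table: each Pool NAT range routes back to its own gateway.
INTERNAL_ROUTES = {net: gw for gw, net in POOL_NAT.items()}


def conflicts_without_office_mode(clients):
    """Addresses the firewall would 'see' more than once if OM were off."""
    seen = Counter(c["lan_ip"] for c in clients)
    return sorted(ip for ip, count in seen.items() if count > 1)


def allocate(clients):
    """Office Mode first (unique virtual IP), then Pool NAT on the client's gateway."""
    om_hosts = OFFICE_MODE_POOL.hosts()                     # shared across gateways
    nat_hosts = {gw: net.hosts() for gw, net in POOL_NAT.items()}  # one per gateway
    sessions = []
    for client in clients:
        om_ip = next(om_hosts)                              # address on the virtual adapter
        inside_ip = next(nat_hosts[client["gateway"]])      # address seen inside the network
        sessions.append({**client, "om_ip": str(om_ip), "inside_ip": str(inside_ip)})
    return sessions


def route_reply(inside_ip):
    """Entry point that internal routing picks for a reply, using only the inside IP."""
    addr = ipaddress.ip_address(inside_ip)
    return next(gw for net, gw in INTERNAL_ROUTES.items() if addr in net)
```

Running `allocate(CLIENTS)` shows every session ending up with a distinct inside address whose prefix identifies the gateway it entered through, which is the property MEP routing relies on.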