
[FW-1] SecuRemote, Terminal Services and Outlook while inside the encryption domain


  • To: [email protected]
  • Subject: [FW-1] SecuRemote, Terminal Services and Outlook while inside the encryption domain
  • From: "Rodriguez, Laz" <[email protected]>
  • Date: Wed, 17 Sep 2003 11:26:48 -0400
  • Comments: To: [email protected]
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcN9MBvoTA18AhA5TzeHhqRy4+xhUg==
  • Thread-topic: SecuRemote, Terminal Services and Outlook while inside the encryption domain

All,

I have been experiencing a tremendous amount of downtime due to SecuRemote NG and my new IBM T40 laptops.

Here is the scenario: I currently replaced my old IBM T22s with Windows XP and SecuRemote 4.1 SP5 with new IBM T40s running Windows XP SP1 and SecuRemote ver R54.
There were no problems with the old environment; it all worked well. After a month of deployment, my T40 users started to complain about how slow the new laptops were when they came to the office (inside the encryption domain): Outlook kept requesting data and their remote desktop got disconnected sporadically. Opening attachments from the network would sometimes cause Excel and Word to fail as well.
After 3 weeks of heavy testing I discovered that it had to do with SecuRemote NG. I removed NG and installed 4.1 Build 4200, and all was back to normal.

I discovered that it has to do with time: NG is releasing the TCP state tables that it maintains, breaking all connections.

Here is a quick way to recreate the problem. Please note that SecuRemote does not need to be running in order to recreate the problem; both services need to be stopped, which is the part that concerns me: if SecuRemote is not running, why then does it care about TCP state tables?

***Inside your encryption domain, open a remote desktop to a terminal server and connect, minimize the connection, double-click your clock, and change the date to tomorrow's date. Go back to your remote desktop; you should have a black or frozen screen, and it disconnects within 1 min.***


Please note my users are not changing the clock; they have no rights. The issues happen all through the day, multiple times on the same machines.

Has anyone out there seen this problem with NG? I have a call in to Check Point; they are researching the issue.

______________________________________________________________________________________________________________
Here is an excerpt from an email that I received from tech support:


RE: SecuRemote latency issues while inside encryption domain

I have done some testing on the SecuRemote client.  Moving the clock ahead one day will indeed cause all active TCP connections to break.  This is because the client maintains a state table very similar to the state table in a FireWall-1 gateway.  When a TCP connection is created, the details of the connection are placed in the state table with a timeout of 10800 seconds (3 hours).  When you move the clock ahead one day, it causes all of the connections in the connections table to immediately expire.  This causes the SecuRemote kernel to not have any state saved when the next packet for one of these connections comes into the kernel.  The SecuRemote kernel will therefore drop the packet.  This causes the connection to break.

This is not a problem, in and of itself.  This is the way the client is designed to work.

______________________________________________________________________________________________________________________



 Thanks

Laz Rodriguez



_____________________________________________
Laz Rodríguez
Director, Computer Operations and Technology
Maidenform, Inc.
Bayonne,  NJ  07002
VoiceFaxemail: [email protected]
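
The behaviour tech support describes can be modelled in a few lines. This is an added illustration, not part of the original message and not Check Point code: a state table whose entries expire after 10800 seconds, driven once by wall-clock time and once by a monotonic clock. The class names, addresses, start time and the monotonic variant are assumptions made for the example.

```python
TCP_TIMEOUT = 10800  # seconds (3 hours), the timeout quoted by tech support


class FakeClock:
    """Constructed clock pair: wall time can be stepped, monotonic time cannot."""
    def __init__(self, start=1063812408.0):  # constructed start value
        self.wall = start
        self.mono = 0.0

    def advance(self, seconds):
        # Real time passing: both clocks move together.
        self.wall += seconds
        self.mono += seconds

    def step_wall(self, seconds):
        # The system date is changed: only wall time moves.
        self.wall += seconds


class StateTable:
    """Simplified connection table keyed by (src, sport, dst, dport)."""
    def __init__(self, now, timeout=TCP_TIMEOUT):
        self.now = now          # callable returning the current time in seconds
        self.timeout = timeout
        self.entries = {}       # connection tuple -> expiry time

    def handle_packet(self, conn, is_syn=False):
        """Return 'accept' or 'drop' for one packet of connection conn."""
        t = self.now()
        # Purge entries whose expiry time has passed.
        self.entries = {c: exp for c, exp in self.entries.items() if exp > t}
        if is_syn or conn in self.entries:
            self.entries[conn] = t + self.timeout  # create or refresh state
            return "accept"
        return "drop"           # mid-stream packet with no saved state


def simulate(use_wall_clock):
    """Open a connection, step the date forward one day, send another packet."""
    clock = FakeClock()
    source = (lambda: clock.wall) if use_wall_clock else (lambda: clock.mono)
    table = StateTable(source)
    rdp = ("10.1.1.50", 3391, "10.1.1.10", 3389)   # constructed addresses
    results = [table.handle_packet(rdp, is_syn=True)]
    clock.advance(60)
    results.append(table.handle_packet(rdp))
    clock.step_wall(86400)      # date set to tomorrow, as in the reproduction
    clock.advance(5)
    results.append(table.handle_packet(rdp))
    return results
```

With the wall clock as the time source, the third packet is dropped because its entry expired the moment the date moved; with the monotonic source the same entry survives and still ages out after a genuine 3 hours of idle time.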



   All contents © 2004 Network Presence, LLC. All rights reserved.