Hi David,

You're welcome. I would be happy to send the moron admin that you're dealing with a comprehensive dissertation on why he needs to get an education on VPN security technology. It's so very, very sad that dolts like that have control over network security, esp. VPN configuration. But like someone smarter than me said, "it takes all kinds to screw up a world" :-)

Thanks!
Tom
www.isaserver.org/shinder

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Wednesday, October 15, 2003 12:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Checkpoint Firewall-1 | SecureClient-1| Big Time Help - this is a doosey!

AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS: http://www.isaserver.org/thawte/

Hi Tom,

Reason - corporate policy and that's all. Pretty much stonewalled the PPTP solution from the start and there wasn't any way to convince him to utilize PPTP; it was their way or the highway. Didn't have much support from their IT side. Also the developers I am supporting required access to their client's corporate public database and the admin feels paranoia that they will be accessing it through PPTP, a lack of security. I had mentioned that he could set up a rule to permit our site's public IP address to have only the resource behind CP access through PPTP, but that idea was shunted as well.

Resolution - Their IT admin suggested to lend us their hardware VPN solution to provide the developers VPN access and this should provide both outbound and inbound VPN for their developers for this environment. They both agreed to this quick solution. He will be shipping it overnight, so I wasn't able to resolve the issue with ISA.

Thank you very much for your quick response and thorough answer. I rarely request this response but I thought I exhausted everything that ISA could provide support for CP environment.
Dave

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, October 13, 2003 9:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Checkpoint Firewall-1 | SecureClient-1| Big Time Help - this is a doosey!

Hi Dave,

Did the guy give you a reason for not allowing PPTP? There must be some sort of superstition he has, maybe he lost the clove of garlic that he usually wears around his neck and he's afraid PPTP will bite his booty or something? ;-)

It looks like they use a proprietary, non-RFC version of NAT-T (gee, that's a surprise, next thing you'll tell me that the other firewall vendors don't support L2TP/IPSec in VPN gateway mode). So, you need to make sure that they are not using the firewall client and that they are configured as SecureNAT clients. Make sure there are protocol definitions to support all the required protocols. You don't need to allow outbound IP Protocols fifty and fifty-one because they are encapsulated in probably UDP 2746. I'd sure like to know why the heck they require TCP 443 open for a NAT-T IPSec connection to their dreaded CP firewall :-) But enough of my whining.

Check out:
http://www.isaserver.org/articles/IPSec_Passthrough.html

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Monday, October 13, 2003 7:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Checkpoint Firewall-1 | SecureClient-1| Big Time Help - this is a doosey!

Hi everyone,

Been a long time to post a question with yah guys and gals. I ran into a stubber tonight! A customer of mine is evaluating ISA 2000 versus SonicWall Pro 100 but his requirement is to VPN to a project of theirs that uses Checkpoint Firewall-1.
ISA 2000 VPN (PPTP) is rock solid to allow VPN clients to their network and outside their network. The problem they are having is their developers are at their project site behind FW-1 and attempting to VPN back to their HQ-ISA2K but the connection fails. Also, they attempt to VPN client (using Checkpoint SecureClient-1) behind HQ-ISA2K to the project site FW-1 and fail to connect.

Their admin wants us to verify that the following ports are enabled (notice I didn't say open :^):

SSL - 443
UDP - 500
TCP - 264
UDP - 2746
IP 50 + 51

I made the protocol rules with no results... Looked at the IP Packet Logs and FWLogs with ALLOWED listed for just 264 and 500... I don't see anywhere else in the logs for SecureClient-1 uses any other ports, then I just gave up and broke the Holy Moly ISA Golden Rule, and created packet filters for the listed ports and still fails! Geesh....

Yes, we are on a completely different subnet than project site
Yes, their admin will not allow PPTP in their site and out of their site.. (Company Policy)... that explains why MS VPN Client doesn't work from their site - talk about big fish eating the little fish!
Yes, we moved the client to a public IP (dial-up) and their SecureClient-1 functions correctly, but behind ISA... nadda!

So..... Is there something I have missed to make Checkpoint VPN Client work behind ISA? I would like to push ISA very much but I'm guessing the customer is swaying towards a simple dummy hardware solution? Either way, I'm interested in knowing what else I can do to allow Checkpoint VPN Client to work behind ISA?

Sorry in advance to the multi-post newsgroups but I'm looking for an answer tonight; as soon as I can get an answer I'm going to work all night until I find an answer on this.

Thanks everyone
_____
Regards,
David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Get Thawte's New Step-by-Step SSL Guide for MSIIS
Find out how to test, purchase, and install a Thawte Digital Certificate on your MSIIS web server: http://www.isaserver.org/thawte/
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
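A small diagnostic for the troubleshooting step David describes above (reading the packet logs to see which of the protocols the FW-1 admin listed were actually allowed outbound). This is an added example, not code from the thread or from ISA Server; the log line format is a constructed simplification and the "not needed" status of IP protocols 50/51 follows Tom's point that they are encapsulated in UDP 2746.

```python
import re
from collections import OrderedDict

# Constructed, simplified log lines (NOT ISA Server's real log format):
#   <result> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
ALLOWED TCP 10.0.0.25:1201 -> 203.0.113.9:264
ALLOWED UDP 10.0.0.25:500 -> 203.0.113.9:500
DENIED  UDP 10.0.0.25:2746 -> 203.0.113.9:2746
DENIED  TCP 10.0.0.25:1202 -> 203.0.113.9:443
ALLOWED TCP 10.0.0.25:1203 -> 198.51.100.4:80
"""

# Outbound flows the FW-1 admin in the thread asked to have enabled.
# IP protocols 50/51 are deliberately absent: with UDP 2746 encapsulation
# in use they ride inside UDP and need no separate outbound definition.
REQUIRED = OrderedDict([
    (("TCP", 264), "SecureClient topology download"),
    (("UDP", 500), "IKE"),
    (("UDP", 2746), "Check Point UDP encapsulation (NAT-T)"),
    (("TCP", 443), "SSL, as requested by the FW-1 admin"),
])

LINE_RE = re.compile(r"^(ALLOWED|DENIED)\s+(TCP|UDP)\s+\S+\s+->\s+\S+:(\d+)$")


def parse_log(text):
    """Yield (result, proto, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def check_required(text):
    """Map each required (proto, port) to 'ALLOWED', 'DENIED' or 'not seen'.
    One DENIED outweighs any ALLOWED for the same flow: a single dropped
    packet is enough to break the SecureClient handshake."""
    status = OrderedDict((key, "not seen") for key in REQUIRED)
    for result, proto, dport in parse_log(text):
        key = (proto, dport)
        if key in status and status[key] != "DENIED":
            status[key] = result
    return status


def missing(text):
    """Required flows never seen allowed, in the order listed in REQUIRED."""
    return [k for k, state in check_required(text).items() if state != "ALLOWED"]


if __name__ == "__main__":
    for key, state in check_required(SAMPLE_LOG).items():
        print(f"{key[0]} {key[1]:<5} {state:<8} {REQUIRED[key]}")
```

On the constructed sample only TCP 264 and UDP 500 show as allowed, which matches the symptom in the thread; the two flows reported as missing are where the protocol rule or packet filter should be checked first.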